Speaker 0 | 00:00.568
Good morning.
Speaker 1 | 00:01.629
All right. It’s working. We’re live. It’s live. We’ll see if anyone actually jumps on. But now that, anyways, what’s cool is that we’re, I want to start doing these podcasts live. Because then if anyone has any like, you know, great points or things to add, or questions to ask, it’s, and then once we link this to LinkedIn and, and or YouTube, we’ll get maybe even some more collaboration. I don’t know. How do you feel about that idea?
Speaker 0 | 00:26.829
All right.
Speaker 1 | 00:28.931
So, so, anyways, welcome everyone back to Dissecting Popular IT Nerds. This is, I’ve been off for like three weeks, so I don’t know if anyone noticed or anyone even cared. It’d be great. Maybe we’ll get like, you know, maybe someone out there will be like, yeah, I missed you, Phil. But anywho, it’s great to be back. And Jason Torres, you know, transformational technology executive, you know, extraordinary executive director of information technology at, is it Greed Holdings? Am I getting that correctly?
Speaker 0 | 00:59.636
Grady. Grady.
Speaker 1 | 01:00.657
Grady. Okay. Well, that’s good. Just slap me around a little bit. But I want to start breaking these shows. Go ahead.
Speaker 0 | 01:06.842
That’s very common.
Speaker 1 | 01:09.063
I want to, I really want to make sure that we are more effective in breaking these shows up because I can talk forever and go off on tangents. And you had some, well, first of all, you’ve had a cyber event as of recent. And it sounds like it was a successful cyber event. Not that people want to have cyber events, but we know that it’s just a matter of time. It’s not a matter of if, it’s just a matter of when. It’s a matter of when and how bad it’s going to be and how well prepared you are. So, and I think you made a good point, which is when you, when you do have a cyber event and you, and it does go the way, I guess, that’s supposed to, like, how do you capitalize upon that? So I don’t know where you want to go with that, or what happened, or how you did capitalize on that. Or what people can learn or take away from this, but maybe it’s a learning from a cyber event is topic number one.
Speaker 0 | 01:59.442
Perfect. Yeah. And so, Phil, one of the things that we first started talking about is like, it’s a huge space. When I stepped into Grady Holdings, I was hired in to integrate IT and OT. And to lead the IT function, not to lead cybersecurity, but part of the kind of standard onboarding that most people do, you go around and you get as many perspectives as you can. And I saw there wasn’t, you know, a really focused effort on developing cybersecurity capabilities. So from a responsibility perspective, someone needs to step into that. And so I spoke with my leader, my hiring manager, 72 hours in and said, hey, I need to lead this. I mean, we need someone who’s going to take point on cybersecurity and aligning it with business objectives. So I say that first is like, I mean, if that didn’t happen, then you’re certainly not positioned to be able to weather the storm of a cyber event. And to come out on the other side. But honestly, that allowed the conversation with senior leaders, you know, so with our C-suite, with general managers and plant leaders around cybersecurity, rallying people around what needs to happen. And starting with, like you said, it’s not if, it’s when. And beginning to change the perspective of you’re not building walls to keep the bad guys out. You need to believe in your heart. They’re already in your house because you will come into the job different. You will run your shop differently if you believe you’re already breached. And so when the day came… And we’ve had lots of, I mean, everybody’s constantly under some form of inspection or attack, but there is a day, right? The day came where we had something real to deal with. And when I contacted our CTO and said, like, this is the morning. We knew this was coming and here it is. And you can address that calmly, even with all of the unknown. It’s a, yeah, we knew it was coming now. We’re going to rally the troops. So part of, like, how do you come out on the other side?
And, you know, with the… with the attention that you’ve got of board of directors, of your executive leadership team, um, how do you then accelerate a cyber program to better position the company? I think you, it’s best if you’ve already started, you know, because there’s a couple of pieces to that. One, you’re more likely to be able to weather that storm. But um, but you’re not storytelling through the whole thing, through the whole event already. Like, you’ve already kind of laid the foundation,
Speaker 1 | 04:21.069
So let me, let me ask you this. So it sounds like, like, it was not a, like security was not like an expectation of the job or something that was on maybe, I don’t know, a job expectations list or something. It kind of sounds like, maybe like security wasn’t part of your role, but it is assumed to be part of your role. Is that correct?
Speaker 0 | 04:42.198
When I came in, it definitely was not part of the responsibilities we discussed. But you know how it is.
Speaker 1 | 04:47.342
So, yeah, I mean, because obviously if something went wrong and, you know, security took down the company and everything, who are they going to look to? And is it safe to assume that, even if it wasn’t part of your role, but if it did happen, they’d still blame you anyways?
Speaker 0 | 04:59.368
Oh. If it smells like technology and a manufacturing organization, yes. Yeah, there is. Some people would certainly assume you’re responsible for the outcomes of that system that you own. So, yeah. Yeah. I mean.
Speaker 1 | 05:13.641
So I think there’s just, I don’t know, something to be said about, I mean, from a general leadership perspective, if you want to be successful as an IT leader, really pay no attention to the, I don’t know, whatever the piece of paper is that HR gives you at the beginning that they’re trying to hire for?
Speaker 0 | 05:32.189
I would say it is one of many inputs. Like, they’ve just explicitly told you what they think on day minus five. But as soon as you get in there, and honestly, before you get in there, whether it’s a brand new company or a brand new position, or just your responsibilities change, that’s just an input. Someone thinks this. Now you own that conversation of saying that’s accurate. That’s a small subset. That’s the most important. Like, now you own setting those up.
Speaker 1 | 05:58.623
Talk to me about the story in this event and what happened and rolled out. And for what you can, I mean, what you’re allowed to, you know.
Speaker 0 | 06:06.589
So a lot of this is going to be fairly common. You know, from what I’m seeing, it’s still not super sophisticated. The bad guy still has to get in. And in this case, the bad guy impersonated an IT admin, right? And so there was some social engineering. They knew enough about the company. They knew the name of an IT admin. It’s not a huge company, but some simple LinkedIn, I’m sure, and it was enough information to try to communicate with a few of our office workers. And that led to PC takeover. And then there’s just the pre-existing conditions that allow threat actors to elevate privileges, to move around the network. And so there was never, in this case, that’s the entry point. And then there was no deployment of malware. There was no super sophisticated. Once you’re in, it just was leveraging existing, legitimate tools. And the bad guys brought some of their own tools, but they were copies of legitimate tools, which is why lateral movement was possible. So Grady has got technologies and processes and partners in place that monitor and catch this. So here’s the, it didn’t get awful. Because unusual behavior was detected through our systems and services. And then that morning, we’ve got an incident response process in place. We executed that. It came with, you know, that collected the information that I needed to make the decision. That we would sever internet connections to the outside world from all of our plants. And then it rolled right into…
Speaker 1 | 07:50.421
So, like, a step-by-step policy of some sort was in place.
Speaker 0 | 07:53.423
Enough to get us to the point where I could make a call. Yes. Now, it wasn’t perfect. And we, you know, those things are living documents. Fortunately, in 2024, Grady’s board of directors and executive leadership team supported the investment in basic governance, risk and compliance activities. So that we have an incident response. So we have risk management processes in place, which we exercised there and they were successful. But, uh, but after that, it’s chaos. And I’ll tell you, we’ll take some luck. And one of the things that I learned that where our incident response policy was a plan, I should say, what our plan was a little deficient in is, it happened to be that the threat actor, I think, was working out of Europe. And so Grady is a North American company. When I had to make the call, when we observed this malicious behavior, most of my guys were still home. And so when I severed the internet connection, anyone in the offices lost their internet connection. And that would have made it really hard for us to collaborate, to communicate. But it just happened to be that everybody was home. So by severing the internet connections at our factories, all of our IT people were working remote. Again, if we’d have been in the office, things would have got more complicated. And so that’s a lesson learned. Anybody’s incident response plan has to account for, you know, how are you going to communicate if you have to sever your internet connection?
Speaker 1 | 09:16.025
What conversations would you have had with your peers that no one else in the company would have had any clue what you’re talking about? And the reason why I ask that is sometimes when you get a bunch of IT guys together. And if your C-levels are sitting like, kind of like a fly in the room, like listening to the conversation, they would have absolutely no clue what you guys are saying. So if you had some peers, you know, to bounce ideas off while you’re in the situation, like, what would that conversation look like? I’m just curious. Like, is there anything sophisticated in there that you’re kind of curious about? Like, I’d just love to dig in on this because, I don’t know, it’s just cool. And there’d be no one else I could talk to about this.
Speaker 0 | 09:55.538
Yeah. Well, so I guess there’s two pieces to that that I would want to address. One is on the technical side. Like being able to go through that vast amount of all of the logged events that you have, whether it’s the network. And we’ve got a small network team. So they’re the only ones that can make sense of suspicious data transfer activity and what’s legit and what isn’t. We needed to process logs from all of our servers to figure out which accounts we’re using, which things. And so we’re doing like extracts, log extracts. And we’ve got a small group of people that know how to analyze that stuff. We’ve got our own EDR tool in place. And you have to have the working knowledge of that to make sense of those logs. So we don’t really have a full-on SIEM, which aggregates and tells us right now, or at the time of this event. But so there’s that, right? There’s that piece of it. We’ve got lots of different disciplines, small teams that are trying to make sense of their data, and then to have the conversation across the, and then, to like, to connect all those dots. So there’s that part. The other part on our senior leadership, on our plant general managers, that’s not telling them anything about the impact of the business. Like they have no idea. We have to, we have to help them understand. When I sever an internet connection, what’s it mean to your ability to make and ship parts? And, and so there’s a learning on the IT side about knowing when the internet goes down. You can do everything you want, but you’re gonna have a problem printing shipping labels so you can have a speed. Eight hour. Yeah, yeah.
Speaker 1 | 11:29.325
So how long was the, how long was this? Um, I don’t know. Uh, what do we want to call it? Snafu.
Speaker 0 | 11:37.465
I think of it in like three different timelines. There was the 24 hours,
Speaker 1 | 11:42.685
But real quick, you said, you know, it was a known actor also. So, like, what was it? What was it again?
Speaker 0 | 11:48.005
Cactus is the name of the bad actor, the threat actor that, that, uh, that we were involved with, but there’s, there’s many, many, many of them out there. I mean, this was a big learning experience for, for all of us. So I would look at like, there’s the first 24 hours. There was the time when we identified the activity was going on. We severed in connection and we were figuring out what’s it mean to the business. We knew very quickly that there was no production impact. We could continue like our factories were melting iron, making parts and could ship parts. We found out that one issue was going to be with those printing and shipping labels. And that’s because our ERP is in the cloud. But like, this goes back to kind of risk management. The conversation from the top down on what are your key business processes that drive revenue, and how do your information system support those? We need to know that up front. But so we, within 24 hours, have resolved the print issue. And so we’re building and we’re shipping. No customer impact. That’s remarkable. And so that, in itself, was an enormous win. So that’s the first timeline I think of, like getting to the point where we know our customers are going to get their parts on time. Then there is the period of forensic investigation. There’s the period of the conversation with our customers on what happened. What’s it mean to you? What are we doing? And so, and in that period, you know, you’ll have some customers who are severing EDI orders, who are severing or disallowing your email, any collaboration. So they’re waiting for basically a letter of attestation from someone saying that the company is safe to do business with again. So that period took about two weeks, about two weeks of 17 days. Those were pretty much 16, 17 hour days for about 17 days straight. To get through all of the data collection, to do everything you need to do to remediate any of the indicators of compromise. 
Which in this case, it was a way to rebuild some servers that, you know. As is the case with many of these, you find things that indicate there was some level of compromise. You restore from backups and all that stuff. So that was about two weeks to where we had all of our internet connections back up. All of our customers who had been working with us through this had restored email, EDI, and all that stuff. And then the third, I’d say, still ongoing, which is what do you do after the event? So now there’s other things that you need to do, you know, after you’ve restored all services, which for me, you know, I’ll share. One of the big learnings that I had out of this is for companies who have cyber insurance policies. When you need to enact, when you have to execute that, your cyber insurance carrier is probably going to bring in an incident response team. That incident response team is going to need certain tooling to be able to see the forensic evidence, to in the end, send the letter of attestation. If that’s not lined up before… you are lining that up, from legal paperwork to the deployment of tools in the middle of the fire. Okay. And you don’t want to do that.
Speaker 1 | 15:08.160
All right. So explain that a little bit more detail. So just in real layman’s terms, guys, do this so that this doesn’t happen.
Speaker 0 | 15:14.805
Yeah. So one, if you have a cyber insurance policy, make sure you understand the terms and conditions. You need to understand which incident response company is going to get pulled in in the event that you actually have an event. And you didn’t know which EDR tool that cyber insurance or that incident response team is going to require that you have deployed to collect the evidence, so that they can confirm and write that letter of attestation. And if that’s it, again, if it’s not lined up, what you will find is that you’re going to be working through legal agreements and the terms and conditions of those legal agreements. You might be deploying new tools across your environment and just trying to do the forensic investigation and just restore. And it’s for the right reasons. But so be proactive. And this is, you know, something that we are working on now to make sure it’s all lined up. I mean, we work with great people. We work with great people and great teams. It is no slight at all. I mean, again, we were fortunate to have weathered this well, but…
Speaker 1 | 16:13.457
So how do we capitalize on all this, I guess, is the question. And, you know, we had talked last time about influencing executive management without really telling. How is this all… How is a negative a positive, I guess? And how do we, I mean, 16 to 17 days to remediate and get customers to accept you again? Is that good? Is that bad? Is that normal? Is that better than average? What is that? Because 16 to 17 days in the manufacturing world of people not buying from you or something like that, I would imagine could be a little painful.
Speaker 0 | 16:51.420
Oh, yeah. Well, and this one, again, the fact that no production impact is enormous. So you can find data in lots of different places. I like the Verizon data breach. There’s tons of reports that will give you different metrics. I think you can safely say that the average time of, let’s call it, an actual, if this had progressed.
Speaker 1 | 17:10.359
Well, hit on the comments, because that might be helpful to some people. So you got Verizon data breach. What else do you got? Let’s just hit on a couple of those, because it might be nice to bullet point here in the episode.
Speaker 0 | 17:16.586
I’m trying to think of some other ones. I mean, that’s the one that I would start with.
Speaker 1 | 17:21.608
I guess ChatGPT on that one. I’m like, in progress. Perplexity a lot lately, that’s the one I use, Perplexity for cooking recipes. I’m just telling you, it’s nails, nails it. Every time people are like, you are an amazing cook. My hands right time I did this first time anyways. So, um, well,
Speaker 0 | 17:41.778
So I, I would say, okay, to capitalize on it, ideally, you’ve already built a foundation, right? So you kind of know this is what I would, how I approach it, like, I know what, how I tend to operate and what some of my strengths are. So I play to those when I’m trying to build the foundation in advance about, in this case, a cybersecurity program. I also, for that foundation, you’ve got to learn the business, right? You’ve got to know what the business is trying to become. You’ve got vision. You need to know what the board of directors and the executive management team’s goals are for the company. You need to understand the strategy. You’ve got to align IT and cybersecurity strategy to that, right? So I’ll already, already be talking. Why would we do cybersecurity? It’s not. It’s not an IT to protect IT systems. You know, it is in the case of Grady. When I joined, Grady was the second largest North American iron casting manufacturer. We wanted to be one. Part of the way to do that was our i4O program. That requires security. You know, there’s, there’s a, we want to keep the business out of the news, right? Avoid these events as much as it’s possible, you know, and the impacts of those. So part of it is build the foundation up front, talk the language of the business, understand what the business is trying to accomplish, align, in this case, cybersecurity strategy to that. I think that’s, that’s, and you have to own that conversation. As we talked about before, when I was brought in, it wasn’t explicitly stated, hey, you need to tighten cybersecurity up to protect the company. It was, it fell in with what I thought someone needs to do and who’s most qualified to do it. Well, I’m not an expert in the world on it, but probably I’m going to take that and put some shape to it. So if you lay that foundation, when you get into the event, you’re positioned to be able to talk about what do we need to do to, first, as best we can, prevent the next event from occurring or minimize the impact of the business. And that’s the way that I talk about it.
Speaker 1 | 19:37.227
And what was the response of executive management?
Speaker 0 | 19:40.651
It’s been overwhelmingly supportive. One of the asks that I had of our senior leaders is you have to provide air cover. So not everyone’s going to understand what’s going on with this. And there’s going to be a lot of problems out on the floor, even though we can make and ship with internet down. There are inconveniences. And one thing that, you know, I had to say, this is what support looks like, general managers and executive leadership team. Everything else is deprioritized. And if you hear of clever people trying to find ways to restore internet connections via hotspots or whatever, stop it. Can’t do that. Right. Because people are going to try to solve their problems. So, one, everybody demonstrated an understanding and support in the moment. Beautiful. And then, on the other side, is I begin to present, okay, these were the activities that we conducted during the event to get us through it. This is what we found and to best position us to prevent or to minimize impact in the future. This is what we must do. So the alignment of cyber insurance carrier with the incident response team, with the EDR tool, that’s me coming to leadership, saying that cost us time. And in an event, you know, that old adage of time is money. There is an incredible magnifier in an event regarding time and money. If you, if you are wasting time in an event, the threat actors can. It’s just massive the impact that can happen in a short amount of time.
Speaker 1 | 21:17.940
Right. So that the would. I almost want to have, I think, a roundtable event around all of the things that you learned from a cybersecurity event that you didn’t know before the event, that you should have had in place after the event. Would that be useful?
Speaker 0 | 21:35.679
Oh, yeah. And so I think that’s great to call out. It’s also important to know you are not alone. So, you know, you might, some leader might feel the drama. So, to focus on the problem and not deliberately, but effectively, go it alone. And that is not what needs to happen. You are surrounded by your partners. And, ideally, you’ve built relationships with other peers out in your network that can help you navigate this every step of it.
Speaker 1 | 22:10.552
We need like an emergency button in the community. We need to like a red alert, red alert. Someone’s having an event who can come to the table right now and help, and help, I don’t know. Brainstorm this or word, I don’t know, whatever it is, uh, Cyber Smith, this or something like that. But was there people that you, was there anyone that you were able to call on outside, that were outside of maybe the, like, is there people that you call on? In times like this that are very helpful?
Speaker 0 | 22:34.011
Absolutely. Right. So, so one, the, your formal partners, you know, and the people in this case that you get, that you get kind of assigned to work with those, those people are there to help you. So Grady partners with Trend Micro right now for EDR and MDR. And so, and they were wonderful. The way that they partnered with us, round the clock, until we got to a good position. The IR team that we worked with through our cyber carrier, Iron Gate, can’t speak highly enough about them. They did a wonderful job at what they were doing. But for me, I’m part of Society for Information Management Detroit, a wonderful organization here in southeast Michigan, full of leaders who support each other. I’m a part of the CXO Forum and CSA. So there are these organizations that… that I highly encourage everyone to plug into. My take on those is you are part of a network, whether you like it or know it or not. So go figure out how they work and meet the people and understand how those systems work. And so it’s sensitive conversations, right? So you can’t have all details out on the table, but you know, you can reach out and you can say, I’m in a situation right now. And so other CISO, can you meet with me and talk through? Effective communication. Like I reached out to several, I reached out to one person in particular, and I hope she doesn’t mind me mentioning her name, but Darlene Taylor is a wonderful person. I reached out to Darlene. She connected me with a few other people who were wonderful enough to share their time as we talked through the preparing for the post event. Like, how was it on the other side? You make sure that with the attention that you have, you address the gaps that you must. End.
Speaker 1 | 24:18.100
Let’s touch on that. So, capitalizing on or post, post cyber event, or capitalizing on a post cyber event. Was it a, was it a PowerPoint presentation in front of a board? What was it? What did it look like?
Speaker 0 | 24:30.130
There were a couple of slides, but more of it was, more of it was the daily conversation that I was having with our C-suite through the event. You know, it wasn’t, it wasn’t a waiting for. It’s a relatively small organization, right? Twenty five hundred people. It’s a billion dollar revenue company. But, but I’m, you know, in daily conversation with our C-suite. And so through that, having a pulse on the conversation and then, to the best of my ability, sharing the impactful information of what do we need to focus on? Again, I very much focused on what are we going to do to prevent it from happening again? And when it happens again, what are we going to do to minimize the impact? And dollars and dates, and most impactful to least impactful. And
Speaker 1 | 25:16.759
I think that’s how I would- Is there any one thing that you, that like the biggest learning or biggest takeaway from this? I mean, I had all kinds of bullet points for us to talk about. We were going to talk about, you know, real AI versus use cases and everything. And would AI have saved the day here? And X, Y, Z, AI guys, how could AI have saved the day here? I mean, what did it have, you know?
Speaker 0 | 25:43.625
Yeah. Well, so now I’m doing lots of evaluations on the tooling, but for me, okay, so that alignment that I’ve mentioned several times, that’s a big thing. And it’s something that everybody can do, and it’s something that can save you time. And can position your incident response team to be able to see historic telemetry data, as opposed to coming in and dropping a tool. And they’ll be able to see from today forward, which is heavily has certain value. So that is a big one. Go do that if you haven’t already done it.
Speaker 1 | 26:12.649
What does that look like specifically?
Speaker 0 | 26:14.771
Okay. So I’ll give you some names on this. If you work with a cyber broker or cyber insurance broker to find your cyber insurance carrier, I would initiate the conversation and say, I want to proactively align my insurance carrier with my incident response team. And with my EDR tool. Because, ideally, I want to discount on my premium because I’m picking your preferred vendors. So put me in touch with two or three of your preferred vendors on, they’re already going to tell you their cyber insurance carriers, right? That’s what the broker does. But then ask them, put me in touch with two or three of your IR teams that you prefer at IR teams. So it’s going to be Arctic Wolf. It’s going to be Kivu. I mean, there’s a handful, Iron Gate. I don’t know all of them. And I’m not pretending to be an expert in this space, but this is based on my experience. So go have a conversation with them. Talk about the retainer fees. Talk about if you can use the fees you’re paying for retainer to apply to things like pen testing and tabletop exercises, the stuff that you’re going to need to do anyway. But if you don’t have an event, don’t just give them your money and do nothing. They will let you spend that credit down on stuff that you need in other areas of cyber. And then you have to talk through what’s the supported EDR tool. Because, again, you don’t want to be in the middle of it. And then have them tell you, oh, if you don’t have CrowdStrike installed, go install CrowdStrike. And no knock on any of the tools, right? But I’d ask them the same thing. What are the EDR tools that your IR teams are going to require be installed when they get engaged? And then you have to have this discussion around, okay, does my tool fit? If it doesn’t, can they go get to be a preferred tool with the IR team or whatever? But you got to have that. And there’s costs associated with that. But that goes to the story that you’re telling of time’s money.
And if you’re going to spend a little bit of money up front. Maybe here’s this, and I feel like I’m scattered around.
Speaker 1 | 27:58.688
Oh, this is nice. This is very nice. This is kind of like unifying everything into one box and making it kind of like this streamlined security packaging of some sort, if that even does exist. But it does exist, but it doesn’t exist. You know what I mean? In other words, everyone should be playing together in the same sandbox, nicely.
Speaker 0 | 28:17.043
It’s essentially what you’re saying. Yeah, I think part of what we can talk about regarding tooling and roadmaps will fit into this. But here’s… Here’s the thing that I learned. If you have an event, you are going to pay somebody, right? You’re either going to pay the threat actor because they got all the way to ransom, right? You’re going to, maybe you pay them, maybe you don’t, right? Or you’re probably going to pay your partners. You’re going to pay your partners to make sure that you’ve got the tools in place to prevent it from happening. Or you’re going to pay your partners to help you remediate all of those things after the event. So you’re paying no matter what. You’re probably going to pay the threat actor a hell of a lot more than you would pay your partners to get the tooling in place. And so I think that’s another takeaway that I got on this. Now, we didn’t have to. Yeah.
Speaker 1 | 29:05.221
No, no, it’s actually, it’s beautiful. It’s straight to the point. And I think it’s very clear, which is this alignment of all these things. And if you didn’t do it ahead of time, then you would have wasted a double or triple that amount of time. Kind of like stumbling over your feet during the event, trying to get these different things in place. Um, is there anything, just, uh, um, just in general, before we wrap this up, because I think it’s a beautiful conversation. And, you know, we had talked a lot just, you know, behind the scenes about, you know, you know, influencing executive management without telling and in a way that they understand and get excited. And, uh, because you can’t just use all the same terminology that say, I don’t know, real high level IT guys use because they would gloss over. Get lost. And you had mentioned taking responsibility. And then we’d also, I had written down some notes on last time that was, you know, what do you do when you know what you have to do? But you can’t do it. That’s because it wasn’t approved in the budget or something. I don’t know, but I’m going to leave you with those thoughts, and you tell me, what’s your first thing that comes to mind.
Speaker 0 | 30:13.527
I’ll just jump to that last question, because that’s the most recently asked. Ideally, you’ve already got a Plan B and a plan C and a plan B. And so if you don’t get to do what you want to do, because you know you need to do it, hopefully, like we’ve been through this enough times to know more, then you don’t always get what you want. So hopefully you’ve thought through, if that’s not going to play out like that, then what? I think one of the notes that I took as I was thinking that is. That’s an opportunity to go back. To know how you want to show up at a moment like that. Right. So you’re a leader and people are watching you. And that’s an opportunity for you to demonstrate leadership. Like, you and your team probably came up with a good, logical plan. And now that can’t be the way that it operates. You could go back and complain and blame and waste time and show no responsibility, right? Or you could go back without complaining and blaming, and you can say the world’s changed. What, you know, the assumptions we made are not valid anymore. And so because of that, we’re going to do this. Or, again, go in. And one of the other notes I took was You’re not alone. So don’t tuck into your shell, but instead reach back out. And that could be your, you know, your partners in the business. It could be… You know, the, if it didn’t go the way that it needed to go, is it because people didn’t understand? And if they didn’t understand, that’s on you, like, you own that. If it’s because of budget, well, that’s the world we live in. And so what are you going to do? But I think you could also look at reaching out to your partners outside. Again, like, hey, let’s talk through this situation. Can I get some guidance? What do you think about? But you own it, right? I mean, I think again, going back to how do you want to show up at the moment? That could be. Career defining moment. 
It could be a time that rallies the team around and shows them that they’re capable of embracing and, like, thriving in that kind of a situation. That could be a good opportunity.
Speaker 1 | 32:09.344
What’s the environment year? What’s your general feeling this year? I’m just curious. I mean, we’re, you know, we’re through March, we’re through the first quarter of the year. What’s your general feeling about just manufacturing, the United States? IT jobs in general. I kind of get the feeling that hiring is down. Or is there going to be a… Where are we at right now?
Speaker 0 | 32:37.311
Okay. I’m no expert here. I’ll throw some things out, but I’m certainly biased over the past week of events, two week of events with tariffs and things like that. So my take on that is, there’s a bunch of uncertainty that’s out in the market right now. And until we get to some stable, some understanding of, like, where is this going? I think there’s going to be that volatility, which is, and I think fear is going to prevent some investment. That’s my kind of guess, right? There’s, I think there’s going to be the leaders who are kind of like, man, let’s see how this plays out.
Speaker 1 | 33:08.338
Yeah. So then you being one that is response able and ability to choose your own response. As IT leaders, what do we do? Just keep managing and hoping, hoping we have a job next month or what, you know, but you don’t mean it’s like, what, what should we be doing? You know, to survive, to survive, because I’ve got people that, you know, are still looking for jobs. I’ve got people that are still, you know, whatever company shut down, there was a merger, I was made redundant, like, you know, whatever it is. Um, or I just, what should we be doing as IT directors to take over, uh, the world?
Speaker 0 | 33:44.862
I’m also about to throw a few things out and I’ll probably hit this from a few different, uh, levels. But so one regarding our people, like, you know, I think our… our value is not determined by whether the current employer can employ us. You know, I think our value is determined by what’s your skills and are you investing in your development? I would encourage everyone, have an opinion on what you think the most valuable skills are right now. I would, you know, given my recent experience, I’m probably going to be biased towards cybersecurity as a space that’s going to have demand. And good cyber folks are, I think it’s still… the demand versus the availability is heavily in favor of those with those skills. So cyber is a good place to go skill up in. I think certainly data and analytics, and if you want to call it AI, all that stuff. But I think that that’s a space that you see is going to be around. That’s not going anywhere. So I think have an opinion on where you believe skills are heavily in demand. And then go skill up in those areas. Find not only like, you know, go take the classes and things like that, but, you know, have a conversation with your leadership and with your peers around, are there… opportunities for me to plug into business activities where I can scale up in this space, like align my career development aspirations with business needs. So I think there’s stuff that you can be doing over on that side regarding our people. Um, now,
Speaker 1 | 35:18.925
because there is a lot of, I mean, there’s a lot of AI hype, but there’s a lot of AI reality as well. Which is how much time before many things are made redundant, and how do we leverage that? Yeah,
Speaker 0 | 35:32.424
Yeah.
Speaker 1 | 35:33.684
For everyone out there listening, we do have our AI for everyone that’s been on the podcast, that’s part of our secret community, invite only, that I want to just remind everyone that if you’ve ever been on Dissecting Popular IT Nerds and you’re in the community already, which we’ve got about 124 CTOs, CIOs, whatever in the community, the AI roundtable event is coming up and you can go to the events section and sign up for it. The actual date of that event, um, um, is Wednesday, April 23rd, 11 o’clock Eastern, I believe. Is that right? EDT. No, no, no. What’s EDT? No, no, no. It can’t be. It must be like 3 o’clock Eastern and like 11 o’clock or something specific. But because I’m traveling right now, I don’t know what time zone I’m looking at. But anyways, it’s in there. The AI use case roundtable, Wednesday, April 23rd, which is going to be a great event. I think we’ve got, I know we’ve got dozens of people signed up for it already to come and just talk about hype versus reality and what AI use cases have actually been implemented, like real AI use cases, not just the hype. How is how have people used AI to actually make a difference? Which, um, to your last point there, um, scaling up and either cyber security, um, AI, and then obviously data and being able to, you know, take company data and make sense of it. And I don’t do stuff with that to grow the company and become billionaires, I guess that would, leverage its value inside the company. Jason, it’s been an absolute pleasure having you on the show. Any final thoughts or words of wisdom, or anything like that?
Speaker 0 | 37:08.073
Just to follow up on what your last topic was. So I’ll mention, I read a great PDF several years ago called The Mediocre Programmer. And I think it’s from a programmer that’s based out of Ann Arbor. I wish I could remember the person’s name, but at any rate, the person clearly is not a mediocre programmer. But the thing that I love the most about that is about his prescribed way for learning big topics. So he talked directly to me. When I read, you know, you start learning something new, and then you read seven paragraphs in, and you’ve already seen five things that you don’t know. So you’re like, man, am I ever going to get this? So his way that he proposed to learn something big, like AI, is, okay, pick something, right? Go figure, you’re going to learn one aspect of it and have a notebook that you’re tracking the terms that you don’t understand and write it down every time. And if you do that, eventually you’re going to write down the same terms. Some of them are going to be multiple times. And you can basically just count the times that that topic comes up. That’s the next thing you should go learn. So it helps you to break down a big, massive topic like AI or machine learning or these things. And not feel overwhelmed and hopeless about being able to actually learn it. So The Mediocre Programmer, I’m pretty sure it’s a free PDF that’s out there, but that I use that learning method for these big things. And again, not that I’m just a… I’m certainly not selling Perplexity, but pair those two things up. And I mean, you can get a plan.
Speaker 1 | 38:28.925
I, um, yeah, I mean, seriously, I started out with Perplexity, um, give me an award-winning, uh, sweet potato pie recipe. And I made that sweet potato pie and it came, and I gave it to my friend from Jamaica who loves sweet potato pie. And he was like, this is the best pie I’ve ever had. So, and that, you know, that’s, that’s saying something that I use for many other recipes. And so that’s my secret. That’s when I have to, when I have to cook dinner at night, that’s, that’s my secret weapon.
Speaker 0 | 38:56.909
I’ve been looking forward to this conversation for quite a while. So thank you. I’ll stay.
Speaker 1 | 39:00.973
Thank you, sir.