Speaker 0 | 00:05.304
All right, welcome everyone back to Telecom Radio 1, specifically our IT Leadership Series, Dissecting Popular IT Nerds. And today, we’ve got Michael Wallace on the show. Very happy to have you on. You’ve got some great experience. We were talking before the show about how you kind of got started out and got a lot of experience in the U.S. Air Force, man. Why don’t we just start there with a good story from back in the day and how you got started.
Speaker 1 | 00:29.616
Yeah, absolutely. I got started in the Air Force in 2010 and got put at an enterprise help desk to oversee help operations for about 13 different bases. There was one time when we got a ticket in from one of the bases. And this individual, you got to understand that people are only there for about six months or so and then they rotate out. So while they’re highly qualified individuals, it does take time to understand the IT systems you’re on.
Speaker 0 | 00:55.458
Hey, just to clarify though. This is during the war. This is overseas. And you’ve got people that, what’d you say, like two weeks tenure or two months, did you say? What’s the typical time frame?
Speaker 1 | 01:06.627
Yeah, they only get about two weeks of training and they have to manage a lot of important systems for thousands of people on those bases. So while things do get tided over with contractor help, the actual Air Force members don’t get a lot of training before they get started. So we had one particular individual who did not realize what permissions they had and managed to delete the entire user structure or base, uh, suspected more than 1500 people at the time. And hey, they, uh, they learned a lesson that day. They gave us a call and we were able to work with them for a couple of weeks to try to figure out what service accounts got broken. But at the end of the day, no one got punished because we understand. But it was pretty bad.
Speaker 0 | 01:52.572
So two and a half weeks of rebuild, constantly dealing with some turnover. So they’re in that position for, so two weeks of training, but how long are they in the position for? Like two months or so or longer than that? How long? Six months. Okay. So pretty good preparation for dealing with staff turnover or kind of, I guess you could say drinking from the fire hose, if that makes sense. But you guys had to coach him through rebuilding. Basically, you had to rebuild 1,500 users?
Speaker 1 | 02:20.708
Little under 1,500 users. We had to get them back on. And that included some service accounts. There were many systems that were broken.
Speaker 0 | 02:29.358
Wow. Okay, so that was kind of your training grounds, I guess. You were there for, how long were you in that position for?
Speaker 1 | 02:37.307
I was in that position for about a year and a half, almost two years. Then I moved over to information security. I did some compliance work there, and then I went into cyber warfare and operations. Under the Obama administration, they hired in a great deal of security experts in order to train them as cyber warfighters.
Speaker 0 | 02:56.822
That’s really cool. Now, just since I talk about this a lot, I talk about, you know, do you need an education? Do you need certifications? Yes, you do. I think, you know, the majority of the people are going to answer like, yes, it makes a difference. It absolutely helps. But compared to experience, if someone has all the certifications, they have the education, what would you say is more powerful? The experience of being there? Where do you get the most learning?
Speaker 1 | 03:23.311
Yeah, absolutely the experience. You should be using some kind of training or websites and keep your skills fresh. You need to be working on this stuff. Yes, you can go to a SANS course, or yeah, you can go and get your degree. And that is important to move up in the world. But for the practical day-to-day, you need to keep your experience fresh by working, scripting, looking at the articles, being aware of the security threats that are out there.
Speaker 0 | 03:50.840
Excellent. So fast forward X number of years. You’re now the IT security manager at Rubin Brown. Give me just kind of a day-to-day on that. I know you have some, you know, red team development, you know, experience in your past. You’ve got, you know, I’m assuming building numerous different policies and stuff. What is it? What does your day-to-day look like right now?
Speaker 1 | 04:10.848
Day-to-day now is making users aware of the security threats. We combat phishing and we combat the threat of ransomware. Just recently, there are competitors in the accounting field, TurboTax actually got hit by a ransomware attack. But actually, no, it was a data breach. Sorry, that was a different one. There was a data breach for TurboTax recently, and this has helped me make aware that, yes, we need to be concerned about these various types of external attacks, but even something, even our small accounting firm, a ransomware attack can actually just wipe us clean. So we really need to keep users aware, keep my leadership aware that when threats like that occur and they can occur in an environment such as ours as well.
Speaker 0 | 04:57.352
What’s your disaster avoidance? I mean, are you guys constantly mirroring your environment or what’s your kind of disaster avoidance?
Speaker 1 | 05:04.114
We absolutely have to back up to a secondary source off-site and we perform those backups weekly.
Speaker 0 | 05:11.756
Okay, nice. So the end users are always kind of the, there’s always a big turning point. Obviously, email phishing is big, social media phishing. Hey, I looked at your Facebook page. I noticed you’re going, that you go to XYZ every weekend, and then I can send an email to HR and ask for everyone’s W-2 last minute or something like that. What kind of phishing attacks have you seen?
Speaker 1 | 05:32.106
So we see a wide variety of phishing attacks related to, hey, you’ve got a financial statement waiting for you. A particular threat that’s been happening against some of our leadership will be, I just want to change my direct deposit account, something like that. They’ll send that to HR, and HR is very keen on those kind of requests, to make sure that individual is who they say they are.
Speaker 0 | 05:56.163
Yeah, that’s classic. Change my direct deposit to a different state and country.
Speaker 1 | 06:01.407
It works sometimes, yeah, for other situations. So yeah, that’s a pretty easy attack that occurs that people need to be aware of.
Speaker 0 | 06:10.836
And then they might get away with that one time or something. I’m assuming it doesn’t go on for months with just direct deposits going in. They might get a paycheck or something like that.
Speaker 1 | 06:18.562
No, yeah, this is a… It’s great. They’re sending these out, hoping they only get one or two, maybe.
Speaker 0 | 06:24.887
Yeah, gotcha. So you’ve got the end users. You’ve got the general security piece. What other kind of silos do you have going on? What kind of stuff gets thrown at you on a day-to-day basis? Because I know you said somewhere around 250 employees over there. So your day-to-day must have a fairly significant to-do list that can grow randomly at any time. How do you, as a… you know, IT security professional deal with that?
Speaker 1 | 06:52.558
So we use various team collaboration softwares. We have like Microsoft Teams and we will be working with situations like multi-factor authentication, finding applications in the environment that we can enable that on safely, finding areas where we can create single sign-on. There are various different accounting applications that we use. So we want to try to figure out ways so that users don’t have to remember so many passwords.
Speaker 0 | 07:19.468
Hmm. Okay. So, and are you able to measure, where are you measuring results? What are you tracking? What are you, I mean, are there any results or anything that you’re tracking to show that your department is not just a cost center and that you guys are actually a revenue generator and trying to, you know, drive revenue and time management, that type of stuff throughout the organization?
Speaker 1 | 07:40.393
Yeah, we utilize vulnerability scanning tools. Nessus comes to mind. That’s a pretty popular one from Tenable, and they’ll scan and we can show trending for reduced vulnerabilities from patching. We also run monthly phishing tests. We use TechGuard. So there’s a phishing suite called the Phish Proof that will allow us to simulate and recreate some of the emails that we use, that we get. Some phishing emails that we get in, we can actually package those back up and modify them and send those out. We send those on a monthly basis to test users, which has been highly effective in reducing from about 760 plus. We had about 23 at one point and click. Now that’s down to seven, seven to nine. So that was a significant reduction. We want to get that closer to maybe only one or zero preferably.
Speaker 0 | 08:37.586
Oh, that’s really cool. Okay. So I guess that brings up a couple of questions. Number one, how do you communicate with your end users? I’m assuming they don’t know this is happening first. You just do it. Number two, how do you have that conversation after they do click?
Speaker 1 | 08:49.853
Right now, we can set it up so that if they do click on the link, it’ll bring them to a custom page that we built. And if they put in their username or password or whatever the fake page we’ve created at that time, then they get that notification like, hey, not only did you click on this link, you actually possibly put in information. Now, we don’t actually take their credentials or information. But what we do do is we reach out to that team member privately and say, hey, just to let you know, here are the signs in the email that you probably should have noticed. So we actually try to make it into a learning experience, not any kind of accusatory manner.
Speaker 0 | 09:26.966
Yeah, no, I mean, you got 750 people. It’s absolutely going to happen. I just wondered if you ever have those, you know, what those coaching conversations look like, if you’ve ever had a one-on-one with anyone.
Speaker 1 | 09:38.289
Yeah, I had a one-on-one with an individual who felt that the test was unfair. But, you know, once you sit down and you actually point out the different scenarios, be it, you know, yeah, you can have spelling errors. I don’t like to include spelling errors in the email. I like to include where, hey, the email said it was from this person, but it was actually from this other person. Something a little more realistic. Nowadays you don’t get as many of these misspelled-type phishing emails, or they do occur, but you really need to be aware of the well-done ones that are imitating someone else pretty convincingly, and it’s not a text. Where was the email coming from, and what were they supposed to see? Uh, the email pretended to come from, uh, the chief information officer. We made it look like it was coming from them, but it was actually slightly misspelled, off, and it used a different, uh, it used a dmail account it was coming from, but it had his name. So they, they just thought it was unfair because, oh, well, no one would know who that is. Like, absolutely they would know who that individual is. That person online, they can look up on LinkedIn. They will, they will be able to imitate exactly who this person is. So they needed to be aware of that.
Speaker 0 | 10:54.640
Interesting. Interesting. So yeah, so that’s a good, that’s kind of a good conflict that you would have with an end user. Obviously you’ve got all kinds of people in the organization. All people are going to take things a different way. It’s just how it is. That’s the reality. I remember managing a large staff back in the day and coaching conversations can be painful, easy, but at the end of the day, it’s, you know, about accountability and having those tough conversations sometimes. So that’s great that you guys are having.
Speaker 1 | 11:20.194
Exactly.
Speaker 0 | 11:21.695
Outstanding. So, uh, let’s see where else. So, so last question here, ’cause we could talk all day. You get one of the things that I, I’m in vendor management. So I have people calling me all day long, trying to get me to, hey, can you showcase this product or that product? Blah, blah, blah. I don’t even take that on, to be honest with you, because the amount of products right now are, there’s so many and the consequences are so high, you know, the research alone or vendor research alone, how do you even tackle the vendor research? Because I know how to do it from a voice and data perspective, co-location perspective, you know, like a WAN perspective. And I mean, I have great security engineers that I could go to if I really wanted to sell, you know, email phishing software or something like that. But how do you differentiate between all those security vendors?
Speaker 1 | 12:09.351
It’s challenging. We will go out and try to be in the community. We will, we go to conferences and we try to see the vendor demos that come up there. But really, we try to first, we try to identify a need. The vendors will always send out something that says, hey, I can solve this problem or I can solve that problem. And that may or may not be a problem in your particular organization. But first, you need to identify a need such as we need to manage privileged accounts, something like that. So then we will look out, see if there will always be vendors that are helping in that space. And then we’ll pick three, and then we’ll do a demo with them and try to figure out which ones are beneficial to us. But yeah, there’s too many to go through all of them. So first we identify a need, and then we figure out what that need is.
Speaker 0 | 13:03.487
Sounds very similar to my methodology, except then obviously putting in some sort of proof of concept. proving it, checking financial backgrounds, where the company’s going, X, Y, Z. Hey, so one last thing, if you had one best practice or one trick or anything that you might do that’s like unique and easy to implement that people might just not think of, is there anything that you can share with anyone listening to the show that they can just take that and run with it and be like, Hey, yeah, this, this is easy. I can do this. And this is a nice little trick that I can just implement and never forget.
Speaker 1 | 13:37.083
Yeah. So what we do do is sometimes we’ll talk to the, we’ll just sit down and have a quarterly discussion with the department heads, if you can. And we just ask their perspective on, well, what keeps you up at night? And what security concerns do you have? We over in the security department, we have our own idea of what is important. But sometimes they actually point out some stuff to us that we didn’t realize: certain applications, certain accounting software that they might be utilizing, certain practices that they’re taking. They bring that up to us and it does help put in perspective like, hey, I didn’t know that you shared, you know, X information with Y person. That could be something that we need to take a look at. So just talking to the people using the applications and services on a daily basis can be really beneficial. We try to sit down and talk with them.
Speaker 0 | 14:29.017
Cool. So is that department head meeting at the office? Is it in a boardroom? Is it everyone at one time? Is it like a half hour long, an hour long, or there’s no time limit and we’re kind of like whiteboarding stuff and parking lotting stuff? How does that kind of, just give me kind of a general idea of how that works.
Speaker 1 | 14:47.205
It’s very, it’s very informal. I’ll head over to a particular area and just sit down and, and, and just say, hey, how’s it going? You know, I’m, I’m over in information security. I just want to sit and talk with you about some of your applications. Yeah. Um, it might be most time, less than 30 minutes.
Speaker 0 | 15:07.190
Okay. Excellent. Um, well, hey, you know, Michael, thank you so much for being on the show today, man. It’s been a pleasure. I’d love to dig in and hear some, uh, classified stories, which I know you can’t tell. Um, but you know, that’s for another time when it becomes unclassified. Okay. Um, I hope you have a great day, man. Thanks for being on the show.
Speaker 1 | 15:25.802
Great. Thank you, Phil. Thank you