Speaker 0 | 00:09.604
All right, welcome everyone back to Dissecting Popular IT Nerds. And today we have Pete Nicoletti on the phone. He is the Chief Information Security Officer from Cybraics. And that is a… We’re going to talk security today, and I am going to be completely honest with you guys. I have little to no security experience. You should not take my word for anything when it comes to security whatsoever. That’s why I’m bringing Pete on the show. And I typically steer away from security because there’s so much fear mongering involved. And I don’t know if it’s that security guys in general typically have the job that you can only fail at. And I’m really not a failure. But I’m having Pete on the show because a lot of people are very fond of very particular niche security products, one of them being Darktrace. And Pete, one of your girls called me the other day and was trying… I get calls all the time from vendors, all the time. So I just kind of threw out the Darktrace thing there and asked her to fire off how you guys compare. And I’ll be honest, I was impressed a little bit. So I said, can you just get me your top nerd on the show, please? I want the nerdiest person in your company, the person that can actually speak facts and figures. Now I’m talking with you, so I guess that you are. I’m a nerd translator.
Speaker 1 | 01:40.558
I sit between the data scientists and the normal people, and I can use smaller words and talk slower. But for 30 years I’ve been an ultra nerd, and I dress the part, and…
Speaker 0 | 01:53.628
30 years, okay. So that means you’ve seen a floppy disk drive before, possibly.
Speaker 1 | 02:01.453
Single-sided, double-dense, single-sided, and 8-inch before the…
Speaker 0 | 02:06.397
5-1⁄4s. That’s beautiful. What was your first memorable computer? Do you remember your very first computer?
Speaker 1 | 02:14.002
It was a PDP, a DEC PDP. Before it was an 11, I think it was a PDP-10. It was a test machine. And it was up in Princeton at the Western Electric Lab where the laser and the transistor were invented. My dad was a research scientist there. And I wrote commands to control one of the very first CO2 lasers to cut through some steel. And here I was, you know, 14 and a half or so, before I could even drive there. And I said, okay, if I can make a computer do this. And then I ended up building computers. I ended up… building a computer clone company, and I was selling computers before Dell had temple. And, uh, got into, you know, an ISP. I started an ISP. Then I started a wireless ISP. Then I got into… I was hacked, and I got so pissed off that I self-taught myself everything security. And I ended up finding the guy that hacked me, arrested him, put him away, and got into hardcore security. Started an MSSP, a managed security service provider, sold that, started another one. And then I went from AAA ball to big time with Terremark down there in Miami, running the incident response teams and the penetration testing teams. And we broke into buildings and banks and, you know, proved to them their security, as well as keeping sharp and doing incident response. Doing dozens and dozens of, you know… I was incident commander for maybe close to 100 incidents. And then I went to a company called Virtustream and built their cloud practice with 1,000 SAP customers and took their cloud to the FedRAMP client. Then we got recruited by Hertz, and they bought out my golden handcuffs, and… Nice. Spent a year as global, or two years exactly to the day, at Hertz as global CISO. I used to tell my guys the average CISO term is, well, it’s 14 months. I said, guys, I just want to be above average. Get me through two years. And I managed that.
Speaker 0 | 04:41.933
I’m sorry about that, where I said CISO is the only job you can fail at. It really seems like a bang-your-head-against-the-wall, painful, almost very stressful type of job. But listening to you talk just now, you actually made this all sound like it was a lot of fun.
Speaker 1 | 04:54.681
Well, you know… The higher you go in security, the more you lose your keyboard skills and your hacking skills and your security skills. And it turns into a business job. It turns into basically begging for money and justifying budget and working with different business groups to lubricate the business and make it faster and build security in sooner. So it really is more of a business rather than a technical situation at the highest level. So for our listeners out there,
Speaker 0 | 05:40.879
Just for our listeners out there, because one of the biggest themes of the show is business acumen and how many of us that have gotten into technology, gotten into technology because of the technology side. And, you know, by 2000… what are we in? It is 2020. So we’ve already hit the day. So by 2020, you know, it’s something like 85 to 90% of all IT directors and leadership and technology leaders will have to have a significant amount of business acumen that they may not have had in the past. And the way that you described it, the way a lot of people describe it, is begging for money, having to really provide all these arguments. Do you have any tips or tactics, or anything other than showing ROI and fear-mongering and look at what happened to this company? Is there anything that you’ve done that has been significantly different or helpful to people when needing to ask for money?
Speaker 1 | 06:31.805
Lots of things. If you can prove the medicine is cheaper than the cure, show that. Look, here we have 1,000 servers that are vulnerable to WannaCry, and if we can patch those, it’s going to cost us five bucks to patch each one. But if we have an outage where we have to go and restore each one, and between the time and the business effect, you know, it’s going to cost us $15,000 per server. Let’s prioritize and get these things patched. So that’s one idea. The other idea that has proved effective, although, you know, it’s a little bit of a dick move. Sorry to use an expression there.
Speaker 0 | 07:21.107
I’m sure we’ll take anything at this point. Go ahead.
Speaker 1 | 07:26.289
When you present risk to the board or to executives and you say, hey, as a security expert, here’s the risk that we have to the business. You know, there’s four things you’re trying to protect. You’re trying to protect the reputation. You’re trying to protect business processes. You’re trying to protect records, protect intellectual property. So if you break it down to, hey, here’s a risk to this, here’s a risk to that, it usually falls on deaf ears because they’re in their own little world worrying about their own little problem. But the minute you slide a letter across the table saying, all right, so we’re not going to do anything about this because your priority or the company’s priority is their fire, you need to sign this and say, look, I acknowledge this risk, and we’re passing on it in this budget cycle, and we’re going to do it this way. And here’s why. You don’t want to be the I-told-you-so guy. You want everybody involved in making risk decisions. If you’re the only one that’s aware of the risk, you’re utterly failing. You have to share the risk with all the other executives, get their buy-in. And if they don’t buy into getting it fixed, then you say, look, I completely understand. You know, we’ve got other priorities. But here’s a little risk letter that, you know, we need to be able to show that you understand all the risk and we’re willing to forego action on it.
Speaker 0 | 09:00.952
How have people received that in the past?
Speaker 1 | 09:04.675
Oh, it’s terrible. It’s terrible the first time you do that.
Speaker 0 | 09:08.018
Please tell me.
Speaker 1 | 09:09.239
Somebody has to be the mature person. What’s that?
Speaker 0 | 09:12.442
please tell me how they received that the very first time you sent that letter.
Speaker 1 | 09:14.942
Oh, the first time was horrible. The first time was horrible. People don’t like to have their nose rubbed in a risk. Nobody wants to spend money on security. Who wants to spend money on insurance?
Speaker 0 | 09:29.887
What if they say get the hell out of here with a few other expletives and say get this letter out of here? I mean… Oh,
Speaker 1 | 09:34.908
I’ve had that. No, that’s happened. No, that’s happened. Trust me.
Speaker 0 | 09:39.430
But then you can just email the letter as an attachment. You know, I know you guys failed to sign this, but I do want to make sure that this is documented within the Exchange server.
Speaker 1 | 09:51.143
Yeah. I need… I need proof that you have it. And here’s a read receipt you son of a gun. Now, we’ve had some fun with it. We’ve had some fun. But, you know, the…
Speaker 0 | 10:02.420
This meeting is being…
Speaker 1 | 10:04.961
All the boards are being forced to acknowledge security. I mean, look at what ransomware is doing to our country. Look at the… If you just see the news, we are losing the battle. We are… Hacking is an ever-increasing…
Speaker 0 | 10:21.165
It’s because it’s easier to be a hacker. It’s easier. I mean, honestly, it’s easy to be a bad guy.
Speaker 1 | 10:27.469
There’s tons of reasons. You know, in some of my presentations, I give the top 20 reasons. And certainly, you know, grabbing a ransomware kit… there’s a whole ransomware, you know, group of companies focusing on ransomware. There’s call centers set up to, you know, talk people through. There’s people that set up Bitcoin accounts. There’s people that set up, you know, zero-day domains for it. There’s people that sell the code. You know, for a couple thousand bucks, for a couple hundred bucks, actually, you can be in the business, and it’s profitable, you know? There’s people that don’t have good backup. There’s people that don’t patch their servers. There’s people that don’t monitor the attacks that are going on. There’s people that don’t do any training whatsoever. And people that don’t protect their emails, uh, that vector. So, you know, until… you know, once it happens to you, then it’s important. When it’s happening to somebody else, you know, we’re going to try to, you know, skip, you know, putting the appropriate percentage of my IT budget into security. And that’s another big issue. You know, you’re always… you’re lumped into the IT budget, and the whole reporting structure for these information security officers sometimes is really screwed up, with, you know, reporting to legal or reporting to another technology executive when it really could be its own discipline and its own…
Speaker 0 | 11:58.547
A lot of IT directors… I mean, at least in mid-market IT, I find a lot of… There’s not money for a CISO. There’s not money for the correct checks and balances that should be in place. You know, security checked against IT, IT checked against security. Usually it’s, you know, a lot of companies just… We got money for the IT director. So, yeah, it definitely is lumped into the IT budget. And a lot of times they…
Speaker 1 | 12:21.644
Well, that’s when you get a third party in to do an audit to see where there’s weaknesses. That’s when you can get a, you know… the rise of the virtual CISO, where you have somebody that has, you know, very deep experience. You know, you might not necessarily afford him or her full time, but at least get, you know, 10 hours a month, come in and look over things and work in conjunction with the IT professionals and say, hey, you know, let’s do this, you know, and spend a little bit of money here because this is cheap money versus, you know, recovery money is expensive.
Speaker 0 | 12:59.071
Yeah, like a roadmap, get someone to roadmap, come in and roadmap. So talk to me about Cybraics. Why, you know, why are we talking? Why Cybraics over anyone else? Maybe just kind of give me a brief. Sure. Even how we compare against Darktrace. I keep hearing that every day.
Speaker 1 | 13:15.894
I love to compare against. I guess I can use my internal code word. We call them dark traces. I’m unbiased here,
Speaker 0 | 13:25.522
just so you know. I do like this. Go ahead.
Speaker 1 | 13:29.705
We have names for everybody. It’s kind of our little thing. It’s a neat field, and it started for us as a DARPA project. So our founders, whom I’ve been working together with for 20 years because it started down at Terremark.
Speaker 0 | 13:46.557
And before we go there, can you just give me your one-liner real quick? What do you guys do?
Speaker 1 | 13:53.041
We are a log analytic company. We take all the telemetry from all the security tools that you currently have. Firewalls, antivirus, DNS, syslogs, Active Directory logs, web application security logs, all those logs. We send them off to our data lake, and we start to chew on them with a very, very large suite of analytics looking for thousands of different types of behaviors. So the key thing for us is we are not signature-based. We’re not looking for things that have been seen previously. We don’t build correlation rules. We don’t build Boolean, you know, if-then-or-else correlation rules. That’s… every company that’s ever been hacked has a SIEM. Every company that’s ever been hacked has a firewall. So the way we’re doing it with things that are 99.9% efficient is failing us. So with us, our analytics span those log sources and look at the histogram of the attack, build that up into a case, and quickly present that case to the customer so they can remediate it. So the two big metrics that we fix are mean time to detection and mean time to repair. Mean time to detection for us, for the world, is almost 200 days, according to the Verizon breach report. So 200 days having a hacker knock around your network, reading your emails, establishing different C&C connections, encrypting your data and sending it out. We reduced that 200 days down to 200 milliseconds. We see those immediate issues that pop up. The hackers have gone through your firewall. The firewall just doesn’t know that that’s… behavior or analytics be that. Then on the mean time…
Speaker 0 | 15:58.852
Is this kind of like a, um… how is it? Is it learned behavior based on what your end users typically do, type of thing like this?
Speaker 1 | 16:09.438
Yeah, there is a lot of that. There is a, you know, if you’re a database user and all of a sudden now you just query 10,000 records, and you know you’ve only queried 50 per day, something just stands out. It’s always something different, you know. Yeah, we learn those things. We see those things. Um, you know, you’ve never used this port, you’ve never gone to this website, um, your VPN connections have never gone… you’ve never had a connection to China. We… you could write those rules, but it’ll take you months and years to keep writing rules. Our analytics beat rules. Now, the final thought on that is the mean time to repair. Because we’re presenting a case with remediation steps and research and third-party information, and the customers are able to remediate it, we see our customers remediate things in less than a day. So if you use the current pandemic lexicon, we find patient zero quicker. And we inoculate that patient so that it doesn’t spread. The reason why it takes 97 days to remediate is because it spreads throughout the enterprise. It’s spread to more servers and more…
Speaker 0 | 17:32.364
So the average is 97 days. 200 days to detection. Oh,
Speaker 1 | 17:36.325
I’m sorry. 76 days for remediation. Okay. 197 for detection.
Speaker 0 | 17:43.567
Okay. 197. Okay. And less than a day for you guys.
Speaker 1 | 17:49.109
Less than a day. Okay. You catch it quicker. It’s quicker. So now you were asking about Darktrace. Yeah. They have a different approach. They are a full packet analysis type company. So there’s lots of those companies out there. They’re actually a rather advanced one. From what our customers tell us that have used it, you know, they don’t find as many things as we find. You know, our internal tagline is we find stuff that everybody else doesn’t find. That’s what we’re really, really good at. Zero days. And in Darktrace, you know, they’ve got a lot of media attention because they’ve raised tons of money. They’ve got great valuation. They’ve got a lot of customers. They are using machine learning. I truly believe they don’t use artificial intelligence because it’s, you know, the old, the old nerd joke is: if it’s machine learning, it’s written in Python. If it’s artificial intelligence, it’s written in PowerPoint. So not many people are really using artificial intelligence. We’ve tried it. We’ve spent years and tens of millions of dollars trying to, you know, tag data so that it would know, but those efforts fail.
Speaker 0 | 19:14.305
Well, from my understanding, it’s more along that behavior, looking for different behaviors and that sort of thing is what we’re calling AI.
Speaker 1 | 19:24.070
So their approach is full packet. So they need to put equipment, big BC packet analysis equipment, everywhere in the network, which is expensive and capital. You need power and rack and engineering resources. Our approach is much lighter, you know, lighter footprint. All we need is your logs. So whatever your log source is, point it toward a data collector appliance, a real small software piece of code. It forwards and encrypts the logs off to our data lake, and we can be up and running and literally giving value to the customer within a day. You know, the heavy equipment guys take, you know, months or weeks or whatever to get installed, and nobody can afford all the different appliances that they should have. You know, they typically do it on ingress, north-south traffic, and there’s just as much crazy activity going east-west, but not a lot of people monitor that. We can monitor that easily with lower cost approaches and just having that log telemetry sent off to us. So we’re faster to implement, walk deeper, and we provide better results. And we have a run rate right now where we’ve never lost to them. We love horse racing. We love the competition. We’ve got a pretty cool record against them.
Speaker 0 | 20:58.309
What’s keeping IT directors up at night that you guys allow them to sleep more peacefully?
Speaker 1 | 21:05.912
The unknown is really, you know, if you look at the NSS reports, if you read the paper every darn day, there’s something new, some new vector, some new approach, some new vulnerability. And with conventional tools, you know, each one of those tools is its own silo. So you’re not getting like a comprehensive picture of your risk. Each one of those tools is saying, hey, my antivirus, I’m reporting this little problem. Oh, my firewall’s, you know, shooting off all these different alerts. Oh, darn, my DNS system is telling me there’s 10 domains that could be on a black or, you know, hidden blacklist that I see. Yeah, there’s no comprehensive approach. There’s no single dashboard that says, okay, we’re going to take in all these logs, analyze them, and tell you where your risk is in a very, very quick fashion. Traditional SIEMs, you know, name and name, QRadar, Splunk, ArcSight, uh, Arctic Koala, whatever, whatever. Oh, Arctic Wolf, sorry, that’s one of our goofy names. You know, they are conventional. They’re looking at correlation rules and standard rules, and you can’t write enough of them. You can’t find new anomalous behavior by writing a rule for it or having a blacklist on an antivirus system or a firewall. Those are always reactive. When our system finds things, we run those MD5 hashes against VirusTotal. We look at the IP reputation against 23 different blacklists. And guess what? We find that those systems are not seeing what we’re seeing. And then a week later, two weeks later, somebody else reports it, and then it’ll pop up saying, oh, yeah, I’ve seen this test done before. Why?
Speaker 0 | 23:08.509
Why are you seeing things that other people aren’t?
Speaker 1 | 23:10.809
Because somebody else gets that. It’s behavior-based. We don’t rely on IP reputation or domain reputation or a signature that has to be developed after seeing the attack. We see the nature of the attack. We see the behavior of the attack. We see what it’s trying to do. Like, for example, in our syslog analytics, we look to see, you know, for fileless malware, we look to see a PowerShell execution. We look to see a modification of some root file that could be modified. We look at the DNS record that was associated with a query that came from that server. We go back in history and say, oh, this is where this administrator logged out and a new administrator logged in, and this wasn’t a natural, you know, log in, log out. It was somebody that snagged a credential, you know, and they’re logging in from a place that’s never been logged for. We’ll build that all in a case in a few seconds and say, hey, here’s what you got to look at right now. We call it the phone drop moment. You know, we kind of joke around that we’re professional grief counselors because all we do is deliver bad news all day. But the bad news we deliver is we catch it early and catch it before it’s significant. And the customers appreciate that. And that’s why we’ve been, you know, right now we’re in the hockey stick of our growth. So it’s really been a fun ride here, especially the last year.
Speaker 0 | 24:50.793
Give me some case studies or give me some examples, I guess, of phone drop moments.
Speaker 1 | 24:55.678
Sure, sure. Yeah, all day long. You know, we’ve got a lot of oil and gas customers, and we’ve seen, you know, we’ve seen Russian and Chinese actors both trying to do disruption as well as intellectual property theft. We’ve had a shipboard system compromised through some Chinese cameras, and the entire ICS system, the integrated control system that controlled the pumps and the bilges and the engines and the generators, was completely compromised by some Chinese actors, and they had to take 14 ships out of service. Oh, wow. But it prevented loss of life. We’ve had other customers that have had recurring ransomware issues, and they just keep piling on the conventional tools. We’ll come in, and within minutes or hours, we’ll find where the root of the malware is. And in certain cases, we had a financial company where it was on their wire transfer server, and they didn’t want to touch that server, and that was a server that had a credential-stealing malware on it, and they were setting up for an unauthorized wire transfer, which we caught in time. We’ve had hospitals, you know, that notoriously have equipment that they don’t want to patch because it, you know, breaks the application or it breaks the, uh, the FDA certification because it’s modified. So they have older systems that run pat, and instead of having compensating controls on it, they sort of, you know, they’re steep.
So we find malware on x-ray machines and bone density machines and patient monitoring systems that, uh, could easily be… you know, they own the system, so they could do whatever. They could literally kill a patient if they turn the knob and, uh, you know, modify it. So, uh, it goes on and on. We were the very first company to spot, uh, election interference by the Russians. We monitor eight state election commissions, and I know it’s annoying to hear Russian interference every day, but, uh, not only do we hear it, we see it. We have dashboards that monitor, uh, Russian attacks all day long against our election commissions, and, uh, we haven’t had a situation yet that we haven’t seen, that we haven’t been able to, uh, help the customers fix. So, yeah, I love use cases. And it’s about someone that has… if you had, like, an IT director…
Speaker 0 | 27:51.884
…that has a bootstrapped security program or maybe not too many checks and balances in place and is doing what they can, doing their own research, doing the best they can? Any suggestions for them, or how can you help them?
Speaker 1 | 28:10.495
Well, in the case of… put it in the perspective of our platform, you’ve got to… centralize your logging. You have to have some kind of tool because if you’re not going to be proactive like our tool is, at least you’re going to be able to be reactive and be able to forensically look through logs to see what the hell happened. The cool thing about our platform is it’s very inexpensive according to size. Our licensing is by terabytes and… gigs and petabytes per month, whatever your traffic is per month. So for a small IT shop, you know, a couple grand a month is a very reasonable price to pay for all of your logging, all of your compliance reporting, and somebody, you know, our team and/or an MSSP partner, monitoring your environment and telling you exactly what you need to fix right then. So super inexpensive, and you get the benefits of a federal quality level system because half of our customers are still federal. So what we’re providing to the federal government to protect our troops and everything.
Speaker 0 | 29:32.369
So who’s using you? Yeah, so who’s using you? Like biggest names?
Speaker 1 | 29:37.612
Well, a couple that I can say. The Department of Defense uses our system. The last two months, our Cyber Threat Center has sent out three or four notices that have actually gone out to the FBI InfraGard distro list as well as the DHS list. A lot of our federal customers rely on us. We have a lot of state election commissions. We have a number of Fortune 500 companies, as well as the small companies, you know, 50 people in a company. That’s the cool thing. The system scales down really, really to that size. We’ve got insurance companies. We have a lot of banks. We have the… You know, a number of companies that have, you know, HIPAA requirements, HITECH requirements, PCI, you know, they’re looking for, you know… we have our own authority to operate at a high level at NIST 800-53, which is, you know, the highest federal government-specified compliance framework. So, you know,
Speaker 0 | 30:51.348
we’ve got to count on the federal side. So from an IT director standpoint, and doing my best here to remain objective and carrier agnostic and all that, when someone’s looking at a group of various different security products, what can you do for them? How can you help them make a decision, or how can you help them make more of a kind of a non-biased decision without being biased yourself? Do you guys have any kind of, I don’t know, assessment and/or trial period or anything like that that helps people make decisions easier?
Speaker 1 | 31:23.662
Yeah, that’s a great question. So yeah, we could do that. We’ve got a bunch of experienced folks on staff, including me, but we usually bring in a partner. We’ve got a really neat partner environment that has assessments, vulnerability tests. It’s got compliance, framework assessments. They’ll do SAMs. They’ll do the… they’ll do the next, you know, they’ll do a PCI assessment, and that’ll tease out not just product issues or, you know, hey, you need an upgrade, you’ve got crappy old virus, you know, you’ve got to upgrade something to something a newer generation, or you’re using crappy old firewalls and you’ve got to have something that, you know, 10 3 10 4 kind of firewall. That’ll tease out those things easily, but…
Speaker 0 | 32:18.286
So kind of a one-stop shop approach. Is that kind of like a one-stop shop approach from kind of a general planning standpoint?
Speaker 1 | 32:24.309
Yeah, the compliance folks will… yeah, the maturity analysis will tease all that out. Yep. And then you’ll prioritize it and then make sure you can budget for it. And in a lot of cases, our partners will implement those things for them. You know, a lot of times they’re just the auditors or just the compliance folks. And then you go out and pick your vendors, you know, to keep that, to maintain that arm’s length approach. We don’t get into the assessment side of things, but we do all day long. We’ll tell a customer, hey, you’ve got a hygiene issue. You know, you’re not managing your firewalls. Gotcha.
Speaker 0 | 33:10.337
So let’s just do a scenario. Let’s just do a quick scenario, 100 user company, what does it cost to bring you guys in?
Speaker 1 | 33:19.989
Well, we would look at their current environment. We go through about an hour, hour and a half assessment. We have our own little internal… it’s more like a sales qualification process, and I run that group. Okay. I’m also the CISO of the company, so I kind of have my feet in two different areas. It’s kind of fun. So we walk the customer through: hey, what are your current technologies? What are your current challenges? Have you been hacked? How is your patching routine? Are you using any kind of vulnerability assessment tools? Are you using patching tools? Figure out their processes and challenges. And then we’ll come up with the… a nice little recommendation form. And, you know, sometimes, you know, we’ve had customers that are buttoned up tight and there’s not a thing we can do for them, and we shake hands, or at least fist bumps now, you know, in the virus world. But, uh, now we’ll… but in most cases they know they have a weakness, yeah, in, uh, in the logging area, and we’ll say, look, sure, you can buy a SIEM. But with us, you get analytics on top of it, as well as all the acceleration that will help your analysts quickly. You know, the whole thing about us is time, not only detecting an issue, but also remediating it. In every step of our platform, we’re walking the customer through how to do something faster, how to get to the problem faster. Because once they free up… we’ve seen customers free up people, full-time people, from the alert directory. Because alerts coming off systems, typically half of them are false positives. In our case, our false positive rate is about 2%. So a huge reduction in false positives, and then a huge reduction in the case management time. A typical case takes 10, 15 minutes to build. Our system builds that automatically and drops it in your lap. So you can start looking to spend more time with the business and spend more time on other critical things rather than just being an alert monkey.
Because if all you’re dealing with is the car alarm, and the car alarm is, you know, ringing, it’s that constant… the constant false positives, you’re going to ignore it. Yeah. And you’re going to get hit, and it’s going to be in the alarm, it’s going to be in your logs, but you didn’t have time to look at it because you were tired of it. And the other thing is it burns people out. You know, if all you’re doing is scrolling through alerts all day… Yeah, it’s just a security analyst. How long do you want to do that? The grass is going to be greener. You’re going to find some greener grass real quick.
Speaker 0 | 36:34.267
Yeah, yeah, exactly. Before we go, I do need to hear what that was like, arresting the guy that you found that hacked you. Because that just sounds awesome. How’d you pull that one off? Well,
Speaker 1 | 36:48.831
yeah, that one was a… That one was interesting because here I am running an ISP, buying my own business, and I get a call from the Toronto Star newspaper. And the guy there was sharp, sharp as a tack, a badass, you know, Unix administrator. And he says, dude, you are just hacking away at me. And I’m like, what are you talking about? I don’t know. I don’t know who you are. So because I was not a security professional at the time, I called in a good buddy of mine, Frank, who was an elite hacker. And he came in, and within 15 minutes, he goes, wow, this guy’s really good. Not only did he hack you, but he hacked the system so nobody else could hack after him. So I thought that was kind of cool. But the fact that he was interfering with my business… And, you know, my buddy and I actually, you know, found IPs. And this was before, you know, VPN hopping and other obfuscation techniques were really out there like they are now. It was a bit easier. It was a lot easier. You know, he had… it’s almost like he left his email or his business card in the hack. You know, some of the code had evidence. So I worked with the Canadian Mounted Police. And it ended up that he was, uh, uh, he was hacking when he was 17, but by the time I caught him, he was 18. And, uh, you know, I pressed charges, and that’s another thing. Uh, a lot of people don’t go through all that hassle of, you know… it takes time, effort, money.
Speaker 0 | 38:36.878
And most people… It’s like when your bank account is hacked. Your bank account gets hacked. You call Bank of America. You’re like, this is not an authorized charge. What the heck’s going on? 500 bucks. Yep. And no one ever really follows up on anything else. You just get your money back. That’s it.
Speaker 1 | 38:50.689
Well, not people like me. I take that personal.
Speaker 0 | 38:56.013
Yeah. Yeah. No, absolutely. I just think it happens a lot now. I think, I mean, I don’t know.
Speaker 1 | 39:00.277
It happens a lot.
Speaker 0 | 39:01.297
Yeah. It’s,
Speaker 1 | 39:02.919
it’s very hard to trace, but you know, I went to a Kmart one time and said, look, I want to see the tape. Here’s when this transaction was done and I provided the videotape to the police. So I did as much as I could. Oh, nice. I take that personal.
Speaker 0 | 39:24.520
Yeah. Well, sir, if you had any piece of advice or recommendation to any IT leaders out there listening to the show, what would that be?
Speaker 1 | 39:36.848
Well, I did write an e-book with SentinelOne on what to do to either get to be a CISO or, as a CISO, you know, what are the things that need to be a priority? And the way that you advance your career, especially if you’re good technically, and technical is the base you want to really work on: you want to make sure you have your certifications, make sure you have experience in lots of different technologies, not just one. But the key thing, if you want to be successful and hit the top of the game on the security stack and hit a CISO level or director level, is to be involved in the business and understand the company’s business that you’re working for, to the point where you can actually help the business move faster, whether it’s an online ordering system that, you know, there’s a better way to do it or protect it, or to add any fraud mechanisms in the purchasing process, or to, you know, think about how you can protect the business. If you get that reputation and you’re involved at the business level, then you’re going to be successful. Then when you ask for the raise, you’re going to get it. The other thing is you have to provide metrics. You have to show the effectiveness of your program, to where you can show effectiveness changing over time and how you’re influencing the effectiveness of your security program. So if you can’t measure it, you can’t prove it, you can’t get a raise from it. So measure your metrics. Come in to a new organization and say, you know, we’re going to have metrics that monitor our performance, just like you have sales metrics and revenue, and prove it and everything else. Yeah, there are ways to measure security effectiveness, and you have to be able to provide that to the executive. Do
Speaker 0 | 41:42.893
you know, uh, Jeremiah Grossman, by any chance? I do. Okay, yeah, he was on, uh, he was on one of my very first podcasts a couple years ago. Um, it was funny. Yeah, I do a lot of Brazilian jiu-jitsu, so I was like, I wonder if I can just find… that would be cool if we could find someone that’s like a real, kind of just a badass that’s also in security at the same time. So I googled jiu-jitsu and security at the same time, and he came up. So then you see pictures of him rolling with Forrest Griffin and everything, but he’s a great guy. He’s done a lot.
Speaker 1 | 42:14.548
I’m a very good punching bag. I’m not the one doling it out, I’m the one that’s taking it with strung.
Speaker 0 | 42:23.684
Oh, well, Pete, man, it’s been… it has been a pleasure having you on the show. And anyone that wants to install Cybraics, or at least start out with a one hour, one and a half hour assessment where we go through with you and your team… You can certainly… this is… my podcast is going out to obviously my secret email list that not many people know about. I have like a secret IT leadership newsletter. So you guys can just reply to my email, but everyone else can reach out to me on LinkedIn as well, and I will make the connection to Pete. And of course, we can find you on LinkedIn as well. And if you mention, you know, Dissecting Popular IT Nerds, I’m sure you will make sure that they get that one and a half hour assessment.
Speaker 1 | 43:11.949
Happy to help out. And if we can’t help them, we have a big variety of partners that we’ll put in front of that are more than capable of helping out with any facet of security or IT challenge.
Speaker 0 | 43:26.732
Outstanding. Sir, thank you so much for being on the show today and have a wonderful, I guess it’s afternoon now. So have a wonderful afternoon.
Speaker 1 | 43:34.578
Fantastic. Have fun.