Speaker 0 | 00:09.746
So he charges me $69 to drive over to diagnose the problem. And I’m like, well, you know, yeah, it’s clogged. Thanks. You know, clearly it’s clogged. And then believe it or not, on top of the $69, $260 to snake the toilet. I was like, get out of here, man. I was like, I don’t have time to clean this toilet, but I don’t have, I definitely don’t have $260 to snake a toilet where like, I mean, I could take the whole toilet off, go to Home Depot, throw that thing in the garbage can and probably buy another toilet for that. Just put a brand new one on the spot and call it a day. I was like, but I guess you guys are taking, you know, there’s something to be said, I guess, for people that are good at selling plumbing. Um, so anyways, you got no hot water.
Speaker 1 | 00:55.387
No, no, I’m up. I’m a YouTube how to go ahead and how to relight the pilot light in a few minutes.
Speaker 0 | 01:01.172
Okay. So if you don’t have time today, man, it’s totally fine. We can go. Okay. Okay. Okay. So we can, you want to just do the show live right now and go with it. You want me to, you want me to just fire away and ask you a bunch of questions and let you speak to your experience or your expertise. And then if it’s good, we make it into a show. If it’s not good, then we’ll just, you know, we’ll put some bullet points together and talk about a show later on.
Speaker 1 | 01:27.420
I’m not even dressed for it today.
Speaker 0 | 01:30.202
Don’t worry, because it’s an audio-only show. I’m definitely not dressed for it. I never put myself on live.
Speaker 1 | 01:36.727
Oh, sure. Yeah, we can do it.
Speaker 0 | 01:38.028
You want to do it? Okay. Here we go. Welcome, everyone, back to Dissecting Popular IT Nerds. Today we have PhD. Everyone knows what that stands for, right? Poor, hungry doctor. I hope not. Calvin Hobbs. I don’t know what to put down as a title for you. I’ll let you introduce yourself. You tell me what your specialty is. I mean, I know we have security and you’ve got quite a few other shows on kind of like the human factor inside of security and everything, which I think would be an interesting thing to talk about. But I’ll let you introduce yourself, kind of give me your background, maybe how you started off in this technology world. And back when security didn’t matter and no one cared. But I’ll let you introduce yourself.
Speaker 1 | 02:22.656
Oh, thanks, Phil. So how I got started in cybersecurity was I was a Navy cryptologist. And so I was doing what we call information security, cybersecurity in the basement before it was cool to do it, before it was cool to let anybody know what you were doing. And so we started doing cybersecurity and we’re a very small group of people. And I was very fortunate to be in that group. And then as it became more mainstream, as more company was realizing this information security, this cybersecurity thing was becoming more prevalent, then, you know, again, it became a norm. And like it is today, everybody’s doing it today. And so that’s how I got my immersion in the cybersecurity was actually through the intelligence community while I was serving in the U.S. Navy.
Speaker 0 | 03:08.318
Okay, excellent. So what were some of the things that, well, it’s probably classified, but let’s go back even further in time because you said before it was cool. It really wasn’t cool to be in technology back in the day? I would say prior, I’d say around 1995 was like the cutoff point where it was really not cool. But what would you say like, well, back when it was not cool and you were doing it, why were you doing it or how did you get started out? You know, what was your first experience with technology, so to speak?
Speaker 1 | 03:42.574
So initially for me, it started out from the electronic warfare domain. As in the military, we always are looking how can we put effects on another country’s infrastructure and platforms. And so for me, it grew out of that. We was looking at, you know, electronic warfare, you know, is more than just radars and just more than communications. It’s a lot more. And so to be honest with you, cybersecurity kind of is an extension of what we do today from electronic warfare, what we used to do in the military and what we still do in the military.
Speaker 0 | 04:16.405
And for layman people out there speaking, is that hacking? What do we call that? What are we doing? What are we doing to shut people down? Are we, you know, I don’t know, DDoS attacks? What are we doing? What are we doing to shut down other countries?
Speaker 1 | 04:32.187
Well, I don’t want to say that we’re looking to shut down other countries, but…
Speaker 0 | 04:35.028
Or see who’s spying on us, I guess. You know, there’s like, you know, being able to intercept different messages and such. I’m just, you know, I’m just throwing stuff out there. I don’t know if this is actually what we’re doing. You describe to me.
Speaker 1 | 04:45.971
So when I was with the… with the U.S. intelligence community, we was looking at developing what we would call a holistic approach to cybersecurity. I can’t really get into details to that, but it was meaning that we was preparing a military capability that will ensure that the U.S. national security interests, as well as our allies, who are able to conduct those at a very high level, just like we will conduct aviation warfare, air warfare, surface warfare, and submarine warfare.
Speaker 0 | 05:18.085
Okay. And how’d you get stuck in that or choose to be in that?
Speaker 1 | 05:26.100
So I was working in an organization and we were doing it, like I said earlier, we were doing electronic warfare. And then all of a sudden, we just, this capability started growing. As we shifted from our analog platforms to more of an IP-based platform, I mean, just like today, those access points became very important. And we realized that, hey, there might be some opportunities for not only as a warfare capability, but also as… a way that we need to really ensure that we’re protecting our own infrastructure and our own private and public entities.
Speaker 0 | 06:01.480
I guess just to be to be clear, did you always know you wanted to do this?
Speaker 1 | 06:07.703
I was always a tinkerer. I always wanted, I always enjoyed taking things apart and I always wanted to know how things worked and because of that it just, you know, created that that innovative and, you know, mindset, and so even today I’m always thinking, how do things work? Why do they work the way they work? And what does it mean for them to work the way they work? And so I still had that mindset today. And even today, you know, I consider myself to be a cybersecurity professional. I consider myself to be a human factors engineer. And so today I get to bring all of them together because in my current position, I’m the department chair and an associate professor up at the Illinois Institute of Technology for Information Technology Management, where I oversee graduate and undergraduate programs for information technology, cybersecurity, data analysis, digital forensics. So it’s kind of like I’m in my happy spot right now where I get to play around with a lot of everything.
Speaker 0 | 07:02.673
That’s awesome. It’s, I would imagine, a daunting, maybe overwhelming feeling and place to be as a younger person in the wanting to get started in the technology space, potentially picking security and knowing, I guess knowing where to begin isn’t that hard, but knowing where to go and how to apply yourself and get in the door and make your mark could be very difficult. I would imagine. And as someone who’s had experience and made a difference in other organizations, what advice would you give to somebody? You talk a lot about the human factors of burnout or human factors just in general in security. What are some of the things that we could offer up to people out there, maybe in the work world with degrees, with certifications, maybe they went through school and now they’re, what, what do I have to offer that not everyone else with my same degrees and everything else has to offer? What can you, what can we give them? How can they make an impact in the real world? Kind of some of that knowledge that might not actually get taught in school. What would you, what would you say are some of those things that they can go in and ask questions they can ask in an organization or things that they can look for that would make a difference for them? Does that make, is that a clear question? Is that too in-depth?
Speaker 1 | 08:35.186
Yeah, it’s a lot, but let me unpack it. You mentioned a word there, apply, right? And so in our program field, we realize there’s a lot of people graduating with degrees in cybersecurity, IT, information security, digital parameters, and these people are sitting on the sidelines not being able to play. Those companies are, you know, just not hiring them because they lack the experience. What we’ve done at Illinois Tech, we made our programs extremely applied-based. What does that mean? That means they spend a lot of time in the labs with hands-on experience. This program is a really technological or technical program that requires some really advanced level skills because we don’t want our students sitting on the sidelines. We want to teach them to do what they’re going to be doing, what they came to school to do. The second thing is that nowadays with the Internet, there’s so many free resources out there. Even for me, I’ll be honest with you, my… I’m pretty old at this point, but I still love to just learn different approaches. I use free resources. I get books. I learn things. I try to look at some of the different languages and how they apply today. And it helps keep me fresh. And I encourage everybody who’s really interested in cyber, who’s there, to be the same. Go out and leverage some of these free resources. Go out and look how you can become better at what you do. Build your own personal labs. Build your own portfolios on everything that you’re doing. And be able to demonstrate those skills to future employees, to employers, because that’s so important.
Speaker 0 | 10:14.550
Explain that your own personal labs thing, please. Because I’ve never heard someone say that before. Build your own personal labs. I want to hear that. I want to know what you mean.
Speaker 1 | 10:23.315
So I’ll be honest with you. I don’t have a personal lab built now because I just, I’ve only been in Chicago about six months. But when I was in Maryland, I had some old laptops sitting around. And I just keep, you know, people kept talking about Linux and all these different things. And I said, you know, I’m going to try this out. So I took Linux and I built a installed Linux operating system on my device. And then I started on a couple more devices. And I connected all these devices together. So I essentially built my own personal lab. And then I was running all kind of tests and all kind of operations and doing things to these systems that I basically refurbished with Linux. And it just gave me a better perspective of how things really work. Even though I had a significant experience in doing this, it’s still good to do it over again and over and over again because it helps make you more proficient. And that’s the thing about it. You could build your own personal network and you can even make it virtual. You can have the old Linux machines that I talked about and just gain so much more experience. And then on top of that, there’s a ton of YouTube videos of cybersecurity professionals and cybersecurity engineers just showing you how the different tools work and how to employ them and how to get good use out of them. And so it’s so much that people can learn today. And I think, you know, we got to take advantage of that. And Phil, and real quick, the third thing here is we have got to understand that there is no such thing as people having all the skills that you want them to have when you’re trying to hire them. We need to start hiring people on their abilities and we need to start to hire them on what they can do and how we can project how that person is going to be able to fit into our organization. There is nobody that’s 100% ready around for every organization. It doesn’t exist.
Speaker 0 | 12:15.669
That’s a good point. Maybe give me a little more detail on that. In other words, what you’re saying is hire someone that has the ability, or demonstrable, demonstrable ability to have, I don’t know if creative mindset’s the right mindset, flexibility, ability, trust factor. In other words, they’re smart, they have character. And when I say trust, I mean, you trust their level of intelligence, I guess, to… so-called build the lab, but it’s not really the lab, but it’s really build the security solution that is needed for that individual unique business. In other words, you’re never going to find someone that’s already fully prepared and built around your business. Is that correct?
Speaker 1 | 13:08.058
Yeah, I find that to be the case. I found that a lot of these individuals who are looking to get into cybersecurity, they have the degrees, they have the certifications. And my thing I tell people, let’s not put certifications against cybersecurity degrees because we have so many job vacancies. We need everybody and some.
Speaker 0 | 13:28.068
Really?
Speaker 1 | 13:28.329
They’re showing the initiative to get a certification or to get a degree, guess what? They show that they have the aptitude to be a part of the cybersecurity field. And so we need to look at ways to get these people into the seat so they can do the jobs and stop trying to find the perfect candidate. The perfect candidate is somebody who have shown the aptitude, who have the intelligence, and who have the drive to do the job.
Speaker 0 | 13:56.227
So you said there’s a lot of job vacancies. I kind of had this perception that maybe there wasn’t in the security field. I kind of had this perception that there’s like the mass, like cybersecurity is this thing now that so many people. When I see cyber scare, I just see this, these droves of people trying to get into security. It’s not like you said, back in the day, it wasn’t cool, but now it is cool. And there’s droves of people wanting to get into this. And I didn’t know that there was so many job vacancies. Like, where are we getting that? Is there, I mean, where, where is that coming from? Where’s that information coming from?
Speaker 1 | 14:34.094
It’s always been there. I mean, even for the last few years, when I first started tracking this, by the way, two or three years ago, at the time, there was at least 300,000 job vacancies in the United States and about 1.5 million job vacancies globally. And so the jobs, I work in government and I work in, and in the corporate sector, and I can tell you, there were shortages. And you felt that shortage every day because you’re trying to do so much with so less.
Speaker 0 | 15:09.324
Back to the labs thing, because I find this fascinating. And I think it could be maybe a way to stand out from the rest of the crowd. Someone trying to find a job in security or grow a position in security or maybe grow inside or externally into a different company, would you suggest, would it not be a bad idea to make a lab that kind of mimics the industry or job that you would want to get into so that you could demonstrate some level of understanding success prior to even going in for a job interview or applying in a company?
Speaker 1 | 15:52.879
Absolutely. I used to sit on several hiring boards. And one of the things, you know, just asking, you know, the candidate, what are some things you do in your free time? And I was really amazed at how many of them were like they had their own labs. They were writing applications on their own. They were doing things above and beyond to not only to enhance their skills to be to be employable, but also to venture out more into the field because security is a huge domain and it’s only getting bigger, right? My thing is when you show that you have the tenacity to learn and that you’re really passionate about the field, that’s a plus for me because the one thing about it is most of us know it. When we think about cybersecurity, it’s not what we see on TV. It’s not the cool stuff they show on TV, all the code happening really fast. It’s a lot of more monotonous work. We have to be honest about that and let people know. And so by people developing their own labs and building applications and just going out and testing different tools, their own virtual networks, they see that, you know, this is not the kind of work things I see happening on TV. But this is something that really has my interest and I want to pursue.
Speaker 0 | 17:08.896
I guess you could also do some penetration testing on the organization you want to get a job at. I remember Jeremiah Grossman, who is now the CEO at Bit Discovery, but he got his job at Yahoo back in the day in 1999. He got his job by basically hacking into them and saying, hey, by the way, I just want to let you know I found this weakness. I think he hacked into some email account. I can’t remember what it is. He basically hacked his own account and found his own weakness and then sent him anonymously, hey, I just want to let you know that this exists because he sent it anonymously because he’s probably like, hey, you broke into our account. And then they, okay, we understand that you want to remain anonymous, but we want to send you a t-shirt and some stuff as a way of saying thank you. Can we know who you are? And then he ended up getting hired as the information security officer for Yahoo. So I don’t know. I’m just saying like, hey, by the way, I found a complete weakness and breach in your security. Here it is. Maybe you can give me a job. Sounds like a… Might be a nice tactic.
Speaker 1 | 18:15.603
I’ll be honest. I can’t say go out and just, you know, hack somebody. But I would say if you’re really savvy, you’ve got really good skills, be a part of the bug bounty program, right?
Speaker 0 | 18:26.566
What’s this? Say that again.
Speaker 1 | 18:29.407
I would never tell anyone to go out and hack somebody. But I would tell them if you’re really savvy and you’ve got really strong skills, go out and join the bug bounty program where companies pay you money to find weaknesses in their code, weaknesses in their code, in some of the infrastructure, you know, because that’s how…
Speaker 0 | 18:46.796
What is it? The Bug Bounty? Wait, how do we spell that? What is it called again?
Speaker 1 | 18:50.057
It’s a B-U-G. Yep. B-O-U-N-T-Y.
Speaker 0 | 18:54.619
Bug Bounty. Okay. That’s what I thought it was. Bug Bounty Program. Never heard of that. Right. I’m pretty stuck in networking and IT, you know, I don’t do too much security. So forgive me. Bug Bounty Program. Okay. It’s a great idea.
Speaker 1 | 19:07.264
Some people are really good at this and they make a lot of money doing it. So this is what I tell people, you know. Get involved in things like this to help showcase what your skills and how you could be useful to an organization.
Speaker 0 | 19:20.597
I noticed that you write a lot about the human factor. This seems to be, and everyone says, obviously, the weakest point in security is always going to be humans or even people that might just say, hey, I don’t care, or et cetera. But what is it about the human factor? Is there a top three? Is there a top three human factors we need to look out for? Like the disgruntled employee who doesn’t care. What do we look out? When it comes to the human factor, what’s maybe some of the ways to simplify this, dumb it down, rather than just say, hey, humans do crazy things and they’re going to be your weakness and you need to train them and make them aware and do quizzes and this type of stuff. Is there a simpler way to break this down or some other things that may or not, may not be normally talked about or something that’s not so cliche? You know, like… Humans are the factor in security. Okay, we know that. But… Can we break it down a little bit more? Or is there something that’s maybe more mind-blowing or a way to make it stick more for people that everyone knows that? Does that make sense?
Speaker 1 | 20:28.713
Yes, absolutely. Let me start off first, Phil, by just saying, you know, what we see in cybersecurity today, when people talk about human factors, they talk about the working definition. I call it the working definition of human factors, and that is human errors, poor security behavior, people being non-compliant, and people doing things to actually increase risk for their organization. Some of it’s malicious, some of it’s not. And so that’s the working definition. What I talk about in my writing, in my research, I talk about the scientific definition. So human factors as a scientific discipline has existed for over 80 years in the United States. It grew out of military aviation. And so the basic definition of human factors as a scientific discipline, it is a scientific approach to improve the systems, processes, and technologies in which people interact with. That is the very basic definition.
Speaker 0 | 21:23.776
Say that one more time. Say that one more time. Only because I’m taking notes and there’s a few things that stand out there.
Speaker 1 | 21:30.639
Okay. So the basic definition of human factors as a scientific discipline is a scientific approach to improve humans’ interaction with systems, technologies and processes. And so the goal we’re trying to achieve with human factors as a scientific discipline, we’re trying to improve human performance. And so we’ve seen human factors be an extremely effective…
Speaker 0 | 22:03.262
I think we finally found the link between security and IT. Yes. I think we finally found… the link of how we can all get along because that’s the goal of technology, right?
Speaker 1 | 22:16.971
Yes.
Speaker 0 | 22:17.691
The goal of technology is to simplify and make people’s jobs easier. It’s to aid humans. It’s a tool. It’s not something that’s supposed to, you know, I, my, my, my wife came in five minutes before my first meeting this morning. She’s like, the kids wiped their computers. And you know, I’ve got to, I’m like, look, I’m not the, I’m not the family IT guy, which is, that’s just me denying the fact that I am. And I’ve got, well, let’s see. One child is married now. So I guess we can’t count her anymore. And one’s like three years old. So we can’t count him. He’s not on the network yet. But the other six kids and all of their, you know, all of the endpoints, all of my endpoints and end users, so to speak, are. And I realized at that point that she was having a difficult time doing her job as the principal, homeschooler, all of the above, ability to balance tasks and do the other three things. And I saw someone that was just so frustrated using a piece of technology. I was like, look, just re-log back in and use their Gmail, email, log back in, rebuild this. It’s simple, blah, blah, blah, blah. And at that moment, I realized, I really did realize what… I guess the IT department feels like. From a home perspective, you’ve got an end user that’s super frustrated. You’re like, look, it’s not that. Calm down. It’s not that complicated. Relax. Have some patience. But anyways, that’s from the IT perspective. You’re saying the same thing, but from a security perspective. How do we improve human interactions with systems and technology that makes it better while making it secure? So how do we link in the security piece?
Speaker 1 | 24:10.582
So one of the things that you hear a lot of people talking about is through design. How do we design better systems? Because we know that the number one place where people struggle the most is their interaction with their system. And that is also the area that hackers and cyber criminals target the most.
Speaker 0 | 24:30.648
I love it. Sounds so simple. But we’re breaking it down real good here. It sounds so simple because if the design is bad and the human interaction is frustrated and they’re going to do something to violate that security piece just because the design is bad and they need to get to what they’re doing fast, then boom, there’s the weakness, right?
Speaker 1 | 24:53.224
Phil, I would tell you this also, Phil. Think about it. Most people don’t get up in the morning and say, I’m going to go to work and I’m going to cause a human error that caused my company to deal with it, a major cybersecurity incident. That’s not the case. Most of my employees get up in the morning and say, I’m going to go to work and I’m going to have a home run day. I’m going to hit home run after home run. That’s their intent because they come to work with good intentions to do great things. Now, you know as well as I know, Phil, cybersecurity, information technology has become extremely complex today. And the last thing that we really consider when we build our system is the human element. And so we build our system, we implement our policies, we develop our processes, and then we tell the humans, now go strap all that on and do your job. And so we make them more vulnerable by not having a human-centered approach to this thing. And what I mean by human-centered approach is you design from the human element out, not from the technology piece out. Right now, we are a technologically-centric organization, and that has some vulnerabilities because technology-led cycles, which we see right now, are good, and they give you a short-term relief. But long-term, what happens, you have to… the human performance degradation sets in, and that lead us to more human errors and make the company, and put the company in more risk.
Speaker 0 | 26:31.624
My brain is flooded right now with solutions for issues. You literally just made me think of an instance of an easy solution to a complicated problem that I have, from the, by starting with the human piece, by going to…
Speaker 1 | 26:46.244
Let me say this, Phil. The biggest problem, and I just, I’m writing an article for this, for the cybersecurity magazine right now. And I’m calling it the Dunning-Kruger effect of cybersecurity. You know exactly where I’m going with this. We have senior leaders who are in key positions who think they know more about the human factor than they really let on. Because remember, I gave you the definition, the working definition of human factor. The working definition of human factors is not going to get you the same result as having a scientific approach to our human factors. And so that Dunning-Kruger effect is real because there’s a real knowledge gap. And so we have a lot of technology and security executives who don’t really understand human factors or accept human factors as a scientific discipline. And so we still struggle with that. We prefer to use technology rather than looking at the human element and finding ways to reduce the high friction points for the human worker.
Speaker 0 | 27:46.549
I mean, for the employees. The, the other thing is, is humans are so different, yes, but there’s gotta, we’ve gotta be able to at least, at least pigeonhole them into like four or five different categories. We’ve got unorganized human being, we’ve got someone like me with a million things all over their desktop, and, uh, I don’t know, where are we at today? Because I know that there’s some people that manage a zero inbox. I’m not one of them. I have 69,623 unread emails. So there’s those people, and then there’s the zero inbox people, and then there’s the different type of people that just operate differently and how are the systems going to support them. I’m assuming that that’s got to be a factor that comes into play.
Speaker 1 | 28:36.086
Let me say this, Phil. Companies hardly ever use any type of scientific approach when they use technology. They buy technology based on the risk and the threat and what they need. Last thing they really consider is the human element. But what you’re talking about is when you say four or five people put them in boxes, you’re talking about personas. How do we take a look at different personas and say, I know that Phil is going to have 69,000 email in his inbox. So how do I develop security around somebody and that persona? Then you might say, man, that Dave over here, Dave has no email in his inbox. And so how do I manage that persona? And then you might have somebody who might got 10,000 emails and they send 30 emails out of the company and get 80 emails in a day. How do you manage that persona? So it’s hard to establish that in cybersecurity because the human factors engineer is nowhere in the picture. We’re not there. People don’t value the human factors engineer the same way we value the cybersecurity engineer, the network engineer, or the software engineer. And that is part of that knowledge gap that I’m talking about.
Speaker 0 | 29:51.533
Well, you just mentioned a bunch of other categories. Doesn’t one fall into all of those? Doesn’t the human factor fall into all of those or no?
Speaker 1 | 29:59.837
Each field is different, but the discipline of human factors apply to almost everything we do. Like when you get up in the morning and you say, I got a call, I got to go, I’m driving into the office. Let’s say you’re working five miles away. You got to drive to the office. You leave 30 minutes in advance just to get to work on time. Let’s say by chance you woke up late and you say, I got a call at nine. It’s now 840. You know that you’re going to be in a hurry. You’re going to probably have to speed to get to work on time. So human factors can apply to everything we do. And we’ve seen it applied in aviation. We’ve seen it applied in medicine. We’ve seen it applied in nuclear energy and nuclear power. We’ve seen it apply in like mining operations.
Speaker 0 | 30:44.549
Let me get this straight. Why don’t we apply this in some of these jobs where it’s, and I’m just, this is just me ranting for a second, uh, because I come from a family of doctors and my brother’s, uh, he’s actually the fire chief, actually, in the, in the town as well. So almost all of us are doctors but except for me and my brother. And why do they work humans 12-hour shifts then? 10, 12-hour shifts. Because they, is this because they’re not taking the human factor first? How can you expect a nurse or someone to do their job well or, I don’t even know if I want to open up this can of worms, but I don’t know, law enforcement. How do we expect someone to think and operate under really highly stressful situations when they’ve been up for 10 hours, 12 hours? Or operate or a doctor or take someone’s blood or numerous other factors. When you mentioned aviation, uh, obviously we had crazy guy that wanted to crash the JetBlue plane, and, uh, one of my colleagues was the guy that wrestled the guy on the ground years ago. I don’t know if you remember that, where they had to do an emergency landing in Vegas. But, um, like, because the guy had done a bunch of plane flights, being up for like 12 hours, and he had some kind of weird psychosis or something because he had been up for so long, and he was telling everyone they’re going to meet their creator today and try and crash the plane. But is this some of the things that we’re talking about?
Speaker 1 | 32:13.696
Absolutely. So the one thing we struggle with and what we don’t really understand is that every occupation has what I call cognitively demanding tasks and functions, and some of them have low cognitively tasks. And so as a manager, you have to understand what tasks are more cognitively intensive and which tasks are low level and monotonous. Because if somebody’s doing low level and monotonous tasks, they are not burning through their cognitive capability. When you have somebody that’s constantly burning through their cognitive capabilities, you’re going to get less out of them doing other things. They are burning everything they got. They’re intensely focused on the issue at hand. Like in aviation, if you ask a commercial pilot, they will tell you they have two to three phases of critical flight. Takeoff, landing, and if they have an in-flight emergency. If you ask a cybersecurity professional, what are your critical phases of operation? They couldn’t tell you. Whoa. Think about it. We have not taken the time to really define our domain the way it really needs to be defined.
Speaker 0 | 33:26.420
What are your critical, what’s the technical term again? What are your critical phases or what is it again?
Speaker 1 | 33:31.001
Critical phases of operations. That’s being when the risk is high, you’re doing something that is really critical. And if there’s a misstep, it could lead to something very catastrophic.
Speaker 0 | 33:43.534
Oh, I love it. And if you add that word catastrophic in there, it really makes it sound more. I use this, I joke around all the time because I do a lot of jujitsu. And if anyone knows anything about jujitsu or the UFC or anything, they’re going to know who John Danaher is. And he’s this kind of like Australian accent guy, right? He could be teaching a very, very simple thing that you would learn in any other class and your teacher would just describe it normally and you’d be fine. But when he describes it, he would say, now, if you put your arm here, this could happen. It would be catastrophic. Which adds the, this idea is, yeah, this is game changing. The idea that in cybersecurity, people don’t know their critical phases of operation or operations. That’s where their risk is high versus low, not really just kind of coming in. So you’re saying people just kind of come in and they batch everything into one kind of category called security and I’m just doing my job?
Speaker 1 | 34:43.357
I will be honest. I think what it is, Phil, is that we don’t really understand the human domain the way we think we do. Because remember, like I said earlier, you know, we try to, we, when we try to understand the human element, the human behavior, we don’t have the right people in the room. I call it the bus mechanic repairing the airplane engine analogy. Right. So you can’t take a software engineer, a computer scientist or information security analyst and say, you know, talk to me about, you know, how to reduce the high friction points of human behavior, how to redesign our system. They haven’t had the training to do it.
Speaker 0 | 35:23.480
It’s almost like we need another job title and a whole nother piece of person in the industry.
Speaker 1 | 35:28.222
Phil, I’ve been saying that for the last five years and people have been laughing me off the stage. All I’m trying to get people to do is integrate the human factor professional into cybersecurity so they can help understand the high friction points of what drives human error.
Speaker 0 | 35:44.389
What are we going to call this title? What are we going to call this person?
Speaker 1 | 35:47.871
They already have a job title. They’re human factors engineers.
Speaker 0 | 35:50.674
Human factors engineers. Sir, it has been an absolute pleasure having you on the show. This is very mind-blowing. If you had one final message or anything out there to say to anyone about this human factor engineer or whatever it is, what would that be?
Speaker 1 | 36:05.966
I would tell the decision makers, the business decision makers, to think seriously about partnering and looking into the human factors engineer position and integrating that position into your cybersecurity operations. Because you got to understand, if you got a software engineering problem, you go find a software engineer professional to do the job. If you got a network engineering issue, you go find a network engineer to resolve a problem. Quit trying to find people who don’t have the expertise to resolve your human factors problem. They can’t do it. And we got to start thinking highly and be more appreciative of the human factors as a scientific discipline.
Speaker 0 | 36:45.759
It’s outstanding. Very mind-blowing. Sir, thank you so much for being on the show. Very much appreciate it. And, you know, all my best to you in the future and making this human factor engineer, like, you know, something that’s more in the forefront in the future. And thank you so much for everything that you give back.
Speaker 1 | 37:07.388
Hey, thanks, Phil. It’s been great. And thank you for having me on your show.
Speaker 0 | 37:12.278
Thank you, sir. Take care.