Welcome, everybody, to the sealed security podcast. My name is Justin Liebling, and I'm joined by Rick Yocum and Joe Wynne. We're glad to have you here. We're doing a little bit different format where we're doing more conversational base in around interesting security topics while having a little sip of some good refreshments and everything. So with this type of format, what we're aiming to do is just get into, you know, good discussions, maybe some arguments along the way.
We're also looking to kind of learn. Some of us would be more familiar than others on certain topics. But no matter what, we're just looking to have a really good conversation, and we've been friends for many years and everything. So it's been quite a while. So, but to start off with, I figured what we'd do is just kind of introduce ourselves.
Since this is episode 1, we'll go through and just give a little bit of background and history and just start from there. Rick, you wanna start us off? Sure. So, hey, guys. It's great introducing myself to you. I know. But I'm Rick Yocum.
Yeah. So I've been doing security and compliance stuff for, like, 20 ish years. Okay. I actually, started the my the high school I went to hired me to do computer stuff, which was pretty cool.
After you hacked them.
Wow. There's a little bit. A little bit. I think there was a bit of, hey. This kid likes computers. Let's harness this energy towards something less destructive than breaking everything.
Isn't that all the boys? Like, you have to direct them to something worthwhile. Yeah.
So there was a little bit of shenanigans upfront, and then a lot of me stopping other people's shenanigans. That's cool. So yeah. And then went to Duquesne. Did kinda like a combo IT business degrees. After that worked for Deloitte for a handful years, both on the audit side and then on the kind of security consulting side.
Okay. Then I moved to Del Monte where I worked with that security program for probably 5 or 6 years. Fast forward to the federal home mortgage bank system doing compliance stuff for a year. Then global GRC director for Black Box Network Services for a handful of years. And then my good friend, I don't know if you know him, Justin Liebling, introduced me to this company called TrustedSec and that's where I am today.
Okay. Great. Yeah. Joe, you wanna go?
Yeah. Absolutely. So, I too went to Duquesne, and we've been friends
with the community right now. Yeah.
Yeah. We'll get in that later when we hit the topic of, you're
right here. Right.
So, yeah, I've, I currently run a cybersecurity engineering firm. And Yeah. That's not
No. We'll get to that.
Yeah. And and
but years ago, I've always kinda when I was a kid, it was like, you know, I want to have a company. But did I really even know what that meant? I had no idea. And so I went through everything and had an affinity for computers in in middle school and high school as well. I remember one time I was sitting there writing this stuff on a piece of paper and my 8th grade teacher came over and asked me what I I was doing.
And I was writing BASIC code by hand so I could later go home and type it in on my Texas Instruments TI-99/4A. And I was just gonna draw a picture of, like, a Santa Claus. So I still remember that. And so that kind of was like my first having fun with figuring out that I really enjoy computer stuff. That's a cool memory. And I always liked the idea of, like, spy movies and making things do what you don't want to do, like lock picking.
You open it up without a key and all this stuff. So I always enjoyed that and got into high school, just kept learning more and more about computer stuff. Went to Duquesne for I wasn't gonna go for computer science, but I was gonna go for physics and engineering eventually and ended up having my, yeah, my, my comp sci teacher for one of my classes talked me into switching over because I was, you know, I would I took to it. I'm not a coder now, but I did okay then. Mhmm.
So I just started working while in Duquesne for a for the computer department. And all kinds of cool stuff you can figure out on campus and also opportunities to make things work in the way they shouldn't work. So, you know, hypothetically, you can even pipe a microphone from a computer on one side of campus to the speaker of 1 another side of campus. So
I remember working in the computer labs at Duquesne. A lot of opportunities to both do and shut down shenanigans that
you do. Yeah.
So that
was, that was cool. So I got out of Duquesne, got a job and I worked there for, like, 20 years. Kinda went up through the ranks of being on the help desk to doing sysadmin stuff.
That's what we do. Rebate admin stuff. Yeah.
Yeah. Eventually. And, that was I was probably there for, like, 10 years by that time.
Yeah. Probably. Yeah.
And so, but nobody was there didn't even have, like, a specialized security department. It was just something people did Yeah. The best they could. And so things have come along, and eventually I was able to, create a one man shop and move out of, like, traditional IT into still an IT, but it was a security department. Yeah. And then was able to grow that up. Sarbanes Oxley was the trigger for them, the one to invest in it. So then eventually, you know, got a
If that's security time the rigor that we have to go through today for regulation and compliance.
Right. At the time, it was it was a Peter of pitchforks and fire.
Right? Absolutely. And and that stuff was crazy back then, but there was no, like, control frameworks that people were trying to intentionally follow.
Yeah. Yeah. So standard like like what are these
access control reviews? I have no idea.
Right. Yeah. An audit meant, you know, a deep audit meant Andersen Consulting coming in and running some stuff on your Novell server. I remember that.
I'm like, why
are we paying this much money? How do we do this ourselves? Let's just do this. Right. And so anyway, so that's how, you know, kinda got into official security and then kinda grew up from there. And after working there for a while, got recruited away, went to another company for a year, and kinda started thinking back about how I always wanted to start a company.
Yeah.
And, like, what am I gonna do? How am I gonna do this? And so the, you know, the piece I had to figure out is, well, how do I leave and also go do that and get it started? And I started a company called WinSecure. It was just me. And then name. Yeah. That's
a really good name.
And, and then eventually, we, I met up with my cofounder John Ziola, and we formed CISO. And I met him during BSides Pittsburgh organization meetings. And so, which which you're on now.
Yeah. Yeah.
And anyway, so long story shorter as, kinda always always doing something security related Yeah. And finally got into leadership and then wanted to really bring that to other companies and companies that can't afford the luxury I had of being able to build a, you know, dozen people or so team. And that was a lot of fun. So now we can do that for lots of companies that just can't do it.
Yeah. And then you don't have the all the politics above you to do some of the stuff. You still have to report to the customer, but sometimes it's a little less on, like, if you think it's the right way, you just kinda
And sometimes, sometimes you don't have customers anymore, that you choose to hire.
Right. Exactly.
And you
go find a voice. So So alright. My turn. So, yeah, so I started off I think tinkering in around, high school. So, my dad actually started up an ISP.
He was the first one here in north of Pittsburgh called FYI Networks, and I remember he turned our garage into basically an Internet service provider hub. We had a T1 line in 1992 coming into our house, you know, kind of thing, when everybody was hearing modems. So, like, we had this T1 line coming in, and it was blazing fast. There really wasn't stuff out on the internet, but it was really fast, you know, for us, that 1.44 megabytes, you know, type of thing. But, yeah, he, he set up an Internet service provider right at our house, and it was really exciting to actually see him kind of start that, grow that, get a little you know, he got a lien on the house, a loan to, you know, do this thing and everything.
And it was really cool. I remember, you know, we had 10 modems at first, you know, and he started off, you know, remembering being so excited when first one came in, like, we have one customer dialed in. That's everything. And within, I think, months, it got to, we have one open. Nope.
It's, it's a good it's gone. And it was always that battle of expanding, and then over all the modem wars, you know, like the the V.90, the X52, you know, all the there were different models and depending on who, like, was it Dell or, you know, Compaq. They had different modems that they sold.
So this was a T1 of phone lines, not a T1 of network or Yeah.
T1 was a direct line coming in, but it was 1.44 megabytes. I think it was the speed and everything. It was a direct line, you know, with that. But we were serving customers through modem, so they were dialing in through their POTS lines Oh, to connect. To get out. And then the pipe out was that T1 line, and everything. So but we've got to obviously be on the T1 line. Yeah.
All those phone lines plus the T1 line. Exactly. Okay.
Yep. Yep. But, yeah, it was really cool. It definitely left an impression on me. Just, you know, the, you know, the successes and struggles that having your own company and everything.
I I remember sitting in we didn't have AC until I was like 16, 17 years old, and remember the first few months they didn't have like a machine to do letters. So we were all there licking, you know, the envelopes to put all the bills in to all the customers. Family mail room. Oh, yeah. It was it was child labor at its best, type of thing, and we're just all pouring down sweat. We could have probably just used our sweat to, like, seal it.
There you go. So youwarbill.com? Newwarbill.com.
Yeah. Exactly. Right? But yeah. So, and out of high school, like, I had some programming classes like C++ actually, Mars Area High School had that, growing up and everything.
And I went to intern that company, but didn't go to college. I went to intern a company and they're like, oh, yeah, you're pretty good, like, with this. And they offered me a job, you know, with that. And I still remember I had the letter somewhere. It was like $22 a year, like, was my first salary job, and I was so excited.
A 1000000, zillion dollars. Yeah. I'm like, yeah, right. That's I forget what the hourly rate was, but it was a little bit above what I was making at that point. But now I'm looking at that like $22.
I'm not sure I'd do a project for it enough. But, yeah, so and kind of went up through programming, but it was around 2002. You know, I was basically doing some introspection on like whatever I want to do, you know, like I'm doing this programming job. And I really like security because it's the constant challenge of it, you know, just that kind of it's not you do it once and done. It's always trying to keep up with the bad guys and all that stuff and everything.
So, I decided to go then make a switch to, security, and I had that decision, like, do I go to college or go to a certification route? And I decided to go the certification route. 1, it's faster and cheaper, you know, type of thing, but also it was less time. So, I was like, well, I won't waste anything doing this. And I got my CEH and my CIS, you know, way back in the day and then went into consulting a little bit at that first and then came back and I did GRC at Diebold.
I ran the security program at giftcards.com before they got sold off, and then went to TrustedSec, because I'm good friends with Dave Kenny, and he needed somebody from, you know, the PCI, GRC world and everything at the time. Only Alex Hammerstone was, there. It was great. I was there, I don't know, 5 years or something like that. I have to look at LinkedIn, you know, to figure out his history. Yeah. Yeah. Yeah. Same. But yeah, and then a few years ago, I wanted to kind of break on my own.
You know, I started up at PISQI. I really wanted to bring kind of the GRC tooling market to small to midsize organizations. It's been way longer than what I wanted it, to be. Just trying to struggle your, you know, do the consulting and the development because I've had some developers here and there, but it's still, you know, a lot on my shoulders and everything. Sure. But yeah, that's where I'm at today, doing some consulting, helping customers out, and it is what it is.
That's awesome. Yeah.
So why don't we dive into some topics here?
Well, I know we're gonna talk about one topic, but you brought something up in your intro. So maybe we just switch right to that. And it's the career. Is college worth it? Wanna hop into that one first?
Sure. No. No? Okay. Slightly biased into this, but there are so many topics nowadays that you really don't need a college degree on.
You honestly need more of an apprenticeship into it to like, you still need the experience and the actual real world with that. And even like, I've hired several college graduates and they come to like work for me and I almost have to retrain them, you know, to get to learn what the job is and everything. I remember specifically, I think it was from Pitt, I heard somebody and one of my questions from an interview is tell me what you think the biggest threat to organizations are right now from just a holistic perspective, and it's meant to be an open ended question just to see where their mind at. And I forget when this was late like, it was, like, 2015, 2014, 2015, and he answered, slammer worm like worms and everything. I'm, like, worms?
Like like, what do you mean worms? So, like, that's, like, mid 2000. It's like, oh, we just learned about them in school. I'm like, really? Like, that's not a thing anymore.
So that wasn't the right answer.
Yeah. Yeah. In an open ended nothing's wrong answer, that was wrong.
No wrong answers, but there are some not great
answers. Yeah. But it just goes to show the curriculum was way outdated from that. So, you almost have to kind of retrain. It's like, hey, the email is a bigger threat than, you know, than, you know, than any worm nowadays, you know, type of thing.
And we should talk about threats later and what the biggest ones are.
Oh, okay. Let's go
back to arms. Yes. So so it's so with respect to college or jump right into it, what's some pros for going to college?
So I think there are some, academic learning that you have to do to go through that. So you can't get out of college to become a lawyer. You can't get out of college to become a doctor. Those are licensed things that require degrees into that. Now, you could do an argument of whether a degree is actually, you know, word like you need a degree to actually do that.
Like I've made the argument before that like a general MD, like your local office and everything like that, that could be an apprenticeship. Like what do they do? They go through like my throat hurts. Okay. I'll swab you and throw it in a test, and, yeah, you got strep. You know? So doctor prescribed whatever. You know? Or something really hurts, let me refer you to a specialist. Like, that's all they're doing. And you can
do that on video call now.
Yeah. It's probably They're essentially an operator.
It's probably just a, you know, a deep fake It's just AI? AI now doing
it too.
You have to go
through a doctor.
Right. Yeah.
And and so I guess, you know, into that context there, you know, you can have an argument whether it is you know, that's required, but you need that.
It's legally required now.
Exactly. You need
it that kind of level of training.
Right. Right. Now Obviously, you know, somebody going into open heart surgery, like, they better have training at the Wazoo, you know, type of thing. I'm not putting myself on the table. You know?
But you did you ran yourself through a series of, like, focused studies when you knocked out all those certs. I
mean, yeah. And Barnes and Noble was my friend. If I didn't know a topic, I went to go buy a book and learn it, you know, that type of thing. Yeah. You can't just stay still and say, okay. I'm not gonna get educated. Like, there are almost like that personal MBA or whatever they call where it's like,
well, I'm just gonna, you know, go read all the MBA books.
Well, and that's what was it, Good Will Hunting, when he gets in it. It's like, you know, there's 2 certain days. 1, you're gonna realize that you wake up and you could have had, you know, your entire education for a dollar 50 late charges, you know, with that, which is true, you know, like there's nothing needed to be sitting in a classroom. I mean, I think and we've had losses from the educational system. I think it was really there to test you from a reason standpoint, and we've really lost that.
Ability to execute logic and patterns
to think through. Yeah. And, go up against adverse challenges of your thought process, you know, and I don't think that's really there anymore. Like, it's not that you're challenging, you have to defend yourself or make up good arguments on a premise or a thesis or whatever it is. Like that's what I think college was like a 100 years ago, you know, type of thing where they basically made you sharp and honed on utilizing the knowledge that you had you know, come up and defend it well.
Now it's more of, like, can you regurgitate it right, you know, kind of thing.
Well, very interesting is a 100 years ago, the only place to go to collaborate like that was either university or the bar. Mhmm. And and so you couldn't just get online and have a meaningful discussion Or the information. Discourse on anything. But today, you know, you can you can have those without having to go to Right. To school.
I will say, what going that what the degree did for me had very little to do with the degree itself and a lot more to do with, some professors and relationships with them who I still maintain relationships with. Yep. And other students who I'll pull on not necessarily for anything related to my degree. Right? But if I have a weird question on government stuff, I have a friend who is in poli sci and I'll ask you all that weird question about government stuff.
There are things like that. The other thing that's probably
more important. Of relationships is really what you're Yeah.
The social aspect of it. Mhmm. Because I think a lot of people, that part of their lives, if you take kind of a typical route in terms of where when you
go to school Yeah.
You're at the you're in these sort of formative years and a lot of people are out of the home for the first time or partially out of the home for the first time, all that stuff. So I think there's some can be some good stuff there. But from a career perspective, what it did was I think it it got me the internship at Deloitte, which to a large extent for me was that formative apprenticeship, you know, truly through the ringer for the first bunch of years. And and that's what helped sharpen my thinking. And I don't know that I would have naturally got, like, say, that internship had I known I don't think he
would have at the time he went because Deloitte was, like, 4 year degree. Right. In fact, I I experienced that. You know, it was I graduated 1999.
Yep.
And when I was trying to hop around, like, I was getting stuff like, oh, yeah. You're well qualified, but you forgot to put your college degree on your resume.
I didn't forget about it. Yeah.
Yeah. Yeah. It's like, oh, well, it's required, you know, type of thing. But I
wonder if it's a but I wonder if that's changed now. Right?
I don't I wonder if it has. Yeah. At least for a lot of tech jobs. Every position that I hire for, I throw that degree out the out the window and everything. Now it might be a good, like tie breaker, you know, type of thing. Like, people are basically equal and one's on the college, one hasn't.
And then I want to
know, like, what did you do with those years? Right?
Yeah. That would be my question.
That's true. But I'm looking for anything that'd be a tiebreaker at that point. But there's usually never, like, a one for 1, you know. There's good quality and bad, you know, or worse qualities. I wouldn't say bad, you know, but yeah.
And I agree with you, and I wanna hear your thoughts on this too. But, like, me me having had hired a number of people in the past, when I'm advising people on hiring practices, I basically tell them the same thing you do. I said, look, if your HR department will let you do it Mhmm. Right, Get rid of the degree requirement or potentially certification requirements because there's a lot of people out there that are potentially super skilled. Now you need to have some education.
You need to be good at the thing. Right? But you don't necessarily need just this one thing or just this other thing or this combination of things to do the job. And I actually think a lot of people that are super good or super driven and have good brains but just haven't had that experience yet and could get there very quickly aren't given opportunities because there's kind of these artificial barriers that don't really serve anyone.
So Yeah. Yeah.
No. Actually, I agree with all of that. And, I wanna get to the cons of of going to college as well in a second. But you know well just to sum up some of those things well rounded. I don't know that I've encountered people who haven't gone and immerse themselves in, like, that college environment.
It drives a more social interaction they wouldn't have otherwise gotten. That's not applies to everybody. Right. Like, you'll just go up to anybody in any place and just start talking to them. So experienced
a number of college parties, and I've never went to college.
See? Yeah. Yeah. They'll let you in. Yeah. Right. They'll let you in.
And, opportunities to collaborate. You were hitting on that that you never would have gotten any other place. And in some places, just some jobs require it.
Yeah.
But the other part is, unless you're a unicorn, and I was doing a little bit of, like, superficial research on this before, we got here, was, you know, higher earning potential. Unless you're but I I think there's unicorns out there who, will do that. When you look across the general Yeah. Populace, I think people who come out of college will get a higher level. They'll they'll won't hit a certain signal. Other people
You'll yeah. That that that early start at a higher thing, assuming you make the jumps at regular intervals Right. Is gonna get you to a higher place overall, potentially. Yeah.
But that leads into my first con.
Well, especially the government. They have a very strict, you know, qualification hiring process. And they're
not a small employer.
You know, they aren't Like, 1 fifth of the economy or something
like that. Also get capped at a salary range there really fast. So you've got to go to college, which costs a ton. Plus if you go to the government job, then Mhmm. Yeah, you may not get as high of an earning potential.
And then what happens during those 4 years? So a great argument for not going to college is it costs a ton and you can actually be earning during those 4 years. Absolutely. So if you can find yourself into how do you become that unicorn who doesn't need to go to college to still get the job? I'm thinking, like, entrepreneur level person.
Right.
Now you kind of break that, that mold. What do you think?
I think that's probably true, but it's probably also true that we are all weirdos and that we've been doing, like, IT and security stuff, like, almost from the jump. And I do think there's probably a large number of people that try a thing in college and then go, this isn't for me. Well, to to an extent, you know, that that I think that was your host for me. Right? Right.
Well, even before the jump, like, you were saying in high school and in high school, we all took, like, some sort of computer stuff. Well, nobody else was.
Because there's people like, oh, yeah. I'm going into biomed and then all of a sudden, now I'm gonna do landscaping instead or whatever. Right? It happens all the time because people start doing the formal training and whatever that discipline is and then they shift. So, yeah, I could see that
A promise of money and then they're like, I can't do 8 hours of business either way.
You could theoretically figure that out doing the actual work too, potentially.
That's the argument for apprenticeship. Yeah. You know, like, that's a low risk tryout. Right. And you don't have to sign up for college to do that. I mean, most college, you spend 2 years just doing general courses and then you start getting into whatever your elective degree is, you know, type of thing. The apprenticeship is like, okay, do I like it or not, you know, and then you can drop out with the like, and you get paid. You know? Like Right?
Well, can
I ask you a question that I was asked just today? I was talking to somebody, another professional executive, another company, and he said, schools, college is leaving out. My, he said his son's roommate is coming out with a security degree. Yeah. What should you do? And this is always a perplexing answer because you think you went to school for all these years in cybersecurity. You should come out and get a job in cybersecurity.
I know.
But I wanna know who's hiring a job in cybersecurity for an entry level person coming right out of college. No.
I don't care what you're doing.
The vast majority of people are starting to help.
Is that an overnight SOC, position? That was one
of the things I said. There's companies that'll hire you to be a SOC analyst so you can figure things out. And and part of the answer I gave was relating it to, you know, would you hire somebody who's never lived in a house nor build a house to come and put a home security system in? They'd have no idea. No concept. Right?
Mhmm.
So would you bring somebody into your company and have them jump right in? Well, if it's a PNC-level cybersecurity team with hundreds and hundreds of people, well, then there's probably a place for somebody to come in because they actually have the Right. The training program
Yeah.
The apprenticeship program. And so it's built into the companies. You can get the companies to do that, but I'm not gonna be able to bring somebody in right out and make them super productive right away. But Right. Have you seen too much of that?
And that's the thing. Like, yeah, smaller companies, they can't afford bad employee not even necessarily Inexperienced. Well, it could be bad and or inexperienced because even if you're like you know, an employee that doesn't do anything, you can mix into a larger crowd and not have that much of an impact. It really it depends on your immediate manager to kind of supervise, but it comes down to the culture with that. But, yeah, if you're with a small company, a team of 10 people, and somebody's not pulling their weight, it's very apparent, you know, like it's like, I've asked this person 3 times to do this, and they haven't done it yet, you know, type of thing.
Well, experience on the job also means a couple different things. Right? Like, there's these core security skill sets. Right? Maybe a bunch of nontechnical patterns and then, like, some technical knowledge that supports that and all that, and that's fantastic.
But, also, like, what I think someone right out of school, even if they have a security degree, they don't know how to be an employee yet. Yeah. Right? And I actually think, like, security is one of those jobs that it requires this different positions are different, but many of the jobs require some level of interpersonal and communication skills in addition to the the the technical skills. And if you've never done the work thing really before in a corporate environment or professional environment, there's actually this whole other layer of learning you have to do at the same time that could potentially be super challenging.
Right? And so I actually think the people that I have hired that had, like, low to no security experience, they came from, like, PMO or not for profits or things like that. And so they actually had all the, like, how to be a great employee stuff Mhmm. Nailed down. And I was like, oh, okay. I just need to show you some security stuff. Right.
That was easy. Understand how the world works a little bit.
Yeah. Exactly. Exactly. I was working with a client, client earlier on, and, they have a culture of meetings, you know, 9 to 5 meetings, wall to wall, and everything like that. And, you know, I was onboard doing a long term project, and I blocked off my calendar, you know, when you know, don't schedule stuff during this time and everything.
And, of course, you know, the invites go out, you know, and I had a Friday blocked, and they threw it on. And I did not like, I declined it. I gave a reason, like, hey. I'm at a conference today, and, you know, I can't do a meeting. While at the conference, I get the ping.
Like, why aren't you on this meeting? You know? I'm like, what do you mean? Like, I declined it, and it was blocked too before it was scheduled. Like, but, again, go to, like, the I they didn't check for busy or they didn't care, you know, type of thing, and then the decline and how it was somehow my responsibility. You know, go into like there's an etiquette there. You know, it's an underlying etiquette to that, you know. So are
you saying that's attributed because that person didn't have experience with, like, the way things ought to work?
Or didn't care, you know, type of thing. But, you know, that we have a normal etiquette, like, you check they're free busy. You try to avoid lunch. You try you know, there's You don't schedule stuff at 4 o'clock on a Friday. But these are my kids.
You know? But insecurities is one of those things. It typically makes things more difficult in some way, shape, or form. Right? It's it adds friction intentionally. Yeah. Right? It can solve some things, but that's a a bunch of different conversations. But if you're in that position where you're like, hey. I need to slow down the business a little or make sure people are doing things safely or tell someone, no.
You just can't do this. Mhmm. It helps if they don't hate you for a whole bunch of unrelated reasons already. Yep. Setting up meetings on Fridays or whatever. Right? Right.
Yeah. Good. So as we wrap up this topic and let's could we give some advice? And the advice is if you're going into college or you're coming out of high school and you want to get into cybersecurity, it actually just there's probably 2 different answers. If you're going into college for cybersecurity, you just got accepted at one of the great programs. What should you be doing along the way that makes you hireable or somebody wants to hire you as you're graduating?
Network. So go to the conferences, all the free, the cheap conferences, meet people, invite them to LinkedIn as soon as you meet them, start to get your network kind of, up there and everything. If you graduate or come to graduate or just you're now looking for a job and you've met somebody and you've had a good impression on them, you will get an interview. Yeah. You know, whether you get the job or not will be another thing, you know, in the interview, but you will get an interview through relationships, you know, with that, so that's one thing I always tell, you know, with mentors and graduates is like, you know, just getting a degree is not enough.
You've got to work to get those, you know, relationships and conferences are perfect for that, you know. Just introduce yourself, hey, I'm giving you a little bit of backstory, you know, could I hit you up if I have any questions, like look to them and say, hey, I'd love to get your perspective on the security industry. Where do you think I should be focusing on and just kind of build a relationship from there.
That's great. What do you have, Ed?
I would say, and I actually think I don't think there's anything I could say that would be more important than networking, so I'm gonna throw that out first. But as a secondary thing, I'd say find a secondary topic of focus that you also study or that's important
to you. Plan.
No. But as a to relate things. Right? So, like, I did, like, IT and security, Sloan plus accounting stuff. So one of my superpowers right out of school was, oh, yeah. I can talk to all these finance people and their ERP, you know, about security because I speak that language too. Right? And it could be anything. It could be health, and now you're talking to doctors. It could be whatever. It could be hospitality, and you're talking to hotel owners.
Like That's a fantastic idea. I didn't even think of that one.
It's just it's just find a secondary domain of study so that if you really wanna do security, you're, like, carving out an initial niche. And you don't have to stay in that niche, but you're always gonna fall back to certain the relationships in that niche or patterns that you get from that niche. Because I'll also say, every time I, like, find myself thinking about something new, I'm like, oh, how does this apply to security? Right? Yeah.
And so you'll do that too as part of these other studies. So that's what I'd say. Study study a secondary thing even if your core interest is security.
Yeah.
Yeah. Just real quick on that. One of the things I thought was really cool, it was last year or the year before Coinbase was hiring a whole bunch of people, and they had a number of things that was guaranteed to get you a job, and one of it was if you're in any way titled with chess, you like if you're a FIDE master, international master, or obviously a grandmaster, but like if you're in any way titled, you get an interview, you know, like we we want an interview. Like, how you think. It's like and that gives you, like, secondary skill, like and that's a very Yeah.
Analytical cut. You you have to study for that, you know, type of thing. You have to look at both sides of the, you know, the fence to, you know, come up with a plan. So they're taking that skill and saying, hey. These people have a base of that, and maybe they'd work well, you know, in, the crypto industry.
But yours.
Yeah. Well, I I still wanna I'm still fixated on you said because it ties back to something I was thinking about earlier as well. But it's the you don't just do security because it's a thing to do. You do security because you're securing something. What is that something?
And that's where we're getting to. And so some of my advice today to that person was, you know, it's just like computers now. Everybody needs to know how to use computers. So I think as people come out of school, everybody should understand core concepts for security. You know, what was it 50, 60 years ago?
If you wanted a letter typed, your secretary would listen to you talk about what it would be. The executive wouldn't sit down in front of a typewriter and type it out. But now executives sit down and type their own stuff. Yeah. And so because now everybody needs to know how to use computers. So I'm seeing everybody needs them to understand core basic security concepts and then apply it to their area.
Yeah.
But the other things I would say that if you are a if you're starting college now, several things I would do to be hired coming out with a cybersecurity degree is, 1, before you get to college, set up your LinkedIn and start bragging about everything you're doing. That means you have to do some things to brag about. So don't just go to the conferences, but I tell people just submit to a talk. Eventually Mhmm. You might get a talk.
There, you'll find the right menu. Yeah. Get up on stage and speak about something. What do you speak about? So I was listening to a different podcast today, and they were talking about, well, writer's block. And people have these things they don't know what to write about. That's because they're trying to sit down to write intentionally to write. No. Go do something that you think is interesting and then write about that because people like you will do that.
You know, like, give me a nap song to write about somebody and give you, you know, all the bullet points there. You know?
Oh, sure. Sure. But still, agree.
We could talk about something that stumped you. And then, okay, now you're past being stumped whether you succeeded or failed, and then write about that. Right.
Yeah. And do a talk about it. Yeah. I saw a BSides Harrisburg talk where a gentleman, he was pretty new and everything, but he talked about how he learned and shared that out on LinkedIn and how it got an audience out
of hacking 1?
No. Oh, a Derral. Yeah. It's a Derral one and everything. Yeah. And it was, like, really cool. He'd said, like, I came at it as a novice, but I shared my experience. He went into, you know, did some, like, bug bounty stuff for a bunch of different, websites and everything and talked about how he got stuck and how he got passed on stuff and how he, did a number of things, which led to other networks, which led to, you know, eventually his career into the industry. Yeah.
So you talk about some things. You go to the meetups and the networking. Yep. The networking again. And you start logging all this stuff. So if you're an interviewer and you're looking at 2 different candidates, they both have 4 year college degrees in cybersecurity. During college, one of them interned at a bunch of places, wrote some papers, got published on whatever because it's not difficult to get stuff published. You can self publish. Mhmm. Has them a couple recorded talks.
All of a sudden, you have that person and the other person who just has a a great degree. Right. What are you gonna hire?
I I'd actually throw in a wrench into that. Uh-huh. You got somebody with college degree just with that and somebody with no college degree with all that stuff.
Absolutely. That's why I clarified
Yeah.
Because I knew that you would go there, and I would 100% agree with you. Yeah.
You know what it sounds like too? And I've never thought about it this before this way before, but it's almost like, 2 kids in art school. Right? And one of them is building their portfolio Mhmm. And the other one, you know, whatever. They're throwing it out or burning it. It. Mhmm. Right? And they get to the end of art school, and they're like, oh, you wanna be an artist? Okay. Why would we hire? You know, here's all my stuff.
I'll show you all my stuff. And the other one's like, I can draw you something now. Okay. What do you want?
I'm pretty good.
Yeah. That's really good. So the concept of build a portfolio Build a portfolio. Yeah. Network and document your portfolio in your LinkedIn because that's what all the business people are gonna look at when they're doing hiring.
Yeah. Cool. Secondary thing.
And secondary thing.
Learn a secondary thing. Yeah. I I think that's cool. I like that. So here we we plugged BSides a little bit. Let's officially plug BSides.
Okay. Yeah. That's all.
So, I think this might come out before BSides, but BSides is on, July 12th at the Rivers Casino. We have a number of people who are organizers. We'll get you hooked up to be an organizer one day. No. No.
I've I've talked a number of times but yeah. No.
There are many organizations. Did you submit a talk this time?
I run the LobbyCon. Okay. I make sure What are you making sure? Care position. I make sure everybody's behaving in the lobby.
I never seen somebody go to more conferences and never see a talk.
Yeah. But I'm
just kidding. You've seen Slack. Have you submitted a talk? I haven't. No. Talk submissions closed last week, and I know I was just reviewing a couple of the, a couple of the, CFP submissions and some I was looking at were AI related, respect to some open source testing tools and, how to do, like prompt engineering security.
Okay.
There's some some talks I looked at, that were good for developers. So your hardcore developers. And I was reading this thing, you know, like, well, that's a little bit above my coding level. So I'm sure people understand it, but I was on a verge. And then there were some hardware hacking including cars and medical devices in the ones I've read.
Oh, okay. That would be that's a good group of diverse
I only looked at 10 of them, and I think there were, like, 20 to 30 submissions, maybe more.
Maybe more. Okay. That's a lot of submissions.
Let's see Cool. Yeah. What's the is it, like, 15, 20? How many are you accepting?
3 tracks. About 16. 2016. Yeah.
Yeah. About 2 tracks of, 8. That's right. Okay. Got it. Yeah. So do you see any other topics that jumped in mind in this submission? I think
I think maybe we saw some very similar ones.
Okay.
I think there are a couple, a couple less technical, more like governance ones that
I saw from other stuff.
Yeah. Yeah. Yeah. And there there are a couple, even sort of, like, entry-level 101 things that I think were really good.
Oh, really? I didn't get to see that.
Yeah. There were 2
of those that
that I
There's something for everybody. Yeah. Yeah. Yeah. Yeah. It's awesome. So BSides, it starts around, show up around 8 in the morning and prepare to go. If if you're like us, you might prefer to go until 2 AM.
Yeah. Exactly. Yeah. Cookie table Should definitely go. Yeah.
Cookie table was a major topic recently too. Uh-huh.
I'm excited about that. Yeah. Yeah. If you're, from Pittsburgh, you know what a cookie table is.
At the weddings. And if
you're not, come find out.
Yeah. It's not a big mystery. It's it's it's in the name. Alright. So what's next? Yeah. What's a good topic here?
I don't know. We we we threw around, Microsoft, started to do some stuff where they, they started to create these positions, deputy CISOs, and are tying them to a lot of development. And the CEO made a statement that security is gonna be above everything else for priority. I read that in one of the articles. You suggested article. What what comes to mind?
Yeah. So, I mean, just to kinda set up, the little bit of backdrop here. So, you know, Microsoft got breached. You know, their email servers were breached and everything like that, and then CISA decided to basically investigate them because Microsoft does a lot of government work, you know.
And agencies specifically, they
were were there were agencies that were notified that those emails were being read. Exactly. So there was an investigation, and then CISA basically came out and had a report that basically said, Microsoft, do you know security? You know, like, Clifton thing. It wasn't good for them, you know, so they were scrambling to, you know, kind of respond to that.
But I thought it was really interesting to your point where, you know, they made a number of announcements, and one of the things that really caught my eye was that they're tying performance compensation to security for their executives and everything, which they didn't say specifically what, you know, that was kind of left up to there, but I thought that was interesting from a compensation perspective. 1, I thought, you know, how are you going to measure that? You know, that would be fairly hard to get specific metrics. I mean, you have to get very specific if you're tying dollars to it, you know. Like is it you get 0, you get money, you get, you know, like one incident on you, you get less, you know, like how does that even work, you know, from that perspective?
And then 2, you know, I was talking with some other, executives, and they were saying like, yeah, if it's tied to my bonus pay, I'm definitely making sure I'm hitting those marks. Right.
Yeah. The compliance part of me says, oh, man. That could go wrong in so many ways. Right. Right? Because to your point, like, how do you quantify it? Okay. Is it based on incidents? That's kind of a weird metric. Is it based on, like, the, you know, 1 to 5 score that you get from consulting agency on this framework that you're supposed to align to?
Okay, well now you're setting up some very bad feedback loops and unintended consequences. Because guess what? Now my money is tied to XYZ. Where maybe I would, initially be like, okay. Well, I'm gonna kind of leave this be fully independent. Right? Well, now I might be interested in exerting some pressure to make sure the score is what I want it
to be. Right. Right? So I there's a lot
of, like, conflict of interest alarms that start going off in my head when it's like, hey. Your responsibility is security, but also you're gonna get measured on how good the security is. It's like, well, you should actually get measured on how honest you are about the security is as opposed to, like, that number. So maybe it'll be measured different ways, but if it's done poorly, it could be really bad.
Right. And, you know, I just thought of something like one of the things, with this compensation, what if you're low on resources? And you said, like, I I don't have the resources to do what you need me to do. How many times, you know, have, you know, visitors say that, and then they get popped anyways or, you know, with that? It's like but I told you, like, I didn't have the resources to do what you wanted me to do. Where where does that even come down?
Yeah. Well, what, so here's a quote, from the article, and Nadella hinted the changes last week in the company's quarterly earnings call when he said the company will be putting security above all else before all other features and investments. So to me that's that's a way to begin to address that
What does
stock do for that?
Constraint. What's that?
What does stock do for that?
Well, I don't know.
I'd be curious on what investors actually thought of that. It could
be an investor thing, or it could just be just, like, competition. Okay. We're gonna ramp up features faster. Right?
Yeah. Well, I'm just curious that if they're not pushing out features is from an investor saying, but did their stock Right. Go up or down or
not lending? That's a good that's
a good question. But, you know, I would hope that, no. Did did the stock even take a hit? How much did the stock take a hit when, there was the incident?
I don't know. Yeah. But it'd be interesting. I remember years ago in, at ShmooCon, somebody did a talk, and I think the name was, like, breaches are good for you, and everything, and they basically did kind of a historical analysis of mainly the stock market and with that, and they looked at major breaches and where there were Oh, yeah. Breach I
know you're talking about.
Where they got hit, and then a year out, and most of them fully recovered, if not more
Oh, yeah.
From where they were at.
DS s it was the the shoemaker. The shoe
DSW? Yeah. DSW. DSW, Target. Like, there's a whole bunch of them that had major major breaches, and a little bit later, you know, with that who was it, Troy, Fine just did a post when, United basically came out and said, oh, yeah. Like, they got based our, you know, our entire database. Like, 1 eighth of Americans were compromised or whatever the number was. You know? I forget what it was. And they announced this, on a, you know, a public, you know, call, and their stock went up that day.
Well, that's very interesting. Well Yeah. They're about to solve
a bunch
of Fact fact check me here, but, didn't the CEO of MGM say that their huge breach
Yeah.
Was not even material in his mind? Right.
The Target one is well,
I remember a million years ago,
it feels like, the big Target stuff. There are spirited debates about all this.
Every time you say Target, you have a drink.
I know that. But it
very much was like, it was like a mark my words. Right? Their stock's gonna be recovered in a week than it was. So yeah. But I anyway yes, please. But I you know, my my my fear with that like, I I think the intention is good. But like many other things, if the execution is poor, it could create some really bad Yeah.
Well, usually, they bring that security executive compensation on progress toward on progress towards security goals. They're gonna install deputy chief info, info security officers in each product group and bring together teams from its major platform and product teams in engineering waves to overhaul security.
Yeah. So so it sounds more development and, you know, into their products. It could still
go anyway. Like, progress towards goals, you're gonna quantify it. There's gonna be numbers. Gonna be on slides. And if you don't hit a thing, you don't get a bonus. Again, you're Yeah. But Yeah.
That that that's workable and that's 0
being for any goal. But it's gonna be cultural at the end of the day Yeah. Whether or not it works well. Absolutely. I mean, my my big takeaway is I I like it. Financial incentives drive behavior.
And, you know, that's good. And I also like dedicating extra people. So Mhmm.
I don't know if they had
these deputy, CISOs before, but putting them in place and putting them into these groups.
They would. They would. Well, they could've announced it if they did already have it.
But It's kinda surprising to me if they didn't, that they didn't. Because, like, I mean, most super large organizations I've worked with at this point absolutely do. What and they call them different things. Yeah. The BISOs. The BISO. Exactly. But it's like, look. You're the security chief in this area because, you know, it's it's one of the ships in the fleet, and it needs someone watching this in this specific space. Yeah. So, yep, they didn't have it before. Kinda interesting, actually.
No? Yeah.
Well, that was a good topic. What what do you wanna hear on next?
So what do we do? You're new in a company, head of security. What do you do first? Or what do you do? Like, just start off with, you know, a game plan and everything. I thought about this a lot.
Yeah. I had these conversations a lot.
Yeah. Right?
I mean, oh, you you might as well. In the, I didn't mention faculty of ions as, one of the things on the Yep. The resume now. But the, you know, ask an expert about this.
You're always getting into this. Like, I'm I'm
I'm I'm on the friends and family. Yeah. Right.
There you go. And so you jump into these conversations, but you you give us some thought. When were your what were your thoughts?
So my I mean so first off, you gotta figure out what you're dealing with, you know, going on. Actually, ideally, you should figure that out before you accept the job, you know, type of thing. There's a lot of cultural things that will shoot you in the foot, you know, coming in. So as best as you can, those are the type of questions, you know, if I'm letting don't know if I'll ever take another head of security, you know, position at a company, but in the few that I've had, those are the questions I try to get from cultural perspective. Like, would I be able to be able to do anything there?
You know? And it's a continued, like, conversation, but, you know, first thing first or, you know, kind of accommodation, you gotta figure out your current state. What are you doing? Where are you at? What's your footprint?
You know, how are you doing everything, you know, from phone and data management, patching, to compliance if it's, you know, related, all that stuff and everything. 2nd, and it you can't understate it, and I think a lot of people failed this, you've got to build the relationships. One of the things I always did was I made a slew of, meetings Yeah. Absolutely. For executives.
Mhmm. Like and I've come I've come in to say, where are your experienced parents from security? How can I help you? Here's my philosophy. I don't say no.
I'm here to help the business, you know, like, I'm gonna tell you how, not I'm not gonna tell you no, you know, type of thing. And you start building that rapport, you know, to a lot of different people. I also, in the, you know, the times I do give advice, you know, to new people with GRC and and stuff of that nature is don't be afraid to bribe. I know that's probably a bad thing, but a gift here and there or something like that builds a good bond relationship, you know. So if somebody likes bourbon Mhmm.
Give them a good bourbon, you know. I've done times where if people were feeling under the weather, I'll send them a gift a gift basket with, like, with soup and all that stuff and everything. Like, those little things go a long way when you need to get something out, you know, type of thing. And that's almost more important than what you're dealing with because the roadblocks that we face is from a security perspective is often the people and process, not the techno like, the technology we can figure out and all that stuff. There's usually cheaper ways or ways that you can kind of deal with it, you know, type of thing.
But when you get an uncooperative person or, you know, a roadblock and you need a way around, it's usually getting to somebody and say, can you help me out here? Yeah. Yeah. You know, type of thing.
Yeah. So I have, like, a very similar in a lot of ways. Maybe framed slightly differently. But there's, like, 4 key things top of mind immediate. And it's, meetings with all the leaders. Mhmm. Right? Like peers and or various bosses, dotted line or straight line to say. And it's part of, you know, getting the feel of things, but also building the relationships. 2, same thing with the team.
Right? Before I even go start digging into controls and compliance frameworks and, like, looking at these reports that came before me and stuff like that. What, man? I wanna shake hands with everybody that's on the team.
Yeah. Because that's gonna give me the best by. Yeah.
That's gonna give me the best sense of, again, building relationships, but also, like, are we good or are we not good? Right? Because if there's a couple jokers in critical positions, I'm already a little nervous about what, you know, what might be there. And maybe they surprise me, but I know there's gonna be some places I wanna pay attention. So 2 relational things, but leaders and then people.
And then from a other tactical perspective, the 2 things I always hit first. And a little of this is steeped in when I was in Del Monte because there's a huge seasonal workforce. So we would we had to figure out pretty good ways to hire and then release, like, 16,000 people every season. So I got kinda good at access management.
Season getting the the the
Yeah. Kinda like pick and pack season. Oh, yeah. Exactly. Got it. Exactly. Okay. So but it's paying dividends. So what I typically do from a tactical side then is it's access. I get my arms around access management and how that works almost immediately.
And if it's clean, great. I'll move on to somewhere else quickly. But that's, like, typically always the first domain. Because, also, then when you're talking about, like, the ability to, like, bribe people or just stop bad stuff, people are plugging stuff in the network you don't like. Alright.
Well, I figured out access management so I can, you know, get rid of shadow IT. All it has all these good, second order impacts. And then the second thing is finances. Right? I dig really deep into the IT and or security finances depending on the structure of everything and go, okay.
Where's the money going? Where should it be going? Because, ultimately, again, with those relationships with the leaders and getting wins quickly and stuff like that, if you can solve a couple things or start to utilize some of your resources more efficiently right away, It's gonna just help you do things down the road. So to me, it's always shake hands with everyone above you, shake hands with everyone that's working with you, Do the access stuff. Do the finance stuff.
And that's, like, a pretty good 90 day plan.
Oh, I like that. I really like the access management, pieces. Your first, like technical piece to hit in on. Yeah. Yeah. So you're basically doing a risk assessment of the access management part. I was going to start with you to do some kind of risk assessment.
Yeah.
As you start going in part of the risk assessment, you're kinda doing it all along. So when you're talking to all the leaders, you're trying to get a sense of what what what could break. I was I was talking to somebody who came in and helped me probably 10, 11, 12 years ago now, and they just went around and said, let's go talk to the execs. Mhmm. It was for a pen test. And
Yeah. And
it was more than a pen test. And they started looking at it and saying, well, let's go ask them. What is the one thing that can happen in this company that shuts it down? Yep. And let's start reverse engineering from them.
I would say what what's your absolute worst Friday night slash Monday morning look like?
And why did that happen?
Yeah. Yeah.
Yeah. That's really good. So risk assessments, I I like that. And then, if you if you think about frameworks, I'm just a huger fan of ISO 27001 than I am maybe of, some of the other ones. They're all good control sets like CIS is great control set.
They focus on this continuous improvement.
That's exactly why. Yeah. And so the first thing you do is, you know, you understand, you know, what what do you care about and who cares about it and what's the scope they care about and what's in it. And then now let's figure out what kind of risk you have with it. And as soon as you can start setting up so my first step is implement a blank risk register if there's not one already.
And get that in place and then start populating it with and I like your idea of focus on access. Figure that out and then start taking it to the leaders that you're meeting and saying, oh, so your area is this. Right? You're responsible for this line of business. Well, I was doing some access management review, and I'm finding some weaknesses in the way we do this.
And it's related to this process that happens, and even some of your people on your team have to, like, sign off on these things. Yeah. How do we, shore that up? You know what I mean? I can help you remove some of this friction Mhmm.
And to start, you know, making things more efficient, winning some friends, and fixing problems all at the same time and putting it in there. Now selfishly I would say that all 3 of us would have the same thing. If it's not us getting the job and it's you you should bring us in because the best thing that I ever did when I'm getting started is don't go it alone. Is who can come and give me an objective view? Because the moment you're in the company Right.
You're not as objective as you are when you're looking at it from the outside. Right. Go ahead.
Yeah. I was just saying and also the sad thing about that, a lot of your execs won't listen to inside people. They could complain to the moon that, like, hey. We need to do something about this. And somebody outside writes a report about it, like, oh, why don't we do this yet?
Yeah. He was a consultant I was working with years ago, and they were they kept saying, I keep getting asked for the companies I'm helping. Why don't you hire why can't we hire you to come in? He goes, because the moment you hire me, I will be no longer the smartest guy here. You will think I'm the dumbest guy here. Yeah. And I always thought that was pretty funny.
That's a good lesson for the for the anyone that might be listening that's taking that college advice, what to do in college. Just realize that, you know, one of the hardest pills to swallow is even once you get really good at security. Right? If you're on the outside. Right?
You're gonna have a lot more airtime and a lot more visibility, you know, talking to companies about their security than if you're on the inside trying to evangelize security. Mhmm. It drove me nuts when I was at, you know, at Del Monte telling people things, and then I'm internal saying the same things. Right? And but you need that secondary opinion, and then you're external again, and it's the same thing. So it's a good lesson.
Yeah. Yeah. Yeah. I'll pick a point on you. So when you say do a risk assessment Mhmm. Are you talking about actually looking at likelihoods of threats and impacts into that, or are you doing it more from a, like, control perspective? And I think it depends on the size of the company. Right.
I would say that there's no right answer. And I know you had another topic about
Yeah.
Should you do risk assessments?
I'm opinionated on this.
And and, We
should probably we should spend a
whole episode Yeah. Toward the end of this one. But yeah.
Well, just just to quickly answer your question, I think having so I'm I'm starting to read measure anything in cybersecurity to get my, head much more around. You got the book of it?
No. There's a there's a
bookshop behind. Yeah.
Yeah. Get my head around how to, how to continue to improve on the way I quantify things. Mhmm. But, there is there's an ISO 27001 news group. And one of the folks in it, and it's a Google group, and one of the people in it, is makes makes a great argument for not getting that specific at least until you're a little bit more mature.
Yeah. Right.
And the reason
That's I guess, kind of my point. You know?
That that's yeah. Exactly. Because the reason is, if you would spend a thousand hours of collected time Yep. Coming up with something that is super detailed and at the level of like a one of your large worldwide insurance companies level of detail Mhmm. For analyzing risk or And you're not
doing a good job patching. You take a week It's just gonna echo that.
And figure it out. And you give it sure. You can't, like, add high, medium, and apples. Right? So they don't make sense, but you can start to carve a conversation of understanding what is riskier than another thing. And at the end of the day, is it gonna drive a different major change or major output?
Right. And that's where I agree risk assessments do help. When you get to a point where you're mature enough you're trying to decide, do we invest in a new EDR solution or a WAF, or, you know, where where do where's the best place for our dollars to go, you know, into there? A risk assessment will help kind of flush that out, but if you're not doing the basics, like, it's and it may be like a gut, you know, risk assessment at that point, but we all know if you're not protecting against phishing attacks, you're not educating users, you're not patching, you're not protecting your border, you're gonna get popped eventually, you know, that type of thing. You'll probably still get popped if you do all those.
Like, that should be your kind of first goal, You know? And once you get to a good spot, then you can start divvying up or where's our dollars best to go, you know, that thing.
I always want better language in the risk space. Right? Because, like, the risk word is, like, way overloaded, and you probably see probably go see this with different clients. We see it all the time. We're, like, someone's like, I want a risk assessment. It's like, okay. Well, what do you want? Like, the academic risk assessment? Do you actually need a controls assessment? Do you want a pen test? Like, because risk is a whole bunch of different things, and depending on the context Right.
Because and so I I
think our language is really poor here. We're talking about a generic risk assessment. I don't know if they still use it, but there's this thing that E and Y had a a long time ago. And they they they framed it the what could go wrongs, the WCGW. WCGW. Oh, okay. And I always loved that for, like, the initial risk assessment or the high level thing. It's like, look. I seem to know what could go wrong. Yeah.
That's the whole thing. And what are the worst things that could go wrong? Okay. Top 10. Great. Let's focus on those. Well, that's
a really good point. And when we do a more detailed risk assessment, the first thing we actually do is a threat assessment.
Exactly. Right.
And that's what what what what can impact you. Yeah.
Yeah. But So Yeah.
That's good. We should do a whole session on risk assessments and
talk about why. Of the methodologies and all the frameworks and everything like that.
And why not throw them all away and just do something that works?
Yeah. Right? For sure. Cool. Alright.
Is this a wrap?
Yeah. I think this is a wrap. Alright. This is a good hour and everything. So Cheers. Thank you, gentlemen, for doing this. Thank you, audience, for joining us. This will be released here, and we're aiming to do a once a month podcast. So join us next month as we dive into a number of these topics and everything. Don't forget to like and subscribe and comment, you know, if you really enjoyed it or you have any other topics or questions for us. And that's a wrap. Thank you all. Bye.
You know what I think we should do on a camera? You could clip this part back in since we're all still mic'd and Yeah. Everything on is, we should how about we review with each, with each episode? Yeah. Yeah. That's what I'm thinking. Some something, like, acknowledge what we got sitting here because and then why we picked it, the name of it Okay. And and stuff. And a few
I think it's a great idea.
Read the name, Kentucky straight bourbon and guided by wisdom and craft with knowledge.
Where is it made? I like that. Distilled in Kentucky bottled by Kentucky Owl. And I'm gonna butcher this name. I apologize for everyone who lives here and nearby here. Lacassine, Louisiana.
Yeah. Yep. So this one I bought down in Kentucky. They don't have it in PA here and everything. Hopefully, that's not illegal. Spoiler alert, you guys. Yeah. But, yeah. So I mean, from a notes perspective, does it say oh, okay. It's 91 almost 91%. Yeah. 90.8% proof. This is great. I love this. Yeah. It's nice and smooth. Yeah. Good caramel notes and everything.
And for anyone who's listening just for the whiskey review, I would describe us as people that drink a lot of whiskey, but know a moderate to low amount about whiskey. Oh, okay.
I think Justin knows more
than that. I would rather I definitely like the moderate category for sure.
Yeah. Yeah. That's fair enough.
Yeah. We're not distillers and we're not the guys that have, like, the bourbon channels that are 50 gazillion videos deep that Yep. Have distilled since they were 2 years old somehow. Right.
In the hills of West Virginia. Right.
Hey. Well, cheers again. Cheers.
Cheers, guys.
This was good. This is great.
