Greg Schaffer: Hi, I’m Greg Schaffer, and welcome to the Virtual CISO Moment. Andrew Staton joins us today. He is a cybersecurity professional out of Huntsville, a good friend of mine, and glad to be able to catch up. Andrew, thank you so much for joining us today.

Andrew Staton: It’s my pleasure. It’s, man, Greg and I said this before we started recording, but it’s great to get to hang out and visit with you. It has been too long since we’ve gotten to connect.

Greg Schaffer: Yes, yes. And I know a lot has happened since the last time that we spoke. I’m sure we’ll catch up with this in the podcast. But the last time that we saw each other in person was during the National Cyber Summit in Huntsville a year ago, because I know both you and I were not able to make it this year around, which is unfortunate.

Andrew Staton: Yeah.

Greg Schaffer: So, but I know some of your story, but I know most of the folks out there don’t. I’d like to hear, starting from the beginning, it’s like how and why did you get into this wonderful field of cybersecurity? And just bring us up to what you’re doing today.

Andrew Staton: Yeah, so I’ll tell you one of the things that’s unique about my story. So growing up here in Huntsville, Alabama, I’ve been here in Huntsville pretty much my whole life. My mom and dad moved here when I was six months old because mom took a Windows system administrator job at Marshall Space Flight Center. So I actually was taught how to use a computer, a lot of computer hardware components, how to work my way around the machine by my mom. So…

Andrew Staton: Really growing up, I always had a good exposure to technology and computing. And there was always just something fascinating about how computers worked and functioned, what technology was doing. So really just kind of being here in Huntsville came up during a bit of a technological renaissance. So my family had been here in Huntsville and in this area for decades, you know, ages. So when I was coming up into high school was when the local city schools started to actually do a cybersecurity trade program. And you had several instructors that came in from local industry to teach us kind of hands-on keyboard, um, how to do simple things such as, okay, how do we harden a Windows machine? How do you, what the heck is, do you do to configure a Linux box using command line? You know, Cisco routing was beat into me by several instructors, um, from the time I was in high school and it was done with the intent purpose that, you know, by the time you graduated high school, that if you wanted to go and get a job on the help desk working, you know, entry level here in town, you could do so. They aligned the courses to a lot of the DOD 8570 certifications. So in high school, I had the opportunity to test for like the Network+, the IT Fundamentals and a couple other things. And while doing that was involved with CyberPatriot, which is a, you know, hands-on, really more of a computer forensics, computer hardening competition that’s put on by the Air Force Association. And, you know, just kind of fell in love with the hands-on keyboard and the impact of it.

Andrew Staton: While in high school, I also was really encouraged to continue and pursue a career in cybersecurity. While I spent two summers on staff with Fellowship of Christian Athletes of North Alabama. Here as a first year, I was, you know, an intern working with some of the students at some of the sports camps. Second year, I did a lot of the audio visual tech stuff for the ministry. And, you know, was encouraged in one of my defining career moments, I was really tempted to kind of give up on going into cyber, was just really discouraged. And, you know, you had a retired NFL football player, a guy by the name of Devin Weinman, who I love that, you know, I remember sitting there, I’m like, man, I’m just a tech geek. I’m not good for much else beyond that. And I remember Devin, who, you know, six, oh, larger than me, one of the few men I have to physically look up to, got very angry with me and was like, man, you don’t talk about yourself that way. And, you know, encouraged me.

Andrew Staton: So I went to, from there, graduated from Grissom High School here in Huntsville and went to JF Drake State Community and Technical College here, got an associate’s degree. And while I was, I would say, the second year of my associates, I got picked up by a local small MSP. And from there, kind of the rest is history. I just continued to be involved in the local cyber ecosystem. And from there, just kept kind of moving up. So I’ve gotten to work and manage service providers that are super small, for an MSP that’s a bit larger, worked for a large Fortune 100 company doing internal cybersecurity compliance work within their federal business unit. And right now I work for a smaller boutique cybersecurity consulting firm that’s very much involved in the federal ecosystem and helping clients to really navigate all the challenges that come with CMMC and various other federal cyber and data protection regulations.

Greg Schaffer: I think it’s so smart that Huntsville did that. I didn’t know that part about your backstory. Because looking at the local economy that they tailored for high school students, you see this a lot in colleges sometimes, but not necessarily in high school, that they tailored programs to get folks like you started and up and running. Now, I know your success from that program and from the CyberPatriot program as well. But are the high schools in Huntsville, are they still doing that sort of initiative? And do you know what kind of a success rate they have for placement?

Andrew Staton: So right now, one of the things that’s interesting, so here in Huntsville, when they initially set up the CyberPatriot program when I was in school, you only had two of the high schools that were really doing it at first. It was Grissom High School, which is, lives, resides physically here in South Huntsville. And then you had New Century Technology School, which was a magnet school that you had to apply to, were the only ones doing it. Over the past couple of years that has been expanded to where, to the best of my knowledge and belief, all of the high schools here in Madison County have access to a CyberPatriot team. Many of them have cybersecurity instructors that will teach them. And you even have, at the middle school level, people that are teaching hands-on basics of computing. Actually, one of my favorite public speaking engagements I ever did was you have a teacher, Mr. D’Angelo, over at Hampton Cove Middle School. And I got to take a whole day, basically, and did Ask Me Anything sessions with his middle school students. Like, man, if you have a question about cyber, throw it out. If you’re curious about something you saw on TV or in a movie, like, throw it out. Let’s talk about that. Yeah, you have a very, very blossoming relationship between the public schools and with the industry.

Greg Schaffer: Yeah, you know, see, I mean, that’s great for Huntsville, particularly since, I mean, for those who don’t know anything about Huntsville, and there may be some out there, but it’s like, you know, space capital of the world, Space Force is now going to be there as far as their headquarters go. Big, big history there as far as development with the space program, great museum there and all that. One of the, I think, one of the only two remaining never-flown Saturn V rockets is there at Huntsville, which if you walk under this thing, because they have it laid out in a building like on its side, and you walk under it, it’s like, yeah, it’s pretty big. But it’s funny you mentioned about as you were telling that story about, you know, talking about schools and middle schools. Well, not much had changed in the last few years because when I was in middle school, it was my first exposure to computers. And now back then it was 1978 and I was exposed to a teletype machine that connected to a mainframe in Tarrytown, New York, a few towns over, and we got to play tic-tac-toe and to do our first BASIC programming, which everybody who’s done BASIC, the first program is line ten, print hello, line twenty, go to ten. It just prints hello over and over and over again. So I kind of dated myself a little bit there. But, you know, for those who are talking about in the cybersecurity industry that we don’t have like enough talent out there, this would seem to be a great pipeline that other communities could adopt.

Andrew Staton: Right. Absolutely. I mean, you know, one of the things that has been I know my dad for a bit of time. So my dad’s been involved with Civil Air Patrol for years. I mean, he’s I mean, been a part of that organization since he was a teenager. Uh, so dad, one of the things that I’ve heard him talk about is, you know, from a generational perspective, you know, my dad’s family is from, you know, the app from Appalachia. So they, you know, dad’s family were a bunch of truckers and coal miners and, you know, just through CyberPatriot in the public school, in the education, uh, you know, what that does from being able to find a job, to find employment, to even if I wanted to pivot, like having some of the foundational knowledge from that program is useful in any career space. Is, you know, CyberPatriot’s a tool that just with education and experience helps to lift people up out of potential impoverished situations, right? Where, you know, like within there, there’s a buddy of mine locally who went to one of the Title I schools here in town and was part of CyberPatriot, went and got a degree. And right now, you know, one of one of my favorite conversations with him sitting, we’re talking, he’s like, man, because of CyberPatriot, because the investment of local industry, my kids and my wife aren’t going to stress and worry about any of the things I stressed growing up. In terms of being able to put food on the table, being able to pay for rent, being able to live, take care of you. God forbid you break your arm, have to go to the hospital. It’s one of those resources that changes lives if people take advantage of it properly.

Greg Schaffer: I think that’s great. And it also helps. I mean, it helps the industry as well, too. You were talking about defense industry. So I did want to pivot and talk a little bit about that because, you know, a lot’s happened, particularly with CMMC, you know, now becoming finally it’s we’re going to see it in more and more contracts and all that. I think we got some SMBs that are small and mid-sized businesses that are still either their head might be in the ground, like ignoring that it’s still out there or that they’re begrudgingly starting to realize, okay, if I’m going to earn or be part of the federal ecosystem, I really got to pay attention to this thing. Well, what is, from your view and your experience in the field, what is one of the most prevalent misconceptions that SMBs have with regards to talking about compliance? I’m focused more in the federal sector, but I mean, you can talk about outside of that as well.

Andrew Staton: It’s, I would say, the first kind of misconception I would see, especially like right now with CMMC, starting November tenth with the conclusion of rulemaking, you’ll start to see contracting officers can put the CMMC requirements in their contracts requiring certification that you have to pass an external audit, an external assessment to be able to do business. And, you know, simultaneously, what I’ve kind of seen from businesses that, you know, the first thing I’ve heard from a lot of SMBs across years of experience is that, you know, there’s a bit of a panic. So, you know, you hear from, you know, small little manufacturing shop that, you know, they have been used to, hey, we run our machines, we can cut the parts, we QAM, you know, and it’s a lot of blue collar types that will look in the minute you put NIST 800-171 in front of them, and there’s a bit of, you know, kind of a cat rearing up where it’s like, oh my, what am I going to do? How do I handle this? How do I, you know, navigate the increased costs? How do I navigate what this does to our workflow?

Andrew Staton: And, you know, the first thing I wish within the kind of the CMMC ecosystem, you know, if I could make one change is I wish there was more of an effort that when we engage with, you know, especially businesses that might be a little behind the eight ball at this point, that we approach it from a perspective of a little bit of grace of, okay, you know what? If you’re a small to medium-sized business receiving any work, either from a prime contractor or directly from the Department of Defense, the best time to start with CMMC would have probably been based off average time to implement, because that’s about the average time it takes to implement all the technology, develop the policies, do everything you need to be ready. But I would say if you hadn’t started the prep then, I would say the next best thing to emphasize to the small or small to medium-sized businesses is, hey, you guys can start today. Well, it’s like planting a tree. When is the best time to plant a tree? The first best time is yesterday. The second best time is today. So, and the first best time is ten years ago, but

Greg Schaffer: Exactly.

Andrew Staton: And I also think that a lot of companies will start and they look at first step like, okay, we have to make a whole infrastructure swap. And they start looking at, okay, what MSP, what company can we hire to fix the problem for us? And one of the things that drives up the cost of compliance with CMMC is your data scoping. So with my current employer, one of the first projects we do, and one of the things my CEO, Ryan Bonner, is known for is, hey, let’s actually take a look at the data you receive. Let’s figure out the reality of, okay, where is your CUI coming into the environment? Where is it exiting the environment? And trying to take a bit of a common sense approach of, let’s figure out what you have first before we start building a technical solution or developing policies and procedures, just because if you can limit the technological scope, that can help you to decrease the cost of implementing all the controls. If you’re wanting to use a cloud solution, the cost of going to GCC High, it’s a lot more affordable if you’re a company of a hundred users. The reality is only twenty, thirty employees need to access or are touching, receiving, storing, processing, transmitting CUI. It’s a lot cheaper to implement that enclave for twenty to thirty users than the full one hundred in your enterprise.

Greg Schaffer: Well, and there’s a precedence for this, a roadmap, if you will, that we can follow, and that’s with PCI, because PCI, we say what’s the first tenets in PCI is define your scope because PCI only applies that scope for, you know, where is your cardholder data, which the equivalent here is where is CUI. And then to your point, it’s like you only have to worry about implementing the controls necessary in that scoped area. It’s not to say that you don’t want to implement controls outside of that, obviously you do, but you want to do a commensurate to the risk. And here we’re talking not just information risk, but also compliance risk. So how well do SMBs receive or even understand the idea of scoping like that?

Andrew Staton: I would say it really depends on size. I’ve seen some small, medium-sized businesses that, they’re on top of it. They know the data, they know what they get, and, you know, they’re able to tell us, hey, here’s the data we’re getting from the prime contractor, here’s the CUI data type classification, here is the data classification guide we’ve gotten from the federal government for this.

Andrew Staton: Um, but I would say by and far, there’s, I wouldn’t say a majority, but there’s a good part of the defense industrial base that, you know, when, when they get data in, the attitude, it tends to be that, I’ve heard this a lot, is, hey, we need to treat what data we receive from the federal government as CUI. And one of my personal kind of pet peeves is that something either is controlled unclassified information, or CUI, or it’s not. You know, it, there isn’t really a, at least from, from a letter of the regulation, there isn’t a ton of room to sit there and go, hey, your contract when given, or if you give any information, so let’s say if you give an SF-86 as a DOD contractor, you give that to the federal government, they’re going to mark that as CUI, because to the government it is. But if they give that document back to you, it’s not CUI, it’s your own data. No, it’s also one of those things. CUI is a wide ranging term. So if you go and look at the National Archives, their CUI registry, you know, you, you think, you know, hey, CUI exists and it can be anything that we put on a weapon system or we make as part of a defense contract that goes in a broader thing. But if you look at the National Archives, if you have for law enforcement purposes, if there are any, you know, sexually illicit photographs that are collected and maintained, those can fit a CUI category. If you’re working an archaeological dig pertaining to anything with any of the Native American dig sites that exist around the U.S., and if you take technical scan data, you can technically put a CUI category to that data. There’s even, if you have old historic landmarks and data that reside on National Registry of Historic Buildings, those can fall in a CUI classification and registry.
So it’s one of those things that if you are a small business doing any sort of federal contracting work, first thing I’d encourage is look at the data and make sure it actually aligns to what the National Archives has in their CUI registry within the defense subcategory or what DOD has as their CUI types.

Greg Schaffer: Now, this is a side question that’s totally unrelated, but can you call it DoD anymore? Does it have to be now DoW?

Andrew Staton: I mean, what’s sad is, Greg, that’s a good call out because…

Andrew Staton: I’ve been so used to calling it DOD since…

Greg Schaffer: I know, we’re always going to call it DOD. So I have a feeling that, you know, the branding change there, I’m hoping people won’t take a stick and beat me over the head with it. But…

Andrew Staton: Well, I’m not beating you over the head with it. It’s just something that came to mind. I’m like, I don’t know if I can adjust to that anymore. But, well, and…

Andrew Staton: Oh, go ahead.

Greg Schaffer: I’m sorry.

Andrew Staton: I was going to say, I’ve heard people have been referring using the two interchangeably. So that’s been the approach I’ve been attempting, you know, to adopt has been, you know what, if I’m using DOD or DOW, you know, we’re talking about the same branch of the federal government that handles all of our armed services and things that go boom.

Greg Schaffer: Yeah. Yeah. I don’t know if that’s going to end up being an issue or not, but it’s definitely something that I think I’m going to be more cognizant of reading things. And maybe unlike on LinkedIn, I might just troll folks and just say, don’t you mean Dow instead of Dodd?

Andrew Staton: Yeah, twice.

Greg Schaffer: I would do that just to mess with people. But I want to pivot back to something else. And this is actually really important to me. And I know you mentioned it to me when we were first talking about doing the podcast scheduling. And just as a bit of background, folks that are familiar with the podcast know that I spend the third segment talking about podcasts. to keep yourself healthy because it’s very stressful in our industry. And that genesis of that question comes from when I was a CSO for, uh, well, at the time it was, uh, Metro Nashville, which was a very stressful job for me, which was, uh, also not the most fulfilling at the time. And I internalized the stress, and the only way that I really dealt with it is that I probably overconsumed, wasn’t an alcoholic, but was a self-medicator without a doubt, which is not the correct way to do it. And it also kept me away from God. And that’s why I ultimately quit drinking is because I realized whenever I would be like wanting to decompress, I should be praying instead of drinking. But you are working on developing a talk talking more extensively about mental health for cyber professionals. I’d love to hear more about that, where you’re going with that, and really just some more details that can help others as well.

Andrew Staton: Yeah. So a bit of background in, you know, if for people that are watching the podcast, you can go and look on my LinkedIn and see. But for me, I’ve always struggled over years with my own mental and physical health. So one of the things that’s part of my story is, you know, I grew up in a split household. My parents got a divorce when I was in middle school. And, you know, even when I was younger in third grade, my family, we went through an apartment fire and we lost everything. So as a response to those different traumas, I took to eating good food as a coping mechanism. And, you know, it was one of those things that if… I’d always had been big. At my heaviest, I weighed about five hundred and fifty pounds.

Greg Schaffer: Wow.

Andrew Staton: And, you know, like it was one of those things that, you know, I already had was I want to say predisposed to having those issues. But, you know, growing up with some of the just life experience and just kind of trauma inherent to those things, you know, growing up with a, living through, you know, the wreckage of an apartment fire and a parent’s divorce, that’s going to take a toll on any kid. I don’t care how well adjusted or, you know, how well off.

Greg Schaffer: Absolutely.

Andrew Staton: Yeah. And then throwing into that, you know, pursuing a career in cybersecurity and such, I was predisposed. And, you know, so from high school, I was really heavy. And then coming in, started working in cybersecurity. And, you know, when I was stressed at work, I would just sit there and go, man, I’m going to go eat and I’m going to eat a good bit. Yeah. And that became a coping mechanism. And then, you know, I would say a little over a year ago, you know, probably towards and I had had a couple spurs where I tried to do stuff to lose weight and better my health, but would start that would go for four, six months and then would just sputter and I’d regain the weight back. And, you know, one of the things that for me is trying to figure out the mental health piece was, okay, if I want to be better mentally and be better in my spiritual health, you know, Greg, you and I’ve talked a little offline. We come from the same or very similar Christian faith backgrounds. You know, I needed to be willing to take care of myself. So, you know, for me, it was started to really make some adjustments. So part of the impetus for this talk I’m developing and Lord willing, I’ll be able to have finished and submitted a conference here in the near future really came from like, man, what are some things I wish I would have known as a junior IT and cybersecurity professional to help and

Andrew Staton: You know, one of the things that’s key to that is, you know, as a cybersecurity professional, it is great for us to have community. Like I’m a part of the North Alabama ISSA chapter. I love the ISSA chapter. I love my technical peers here in Cyber Huntsville. But, you know, you need to have a grounding in community to have some human elements that pull us away from the computer screen, away from the world of endless vulnerabilities and CVEs or changing regulation and landscape to help ground us that, hey, the world, you know what, right outside our windows today, the sun’s shining. There is hopefully grass growing. You know, Greg, you and I are here in the South, so we’re in the false fall number two at this point.

Greg Schaffer: Yeah, it’s like eighty degrees outside right now. It’s like it’s wonderful, but it’s like, yeah, it’s false fall.

Andrew Staton: Well, we went from I guess it’s still summer number three. Maybe we could call it two. So I mean, it’ll go back and forth and we might get a week of fall, late November, and then it’s just going to be freezing.

Greg Schaffer: Yep, yep, yep.

Andrew Staton: So, you know, it was really for me, a lot of that talk’s kind of trying to take a look back and reflect at, okay, to Andrew at eighteen years old, what do I wish I would have known that could have helped me to not avoid some of the issues, but to better equip and tackle them?

Greg Schaffer: Well, I know that, uh, it’s interesting that you frame it that way. And, and so I’m going to walk down that path for a moment. If I, if I was to talk to my younger self, um, and I had some similar experiences, my parents divorced when I was three or four or something like that. So I kind of always grew up in that environment. It was normal to me for my middle brother. It was harder because he was older. Um, um, but, um, I know for me, uh, uh, I was very insecure. And if I could go back in time, some of the things that that I thought were so important weren’t, particularly when you’re a teenager and teenagers I don’t know how teenagers today do it with the pressures of social media and all of that. I know for me growing up as a teenager in the seventies and eighties, it was difficult. But a lot of the difficulty was me putting pressure on myself. I didn’t really need to. I think maybe, you know, they talk about being comfortable in your own self, in your own shell, who you are. Is that one thing that comes to mind with regards to mental health?

Andrew Staton: Absolutely. One of the things that I had always been kind of ashamed of physically, my body, how I looked, how I was perceived. In high school, that was a major issue, and even in college. And One of the things that was a bit of a, I don’t want to say a lie, but one of the factors in the back of my head when I went and had the bariatric surgery last year to try to help me, give me a tool and resource to lose the weight and start to keep the weight off was that, man, once I lose the weight, the self-confidence issues, that stuff’s going to go away.

Andrew Staton: And one of the things, so for context right now, I weigh about two hundred and fifty pounds.

Greg Schaffer: You say you’re half the man than when I last saw you. We were talking about that before we started recording. And I’m like, no, you’ll always be a full person to me. But I know what you mean. It’s like, that’s amazing.

Andrew Staton: And like one of the things that was interesting is like now at the weight I’m at, like, you know, me and my wife, we’ve we’ve had conversations with our marital counselor about, you know, for me, one of the things I’m having to adjust to is body dysmorphia. Like, you know, I’d spent years being so used to that. OK, I had rather large hands and there was a lot of like the button up I’m wearing here. There was a point where, you know, just to kind of show a bit like at the base of my wrist, it was tight up here. And having to mentally adjust to… that shift physically, that, okay, how I carry myself physically isn’t the same. And one of the things that I’ve had to continuously remind myself, and I say this to peers similarly in cybersecurity circles that might struggle with, hey, I’m not doing well in my job, or hey, I’m struggling with the shifting regulations, or man, I’ve got a client that’s just kicking my tail. Is that, you know, for us all in the cybersecurity community and really just as human beings, our worth isn’t defined by how we look. It’s not defined by what we do. You know, like, Greg, at the end of the day, you and I, we could have our titles taken away from us here at this moment. But our worth isn’t found in that. For us, us too, our worth is defined by our faith.

Greg Schaffer: Well, and I’m glad that you walked down that path because as you were talking, and I had already formulated in my mind, doing what you’re not supposed to do. It’s like, okay, what am I going to say next while you’re still talking? But I did do that. I wanted to say, in all honesty, it’s like, I mean, I recognize that you were a big person. Don’t get me wrong. But I never saw that. It was like with you, I’ve always known you as first and foremost, a very nice, approachable person. Second, a cybersecurity professional. And then third, when we started to talk about faith stuff, a brother in Christ. And then these are the things that when I think about Andrew that define me. physically never came into play. I mean, it’s not denying it. It’s just that it was no importance with it. And I think that you’re right. We get so hung up on one little thing that we, we, we lose the sight, no pun intended of, of what other people perceive you as. And that is such a key to gaining or regaining that healthy mental aspect.

Andrew Staton: Absolutely. And it’s also one of the things that, you know, I will say that it’s understated in, you know, like as a cybersecurity professional, being able to get outside of our bubble and engage with our community around us does a lot for mental health. You know, one of the things that you’ll see if I move out of the way, I have a bunch of model kits.

Greg Schaffer: I noticed that.

Andrew Staton: Yes. And I actually picked that up in twenty nineteen when I was working my first real job in cybersecurity and I.T. My therapist at the time recommended, hey, Andrew, why don’t you pick up, you know, model kit building? Try doing something with your hands that’s tangible, that, you know, if you want to throw on, you know, a sermon, he recommended a couple faith-based podcasts or, you know, some various worship music playlists. Like, you know, do something with your hands while nourishing your soul. And that… you know, something that I still will do as a coping mechanism. That’s actually a, I will say hobby, potentially addiction, depending on who you ask. Um, but me and my wife actually have a bunch of model kits that we build and work on together just because for both of us being able to do something with our hands that has tangible results helps to unwind.

Andrew Staton: Um, I also, nowadays, I spend some good bit of time volunteering at a local nursing home and do some prayer service type stuff with some of the residents. And one of the things that’s nourishing just to me as a professional is, you know, getting to sit with some older, some older people that have different life experiences and hearing stories. Um, one of my favorite things, and I’ll, I’ll tell you when, when I was talking with some clients, they asked about, man, what’s the highlight of, of your week been? It was, you know, I was pastoring two churches here in North Alabama at the time. And, um, You know, we were doing Holy Week services at a nursing home and did a Monday, Thursday service. I can’t remember if it was Monday, Thursday or Good Friday, but it was me and yet one of my close friends came over to help me with the service. And we pulled and did a, I think it was Good Friday. And we pulled an older liturgical service from an Anglican common book of prayer. Just because we wanted to try to find some worship style that was close to what the residents may have grown up with. And we got to sit after service and man, the service was great. Had a lot of fun. My favorite part of it was after church. One of the residents there grew up and she was a kid in England during the Blitz in World War II. So she sat there and was telling us stories about, you know, what it was like during the evacuations, the bombing raids. And one of my favorite moments was, you know, sitting there and she looked at me and, you know, and I was wearing a clerical collar. So she looked at me and she’s like, you want to know the worst thing about it, Reverend? And I’m like, what’s that, ma’am? She’s like, I went through all that nonsense and I didn’t even get to go to Narnia. 
Referring to, you know, she took her story and immediately recontextualized it that, okay, me and my buddy, we probably knew the closest impression until we had heard her stories was, you know, the opening of The Lion, the Witch, and the Wardrobe. And… you know, if as a security professional, being able to get outside of the digital realm and connect with humanity around us, with other human beings, I mean, that is the greatest bit of mental health advice I can give is, man, find some time to mentor some students. Go visit with some of your local nursing home. Find something.

Greg Schaffer: Yeah, get outside of even your security folk bubble. Stories like the one you just told and the stories that both young and old, um, can, can, can provide. I know for me, it’s like I, I, I’ve been very good, fortunately, in my career, is that I don’t look upon someone younger than me as, as, as like inferior just because they have less life experience, because quite honestly they have more life experience in a lot of, in almost every area of life, because nobody, nobody, nobody has the same path in life. So, so talking about path in life, what, uh, what’s coming up for you? What kind of special plans you got coming up?

Andrew Staton: Well, so, um, I got married in the past, you know, six months.

Greg Schaffer: Congratulations.

Andrew Staton: I would say right now the big focus on life has been, you know, for me it had been, in addition to continuing to better my physical and mental spiritual health, was, you know, really, really trying to make sure that me and my wife get settled in, that, you know, we’re laying a solid foundation for our marriage. And, you know, that has been kind of, that has been priority number one for me. You know, that’s because it’s one of those things that if, if I didn’t take the time to be willing to sit and recognize that, hey, this is a major life change. I need to, we need to be able to walk through and enjoy that season. Um, you know, that can cause some major headaches down the road. Um, you know, it’s one of the things that’s been interesting with that’s been, you know, I started my job at def cert. Um, so six months ago, started at def cert, started, we, me and my wife moved into or got a house and then we got married all in the span of a couple of weeks. So, you know, there’s, there’s been a lot of life change, um, you know, one of the things I’m hoping with, I now have a little bit more bandwidth. So I’ve got some projects that I’ve had on the back burner that I’ve wanted to do. You know, wanting to do a talk on mental health, really kind of the nexus between cybersecurity and mental and spiritual health. Like, okay, what are the things that if a security practitioner is trying to look for resourcing to help them better their mental health or things that can help them, you know, navigate the crises in the world around us, you know, that could help with that. And, you know, that, that’s something that’s been really, really kind of burning on my heart and in the back of my mind. Um,

Andrew Staton: So other than that, I mean, I’m hoping at some point, I think, Greg, we first met at BSides Nashville when I first started working on a little thing called Roll for Incident Response, which was a conversion of D&D fifth edition to NIST 800-61. I believe 61 is the incident response handlers guide. If I’m wrong on that citation, I trust LinkedIn will call me out. I’m not going to edit this. I’m just saying. Yeah. But want to pick that back up and actually flesh that out as a full educational resource and try to make that available to the local school. Make the school and resources and practitioners just because, man, tabletop exercises that are slideshow and death by PowerPoint, you might be able to satisfy the compliance checkbox, and you might get some actionable data, but if you’re able to actually engage your audience, I find that you get a lot better, not just data to work with and remediate, but it’s also a lot more pleasant to get genuine engagement and buy-in from all parties involved.

Greg Schaffer: Yeah, because you need that. That’s the whole deal. It’s like checking the box is great and fine and necessary, but getting the engagement, building the muscle memory is so important with tabletops. I know we could spend a whole other podcast on that. I almost did ask a tabletop question, but I’m like, no, I wanted to… wanted to pivot into the mental health. Well, I got to say, Andrew, it’s just been an absolute pleasure catching up. The one thing I will say about marriage is that you lay the foundation, but also recognize that people change and sometimes not at the same rate. So it’s communication and God, but not in that order. It’s God and communication. That’s the secret sauce. Everything after that just becomes gravy. I appreciate you coming on. Sorry, we didn’t get a chance for both of our reasons to not catch up in Huntsville at National Cyber Summit. But what do they say? I’m going to be back down there. It’s just down the road from me. It’s about an hour and a half down sixty-five. So looking forward to chatting again in person sometime. Congratulations on the on the on the on the marriage and congratulations on the health initiatives and everything that you’re doing.

Andrew Staton: Absolutely. Greg, it’s great to catch up with you. I know me and Emma, we actually have some plans to go up to Nashville here in the next few months.

Greg Schaffer: Well, the next time you’re up, let me know. On the way up, you’ll pass by Franklin. That’s where I’m at. Maybe we’ll get a chance to catch a cup of coffee or something.

Andrew Staton: Sounds good.

Greg Schaffer: Well, thanks again, Andrew. Everybody, stay secure.

Andrew Staton: Thank you.