Greg Schaffer: Thank you. Hi, I’m Greg Schaffer, and welcome to the Virtual CISO Moment. Mike Gropp joins us today. He is a senior offensive security consultant at Solasec. He is also a cybersecurity instructor with Applied Technology Academy. He is also an authorized offensive security instructor and a Black Hat USA trainer. Earlier in his career, he co-founded Global Companies, served as a chief compliance officer, and spent over a decade working in China. Those experiences have clearly and strongly influenced his pragmatic, business‑aligned approach to security today. Mike, thank you so much for joining us today.
Mike Gropp: Thank you so much for having me, Greg. It’s great to finally be here. I’ve read your book and I was like, I need to talk to Greg. And then here we are.
Greg: Well, and as we were saying before we started recording, you not only read, but you also helped as one of the beta readers, which I very much appreciated. You called out a few things that I was able to correct that made it a stronger product. So I very much appreciate your help with that. And one of the things I love about doing this series, the Virtual CISO Moment, is that I get to hear and learn more about folks that maybe you wouldn’t learn from LinkedIn or just from casual discussions or something like that. And in the process of prepping for this, I have come to learn that you have quite an interesting journey, from how you got into cybersecurity to where you’re at today. So why don’t you take us through that from the beginning, and you might even talk about a hundred miles in there at some point in time, or a hundred and sixty‑two miles. I’m sorry.
Mike: Well, yeah, well, I mean, it depends how deep you want to go with this. So I’ll just start talking. If I get a little too detailed or off the rails, then feel free to, you know, tractor beam me back in, beam me up. I was born at a young age, like many of you. Just kidding, I won’t go that far back. But no, I—
Mike: I once started for English class—I’m sorry, see, now I’m going off track. Ninth grade English class where they told you you have to start general and get specific. And I started by saying, when the earth was formed four billion years ago—she’s like, no, that’s a little bit too general. Anyway, go ahead.
Mike: Yeah, so I won’t go too far back. But yeah, I lived in China for ten years and started two companies while I lived there. The first company was a Bitcoin exchange in 2014. I was really passionate about cryptocurrencies since 2010, 2011. Please don’t ask me how much I bought and held. Not enough.
Mike: I will say that the smartest guy I know—my brother‑in‑law—he worked at SpaceX for nine years. He now works in fusion in the Boston area. And I asked him, I said, “Morgan, I have two hundred bucks. I could buy eight hundred of these bitcoins. Do you think I should do it?” He’s like, “No, it seems like a scam.” So we’ll put that aside.
Mike: But I’ve always been passionate about the potential for cryptocurrencies and what they can do for the economy, especially for the unbanked of the world and those in countries where it’s really hard for them to have a stable currency and save money.
Mike: Since 2012, when Xi Jinping came to power, I could tell China wasn’t going to allow things they couldn’t control—Google, Facebook, Twitter, Instagram—pretty much anything they can’t control, they block. And so I thought, okay, having a cryptocurrency exchange in Beijing might not be the best place to continue doing that.
Mike: Long story short, my wife and I—she’s Canadian, I’m American—met online on christianmingle.com. We met, fell in love, she moved to China, we got married, and started a company. So 2015 was the whirlwind year for sure.
Mike: And the company we started was corporate training. I’d lived in China for five years at that point. I speak Chinese—read, write, speak it fluently. She lived around the world—seven different countries, visited forty. She speaks English, Spanish, French, Portuguese. So we had this international, cross‑cultural communication background.
Mike: We saw there was a huge need for communication. Funny enough, today I’m in cybersecurity and there’s still a huge need for communication.
Mike: So we started a communication training firm called Lead With Words. We built that up and started working with Mercedes‑Benz, Volkswagen, Airbus, Johnson & Johnson Innovative Medicine, and other companies.
Mike: And a lot of what we did actually was working with really technical people, helping them communicate to non‑technical audiences and executives. We worked with research and development engineers at Mercedes‑Benz, helping them communicate with their executives or the design team. We also worked with Johnson & Johnson Innovative Medicine scientists and statisticians who were trying to communicate with their supply chain, logistics teams, or executives.
Mike: As we were building up Lead With Words from 2015 to 2020 in China, I started using software to solve business problems. Sometimes the problems were simple, sometimes complex. For example, we had a contract that had thirteen parts in English and thirteen parts in Chinese because it was bilingual. Only the Chinese version was legally binding, so accuracy really mattered.
Mike: I started getting into Python, and my first project was a script. We’d send the client an Excel file, they’d fill in the details—contract amount, training location, banking details—and send it back. I’d feed it into the script, and it would generate a perfect contract.
Mike: After that, I kept using software to build business value. My next project was a full‑featured CRM for managing clients, projects, workflows, calendars, and to‑dos. Since I was already using Python, Django was the next logical step. I built an ugly but functional full‑stack app.
Mike: But as you build and build, you start to realize: we have to secure these things. I went through the same journey many vibe‑coders do today—Stack Overflow, Reddit, copy/paste, trial/error. My goal was just to get things working, not necessarily secure. Thankfully, I didn’t have major incidents, but I realized security mattered.
Mike: So the pivot came when COVID hit. We were in China, and suddenly all our clients shut down face‑to‑face training. It was supposed to be our biggest year yet, but everything stopped. So we said, “Okay, what do we do now?” We figured COVID would be like SARS or swine flu—maybe a regional epidemic that blows over in seven months.
Mike: So we each took a suitcase, flew to L.A. to see my family, then to Waterloo—an hour south of Toronto—to see Michelle’s family. The plan was to do business development for a few months and then return to China.
Mike: But as you know, it spread globally. It followed us. We were skiing in Quebec; the first day the mountain was open, and the next day it was closed. That was the exact moment it became clear COVID was everywhere.
Mike: We couldn’t get back into China. For seven months we faced intense uncertainty. Do we keep paying for our apartment? Most of our belongings were still there. We had great friends, a great church—our community and our business base. It was a huge struggle.
Mike: After months of uncertainty, we decided to move to Canada. And my wife—bless her—coordinated moving out of our apartment remotely. Our friends went in, labeled everything based on what she told them—sell this, give that away—and handled it all.
Mike: Our apartment had a code lock, so we just gave them the code. And in China, WeChat is a super‑app—messaging plus payments. So buyers would scan a QR code, send money directly to our friends’ phones, and they’d tell us: “We sold your bike, your scooter, this, that…”
Greg: I have to ask a human‑interest question. When you left, you didn’t know you weren’t coming back. Did you have laundry undone? Dirty dishes? Something left out?
Mike: No, no—we weren’t fleeing Egypt! Laughs. We were just leaving for a few months. Everything was buttoned down fine. The issue was that 95% of our belongings were still there, and of those, we sold or gave away probably 95%. We kept only essentials—wedding album, things like that. Basically a minimalist purge without trying to be minimalist people.
Mike: So we’re actually getting right to the cybersecurity pivot. I’d always been interested in computers since I was a kid—always cooking up something, trying to break something, or usually trying to get something to work. Installing drivers, learning about permissions, virtual machines, Linux, web apps, NGINX, reverse proxies… I learned everything the hard way, walking in the dark and fixing whatever I bumped into.
Mike: While building our company, I was the default IT guy. As I learned more about software development, I realized: we have to secure these things. That pushed me toward cybersecurity.
Mike: I did some SANS certifications through a great Canadian program called the Catalyst—they partnered with SANS. Then I discovered my passion was really offensive security, so I did the OSCP and OSEP.
Mike: ATA, one of OffSec’s instructor‑led training partners, reached out and asked if I’d like to teach the PEN‑200 (for the OSCP). I said yes—my training background and love for offensive security made it a great match.
Mike: I started doing part‑time project work, growing my skills. Then I got a job at the Catalyst, doing more training. But I wanted hands‑on work, so now I’m fully focused on penetration testing and red team work.
Mike: Meanwhile, my wife kept running the business. We pivoted into e‑learning—took about a year to create a 10‑hour course: 5 hours of video, 5 hours of practice. It became our signature “Present to Influence” program. Johnson & Johnson used it across 10–11 APAC countries. A cost‑effective way to train global teams.
Mike: So she’s running that, and I’m focused on cybersecurity. And that’s the short version of how I got here.
Greg: Just a quick business question before we dive deeper into the security side—you said you founded the business in China, but now it’s headquartered in Canada. Did you find it easier or harder to form the business in Canada versus China?
Mike: Yeah, so funny enough, there are actually two sides to that question: doing business and registering a business. Registration in China was very straightforward—fast and efficient. We registered in Shenzhen, which generally has fewer regulations the farther you get from Beijing, plus strong incentives because China has been strategically developing Shenzhen as a counterweight to Hong Kong.
Mike: Shenzhen had great regulatory setups—you didn’t need an office, and the process was quick. We still work with an agent there who handles things for us. Setting up in Canada wasn’t too bad either; we used a lawyer. I’d say the difficulty was similar.
Mike: But what we miss is doing business in China. The relationship aspect—guanxi—is pivotal. Here’s a cross‑cultural insight: in China, if you need a widget and tell your boss, “My brother has a widget factory,” they’d say, “Great—he’s family, you trust him, so I can trust him.” It’s viewed as a positive.
Mike: In the West, that immediately gets flagged as a conflict of interest or nepotism. Both systems have pros and cons. China’s approach builds trust and accountability, but yes—there’s more corruption. The Western system is designed specifically to reduce corruption, but it can shut down good options prematurely.
Greg: Exactly—corruption is everywhere, but the differences in approach really matter. And yeah, here on the Virtual CISO Moment, we’re corruption‑free. Laughs.
Greg: You mentioned your jump into coding. I love that you learned because you were solving real business problems. I’ve done vibe‑coding with Bubble for similar reasons—trying to speed up processes for my virtual CISO business. And like you said, even with no‑code tools, I’ve accidentally created security vulnerabilities…
Mike: I think it becomes a major issue. You’re unique because you’re in cybersecurity. But a typical business owner who isn’t—they’re end users of software. They care about functionality, not security. Does it work? Does it download the data? Parse it? Send the money? They’re not asking: What could happen to it? How could it be misused? How might this leak data?
Mike: So yes, I think vibe‑coding will become a big issue. And regarding your S3 bucket example—even AWS only relatively recently switched S3 buckets from default‑public to default‑private. Zapier probably made yours public automatically. So if even AWS has had to evolve, imagine small business owners.
Mike: With vibe‑coding, the challenge is speed versus understanding. You can build things fast, but you don’t always know why they work. You’ve probably seen the meme:
“It doesn’t work, I don’t know why.”
“It works, I don’t know why.”
Mike: That was true before vibe‑coding, and now even more so.
Mike: I think in the future, people will need to prompt AI to teach them what it just did. Something like: “Summarize the steps you took to fix this in a five‑minute lesson so I understand it.” That way, you’re building understanding, not just functionality.
Mike: But most people won’t slow down to learn. Some will—those with curiosity. Others will just move on to the next task. And that’s where vulnerabilities sneak in.
Greg: That reminds me—I once talked to a lawyer about something unrelated to tech. They said, “It works, but I don’t know how.” And I thought—nope! If you don’t know how, I’m not doing it. Same problem.
Greg: With vibe‑coding, I’ve been more intentional. I’ve talked with ChatGPT a lot—asking why things work or don’t work. Eventually, the patterns make sense, and I rely less on the AI. But still—if people don’t understand what the system is doing, then they don’t know when they’re creating vulnerabilities.
Mike: Oh, absolutely. AI is going to create lots of security vulnerabilities—not intentionally, but because people will rapidly build things without understanding the security implications.
Mike: There are two possible futures:
Security experts get pulled in to clean up all the insecure vibe‑coded systems.
Technology evolves so that AI starts correcting its own previous mistakes, improving security automatically.
Mike: Realistically, it’ll be somewhere in the middle.
Mike: I don’t think AI will replace people anytime soon. You still need human architects—people who understand the initiative, the value, the vision. AI right now is great at bricklaying, not architecture.
Mike: Even if AI does become good at architecture, it still won’t have imagination. Humans have the spark—the original idea. AI recombines patterns. It can produce things that look original, but it doesn’t have true inspiration.
Mike: That said, this opens up deep philosophical questions: What is originality? Are humans truly original, or are we remixing everything we’ve ever seen?
Mike: There’s a great video on YouTube—Everything is a Remix: The Matrix—that shows how even the Matrix borrowed heavily from Hong Kong cinema, Ghost in the Shell, and other works. Even our “most original” ideas come from somewhere.
Greg: I’m watching Battlestar Galactica right now—the remake. Never saw it originally because I was an original‑series loyalist. But the reboot keeps saying, “Everything that has happened before will happen again.” Nothing new under the sun.
Greg: Anyway—this has been an incredible rabbit hole. I haven’t even touched my prepared discussion questions, which has never happened in a podcast before.
Greg: And all of this is stressful. Vibe‑coding, AI, security issues—it’s a lot. I always tell folks in cybersecurity: we have to decompress. We put a lot of pressure on ourselves.
Greg: I always encourage people to de‑stress in a healthy way. So Mike, what do you do to de‑stress from the stress?
Mike: I like going to the gym—maybe twice a week. But my main thing is running. I used to be really big into running pre‑COVID and a bit after.
Mike: I’ve done 25K, 50K trail races, and one marathon. My first race ever was a marathon in the Phoenix Mountains west of Beijing. It started at 9 p.m. and the cutoff was 9 a.m. I thought, “Twelve hours? I can run a marathon in three or four.”
Mike: But trail races are totally different. I finished at 8:55 a.m. Almost missed the cutoff. I told my wife I’d be back in time for church the next morning. She was so worried because there was no cell service. I didn’t realize how tough trail races are—boulders, roots, dirt, steep climbs.
Mike: The biggest race I attempted was in Malaysia—TMBT: The Most Beautiful Thing. It ended up being the most painful thing. I didn’t make the 100K; I made it to 50K and then DNF’d.
Mike: Now I’m getting back into training. I want another shot at that race in 2027. I’ll have had ten years with that chip on my shoulder. This year I’m doing a 25K and a 50K as part of building back up.
Greg: Well, other than increasing the distance and shooting for 2027 for the 100K, what other plans do you have coming up?
Mike: I just stepped into this new role, so I’m focusing there. I’m really interested in getting more into low‑level work because at Solasec, a lot of what we do is on the hardware hacking side—medical devices, ATMs, cars, automotive systems.
Mike: I don’t have an electrical engineering background, so I’ve mostly done web app work—APIs, network pentests, all the pieces these devices connect to. But this year, I want to dive deeper into low‑level device work—pulling firmware, reverse‑engineering protocols directly on the chip, hardware‑focused offensive security.
Greg: Fascinating. Well, I love the conversation. We’ll have to bring you back in 2027 after you successfully complete the 100K—because I’m sure you will—and you can teach us about it.
Greg: And the theme of that episode will be: What I learned from completing a 100K, and how it applies to offensive security. Something like that.
Mike: Laughs. Sounds good.
Greg: Well hey, Mike, thank you so much for joining us this morning.
Mike: Good to be here. Thank you.
Greg: And everybody—stay secure.