Greg Schaffer: Hi, I’m Greg Schaffer, and welcome to the virtual CISO Moment. Today’s guest is Travis Whitesel. He is a cyber threat intelligence professional, educator, and cybersecurity consultant with a diverse background spanning military intelligence, academia, and private consulting. Now, he currently serves as a cyber planner with the US Northern Command while also working as an adjunct instructor for Pikes Peak State College. And it’s a mouthful right there. And leading Victory Cybersecurity Consulting, where he focuses on helping underserved organizations and sectors like sports, health care and academia strengthen their cybersecurity posture within real world budget constraints. We all know about those. He’s also completing his Ph.D. in cybersecurity and holds several professional certifications, including the CompTIA Security Plus and Network Plus. Travis, thank you so much for joining us today.
Travis Whitesel: Yeah, thank you for having me. I’m stoked to be here. I love your podcast, so I’m just excited to be here. So thank you.
Greg: All right. Now I’ve got like three fans. That’s awesome. I appreciate that. Well, and I do appreciate, too, we are actually recording this on a Monday instead of a Friday, and I appreciate your interest. your willingness to move it off a day because I had a chance to do some volunteering. I’ll be completely transparent. I had a chance to do some volunteering outdoors, helping to build a mountain bike trail or rather helping to fix a mountain bike trail. And that that’s one of my passions, one of the things that I do to help decompress from the stresses. And we’ll talk about that later. But before we get to all that, as always, I’d like to hear your story, Travis, how and when you got started in cyber and just bring us all the way up to what you’re doing today.
Travis: Yeah, absolutely. So a bit of a winding path, if you will. So military career started in two thousand and ten as a intelligence analyst. And I did mainly geopolitical and strategic intelligence, which is looking at how governments operate and things of that nature. And then it wasn’t until two thousand and twenty that I was able to switch to do intelligence support to cyber. And that started out as cyber threat intelligence. And at that point, I only had my master’s in national cyber or national security studies and with a concentration in cyber. So I had familiarity with how nations plan to leverage cyber capabilities. I never understood the actual tactical understanding, if you will, or the frontline defender understanding. And that was really an educational moment for me to bridge strategic to tactical is what I would call it. And from there, I said, hey, I want to continue doing Intel support to cyber. Unfortunately, it just wasn’t in the Army’s plans for me. So as a result of that, I switched over to cyber warfare technician as a complete job change about two years ago. um and at which point uh when i was i started my phd around that same time during that transition and my main focus was in sports academically and i began to notice a tremendous gap between cyber security and then traditional security domains for sports and it was extremely concerning So that really is what spurred Victory Cyber. My wife heard me complain many nights while doing research, talking about why don’t they do this? And, oh, this is a huge vulnerability that the sports industry has. She said, well, why don’t you fix it? i said well yeah that’s a big problem but she has a business background um and that’s what started victory cyber consulting was actually um her her and her business acumen saying hey you have the talent to fix it let’s let’s try to get after this problem set together so that’s that’s kind of where i am now i work at northcom um doing more strategic cyber again helping plan and things of that nature um But yeah, and then I come home from work as we were discussing a little bit earlier, come home from work, take off the military uniform and then put on my victory cyber hat and my dad hat and I do that until I go to bed and wake up and do it again.
Greg: I love the fact that you’re you you found a problem you saw a problem and and with your wife’s prodding you you you you you’re diving in to help fix it because ultimately um when i when i i i often ask that question it’s like well why did you even want to get into this field and and the incorrect answer is money and unfortunately it’s like a lot of people um they they got drawn into cyber like a few years ago because it was very lucrative and uh i’m of the opinion that if you don’t have a passion for it you don’t feel like you’re making a difference then then you’re going to get burned out really easily and you’re you’re making a difference with with victory cyber what’s what’s like give me an example of like one of the things that you have helped solve in victory.
Travis: Yeah Absolutely. So a common misconception in the in the sports industry, at least that I’ve noticed, and I’m sure many cybersecurity professionals have heard it from maybe executive individuals. And it could just be a lack of knowledge or ignorance about cybersecurity. But they when I talk to them initially, they say, hey, we don’t need we don’t need any help. We have an I.T. guy. Right? And it’s, hey, you know, IT is a little bit different than cybersecurity and it’s understanding the nuances of that. The way I kind of describe it for the sports world, at least, is your quarterback is kind of the IT infrastructure. They’re leading everything. They’re implementing changes and calling the plays, if you will, to meet business objectives. cybersecurity is kind of that left tackle. They’re probably the second highest paid individual on the team, and they’re there to protect that quarterback because that’s your moneymaker. And that’s the way I’ve tried to describe it to them, and depending on what kind of sport person I’m talking to, if it’s not a football university, it’s a basketball university. I’ll change that a little bit, but that’s the way I’ve thought about it. And then the secondary thing that I’ve helped solve is really – And it’s one of the things that were in the questions, you know, the read-ahead was education. Education in the sense that with NIL, which is a name, image, and likeness now for college athletes, allows them to get paid and it’s great. I’m a huge supporter of NIL. However, with that comes inherent risks that I don’t think the sports industry completely understands yet. When you look at the value of an athlete, an individual, I think us in cyber, we would call this like executive protection teams or things of that nature, where you have a dedicated cybersecurity analyst to that CEO, because they’re the high value target, if you will. With this advent of NIL, you have multiple college players within a sport making two million dollars a year, if not more. And they’re walking around with the value of a small business fiscally, if you will. but none of the protections. So.
Greg: And they’re usually quite young, too.
Travis: Absolutely. Yeah. When they’re very much inexperienced, you know, and and they go from like, you know, like maybe minimum wage or something if they were working a job to like, you know, all this money, it’s like that would freak anybody out.
Greg: Yeah. And then you got to think about the how a threat views that the data hasn’t been published yet, I think just because NIL is so new. And then another issue With anything cyber, for those listening, understand if you’ve done academic research, no one ever wants to put their dirty laundry outside. Right. So you’ll never know really, hey, how many phishing attempts were targeted at this player? Were they breached? And the only way you find out if they’re breached is if a bad news headline comes out and things of that nature.
Greg: Yeah. So that’s really what the two things I would say is education and then just fundamental understanding of the difference between IT and cyber. So I like the visual image of the quarterback as IT and the left tackle as information security. But I got to ask, in that model, who’s the threat actor? Is it the other team or is it the refs?
Travis: Yeah, sometimes it could be both, right? Yeah. I would view it as the defense with, you know, they have an edge rusher. Some teams have better edge rushers than others. And that could be a cyber criminal or a nation state. And then the refs, the refs, I kind of view in no disrespect towards compliance. But, you know, it’s kind of.
Greg: Yeah. I love it. I love the whole analogy thing. That’s going to stick in my head. And, you know, we often say in cyber and I’m not really a fan of this statement because I think it oversimplifies it. But having said that, I’m going to bring it up now. It’s like that, you know, we have to get it right all the time, every time. And the bad guys just have to get it right once. I think it’s an oversimplification. But now I’m looking at it from the from from every time that I think of like the missing it just that one time, not getting it right. That’s a sack.
Travis: Yep, exactly. It’s like I see quarterback’s helmet flying off and all that.
Greg: So thank you for the, probably for the rest of my career, I’m going to have that image. But I want to switch gears for a second too. And while you were talking, I thought about this question. And yeah, I think it is kind of related and sort of like the prep stuff that we were talking about, but more specifically. And I want to preface this by saying I’m not going to ask you or I’m not intentionally asking you anything that you cannot talk about. But one of the things, of course, that we’re worried about today, given the geopolitical situation, are attacks from Iran. And we just had the striker issue happen this past week. How serious, in your view, is that threat and what can businesses do to help combat that threat?
Travis: Yeah, absolutely. So anytime you’re dealing with nation states, right, it’s always going to go right to the top of the the the worry list for sure. Priority lists really of, hey, how do we combat some of these more advanced techniques that may be out there that may be employed against us? And I will say. Iran is definitely, as they’ve proven, to be a worthy opponent within the cyber domain, right? And the Stryker instance really is the most prominent one right now, I think due to the heightened awareness of Iran’s cyber capability.
Greg: Well, plus anything that affects healthcare seems to get more traction, so.
Travis: One hundred percent, immediately.
Greg: I did find it interesting with the wiper malware, particularly, There was a lot of confusion that I was seeing on some of the social media, LinkedIn and all these kinds of things, executives wondering why this was such a big deal. And to get into that Intune and kind of just erase all end devices where you’re trying to log in in the morning and you don’t even have an image or you’re using your work phone and it’s a blank image of an iOS.
Travis: Yeah. I mean, if we think about that at scale, that’s terrifying because you don’t have to get to each endpoint. You just get to the to the cluster or this the center of gravity where all those things are held.
Greg: Yeah, it’s a brick.
Travis: I mean, if we think about that at scale, that’s terrifying because you don’t have to get to each endpoint. You just get to the to the cluster or this the center of gravity where all those things are held. But Iran, I think they understand because before Stryker, you go back a few years, they were targeting water facilities. Those kind of critical infrastructure is really what it is. And I think they understand. that maybe militarily they can’t match blow for blow, but in the cyber domain, it’s kind of an equalizer, to be honest with you, because the civilian aspect, like you said, medium, really any business that operates within the United States, uh it it becomes a bit frightening because nobody is safe you don’t know who’s going to be targeted um so you need to make sure like you were just discussing they only have to get it right once we have millions of companies within the united states so um i mean i’m sure from your experience and the listeners experience you’re like There’s there’s problems at the end of the week that you say, hey, that’s a Monday problem. And then you come in Monday and all of a sudden you have a striker situation and you say, oh, that should have been.
Greg: Well, I mean, that’s risk management at the core. You can’t address everything. You’ve got to figure out the best way to prioritize. And your prioritization is never static because the threat environment is always changing. And so, unfortunately, that’s actually the reason why I don’t care for that statement too much about you have to get it right a hundred percent of the time, because no, you don’t. And no, you can’t. It is impossible to get it right a hundred percent of the time. And I think it’s a little bit of a lazy way of trying to talk to executives about it, particularly when you have executives that have, and particularly in the smaller businesses and smaller organizations that you and I both deal with, I mean, they’ve got unlimited, I mean, they don’t have unlimited funds. Not to say that larger organizations do, but typically you get people like your Fortune their CISOs have teams of like dozens, if not hundreds of people. And then you’ve got an SMB that has a team of one and they may be doing other stuff as well. So how do you, How do you help those organizations prioritize and make those decisions so that they can effectively use their security budget as small as it is to the best of their ability?
Travis: Usually what I do is I have them map out the terrain and say, where is your center of gravity? If you got hit with a cyber attack on one piece of equipment, for example, and the whole business goes down, that’s where we need to prioritize. um the the end points to me hey we can re-image something tomorrow we can we can isolate that and re-image it or or do whatever we need to do to protect it but understanding within your network where all the data is flowing right and and those are things as a one-person shop with minor uh sometimes even freeware you can you can measure that almost immediately to understand hey this is the no crap, I can’t lose this piece of equipment because if I lose it, then it’s done. The business ceases to operate. So that’s one of the big things that I’ve helped several small businesses do is kind of just map that terrain and understand, hey, where is it going to inflict the most damage if it does hit you?
Greg: And when you go through the data mapping exercises with them, at least maybe you found the same as well. I’ve seen this before. Often you find data that’s residing somewhere and you ask the question, well, why are we keeping this? And you get a lot of the, well, I’m not really sure. Well, what do you need it for? Well, we don’t really need it anymore. Then why are you keeping? I don’t know. I never thought nobody ever asked me that before.
Travis: Yeah. I often tell the one to three person shops I work with, hey, it’s going to be a bit of spring cleaning. You’re going to see your storage space maybe go from five hundred gigs to four hundred. You know, it’s one of those things where and it’s just because I don’t think when you’re a one to three person shopper, whatever it may be, a smaller team, and you’re constantly in that daily grind of protect or die, because that’s what all cybersecurity professionals kind of feel like, I imagine. There’s so much going on to where you say, hey, I wish we did have a smaller text surface or less files to worry about and things of that nature. And the other portion of that I find that we struggle with in the community is really communication. And it’s finding that common example or way to put it into layman’s terms to an executive, like we were just discussing a little bit left tackle quarterback, you kind of have to reach their level to communicate, Hey, you know, if we did get rid of these old PDFs that have the, that use Adobe, uh, or whatever that has this known existing vulnerability, we could, we could help ourselves here, update whatever the case may be.
Greg: Well, I know from my perspective, I’m guilty as this as well, because I was brought up, I guess, as like, I won’t say that necessarily with a pack rat mentality, but it was always like, well, you don’t want to throw out something. I’m one of those people that have really a couple of those boxes of AC adapters that I have no idea what they go to. And yet I can’t bring myself to throw them out because I might need it sometime. I’ve got cables there too. It’s like RS-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E-E- Yeah, exactly. So so you can give me the risk argument to that. It won’t hold. But if you give someone the risk argument about, well, you’re holding on to these PDFs that have vulnerabilities in them or you’re holding on to paper documentation, you’re holding on to whatever that you don’t really need anymore, but you are incurring risk and not getting any reward. That seems to get traction, though.
Travis: Yes. Yeah, one hundred percent. And then it’s interesting, right, because you bring up that mentality for yourself and I’ve you know i’ve i’ve talked to executives that say hey like i need this file from from i don’t know two thousand and eight or two thousand and ten because of x um and it’s like hey you can now consolidate all of these files to get to one singular master document that’s updated whatever the case may be but then you try to apply that mentality you think across an organization with two hundred people maybe hundred people if everyone has that one mentality of like kind of a packer out right or i need to keep this i need to keep this that risk like you just said there’s increment it’s death by a thousand cuts essentially where you’re you’re just incurring small levels of risk maybe for each uh user.
Greg: Exactly. Well, it actually multiplies. But I had a little smirk there when you were writing. It’s like I just came to the realization that yet another thing has been ruined in life. I’ve said before that with PCI, it’s like, you know, they talk about the attestation of compliance or AOC. Well, I can’t say AOC anymore because it’s been ruined by our esteemed member of Congress. But the same thing here, you just said, well, you know, they’re keeping it because of X. And I’m like, I immediately went to Elon Musk. I’m like, I hate you, Elon. Because my first thought was like, why are you keeping it? Are you going to post it on Twitter or something? I mean, it’s stupid. I know. But really, it does come down to mindsets. And that prompted me another thought. This goes back to military because I’m former myself. And I like asking folks questions. i like hearing stories about what they have taken or maybe in your case continue to take from the military that helps you in your civilian background and i don’t necessarily mean what you’re doing technically with the military i mean the just the whole environment the lifestyle the mindset what’s something that that you’ve brought over from there?
Travis: Yeah it’s um I would say patience is probably one of the biggest ones. Patience is up there. And then trying to, I guess it would be build cultural bridges within cybersecurity. And I don’t mean that necessarily from an ethnicity or anything like that. cultural bridges and building common understanding of problems. In the military, CTI was a bit more challenging in the sense that intelligence professionals are focused on army problems, right, for the army. And cyber is a separate domain to the land domain, if you will. So you have the land domain, which is army, then you have the cyber domain, which is cybercom. And we We obviously are affected by it in the military and the army and we account for it. But growing up from two thousand and I joined in two thousand and ten, it was terrorism. Right. So we focused mainly on terrorism and geopolitical things that that could cause the next terrorist wave to occur. So for that, I wasn’t great at networking as we discussed or anything like that. It was something that I had to go and learn. But we keep these job fields separate. So intelligence is separate from a seventeen series, which is cyber, which is also separate from a twenty five series, which is signal. So for civilian terms, it would be your I.T. guy, a cyber defender and then an intelligence professional. And what I’ve found in the civilian world is they expect these unicorns to kind of appear in these jobless things that I’m seeing, at least with to do everything. yeah cti analysts they want you to be able to identify a nation state and from that identification go all the way and fix it um when in reality there’s there’s so many levels within there um when it comes to from the military side of processes right and that’s that’s what i’ve really patience and processes is probably the two biggest thing is that um with processes You don’t really need to rely as much on the technology is still obviously very important, but procedurally the technology is just giving you an output. The process relies on the human to to create that action. And I’ve seen that as a as a big issue from military to civilian as well as that.
Greg: Well, the AI will do it or Um, you know, we, we need to invest all this money in all of this technology, which speaking of small to medium sized businesses, we need this technology to do X or else we can’t do it. And it’s not necessarily true. It’s a process that you’re missing to create the action to with the having the technology help. Absolutely. Absolutely. But you can still shorten that gap due to your budget constraints by, by implementing this process. Well, and I think that this is a good place to point out that no technology is going to solve your problem. It’s how you use it. And with AI, it’s all about those who understand how to use it. When I say AI, I’m talking generative AI, the chat GPTs and all that. You don’t want to ask chat to solve your problem. You want to use chat as a resource so that you can solve the problem. I like to equate it to like being like a, if you’re in counseling or something like that, it’s like counselor can’t solve your problem, but they can help you solve your problem. It’s almost the exact same thing. And yeah, you don’t want, that’s interesting, your takeaway. What I was thinking about as you were talking is early on in my career, I landed in a job where there was one person that wanted to, wanted to keep information to himself. That was perceived as sort of like a way for job security. But it’s like, no, I need to know what you know. And you need to know what I know. We need to talk. And my takeaway from my time in the Air Force was like, it’s like, we need to talk. We need to have the processes. We are doing this together as a team. There is no individuality here.
Travis: Yeah. And it’s funny that you say that because in one of the questions about that we discussed earlier with the education and workforce development and things of that nature, I actually have networking as one of my ways to solve the talent gap. And I think it’s something we do. We’ve gotten better at in the military. on the Army side as a warrant officer, you know, we’re considered shadow governors and technical experts and all these kind of things. And it’s a small cohort of technical experts. But I know I can call any one of my fellow warrants to say, hey, I’m seeing this problem and I’m out of rounds, dude. I have no idea how to solve this. And they’re like, oh, that’s easy. Have you done this? I’ll send over the documentation I created two weeks ago about this. I ran into this and it’s like, Well, yeah. Awesome. You know, networking is so, so very important in our field. That’s one of the reasons why I like LinkedIn, but I won’t go down that rabbit hole. But it does help to deflect some of the stress that we have in the field. But it is a stressful field. And, And certainly, you know, being a co-founder and, you know, I founded my business nine years ago. There’s a lot of stress involved with that as well, too, because suddenly you’re learning how to actually be a business person, which was something that unless you got like an MBA, you’re not taught how to do. You just kind of learn as you go. So I encourage folks that they need to. decompress from the stresses in our field. And for those of us who are entrepreneurs, that additional stress, and what’s one of the things that you do, Travis, to decompress from all of that stuff?
Travis: Yeah, so with two kids, number one is I usually play pretty princess with my daughter. When I get home, it’s a very simple game, but play board games or color with her. With my son, I might pick up the switch or something like that, or go kick a soccer ball. um and then really i walk i walk my dog at night i’ve started doing that about a month or two ago nice little two to three mile walk uh get outside and touch grass as they say as they’re saying nowadays yes yes go out and walk barefoot in the grass that’s from pretty women the movie so yeah right yeah it’s one of those things i think um we oftentimes want to come home and if there was a problem i know i suffered from this a good amount but if there was a problem at work i couldn’t solve i’d come home open the laptop immediately and start researching that and it’s you got to kind of take a break yeah um from all of it and let your brain rest because then you’re just like you we talked about burnout there are several academic studies now in the last three years that um cyber security professionals have one of the highest burnout rates um and on top of that mental health they see the most mental health professionals or cyber security per personnel because They’re stressing themselves out a lot.
Greg: I was there myself. I mean, you know, I saw a mental health professional like fifteen years ago. That’s how I was talking about the counseling. It’s like I understand how that all works. And but yeah, and you’d lose you lose effectiveness the more you were like attacking a problem. It’s like you’ve got to shut it off and then approach it fresh the next day. Well, part of it is that when you shut it off in your subconscious, it’s still kind of like we’re in around back there. But you’re not letting it bother you. So you might wake up the next morning, you’re in the shower, you’re like, I got it. I figured it out. It seems like it comes out of nowhere, but your little stuff back there has been working in the back.
Travis: Yeah, one hundred percent. And I think it’s one of those things where when you do walk away. You can you can kind of like you said, come back to it and you’re like, oh, it’s just like doing a puzzle. We were like, hey, I was missing this piece. And you take a step back and it’s like, oh, fell on the floor. But the carpet and see it with the carpet and then the networking piece on that as well. I can’t speak highly enough of networking where it’s like the NBA, the co-founder piece that you’re talking about, where it’s like, I don’t that is not my acumen. no but i call buddies who are going to university for their mbas or whatever and i’m just like hey i am struggling with this oh send me over this document and i’ll critique it and stuff like that so that also as humans we need to rely on other humans to help carry our burdens sometimes and that’s normal that’s.
Greg: Yeah and we need to also remember that that that more often than not, you’re not the only one who’s going through something. Everybody’s going through something at some point in time and, and most people tend to hold it in, but it’s okay to talk about it. It’s actually a measure of strength to talk about it. Cause then as you were just saying, you can get some other resources in to help solve a problem, whether it be like something more academic, like an MBA type of question, or if it’s something like I’m, I’m, I’m dealing with this stress, how, what’s, what’s, what’s a way that I can deal with it. So. But what kind of future plans you got down the road there as far as the business goes and other stuff?
Travis: Yeah. So as in four to about four to six years, I’ll be be ready to retire from the military and really start doing victory. I think full time is is the goal is. This next year is going to be attending conferences, getting our names out there, working on building a threat Intel platform for sports and stuff like that. Just a lot of moving pieces at this point. That’s really where the future for us is going at VCC is getting to more probably universities considering their attack surface. They’re the people dealing with one to two people IT shops that are also I’m allegedly also a cybersecurity professional. So we’re there to help them out and get them on the right track.
Greg: Yeah, I can relate to universities. I was a networking and security guy at a university for twelve years. So there you go. I understand it.
Greg: Well hey drivers all that sounds very exciting um looking forward to keeping up with what all y’all are doing uh both you and with victory and how that how that emerges we’ll have to have you back on when you got some more stuff going with there but it’s been a pleasure talking with you it’s like these things for me you know i looked at the timer and i’m like we’re already past thirty minutes you know it’s like um but i i you know i could do one or two things i could i could you know, well, I could extend the, the, the time, but I’m like, well, then now people start to get bored of my voice and all that. No, it’s, I think it’s great to have it, you know, exactly this length because we get in a lot of good stuff and we may have more stuff to talk about. I may ask you to come back on at a future time.
Travis: Yeah, absolutely. So I’d be. Appreciate your time out here, man. Yeah, absolutely. Thank you.
Greg: All right, everybody stay secure. Thank you.