Hi, I’m Greg Schaffer and welcome to the virtual CISO moment. Dave McKenzie joins us today. He is a seasoned cybersecurity leader based in Scotland. He is the co-founder and director of Damn Good Security. Dave, thank you so much for joining us today.

Dave McKenzie:
Thanks for having me, man.

Greg:
Well, we’d love to start as we usually do. I want to hear about, uh, your journey, your history, how and why you got started in this wonderful technology space and what led you to, uh, what led you to being in an organization, which with such a damn good name.

Dave:
Yeah. Uh, the, the, the name is you either love it or you hate it. If you hate it, you’re probably not that much fun to work with. So, um, so yeah, but how did I... I wanted to be a pilot. I wanted to be a spaceman, right? Let’s face it. I want to be a spaceman, like as a kid. And then I get told, no, no, you need to be a pilot and go through the Air Force or Royal Air Force and stuff like that. And I was like, right, okay. So then I went off and I went, all right, okay. And then I started to learn to fly, as part of the Air Cadets, stuff like that. And it was like, there’s an awful lot of writing here. And my handwriting is terrible and I hate handwriting stuff. And so I had to pivot. And then I went, all right, okay, well, what’s the thing that doesn’t mean you have to do lots of writing? And at that time, you know, like computers came along and started hitting, like, the education streams. They were hitting, like, businesses and stuff like that. So I ended up in IT because I was a bit of a geek and I hated my handwriting. And that ended up being that. And so for years I did IT support, just helping. I mean, originally I was writing Access databases, uh, random mail, like, like mail recording, and like payroll stuff and all that sort of lucky. And then at one point they had me, their company had been working on a payroll database, except it was going straight into March and April, which for us is tax year. And so basically the entire department said, go away. And I’m like, right, what am I going to do? And they went, oh, go work on the IT help desk. And so I ended up doing IT support. I really loved the whole helping people. I’ve done some really random IT support jobs. I mean, back in the day, you had to go wearing shirt and tie to every job. And so I would be in a three-piece suit crawling under absolutely manky desks.

Greg:
I know, been there myself too.

Dave:
It just never made sense. I nearly lost my tie in the innards of an auto, a cash machine, an auto teller at one point, you know, like I’d tucked it in and these machines on the inside are just cogs and suction and stuff like that. So I did lose.

Greg:
Now that’s, that’s a good case study, a good case to make rather for wearing clip-on ties. It’s a safety feature, right?

Dave:
Safety feature, yeah, yeah. You won’t get choked, you won’t get your tie... So no, no, I tried wearing three pieces there because, like, it would always be tucked inside the waistcoat. Same, same, like, prevention. I did have long hair at the time, uh, so I didn’t lose some hair in one of those at the summit. That was painful. And then I ended up doing a whole bunch of really random IT support jobs. I worked for Motorola at one point. I was in the fab area, so you’re trying to do IT support on a three hundred and fifty bucks, like, Compaq machine that’s connected to some etching machine that’s in the fab that’s etching the insides of microchips. And you’re like, right, if that thing’s off, it’s like seven hundred and fifty thousand dollars an hour if it’s off, and you’ve paid three hundred and fifty bucks for the machine that controls it. And lots of random stuff like that. That’s why I spent, like, the year two thousand on a hill looking at one of the Motorola plants with everybody taking bets on whether it was going to explode or not, uh, because we had absolutely no idea. Um, and so yeah, and so I carried on doing IT support, and then I ended up joining RM Education, which does a massive amount of support for schools in the UK. Um, and I was doing the IT support, like customers phoning up with all the, where’s the any key? I have spoken to, like, six-year-old children who could work the computer better than the teacher. And when you’re talking someone through a command prompt, see what can they ping and what can they not ping, and you end up getting put onto a child, you’re like, this is a really weird experience. But education, because the way education is, it’s one of these not well-funded, and quite often the IT manager in the school is the last person in the staff room to say no. And so you end up with lots of really insecure networks. And so over time, I ended up being the security guy.
I ended up doing an absolute ton of incident response and building proactive monitoring across hundreds of schools and stuff like that across the UK. Like when WannaCry came along, I had like eight thousand machines I was going to patch on a Sunday afternoon. I was like, I pushed the button. That’s not going to work. There’s hundreds of them each year. Oh, right. Because otherwise it was just completely impossible for us to, like, in a timely manner, patch them. And it was just a, it would kind of cost a fortune. And yeah, they just, so I ended up doing that. And then after a while, an ex-colleague from RM Education reached out and said, you seem to be doing security stuff all the time now. Do you want to come do it for real? And that’s how I ended up across in Quorum Cyber, which at the time was a startup. And the MD at the time, Fede Chirosky, interviewed me. And I turned up in my suit. three-piece suit, tie tucked inside. And yeah, it was like, and he told me that he hated me during the interview. And I thought that’s, that’s, I’ve never had that in an interview. And I went, I want to hire you for two different jobs. It was like, oh, right. Great. It then proceeded to give me a whole bunch of grief about wearing a suit and tie when they were like startup city, you know, everyone’s sitting in shorts and t-shirt.

Greg:
Well, you know, sorry to interrupt, but I was going to ask about that. It’s like about wearing the suit and the tie and the three-piece there, particularly to a startup. And has it made a difference or not?

Dave:
For me, if I don’t know what the culture is that I’m walking into, you have to kind of go with what was normal. And so for me, it was, when you turn up for an interview, you wear a suit and tie. And for me, a suit is a three-piece suit because I’ve just ingrained to tuck that tie, and it also covers an absolute, like, ton of sins when it comes to shirts that are too baggy or not and get creased and stuff like that.

Greg:
Well, so, so it’s always better to be conservative when you’re dressing for interviews as opposed to...

Dave:
It is, uh, yeah. I mean, I’ve done, I’ve done a ton of mentorship around people, and like they’ll say, they go, oh my god, you wore a tie. You’re like, see, when it’s normal you don’t think about it. Everyone, oh no, I would choke. You’re like, no, not unless it gets grabbed and shoved down the machine. But yeah, for me, it’s the people judging appearances. And so if you’re walking into an unknown, you have to kind of go with something vaguely conservative. And if they’re in certain industries, that means shirt and tie. In other industries, it means, like, something business casual. At worst, I would go, right, okay, maybe do a polo shirt. But that would be, I would do recon on the actual company to figure out what they expect, like what do they wear. Because, as I’ve said, like, no matter what we do, our job is to communicate things. I mean, we’ve got engineers that actually push a button, but once you’ve stopped pushing the button, everything else becomes about communication. I interviewed a thousand people that want to be a pen tester. I want to be a pen tester. Do you like writing reports? What do you mean? Well, it’s all well and good popping a shell, but if you can’t tell people why that matters and what you did and how to fix it, then you’ve not done anything of any use whatsoever. You just had a bit of fun.

Greg:
It’s funny that you mentioned that, and I know, I know I’ve already derailed, like, the intro. We’ll get back on it in a second. But one of my, one of my interview questions that I’ll frequently ask is, I’ll ask folks, now this is kind of dated, but it’s the example I always use. It’s like, so, so what’s, what’s port twenty-three used for? You know, the book-smart folks are always like, well, yeah, that’s a, that’s a thing called Telnet. OK, well, that’s good. Why should you block that at the firewall? And then a lot of times I get that deer-in-the-headlights look, where it’s just like, you know, you’re taking the knowledge, but you’re trying to apply it, like a very simple answer about it not being encrypted. That’s where sometimes I think that we fail with regards to how we train folks. It’s like you said, it’s communicating not what we do, but why we do it from a business perspective, why it’s so important. And I was so enthusiastic about what I just said there that I shook the desk and the camera shook. Yeah. Anyway, back to Quorum. I’m sorry about that.

Dave:
Yeah, so Quorum ended up being the, right, okay, be a consultant one day and run the security operations center. And that was, whenever you work with startups, startups are amazing to work in. I mean, there’s a whole stress of, you know, in six months we’ll have a job because it blew up. You know, like, you know, somebody walks in and says, good news, we don’t have any money. Yeah, you also, that’s where you, like, if you are looking in your career to move and to move upwards, a startup gives you such wide-ranging extra visibility into bits of a business. Absolutely. You can immediately go from being quite technical with a little bit of consulting to having everything plus a ton of business knowledge. And I learned so much about product management and a whole bunch of things that just never came across my desk before. And so it really fills you out and immediately then go, right, okay, you can do a really big step up from working in a startup in a quite small job as long as you roll your sleeves up, pitch in, and learn. And so I learned an absolute ton in Quorum. I took the guy that thought he was really good at security and IT and then went, right, actually, there’s a ton more to learn and that stuff will always keep going. Uh, and yeah, it’s one of those, one of those ones where doing security for real, it was all the thought was going to go in and immediately, I mean, yeah, I had a couple of staff that means like, oh, he’s not really a security person, uh, ’cause he’s a manager, because he used to do it. Uh, and once you crush their souls and all their motivation and give them crap work forever, they leave. It’s great. But no, I mean, sometimes you just end up with people that just will look down their nose at you because you didn’t do a cybersecurity degree. And I’m like, right, but what? So communication, massively important. 
And one of the things I taught everybody that ended up working for me in Quorum was just about the communicating and looking after each other is the most important thing. Because I had a guy that asked me, is it okay if I have a longer lunch because the new iPhone’s out and I want to go stand in the queue inside the Apple shop? I’m like, it’s the middle of the day. Is there anything urgent on your desk? No. He said, well, I don’t care. Cool. Good luck. Because I know by giving somebody that flexibility and that empathy about their wants and their needs, that when I phone them at two o’clock in the morning going, I know, you know, this particular type of system and we’ve got an incident, that they’ll answer the phone.

Greg:
Absolutely. That’s that sort of conversation, that sort of relationship building with your staff and with your coworkers. I think it... One of the worst things that my boss once said to me, this was at a job that was the shortest tenure, as soon as I could get out, I did. But I remember him telling me once, I was in the CISO position, he said, your job is not to make friends. Because I would talk to people about things beyond, like, the security stuff. And I’m thinking to myself, you know, my job is to make relationships because that’s how security works. I need to earn your trust. I need to be able to talk where I’m not like a person that’s going to say no or someone to be scared of all the time.

Dave:
Yeah. I mean, yeah. I mean, if you’re not approachable, then people will not tell you things when you probably need to know them.

Greg:
Exactly.

Dave:
I mean, yeah. And that’s every time I do something like cybersecurity awareness with a company or something like that, you just sit and they go, hi, and you put the friendliest face on. I mean, I could walk in face like a thunder and start shouting at everybody for not being secure, but that’s not going to let them, that’s not going to bring them to my door to sit and say, hey, we’re thinking about doing this. What do you think? Uh, because you need that, or you need that, I, I’m too embarrassed or frightened to report the fact the mouse is moving by itself. No, I mean, you’ve got a whole company of eyes and ears, better than any SIEM monitoring that you have out there, or EDR, or whatever.

Greg:
Yeah.

Dave:
Yeah, people, people will know. They might not be able to, they might not be able to, like, tell you what is wrong, but they will tell you that something doesn’t feel right. And they have to feel comfortable enough to approach you. And whether that’s like, you know, Genie in the back office or whether that’s somebody inside your own team, they have to have that trust that, you know, you’re going to listen to them. So, yeah, massively important.

Greg:
I have to ask you, too, one item in your past that we didn’t touch up on yet is you’re the head of infrastructure and steering committee member for the COVID-19 Cyber Threat Coalition. What was that all about?

Dave:
Well, yeah. So we suddenly all had to work from home. So yeah, there was a few different bits and pieces. And as you’re trolling Twitter, as it was back then, and LinkedIn and stuff like that, and you’re reaching out and making conversations, people started to want to volunteer and help in some way. And the cyber coalition was one of two that I joined. The other one, I ended up not doing anything because I ended up focusing all my time with the threat coalition. But basically, we wanted to create a CTI feed for hospitals, for everybody, that basically said, if there’s a COVID scam or somebody using COVID-type lures or anything around the pandemic, we basically wanted to create a threat intelligence feed that would help everybody. And that was, I think there was a couple of thousand people in it at one point. Like it was just, and everybody wanted to help. Nobody really knew what to do. But one of the guys that was the kind of, he never really wanted to be the chief, but I ended up saying, right, OK, let’s try it. If other people are doing some dodgy hackback stuff and other people are doing incident responses for free for hospitals and things like that, that stuff’s covered by them. What can we do that would affect as many people as possible? And so we ended up having this. There was dozens of companies just gave us their stuff, like from AlienVault and OTX, there was just tons. We had a full automation that somebody sent us that this is a potential dodgy link. We had a massive automation that would go and check it, clean it all up, and then pump it back out. And in the end, we managed to get it into Quad9 and into a couple of different feeds and stuff like that. So tons of people actually were being protected by what we were doing without even having ever heard of us, because Quad9 DNS, if you used it, it just never put you anywhere near the bad stuff. And so we were feeding that. And that was absolutely amazing. 
I have absolutely no idea how I ended up being... I was head of infrastructure because loads of people were running around with bits. I was like, look, stop, everybody. You need to, like... We’re building really big stuff. It’s all really exciting, everybody’s moving really fast, uh, but we need stuff like passwords. So 1Password immediately jumped up and, hey, here you have stuff. Great. Uh, and so, you know, we’re building that, and it just ended up being the, right, if somebody needs something infrastructurally-wise, you’re in charge. I will then do X, Y and Z to make things happen. But to be honest, yeah.

Greg:
Oh, I, I love that because, um, obviously, uh, the whole COVID period was very weird in some ways. And a new thing that I hope that we don’t have to quite experience. And it kind of brought out a lot of good info. So there was a lot of, like, this particular example of volunteering to do something well. But unfortunately, and I’ll just touch on this, I’m not really going to go down the path of discussing it, but, um, it, in some ways it went the other way as well. And what I’m particularly thinking about is this one group that I won’t name, but they’re, they’re a security networking group and it’s, it’s, it’s more like a marketing thing, like a for-profit. They sponsor things and, you know, vendor sponsor, and they get security executives together and have a party or whatever. And the person who was leading it at the time asked me, because I was somewhat involved with it at the time, what’s something that we can do? Or no, I think that the way it was approached was, what do you think about us getting some security leaders together and creating some sort of a slide deck or something, or some sort of a resource that then we can offer at a certain price point to small businesses that are having issues? And I said, yeah. Why don’t you just give that away for free? Everybody is like, why are you trying to monetize something that is screwing up everybody now?

Dave:
Yeah, we did that at the end. So once there was a, it was such a great group of people, including a whole bunch of people that started, because everyone was working from home, we all of a sudden started seeing people doing this a lot. I had this standing desk. It’s had different tops over the years, but, you know, it still goes up and down. But, yeah, people walking in meetings on the walking treadmills. So, and you’re just sitting there going, I was like, yeah, I need to get my steps in. You’re like, great. And apparently, like, it was Sophos. A whole bunch of them at Sophos were involved. They did tons of things. but they were all on treadmills in the call. So it would be like in a call every couple of nights and you’d have people that were like, and you’re sitting going, I don’t know how to, it’s hard to make eye contact and talk to people over video. Right. I mean, that’s, that’s, that’s why in-person meetings work a lot better for some things.

Greg:
That’s true.

Dave:
Well, even worse when you’ve got somebody like, you know, like, I don’t like, do I, And you’re like, no. And apparently they were doing like, thirty, forty miles a day on these treadmills. I mean, like some of these guys were like in apartments in New York. I mean, we had people all over the world.

Greg:
I tried to do that. I’ve tried to do the walking treadmill. And if I don’t have something to hold on to, I, I, I lose my, stuff like that, and typing away. And I’m like, I mean, like, like you’d end up getting to, like, pan their camera and she could see exactly how things are set up. And, uh, yeah. And then there’s the bike thing as well, for under the desk.

Dave:
Yeah, I, and like you’re sitting going, yeah, that just makes the table wobble slightly, and their heads wobble as well. And you’re like, yeah, that was, but that was one of the really strange things. I don’t know how much exercise you actually get from one of those things.

Greg:
Yeah, I mean, me neither. Uh, but I mean, it’s just so...

Dave:
He’s out of puff a lot of the time. I mean, because we catch him at the end of his working day and he’s already done like twenty, thirty miles on this thing. And so he’d be like absolutely exhausted. And I’m like, again, it comes down to everybody says exercise, everybody says jog or something like that. And then you get the next thing that comes along and says, oh, my God, people that jog will have no knees or hips or ankles. And you go, yeah, everything in moderation is fine. what you should do, walking on a treadmill continually that amount. You’re like, that cannot, that must be bad for tendons or joints or something. But yeah, the COVID…

Greg:
Or maybe even spatial awareness because you’re walking, but you’re not really walking. Your mind should expect you to be going forward, but you’re not going forward. And I don’t know. I think that might screw with the mind. I can’t run on treadmills. I often joke. We talked about this beforehand. I say this joke before every podcast when I’m… briefing the guests. It’s just like, I don’t like to go over thirty minutes because I envision people listening to this on a treadmill, and I just think it’s cruel to be on a treadmill for more than thirty minutes. If I go to the gym, I spend time on the thing, but I’ve never been, I cannot run. It just doesn’t work for me. I know plenty of people that do and really enjoy it, and I’m just sitting there, and I’m like, no, it just doesn’t do it for me. But I think the The podcast on the treadmill is a really nice warm-up stroke and cool-down. Like once I start to go and do weights or something else. But I can’t listen to Joe Rogan on it. It’s like that’s four hours on a treadmill. I can’t do that.

Dave:
I don’t think you have to stay on the treadmill until the podcast finishes.

Greg:
Oh, okay. There is freedom. Okay. Let me get back to the stuff that you’ve done and what you’re doing. I want to hear about what you’re doing at Damn Good Security. First of all, tell me about two things. First of all, how did you come up with the name? And second, you have, and I don’t know if this is specifically with Damn Good Security or if it’s just you in general, but you describe cyber risk reducer, that, that’s one of the ways you describe yourself.

Dave:
And so that is easy. That one is the, um, we were after, do, building, I mean, I did Quorum and then went off to National Grid, that span out the National Gas in the UK, and I built the security operations from the ground up there. And that was, like, massively interesting, stressful, and like insane budgets with weird strings attached and things. And you can’t go out for dinner with anyone without fear that you might get called up by the regulator. But it was a very bizarro world. But after that, I had missed, when I worked with Quorum very in the beginning, I got to work with lots of small businesses, because your startup, you’re, you’re not getting the X hundred thousand contracts. Instead, you’re doing small businesses, medium-sized businesses. And I missed working with them. I love working with lots of different types of businesses and finding out what makes them tick, because, yeah, I was speaking to somebody that works in the space industry. And I was like, oh, it’s space industry, brilliant. And my brain immediately goes to risks. What risks do you have to worry about? IP theft, China, physical damage from, make rocket fall sideways, all these sorts of things. And I was like, right, I’m good with that. And I was like, right, so again, so that stuff must be like stress. The biggest stress is finding the satellite after we’ve launched it. I’m like... Apparently, they launch a satellite and it can take them two months to find it afterwards.

Greg:
Really? I mean, you would think these things would have like an air tag on them or something, right?

Dave:
Yeah. And I was like, no, no, I’ve seen movies. I know that, you know, there’s a basement in the States somewhere where somebody’s tracking every nut and bolt that’s flying about in the mess. And they’re like, nah. Absolutely, it’s somebody, it’s somebody who’s, like, about thirty-five years old, yeah, yeah, a, a, an addict to Mountain Dew and Doritos, and, um, and oh yeah, yeah, they are the communications hub for the world and they can see now. If you, if you are wanting to send an RF signal anywhere in the world, that’s another problem. Because as your satellites go round and round, you’re crossing lots of international boundaries. And so if you’ve not paid the license in each place, you get jammed straight off the bat. But no, apparently when they launch a satellite, they’ve got a cone trajectory of where it will be released. They know where it’s going to be released and then it goes out, but they don’t really know what speed it’s going to go out and exactly, you know. And so apparently it takes up to two months to find it. And I’m like, that is, after all the work that they do, and we had a chat about the fact that their PCBs are all printed in opaque plastic nowadays, so that, to reduce intelligence gathering on what the circuit board looks like and stuff like that. I was like, oh, this is really interesting. And he hits me with this, oh yeah, and then we need to find it. I’m like, I never. This stuff is fantastic. And you go, right, okay. And so working with lots of different businesses, and when I worked with, when I worked with Quorum, we were trying to do the seven small businesses, three mediums, one large, to keep a balance. You don’t want to put all your eggs in one basket, even as a startup. If somebody comes along and says, hey, there’s a tendency of big businesses to find boutique security firms and go, yeah, if we become your biggest customer, that means you will do anything we say. And that’s a danger to derailing your business in the way you want to. 
You never want to have more than like, I’d say, fifteen, eighteen percent of your.

Greg:
Oh, yeah. Yeah. When you’re when you’re.

Dave:
Yeah. And it was, and we always thought, as the company grew, the definitions of small and medium, and you’ve got different investors coming in. And so your definition of small starts going up and up, to the point where I was like, right, okay, but we’ve kind of lost small. And then of course it went off and did National Gas. And that’s like, it’s as big as, you know, you’re likely to get in terms of threats and things you’re going to build. Uh, I was like, right. And because I dragged a couple of guys around with me on these kind of, uh, voyages, um, we went, let’s go build something that does small and medium and only does the big ones to pay for the small ones. So, you know, go and do a big FinTech job. That lets you help the really small, like e-commerce and all these sorts of things. So, yeah, it’s about Damn Good Security. It was the brainchild of three of us. David, Gerard, Scott. DGS, and then they went DGS, and one of our spouses went, Damn Good Security then. Here’s our initials.

Greg:
I was trying during that entire story to try to get ahead of you to figure out how you were going to bring it home, and I’m like, I have no idea where this is going.

Dave:
It’s one of these ones where we wanted to build this small, we wanted to build this thing, and we wanted to focus on these particular types of customers, which is an interesting challenge to say the least at times. But yeah, the actual name just ended up being essentially the initials of the founders, which is kind of

Greg:
So is getting back now to Cyber Risk Reducer, because I really thought that the DGS thing was going to be a very short segment and then going on to—

Dave:
Cyber Risk Reducer is easy. I go and find your site, look at risks from a cyber point of view, I mean, that’s my specialty, and then make those risks smaller. That’s what all of us in cybersecurity or infosec, that’s what we’re there to do. We can’t make it go away short of cutting all the cables and covering it in cement. So ultimately, yeah, I want to find the risks and then work on each one individually to make it smaller, as small as possible. That’s, but...

Greg:
Do you see that being prevalent in our industry or not, as private...

Dave:
Oh no, we get completely caught up on this, the, by the shiny. Uh, fine, find the, the, we get, our industry is clickbait. Uh, and that’s, that’s, it’s a pet peeve. Uh, because we’re always chasing the latest headlines. We’re always doing that. And for me, if CrowdStrike will release some report on X, Y, and Z, one, when I was working with CNI, I knew half that stuff already. I just wasn’t allowed to tell anyone, which you’re like, well, it’s a bit meh. But it ends up being that, right, okay, yeah, we’re all going to go chase that. We’re all going to chase this problem. We’re all going to chase this particular patch that needs to go out. And if you’re continually chasing the next thing, you are losing your strategic program. You’re losing what you’re actually trying to build in an organization. I mean, I’ve seen security teams that just chase, chase, chase, and they still don’t know what Genie in the office does, you know?

Greg:
And, and I think, I think sometimes the soapbox that I stand on that’s related to this is when we tell people that, oh, you need to do X or whatever. You need to do something. You need to do multi-factor. But you’re never explaining the why behind it. You might put in a little bit of FUD, fear, uncertainty and doubt, and say, oh, if you don’t do this, then your car will explode when you turn the ignition. It’s like, or something ridiculous like that. Never really giving them an idea of what the relative risk is. Because, like, like I’ll have, I’ll have discussions with folks, sometimes disagreements about the, the... Well, here’s one example, about the juice jacking with USB ports and all that in airports and all that. Yeah, it could happen. Yeah, it’s very possible. But when was the last time, when was the first time that you ever heard of that happening in the wild? It just never happened. And so we’re spending all this time telling people not to plug into there because that’s the worst thing in the world. And, you know, you’re going to, your head is going to explode if you do that, but without conveying the idea of risk instead and letting them make the risk-informed decision.

Dave:
Yeah. And I think one of the big problems behind it ends up being that We’re not even just the boy that cried wolf all the time. Because people go, all right, I’ll follow your advice. But in your juice jacking example, they then turn around and look at everybody that’s getting a charge on their phone from these things going, but those people all seem fine. And I’m sitting here with no charge in my phone and I need help. I need things. And that’s a bigger risk. You’re telling me no.

Greg:
Yeah, of course it is.

Dave:
If you just don’t go, right, okay, I now can’t get on the plane because my tickets are on my phone. I have no charge. But good news, the Chinese haven’t hacked my phone via the USB cable.

Greg:
Amen. So good.

Dave:
Yeah. Yeah, Cyber Risk Reducer is about looking at those things. I mean, I try to avoid the kind of FUD presentations. I mean, I get asked to do them occasionally, like if you do a keynote or something like that. Even National Gas went, you can have three minutes to talk in front of everybody. And I’m like, right, I can’t even get on stage in three minutes, but okay. And they’re like, okay. And then I’m doing a talk around the, they wanted like your phone, the signals coming at your phone, the signals coming at your car. And basically they’re sitting there going, look, we can track, we’ve got access to all of these things. Your car can tell whether you’re having an affair. Here’s a whole bunch of things. But are you going to not drive a car anymore? And it is about, right, okay, if you are doing something stupid that the Chinese can blackmail you into compromising your critical national infrastructure, the problem is not with your car, it’s what you’re doing. It is the, right, okay, and if you are doing that stuff, then go come clean, because you can’t be blackmailed if everybody knows about it, no matter how embarrassing it is. Go come clean.

Greg:
That’s why I watch Holy Peace. I’m like, you know, you can go ahead and get me. I don’t have anything, you know? It’s like, this is it, you know? Yeah, the wife got most of it in the divorce. I don’t have anything.

Dave:
People, and this isn’t as prevalent now, but people that are like so upset or so worried about, well, I don’t want to be on a podcast because I don’t want people to have my voice and maybe they can record it and clone it and this and that. I’m like, I’ve done the whole, I’ve cloned the CEO voice from a, like, you know, ten-minute podcast and stuff. I’m saying, yeah, but the point is, and this is one of the big things outside of risk reducing, is that I have this panacea. The thing that I want to get to is to have a company that no matter what one person does with their keyboard and their mouse and the clicky-click-click, that cannot affect the rest of the business. If you can build that, if no matter what, if Genie in the back office clicks on some invoice from a supplier that’s had business email compromised, whatever. But she clicks on it and the PDF does something horrible to her machine. That cannot affect what the business does. That’s why the solution will never, ever be solely human. It’s just like, it’s never.

Greg:
No, it cannot be. It’s a processing. It’s not a technology thing. I mean, everybody goes, well, what we’ll do is we’ll go and buy a bigger, better phishing protection system. We’ll hammer people with phishing. People will click. Anyone that says I won’t ever click on a phishing email, liar. It’s going to happen no matter what awareness training you have. On a bad day, bad time, somebody will click on the thingy. These things are impossible. AI coming along, making it. I’ve had that whole, even before AI came along, I’ve done with incidents where the bad guy is talking for months with someone on a compromised account and then goes, oh, yeah, and the bank details have changed, here, the details. And then X hundred thousand walks out the door. If you can rearrange your processes so you never have that exposure.

Dave:
Yeah, I mean, yeah, I mean, and post-COVID was a big problem for that because everybody suddenly went home. And so I was asked to review an incident for an insurance thing. I was looking at going. It was horrible because business email compromised, money went AWOL, and they went, right, what went wrong? I said, well, all the incident response went horribly wrong because the IT firm was doing it. And they did have one IT guy that went, this looks a bit funny, but he was, no, that’s not important. But it was, the process was, if somebody asked for the bank details to be changed, go around and speak to the lawyer in charge of the case, the conveyancer in the case, to approve it. But they were suddenly all at home. And so she went, oh, right. And they didn’t have phones. They were basically just hitting people with Teams and email. And of course, the bad guys already got the internal lawyers. So when she emailed, is this OK? The bad guy just went, yes, yes, it is. Thanks. And so at that point, the money goes away. And so she ends up losing her job because she didn’t follow process. And you’re like, well, that’s harsh because of the whole COVID thing. But the process was already in place to protect those funds, but it wasn’t followed. And if you add the process, right, and that’s cyber risk reducing, quite often it’s about the process, whether it’s the process of teaching people, whether it’s processes in the business. And yeah, you know, nobody has an asset inventory when I start, and you’re like, right, okay, go and do that, but getting the process inventory, that’s the one that ends up being the… And they’re like, why? Because I need to know what are your critical processes. It’s easy to spot a critical asset because you’ve probably got all your stuff on it. What’s your critical processes? Because I need to map your protections to your processes. The assets are secondary to the processes because if the process has a backup, then the asset becomes less critical as well.
I can spend less money fixing it.

Greg:
Yeah, but still, all of this stuff can be incredibly stressful. I know we carry a lot of stress in what we do just by nature of how we do it. And I always encourage people to step away sometimes. The job should not be your life. You need to decompress and hopefully do it in a positive way. So I always love asking people, and I’m going to ask you this. Dave, what’s one of the things that you do to decompress from all the stresses associated with what we do?

Dave:
I like to hunt people at night and murder them. I know. For me, dog, like, walk the dog. Got kids, so it’s like go forth and do art with the kids or something along those lines, you know, just sitting there going. I’m a massive Denver Broncos fan, Broncos, so that, you know, for part of the season that works. Lego and nerdy stuff, so it is just the, right, okay, you can push it all to the side and just go, yeah, it doesn’t matter. Something involving clever engineering and Lego, because my brain has to then focus on that and is really interested in the physical interplay between things. So I actually find that is quite a good break from the billion threats with a threat on top of that one with the, but what if this happens? Following a simple set of instructions and then marvelling at a clever piece of engineering or the fact that, you know, inside this set here, they’ve actually built a little thing there. And you’re like, oh, wow, that’s like, nice. I also analyse just how much crap Lego decide to go, oh, like, that could be, like, you put three bits there, that could be one. But you wanted the piece count up and then, yeah, I start ranting about the commercialisation and things. But ultimately, yeah, definitely something that you can do with your hands and your brain. I mean, there’s a guitar in the corner that I badly smash about with, and yeah, I mean, yeah, to be honest, the guitar normally comes out, you know, when I’m bored and people go, we can hear you. But yeah, it’s something to do as far as like fingering and all that stuff. Yeah, I mean, it is. It’s just like that. But ultimately, so, yeah, go find something clever that takes your brain completely away from what can be. I’ve dealt with people hacking kids’ cancer charities. That does not leave you with a good taste in your brain at the end of the day. No. You’re like, this is just, oh, how could people be like that? So find nice things.
I do tons of stuff in the cyber community about helping people in their careers and things like that. But that is about telling them to go find hobbies. So my hobby is telling people to find hobbies.

Greg:
Yeah. Yeah. So future plans, what future plans does damn good security have or what do you have or do they dovetail? Do they dovetail?

Dave:
To be honest, for the last couple of years, I’ve been quite quiet. So, you know, working away, I’ve done less talks, less events and stuff like that because I was getting slightly jaded and burnt out. I mean, when you do the critical national infrastructure stuff, that’s a lot. Hey, that is a, what’s a bad day look like? And they immediately start, really, it’s X billion a day, this many people will die, you know. Oh, right, that’s a lot of stress to make sure that you’re putting stuff in right. So yeah, basically just continue to build, like helping small and medium-sized businesses, and to be honest, yeah, I’m down now to go and do like three or four different talks. I think I’m going to Romania next year to do a talk. Never been to Romania. I’m like, yeah, why not? Because it literally just went past in CFP. I’m like, yeah, I can throw in one of five different talk ideas. I’ll have to figure out which one I submitted and then go and write the talk. But yeah, doing stuff like that and getting more back into… the public eye again, I suppose, to be honest, because I’ve been quite quiet with building the business and stuff. And I’m like, right, okay, let’s go do, because meeting people on the road, finding their businesses and stuff like that, that stuff’s just fun.

Greg:
Yeah. Well, good. I appreciate the time. It’s been a great conversation. I apologize to folks on treadmills that might be listening to this because you had to do that. Faster, faster. Yeah. Go faster. Otherwise, we’re going to keep on talking and you got to keep on listening. So it’s like it’s too bad. But no, Dave, I really appreciate the conversation. Fascinating stuff. Great talking with you. I also appreciate you filling in when I had a cancellation at the last minute. We’ll have to do this again sometime because I got a host of so many other things I’d love to talk to you about. Just never got to. But thanks again.

Dave:
Anytime. Thanks.

Greg:
And everybody stay secure.