Greg Schaffer: Hi, I’m Greg Schaffer. Welcome to The Virtual CISO Moment this Thanksgiving week. I’m excited to welcome back Chuck Anderson. He actually talked with us about a year and a half ago, in 2024, and I’m glad to have him back. We’re going to talk about some really cool stuff. He’s currently an information technology consultant with Reliant Managed Services LLC. He specializes in strengthening IT operations, cybersecurity readiness and resilience for SMBs. His background blends computer science, engineering, and change enablement. Chuck, thank you so much for joining us today.
Chuck Anderson: Thank you. Really appreciate it. Thanks for taking the time.
Greg: So I know I asked you this back a year and a half ago, but for those who didn’t get the chance to check out that episode, if you could just give us a very quick rundown of your experience, how you got started and what led you to where you’re at today with Reliant Managed Services.
Chuck: Well, I’ve been doing the consulting gig for almost three years now, about twenty of it in health care. And I have a lot of experience with a lot of different Fortune 50s. And now I’m basically a one-man shop and do consulting work to help others out wherever they’re at, and help improve environments, where I try to make them better than what I found them.
Greg: So your main focus in your consulting arena is information security for small and midsize businesses?
Chuck: I do from small all the way up to very large; that’s where most of my activity happens. I do a lot of project recovery. I do a lot of consulting, a lot of assessments and cleanup. You know, sometimes folks call me a technical debt collector, where I’m helping people with things that should have been done a long time ago. And I kind of specialize in things that are impossible, or ones that are very, very difficult. You know, somebody taps me on the shoulder and says, “Hey, can you do this?” I pull the plan together and we end up making it happen, even though we didn’t know it could happen. So we’ve made a pretty good effort with aligning those things.
Greg: So a lot’s happened in the last year and a half. You’re like one of my few returning guests. I originally had this mantra that I’m like, every guest would be fresh, would be new. And that was when I had a much more standardized way of doing things. And now I’ve kind of opened the whole experience up to making each episode is now more tailored to both the environment and the person. I guess you could say it’s kind of like an evolution of me doing this podcast stuff a little bit better. But because of that, it’s like I get to ask you a question that I’m not able to ask most folks. It’s like since we last talked, what have been like some of the major changes in information security and technology that really has impacted businesses and their operations in the last year and a half?
Chuck: Oh, wow. Windows 11 has been a big impact. I think some of the new wireless technologies have been an impact. I think AI is going to be a terrific or fantastic, depending on which way you’re at, impact. There’s something that’s moving right now that is, you know, it’s really cool to, you know, just type in a chat and get an answer. It’s the bots, and having those large models do things, that’s really going to be interesting. And when they do things good and bad, you know, you’ve got to look at it on both sides. You know, a knife is really good for cutting your food up if you stay out of the way of it.
Greg: Yeah.
Chuck: So the hard part is, you know, positive and negatives and trying to stay away from the bad stuff of it. Yeah. So there’s been a lot of movement on that.
Greg: Yeah. I tell folks with regards to AI, generative AI, I embrace it. But the way that I use it, and I think it’s the proper way to use it, is it’s just like any other tool. I don’t expect it to give me an answer and that that’s the final answer. The analogy that I used, I was talking to my wife about this last night. The analogy I used is like, it’s like counseling. A counselor isn’t meant to solve your problems. It’s meant to help you solve your problems or at least deal with it. I think that’s the same thing for generative AI. It’s treated as the beginning point where you start to have a discussion, but the way it works best for me is when it gets me to start thinking. A lot of times I’ll come back and say, hey, that’s good, but that prompted a better idea. I think, what do you think about this? Then usually chat GPT or whomever will come back and say, okay, yeah, you know, you’re right. You’re on a good path there. So let’s try to dissect that. You know, I think that’s generally the direction where it might be going. I mean, what do you think?
Chuck: Well, I agree with that. But then on the other side, you’ve got things like a particular model that tried to send an email to DHS to tell them that they found a botnet that was… doing nefarious activity, built into automatic vending machines that were connected to networks. So where it’s on its own, without being prompted, trying to let DHS know about that. I thought that was a little interesting and scary at the same time.
Greg: I was going to say scary was the first adjective that came to my mind.
Chuck: Yep. Yep. So what created that botnet, it was alleged, was a different AI that created that botnet for the vending machines, that was compromising the vending machines. So AI warfare reminds me of the old Star Trek episode where they had the two computers battling each other.
Greg: M-5.
Chuck: I am great. You are great.
Greg: Yeah, pretty much. Pretty much.
Chuck: So I’m looking at that just going, oh, boy, you know. But then you get that. And then on the other side, you’ve got like quantum computing that is like predicting data. You know, that’s a really—
Greg: I didn’t think about it as an example. Yeah, we just had a little glitch there on the Internet. Sorry. But I never thought of, like, the M-5 computer episode on Star Trek as being like a good sixties science fiction example of the dangers of AI. Because if you think sixties science fiction dangers of AI, what do you usually think about? 2001? So, yeah.
Chuck: So, well, just kind of wild stuff. But then you also have the quantum stuff, too, that’s coming up, that also can predict numbers out of thin air without them actually being there or being attached to math. Have you seen any of that?
Greg: Can you? Can you kind of back up and explain, at a very basic level, what quantum computing is? I’ve got sort of like my gel idea in my head a little bit, but, I mean, even down, I think, literally to the atomic level, what is it, and why is that something that we should pay attention to?
Chuck: Well, the fun part is, it’s really, really cool cutting-edge science. We don’t really know all the pieces that it will affect. Like when lasers were created, we thought one thing would happen, and then that plus a thousand other uses came out for lasers. So quantum computing is a way to generate answers that, you know, with our current technology, look like cheating, okay? So you give it the question and you say, hey, what’s the answer? And instead of having to do all the math to figure it out, if you cool it down far enough and put the certain conditions in and that kind of stuff, the theory is the answer will come out the other side without having to do all the work to get it. And that’s really the layman’s abbreviated version of it. And they’ve gotten it to work with, I think, like eight bits so far, that they’re able to put eight bits in and then get an eight-bit answer out that works. And they’re like, how did this happen? And then they’re figuring out, it’s like things you can attach to a quantum state on this side and just magically appear on the other without any communication between the two. And it’s really kind of spooky stuff when you get there. But the biggest danger from the quantum computing right now is encryption. Because you can drop a 4096-bit key into it. Theoretically, you know, you scale it up. Right now we’re doing two and eight bits or whatever. But if you get enough of these devices cold enough, you could drop in a 2048-bit key or 4096-bit key, and on the outside of it, you get the private key out of it. So the public key goes in, private key comes out, and then you can decrypt everything that was encrypted with that key. And it’s all open public text at that point.
So there’s two different aspects happening currently right now. Nation states and very smart government people are racing to build more quantum computers. And on the other side, there’s also nation states with giant hardware arrays that are just hoovering up and storing encrypted traffic that’s on the internet.
Greg: So that they can decrypt it later on?
Chuck: Yes, sir. Yes, sir. So the keys, they’re expecting all the RSA keys today to be compromised within X number of years. Some people say ten years, some people say twenty, some say thirty, but there’s pretty much a relatively good consensus that it’s going to happen with that. So the way how you can get ahead of it is encrypt the data with a different kind of key. The encryption methods and processes and stuff still work, but there are efforts and some early standards coming out right now to change from RSA or, I say this wrong, the curve encryption, the elliptical curve, yes, I can’t say that, to change from those to a quantum-safe encryption standard. And a couple of them are coming out of DARPA and, I think, which one’s the one who does all the standards? Not ISO, it’s the other one. NIST. NIST, yeah. NIST has got the most compatible set of encryption standards that they put out, and, you know, there’s some numbers behind it because, you know, it’s NIST. But there’s basically a low, a medium, and a high, and a lot of folks are circling around the medium one. And what’s interesting with that is, with everything being stored and getting these standards out there, eventually they’re going to need to be replaced, and they’re one Forbes article away from being obsolete. I’m sorry, RSA is one Forbes article away from being obsolete. So it’s, yeah, sure, we think it’s going to be ten, twenty, thirty years from now, but it could happen in one article. So it’s a thing that folks need to take a look at now and figure out how to pre-plan and how to move forward with quantum-safe computing.
Greg: Well, let’s talk about that planning for a second. Because sometimes when you encrypt information, the level of risk associated with that potentially becoming decrypted is temporal, and it decreases over time. Because the information, as it starts to age down, loses its value. I mean, there are some things that you probably would want to not have decrypted, like longer-term items like someone’s social security number, which everybody’s is out there anyway. But what I’m getting at is that when businesses are thinking about, like, oh, my gosh, what we’re encrypting right now could be decrypted by quantum, how should they factor in that temporal aspect? Because it could very well be that something like seven to ten years out, they don’t even care about anymore. In fact, in a lot of instances, businesses are required by regulation to expunge their information that’s more than seven years old. So it wouldn’t even be in any danger of being decrypted at that point in time. If you were advising, like, a CEO or a board, just from a very high-level, holistic standpoint, how should they look at that?
Chuck: Well, first of all, the value of the property that’s being encrypted. And then what’s your regulatory compliance and exposure for that? And then doing some simple math of, is the squeeze worth the juice to make that happen? The other thing that’s happening now with the quantum computing, too, is the new standards inside of the certificate are being rolled out into web browsers, PCs, devices, that kind of thing. Not all devices are compatible with it. So it’s early on in the process to figure this out. But at the same time, if you’re like a hospital or something like that, where you have a lot of medical equipment that has certificates on it, it’s not an easy automation to just update, like, five machines. You need to have a really good plan, and it’s going to take you a couple of years to get those kinds of things rolled out. And that’s where being aware of it coming in, but also realizing, hey, I have that internal CA, and that’s great and everything, all of our stuff’s good, but wait a minute, we may have to make a new one. And how do you transition from having one internal CA to two? Because you can’t do it all in one day, because it takes time and effort and, you know, elbow grease to make that happen. You know, it’s not a today thing, but depending on what your exposures are with your business, it adds or removes some of the urgency. And then the piece that the industry is kind of pushing is expiration dates on just regular certs. So some of them are, you know, they’re trying to push it down to, like, less than a year for internals and less or about thirty days for external certs. So that’s pushing some automation pressure and alignment that way, to getting you ready to be able to change out certs and stuff when that comes out.
Greg: So it sounds like what you’re saying is that one of the ways to approach this is to sort of constantly be rotating the shield frequency, if you will. You’re constantly changing your root certificates.
Chuck: Not necessarily. It is necessarily changing your leaf certificate, the very last one at the end. But your roots need to stay there for a longer time, because that’s how your initial trust is established. So you’ve got a root and then an intermediate and then your leaf, okay? And the leaves need to be changed because that’s what the traffic is actually encrypted with. But the infrastructure, the hierarchy of the certs, has been relatively static. A lot of people have very long-term certs for the root and aren’t really thinking, hey, quantum computing means I have to change my root certificate internally. That’s new, you know, and that’s a different way of thinking, because once you have to change an internal root certificate, then how do you get half of the business running on one root and half running on the other as you’re moving everything over? And then the other aspect of it is, if you have equipment that you need to hook up to, how do you get those all moved over? Because generally, smaller embedded pieces of equipment can’t be automated, just because of the way they work. You have to plug them in to a network to make sure they’re stable as you do the update. If you’re doing it over wireless, you know, you tell it to remove the cert and then reboot, and when it comes back it may not have a cert there, so it’s a zombie at that point. So there’s a lot of forethought and planning that you need to go through to do this change to get into quantum computing or quantum-safe certificates.
Greg: So I guess I’m a little lost on what the trigger is. I understand broadly the trigger is quantum computing and that it can decrypt legacy keys. And that’s the trigger for potentially needing to change the root certificate. I understand that. But what I don’t understand is why is there not a follow-up plan that we’re going to assume that quantum is going to continue to grow in capability and that we need to bake in changing out our root CA every year or so? Or is it just that from where we’re at now to quantum is such a great leap that we have to deal with this once and then from there we’re kind of in a new quasi-steady state?
Chuck: Correct. Correct. And — okay — a lot of root certificates right now are five, ten years — five, ten, fifteen years. So you don’t have to change the root that often; you’re changing the leaves all the time, right? You’ll have one root, and then if you have more than one CA server you might have more than one intermediate. That’s generally how that’s connected. And then your root is typically — it used to be generated on a laptop that you just generate, copy the key off, then shut the laptop down and put it in a drawer so it wouldn’t get messed with. Nowadays they’re doing that with VMs and that kind of stuff. But it’s a way of thinking that’s more than just buying a product and saying, “Hey, yeah, let’s automate it all and it’s all just going to be rainbows and unicorns.” And that’ll work great for most of your standard endpoints, but as soon as you get to something that’s not a Microsoft machine or not a straight Linux machine, you need to actually do the work to make that…
Greg: Yeah.
Chuck: So…
Greg: Yeah, I’m always — I’m always leery of, like, if a vendor comes up and says, “I’ve got the solution; basically it’s one click and everything’s going to be fine” — I’ll run with it for a little bit. I’ll ask questions. The first question I’ll ask is, like, okay, when I click that button, what’s actually happening? If I can’t get a quasi-explanation, then I don’t even want to touch it, because I think one of the worst things you can do is to turn over your security infrastructure to a vendor just because they promised everything will be all right. Because if everything isn’t all right, who’s really going to suffer, the vendor or you?
Chuck: Exactly. Exactly. Like I’ll give you — and then you get into interdependencies, which is more interesting when you get to larger loads — like if you have an internal SSID with an internal certificate, and you’ve got devices that are connected to that certificate and understand it and like it and love it, how do you change that SSID cert out with the same SSID? So you’re going to end up being forced into having a second SSID with the quantum certificate on it, and then start moving machines over to that other SSID. So you’re running two production SSIDs at the same time.
Greg: And that’s got to be almost like — I mean, you can’t automate all of that for a whole host of reasons, a big chunk of which is business continuity and business operations. Ultimately, that’s the one thing that we’re tasked to not disrupt. That’s the whole point of all of this: we need to keep the business enabled and running.
Chuck: Yeah. Yeah.
And there’s some fancy folks that are saying like, let’s make a dual root and have half of it be an RSA and the other half being quantum or whatever. And my question mark is, okay, fine, you do that — but how do you get that into your environment? Make sure everybody’s compatible with it, right? Because not all devices are smart enough to understand this new certificate type.
Greg: So it’s a lot of — it’s a lot of work. It’s a lot of elbow grease.
Chuck: Well, and it’s a lot of — it’s a lot of change management as well too, and ensuring — I think that there’s probably like almost like — if it’s not linear, it could even be exponential — that the more complicated the project, the more critical it is that your change management and change enablement processes are in place and solid.
Greg: I know you do work in that area, not only in regards to talking about changing out the root CA, but just big changes in general. I think change management is one of the things that, for whatever reason, in information security and cybersecurity, we just don’t get well. Maybe it’s because we don’t care about it as much, or maybe we do care, but it’s just hard to do. It’s hard to manage. It’s hard to enable. And it’s not something that’s particularly fun. I mean, if you’re going out and you’re coding something or you’re getting infrastructure to work, that’s great. But change management just seems sometimes like it’s all these governance processes in place to just slow things down. And that’s not the case. So what’s your approach to good change management?
Chuck: Well, there’s two different kinds of change management. And I think the industry has really kind of done itself a disservice with the definitions. One is like a change control where you have, you know, “Mother, may I do this change next week? Is everybody okay with that?” kind of thing on like the ITIL side.
The other side is on the PMO/PMI type, where change management is, “Hey, we’ve got this big organizational change that’s going to be technical and we’re going to disrupt the way how we’ve always done it, but we need to do this other new thing.” That’s more of a soft skill — or it’s actually mostly a soft skill. And that’s something that I’ve done a lot of, where you’ve got major disruptions happening to either a person or an org. And how do you roll that across that affected area and get buy-in and make sure that everyone knows what to do and how to do it and tracking issues and that kind of stuff.
And I think folding security into that piece is super effective when you can explain the why and the how and the because instead of just the do — in terms of the business and the business units and the person you’re talking to. So the guy’s got to change where he’s got to do this, and it’s like, “Well, why do I got to do this? This is why we did it always, you know?” And then you unpack: “Well, we need to do it because of this, this, and this.” And then if you’re really lucky you can figure out a silver lining to it that you could tweak that change to make it better for what the end affected user unit is. And you can get better adoption with that.
And a lot of it’s preventing issues too. I often say scar tissue. If you know things that have gone wrong, if you’re in a position where you can talk about it, you have the ability to prevent them, which is super helpful.
Greg: Yeah, and I think all of what you’re describing is project management. In fact, I think you mentioned PMI before, which, if I’m not mistaken — and for the acronym-challenged — would be Project Management Institute, correct?
Chuck: Yes, sir.
Greg: And I totally agree. And I’m glad that you brought that up, because actually my master’s is in information systems project management. And going through the formal project management education really gave me a much better picture of another side of everything related to information security, cybersecurity, and information technology, for all the reasons and then more of what you just mentioned. Because there are so many considerations beyond the what — all the so-whats and all that — that sometimes I think us in cyber, particularly the cyber arm, just don’t appreciate. We just want to get it done, and that’s it.
And would you suggest that maybe more folks in our industry, at the very least, look into some project management skills?
Chuck: Totally. And I think the biggest fatal mistake I’ve seen is people talking to people instead of with people. And there’s a huge difference in that, especially coming from the cyber world. I mean, I know a lot of that’s, you know — refer back to the theme here — a lot of that scar tissue, right? Cyber folks get a lot of the sharp sticks and, you know, that kind of stuff. But taking a beat, pausing, and then actually explaining and coaching — instead of talking to people, talking with people — about, “Hey, how can I keep this out of trouble? This is what’s going on, this is what we’re trying to prevent, what’s a good way for us to protect ourselves and the org and the business?” And having a couple of questions where you may know the answer, but it may not be the answer by the time you finish the conversation, right? You got to ask the questions and work through that.
So yeah — it’s hard no matter what. People problems are hard. Technology problems are hard. Security problems are hard. But empathy and scar tissue and talking with people instead of to them makes it so much easier for everybody involved.
Greg: Absolutely. I mean, empathy is such a solid skill. It’s one of the ones when people ask me, like, what’s your most solid skill set with regards to information security? More often than not, empathy is what comes to mind first. Because if you can understand empathy — if you can understand the people that you’re ultimately trying to solve a problem for (because I was going to say business, but ultimately it all comes down to the people — we’re all trying to solve people problems here) — then you gain an awful lot more traction that way.
But all of this can be very stressful. And sometimes when you’re stressed, you don’t know — yeah. It’s hard to generate that empathy. And so I encourage folks that we should deal with our stress in this industry in such a manner that it’s not only healthy to ourselves, but it’s also healthy to our jobs so that we can get to the point where we can have empathy. Because if you’re all run down inside and you’re empty, you can’t offer anything to anybody else.
Right. I know I asked you this before, and I apologize — I forgot what your answer was. I didn’t get a chance to review our previous episode, but it might have changed since then. So I’m curious, Chuck — what’s one of the things you do to help decompress from the stresses of cyber so that you’re on full all the time and can offer that empathy?
Chuck: Get away from the keyboard. Get away from the screen. Touch some grass.
Greg: Yes. Now I remember that — because I think you said the same thing: touch some grass. The only person who’s ever said that. And that resonated so much with me as well, too. And probably more so in the summertime when we talked beforehand, because now I look outside and the grass is kind of brown and it’s kind of cold out there and I’m like, “I don’t know if I want to touch it right now,” but…
But yeah — your point being is there’s a whole world out there and it’s just — decompress, get away from things. And sometimes just being around nature really just invigorates us.
Chuck: Yeah. And if that doesn’t work, make something. Get yourself a bottle of glue and some tongue depressors, you know, and a sheet of paper on the table — just make something. You know — Hawkeye Pierce in M*A*S*H, the old show M*A*S*H — made a tower of tongue depressors, and then he didn’t want it to be used for propaganda for the war, so he blew it up. Yeah. Well, I mean, you know — just get out of the ether and out of the computer stuff and get more grounded out there. Spend some time with family, you know — that kind of stuff.
Greg: So Chuck, what plans have you got coming down the road, whether for you or for your company?
Chuck: Um, just keep doing the right thing. You know — that’s… and I never know what that is. I’ve got a career that happened to me instead of me having a career. So — you know — keeping busy. I’ve got work for a little while here, which is great. And then just prepping for the holiday and, you know, working on doing the next good thing.
Greg: Well, hey, Chuck — it was wonderful catching up again. I love the conversation on quantum, because that’s something which is so nebulous in my head right now. And sometimes it takes a little while and a little exposure to wrap around it, as it does with any new technology. It’s like — I was that way with generative AI when it first came out, and now it’s just second nature. And I’m sure that’s going to be the case here too. It’s a very interesting field; there’s always something new. And it’s kind of always exciting to try to keep up, and also to catch up.
So thank you — appreciate you joining us again this morning.
Chuck: Appreciate it.
Greg: Thanks, everybody, for watching. All right, everybody — stay secure.