Security Culture Club
Letitia Espinosa · June 8, 2023 · 50:31
It's five o'clock somewhere. Time for the Security Cocktail Hour. I'm Joe Patti.
I am Adam Rothman.
All right, Adam, how are you doing today?
Do you really want me to say?
No, I want you to answer like normal people and say, so pretty good. How are you? Even if your day was rotten. Oh, I'm doing incredible. Things are great.
The world is perfect. There's rainbows and blue skies.
There you go. Remember, this is entertaining. No one wants to hear your problems on this show, all right? That's another show. Yeah, that's a whole different show, OK? So look, you are a native Brooklynite, are you not?
No, I'm not. I was a native Queens person that moved to Brooklyn. But hey, represent.
Oh, really? Oh, man. Well, you spent a lot of formative years in Brooklyn, though.
Yes, sir.
Okay. So I'm sure that you have heard, even though you're a little young for this, so am I, I'm sure you have heard of the great Yogi Berra. Yogi Berra? I love Yogi Berra-isms. Everyone loves Yogi Berra. He was the great nemesis of the Dodgers, among other people. But he was also a philosopher of sorts. And he had many famous quotes that everyone loves. And one of them was, baseball is 90% mental. The other half is physical. Well, you know, security is kind of like that too. I don't know if it's 90% mental, but I've been saying for a long time, psychology and culture play a way bigger role in security than a lot of people realize.
I must've played a lot of baseball because people told me I'm 90% mental.
Yeah, well, also I can tell you, being a security manager, when I was Adam's manager I was also his therapist, and he's behind on his bill, just so everyone knows, all right.
Yes sir.
But so we talked about this a little before when we talked about passwords, and today we're doing a whole show on culture and psychology and a lot of non-technical stuff that is very interesting. We think people will like it. Today we have a special guest, Letitia Espinosa. Welcome to the show.
Thank you for having me.
Glad to have you here.
Yeah, why don't you, uh, introduce yourself. I didn't want to let me on the show, but it's all good, Joe.
I only came on. Okay, Leti, so welcome, and, uh, tell us a little bit about yourself before we talk about drinking.
Yeah. Yeah, I've been in the industry for quite a while. Let's say a good 15 years, 15, 16 years, mostly focused on infrastructure, and then specializing that into business continuity and disaster recovery, which almost lends itself to play into security. So I'm very, very honed into what needs to happen in security, because that impacts what we're going to do for business continuity and how the infrastructure needs to be secured. That's overall kind of where I am.
Oh, great. Yeah, you know, well, it used to be with the old CIA thing, you know, in security, we'd say confidentiality, integrity and availability, but a lot of security people, like myself, gave up on availability and just, you know, gave it off to the you know, disaster recovery and business continuity. It became a thing in and of itself.
Yes, it did.
So that makes sense. There's a whole sub-discipline now.
I'll tell you this, though.
I'm sorry.
I have to give Leti a lot of credit. When I was first implementing NAC, Leti was always there for me to help me with the data centers.
I didn't want you to mess anything up, because then I had to do double work.
NAC is Network Admission Control. It controls what can connect to the network, and it is a notoriously difficult and painful thing to implement. And Leti is one of those people, one of those engineers that you go to eventually, whether you start with her or not. It seems like eventually, you're like, we need Leti to get this working.
You know how many coffees and beers I had to buy her?
Speaking of beers and liquor, this is the Security Cocktail Hour. And as our guest, the choice of cocktail has fallen to Leti. And we have it right here. Why don't you tell us what we got?
So we have, I'm big on whiskey, smoky whiskey. The smokier the better. But I recently discovered mezcal, which is a very smoky version of tequila. It's delicious. Over ice. You can mix it with whatever you want, but over ice, some water. That's good. Three sips, remember, you have to do three sips.
Three sips. All right. I just took the first one and it almost took me out before we started. Let's try another one. We'll try it with some ice this time.
Yeah, it's a little better.
That is very good. It is smoky. I know it's not tequila, but it is reminiscent of tequila, but far more interesting.
Far more interesting. Yeah.
And this is a far better one you picked out than the tequila in the plastic bottle I used to get in college. I can tell you that much.
Yeah, it doesn't necessarily give you a hangover like tequila does.
All right. OK. Well, that's cool, because we've got to record again tomorrow morning early. So excellent.
It smells like if you ever opened up a can of Band-Aids, like the original Band-Aids that used to come in the metal cans that get handed down from generation to generation.
Oh, you're right. That is kind of interesting.
It kind of smells like the Band-Aid.
OK. There we go. All right. Well, definitely an interesting one. Everyone get out there and try some mezcal. But don't put us on pause. Keep rolling. Anyway, OK. So, you know, cybersecurity, or talk about security and IT in general, you know, culture does matter quite a bit. You know, one of the things we found, and we've talked about it before, is that, you know, getting to one of the simplest things is that, you know, the bad guys try to exploit people's behavior. You know, there's social engineering, there's phishing, and basically trying to get people to do things that they really shouldn't do, that they should know better. It can be very tough on the security people.
Yeah, one size does not fit all. The corporate culture of a security team in one place might be the best possible place for you. However, the security at another corporation, the cybersecurity team might not even be anywhere near a fit. So while security culture matters, it also matters if you are a right fit for that culture.
Well, also the security team and the way it's run has to be the right fit. I mean, Leti, I'm sure you've been tortured by many security teams that don't understand what you're doing and what you need to do and what's realistic. That of course would not include me and Adam.
Yeah, but not that I care, but don't single me out.
I mean, that's the whole point, right? So cybersecurity for the longest time has been about getting the right tools in place and putting the right controls and putting the right policies. And when you really think about it, the weakest link in every single, you know, security networking is us humans. But then we're also the first line of defense at the same time. We have to go in there and fix it when something goes bad. But we don't do anything to change the culture and behavior of how we work, how we do what we do. Right. It's all about just getting it done.
I so agree with you because, you know, we call this layer eight in networking, right? So for those who don't know, there's seven layers of the OSI model. Those are the layers that we talk about when we do networking. It goes from physical all the way up to application. But what we kind of joke about is layer eight. Layer eight is the hands behind the keyboard. And while a human can be the best possible person for an organization in preventing disasters, they can also be the worst. So I agree with you. Education and culture and explaining to people why things are done, not just that they shouldn't do it. So for example, we tell people sometimes in teams, don't do this, don't do that, but we don't tell them why. And if they understand why, they might be more likely not to repeat the same actions, with an understanding of this is what you should not do. Does that sound right, Leti?
That's about right. I mean, it's, and that's the thing, right? So we, we get the awareness training, right? Annually. I think every company now almost has to do that, even if they don't want to just the policy for insurance purposes or whatever it is, but most people just put it on the, on the second screen, click, click, click, next, next, next, and you know.
Yeah, let me explain to everyone what security awareness training is, if you haven't had the pleasure of going through it. With security awareness training, what happens is, you know, your security team says, oh, here's the annual training, and maybe you get something online or they drag you to a class or something like that. It's something that, you know, it used to be maybe 20 minutes where you'd sit through a Flash animation or whatever and you'd have to do it. Now it's getting longer and longer and longer as we've added more and more stuff, and it's looped in there with all the HR stuff you've got to do, and harassment, and, you know, if you're a bank, money laundering, and, all right, exactly, all that mandatory training you have to do. That's so important. And that's it. And people just go through it and click through it. You can tell. And, you know, the problem is that even when people are paying attention and they're diligent, how long does it last? You know, we even see that with, you can even tell, you know, we've seen it kind of from a data but also anecdotal perspective, that, like, wow, right when the security training is out, when people are taking it, you know, the phishing gets better. People click less because it's fresh in their minds. They're thinking about it because they don't want to get in trouble. Like, you know, two months later, it's back where it was before.
It's all behavior. And I think that's part of creating a cybersecurity culture, right? And understanding it. Not everybody in the organization is going to resonate with the word cybersecurity. You know, you might have an assistant; I work in cybersecurity. She probably pictures, like, hackers, you know, in Russia with the green letters on the screen. She's like, well, I'm not doing all of that. I don't have to worry about anything. But they do. They do. She might be, you know, involved with certain emails that she's getting from outside vendors, and, you know, saying she could be, he, um, but you know, so, I think creating the culture to enhance the behavior of how people work. And it's not about cybersecurity, right? But protecting systems and data. You have to protect our systems and data. And achieving that is quite difficult because it's a culture change across the board.
Let's be honest, right? Let's be really, really honest because I haven't been up until this episode. People look at training in two different ways. And sometimes it's both, you know, the third way is both. Security training for most organizations, and I hate to say this, is about a checkbox. It's to say that we did the work. And then we hope that the people really understood what they did. We don't go above and beyond. We don't spend extra money in a lot of organizations. And then the second part of that is, is that the people that do learn are not necessarily the people that are gonna do it. It's the people that don't really learn, who keep on doing it and don't understand that they're not grasping the concepts of the training. Now, what I mean by that is this, is you can go through all the training and see all the videos and it can be really animated and don't click a link, hover over it. or don't open a file that you don't know who the person is, and people will still do it. So unless we start moving towards a culture, yes, the key word, culture, of not only doing a checkbox, but really learning and grasping what these trainings are really about, we're still destined to make the same mistakes over and over again.
Yeah, it's really challenging. And one of the things I want to say before we even get to dealing with that is, you know, with the checkbox stuff, everybody falls into the checkbox trap, because that's really, and we're going to get to this too with other things, that's really what you're judged on. You know, that's an easy metric that you have to show, you know, your senior management, often your board, but it's also what you have to show your regulators, your customers, you know, your clients, your insurance companies. They want to see, did everyone take the training? Did they do it? It's always funny too when they say, well, what if they don't do it? Are they punished? We're like, yes, we make them sit in the corner with a dunce cap. What are you going to do? No one gets fired for this. At least not in most places. At some places, people get yelled at really nasty.
It's a good point because, actually, reading up about cybersecurity culture in the workplace, that's actually one of the things that you need to do: consequences. You don't just show up drunk to work. And, you know, maybe the first time it was an accident, you know, but the second time, uh, we've got to talk to HR.
Um, well, Leti, you realize doing this podcast, Adam and I are drunk at the time, but aside from that, you're your own HR.
So it's good. I mean, but you know, maybe bad analogy there, but it's what I'm saying. Like, I think that is one of the ways to fix the behavior, because it's about fixing the behavior of how people work and having a cybersecurity conscience in their day-to-day, right? If you have a file and it's on a team site, there's no need for you to download it onto your laptop. Just open it directly in the Word app or whatever, edit it, and save it. But so many people are so, so used to, you know, like I mentioned, they've been going to school, career, for a quarter of their lives, right, learning a specific method to work, and expecting them to change that overnight is difficult.
Well, not even overnight. There are so many things in IT that can be improved on, especially, God, I mean, I hate so many things that I know we can get rid of and not just in security, but some for security reasons like email and attachments. We don't need email and attachments anymore. We don't need it. There are better ways to do it. There are safer ways to do it. I mean, virtually everyone has access to it, even at home, whether you realize it or not. But it's what people are used to. It's easy. And people will do, absolutely, will do the thing that lets them do their job and do what they want to do.
Better.
The fastest and the easiest, the better, or what they perceive as better.
What they perceive as better, yeah.
Yeah, exactly, what they perceive as better.
Because they've been doing it this way for so long.
Yeah, and we've seen so much resistance. I mean, I learned this the hard way, you know, years ago when I was a younger, less experienced security manager, I had, you know, this concept of, well, you know, I'm going to do this thing. I'm going to partner with like, you know, the other IT people and the user people. And I say, we're going to do something where it's not only more secure, but it's easier to use and it's better and more effective. And we'll have, and we'll do a focus group and we'll have all these charts and all this things, and it'll be wonderful. And everyone will love it. And yeah, people still like to do things the old way.
So I'm going to jump in on that, right? There's a comic strip, I forgot who it is, and the comic strip shows the perception of the different people on what something is. the swing, how the salespeople sold it, the swing, how the customers saw it, the swing, like you're building a swing, how the project manager sees it, the swing, how your mom sees it. And the reason why I'm bringing this up, again, it goes back to culture. The IT infrastructure team might not even care or understand what the security team does. And the security team might say, why doesn't the IT, the infrastructure team understand the basic parts of security. And then you might have the help desk that says, well, I can bypass this control and make it easier for you, Mr. CISO or Mr. CFO or Mr. C-level person or partner. So we all have a culture of doing things our own way or their own perceptions and built-in biases. And that's not gone away.
Neither has your gender bias saying Mr. and Mr.
Well, that's a good segue there, because if you think about it, right, for decades, forever, the reward is, you know, if you're in school, you do your homework, you're in high school, you pass, you get an A, you get to college, you know, you get that amazing degree, you get into a job, right? There's rewards, and people try to do what they need to do to get to that reward. When it comes to cybersecurity, there is no reward for doing the right thing, for not sharing the password, for calling things out. There's no reward, right? The same way there's no consequences if you don't do your awareness training. If you reward the behavior. It's like puppies.
Well, not serious ones. And you're right, Leti. It's like, you know, the reward of my gratitude as the security manager has really never been enough to sway the population. I guess I'm not charismatic enough.
Well, Joe, let's be honest, right? You became a CISO the same year the Civil War ended. It's a different culture back then to now.
That's true. But I've since shaved a big mustache. Thank God. But no, you know, it's interesting with culture. There are so many different cultures, and a lot of it has to do with the company itself, which makes it really challenging. You know, there are organizations where, if you don't do your awareness training, or if you don't do your AML training, your money laundering training, or HR training, whatever, you know, you'll get little nasty-grams in some places. I have worked in places where eventually you'll get chewed out by someone. Yeah, but that's kind of the worst. You know, I personally have not worked in a place where anyone had their bonus affected, or promotion, or God forbid gotten fired, nothing even close. People are much more motivated by, you know, getting their work done. But even aside from the reward and even aside from the punishment, you know, there's the psychological aspect of it too, of people used to working a certain way within the culture. Some places have cultures of compliance where people follow the rules very strictly. Other places have cultures where they say, and it can vary in different departments too, you know, salespeople very often will say, like, hey, you know what, not taking my awareness training or me clicking on a link, I'm not going to get fired for that, but if I don't hit my quota, then I'm in big trouble. Or if they don't close a deal, they're in big trouble. Or, you know, another thing that can be very tough for us security people is, especially in the world now, someone needs to do a presentation, or needs to do a Zoom, or needs to use the client's wacky video conferencing thing. It's got to work, period. They've got to go. They've got to do it.
If it means stopping the security apps for that one hour,
Right, and you know, you'll get a call from upstairs that says, let's do it.
So the GDPR training and other trainings in respective nations that require that additional training, you know, culture changes, not only in the company, not only in the team, but geographically where those offices are located. So in Asia, you might take the training less seriously, where in Europe, and I'm not saying this is true, I'm just making suggestions or examples, where in Central Europe, it might be really serious, because GDPR is out the door. And then maybe in South America, it might be like, we don't care, what are you gonna do?
No, Adam, you're very right. But, you know, it kind of depends too. In Asia, you know, I mean, we can't make a lot of assumptions or generalizations, but, you know, in Asia, I mean, particularly I've worked with Japanese companies, they do have a culture of compliance. And it is much more bureaucratic, and people are going to follow rules more, very different from a Silicon Valley startup with a move-fast-and-break-things attitude, and they get into a lot of trouble even when, you know, some of them start going into regulated industries and stuff. I mean, I talked to this one guy once; it was actually pretty funny. Yeah, you know, we're talking, and he needed some help with security or whatever, and, you know, they were a startup and they had recently basically gone public and they'd gotten some big government contracts and all. And, you know, they did not have a culture of security. They said, we have startup culture, we've got to do all this stuff. And I said, you know, that's all well and good, but you've got a lot of requirements you've got to meet now. And, you know, I hate to say you've got to change your corporate culture, but you do to a certain extent, or you're going to have some serious, serious issues. And you're right, that's something that's a really tough nut to crack, because that has to go all the way to the top. At the top, they have to say, look, we are now, this is our business, this is what we're doing, and we've got to change things. It's not optional. And somehow figure out, I don't know, get McKinsey in or something to figure out how to do that and keep that startup ethos or something, I don't know.
So insert disclaimer here. None of my examples had any scientific backing or any understanding or were not meant to be a reality. Only fictitious statements were made.
So that's fine. Just don't get the COVID disclaimer on this episode. Okay. I don't want that. Oh, should I do that next?
You know, Joe, to your point before, right? I mean, since what I would say over the last four or five years, maybe companies, all sorts of companies have been spending a tremendous amount of money in securing the environment with tools, but no time really spent on changing the behavior. And it's just so, I believe it was, and I'll get those references, I should have them ready. But I think it was Verizon's report in 2021, the investigation report from Verizon.
80% of it- The Verizon DBIR, they call it.
Yeah, it was 80% or 82%, all data breaches due to human action or inaction.
And it's funny, we joke around about COVID, but COVID did change compliance issues also during those years, because some people couldn't prove their immigration, it wasn't manually viewed, and because you couldn't come into the office, certain regulations were waived, whether it was printing because you couldn't do split tunneling, and everything else. And so, a lot of, you brought up COVID as a joke, but COVID did affect a lot of culture and compliance.
Oh, yeah.
Well, good job. Good insert.
Oh, thank you. But I mean, you know, that's really important to point out, because with COVID, you know, we, I mean, the whole industry, the whole IT thing, everyone, you know, had to really, really quickly adapt. And some places, you know, just kind of expanded their remote work. It wasn't as big of a deal as they say, despite their whining about it, saying they need more money. Other places, it was a massive change, and it was a massive change technologically, but also culturally. And remember, we remember having talks about this, you know, where we'd say, look, you're introducing a lot of change. And even if people are accustomed to remote work, they've used a VPN before, they've used some kind of remote work and they have a laptop, they've worked in hotels, you know, people are upset. There's a lot going on. They're worried. They have a lot of things going on. They're distracted. And the bad guys took advantage of that. And they always do. And that's a really, really important component, because maybe people are not going to notice some things that they otherwise would have noticed. And I would always tell my teams, especially when we have an incident, or when there's something going on, or when there's a lot of stuff, say, guys and gals, take a breath. Stay sharp. Remember this, and then make sure we're watching our flanks here, because people will take advantage of this if we're too distracted. So that's a tough situation too. I mean, not even especially for a security team, but really for everyone. That's when the social engineering really comes into play. Well, think about trying to get you.
Yeah. And think about this, right? So, look, I live with my family, right? My kids, my wife, not really that big of a deal. I'm not worried about.
She let you back in?
It's none of anybody's business on this podcast show. But whatever, okay, we settled it. We got an attorney, it all worked out. So the point I'm making is, what happens if you're a person living with roommates, and then you have your laptop in a common area and you're doing work for your company and you don't necessarily know the integrity all the time of your roommates. Maybe it's somebody that you met on, um, I don't know, make it up, Craigslist or something. And now you're working in the open, you go use the restroom, and they're getting proprietary intellectual property. So, yes, things have changed, culture has changed. Forget about even COVID, remote working has made us more susceptible to attacks, whether they're physical, meaning people walking by your desktop and doing, you know, shoulder surfing, or whether, you know, your machine is out in the open, and now maybe somebody can intercept communications on the same Wi-Fi as you. I'm not saying that people are that sophisticated and do man-in-the-middle attacks on your own network. But guess what?
It could. You need to act like it is, right. And then explaining that to the regular non-technical person, you know, they're like, well, you know, I'm just at Starbucks. I'm just here working, or I'm just in the airport, whatever, you know, it is. It's difficult to change that mindset. And to your point before, the example of the roommates, it's not just roommates. During COVID, do you know how many kids accidentally got into the parent's laptop and hit send to the wrong email, to the wrong, it happened quite frequently.
Oh, we know. And that was something we worried about a lot.
That's because for years, right, for the last that I can remember, parents have seen, you know, technology, iPhone and iPad, you know, as a toy. And it's not a toy. Again, that's a culture thing. So if you, you're not going to change people in their home, but if you can, change the culture of how they see technology within the organization, they're going to translate that into the house.
Well, you can change people in their home, because the truth is, believe me, it's a long, slow process. And this goes even beyond work or the culture of your specific organization. It's like we do need to change people's mindsets about stuff. Yes, if you're carrying a phone, especially if it's a company phone or whatever, yes, it's got all the company stuff on it, et cetera. You need to take care of it. You need to, you know. I just flipped back the screen. Yeah, you need to at least not put it down on the bar and leave it there unlocked and go to the bathroom, for God's sake. It's amazing how often simple stuff like that happens. You know, again, talking here with the cocktail hour. There are a lot of security risks in a bar, but I mean also, you know.
Yeah, do you ever eat some of those peanuts? People put their other hand, they put their hands in the peanuts, they go to the bathroom. It's a security risk. You can get compromised.
You know? It is, when you think about it.
You can make someone ill. No, but in all seriousness, what happens if you're having a conversation, you're an attorney, and you're talking about a merger and acquisition while having a sandwich at a bar?
Well, that's it, having that awareness throughout of, like, you know, I'm handling it or I'm speaking or doing something. Am I putting things at risk? I mean, you know, I'm in security. I'm a nut. I'm out on my patio. I don't like to leave my laptop out there and go to the bathroom. I don't trust the neighbors. I don't trust your cat. Nor should you.
But, you know, it's just a, I don't know, it's,
People in security think a particular way. Many people in security, we kind of know everything that can happen and we're much more careful, but you know, other people aren't. And to tell the truth, I mean, another thing I'm big on when it comes to user experience and security is that in fairness to people, security is too hard for most people. It is way, way too hard.
If they want to continue working how they were working, then yeah, it's just a matter of they need to learn how to work differently. To use the security tools to their advantage.
Well, they do, but it shouldn't be so hard. Frankly, it shouldn't take that much thought. It's like biometrics. I can't tell you how many arguments I've gotten into with biometrics. And they say, oh, but on the phone, you want it to unlock every time? And I say, it's got face ID. You have to look at it. You can't use the phone if you're not looking at it. I'm like, that's easy. But putting in codes and doing a lot of other things can be much more complicated. I gotta be honest, you know, when it comes to detecting phishing emails, you know, we ask a lot of people to try to detect, you know, so look for the bad English, which AI is changing, but you know, look for this, look for that, look for all these things, you know, to tell the truth. I mean, security people all the time, sometimes I get an email, I'm like, I can't tell. I can't tell if it's real or if it's, and you know, and they've said, so if you do that, you need to go to another browser, look at this or check, you know, it is granted a little too hard for people. We do need to do a better job there.
But yeah, but the email can also be a legitimate sender. that's not a legitimate email. Somebody compromises my Gmail account because I didn't put on multi-factor authentication or somebody was able to laterally move to my machine in my house with machine already unlocked, sends you an email and says, hey, Joe, check out my beach pictures. Of course, Joe's excited. He wants to see my beach pictures.
I was going to say that's the best way to get me not to look.
So he opens up my email and boom, bada boom.
I mean, I was going to say, with regards to emails, you know, that was a really good point about you can't tell, right. Let's say from an IT infrastructure team, right, we're monitoring everything. And we put all our email addresses in for all of the tools that we use, storage, servers, compute, and we get bombarded with thousands and thousands of emails a day. And, you know, if a bad actor figures out, hey, this company's using, you know, EMC or Dell, they can fake an email alert and you can totally hook an IT person and not know it. Oh yeah. And that's really easy. It's not their fault, because they get these emails thousands of times a day. How are they going to tell it's, you know, from EMC India, and it comes from all these different places. And also, why use emails for alerting? That's antique.
Well, that's true. That's true.
Email is the worst way to monitor something. But then again, who's going to sit in front of a dashboard and look for pop-ups?
Well, if you're a small organization, that's why there is the importance of, you can't have, there is some value to having that tiered approach of a certain person just doing one thing or two things. There is value in that, even if they move on and it's a high turnover job, it's fine. But that is the focus, right? Because you can't have your engineers thinking about, your engineers and your architects thinking about the future of your organization and also focusing on what's going on operationally. Not all companies are like that. Some, the majority, a lot of good companies are like that though.
Look, Leti, you, myself and Joe have been very lucky in our careers where we've been able to experience enterprise level organizations that have SOCs and NOCs and a variation of both. And luckily, we usually have those organizations vet the alerts and vet the severity and call us, usually based on something serious, but you're 100% right. If I get an email from, you know, noc at anycompany.com that says that a threat actor has, you know, it's not going to say exactly a threat actor, but "This device has been added to the network. Please take a look," and it looks like a regular, normally formed alert, we might click the link thinking it's legitimate and now we've already been compromised. And especially if you and I are getting that many alerts and we have alert fatigue, you're 100% correct. Yeah.
Yeah. Well, that's on us too. And when I say us, I mean, you know, the security community in general to say, look, we need to put out stuff that is more trustworthy, you know, things like that really shouldn't come in email. We need to understand that there's, um, you know, alert fatigue, and there's the MFA fatigue too, that's another disaster. But, you know, we need to have things that, you know, we need systems that make it easier for people to act in a secure way, not that makes it difficult to act in a secure way. Because, you know, as we're seeing, even when you have someone conscientious who says, okay, I'm going to think, even though, you know, I'm not a security person, even though I'm under pressure, even though I got to do this, I got this, and I'm going to think for a few seconds and say, is it right? They're still not experts. And I think that's a big frustration for a lot of people. I suspect that it's like, you know, I just got to get my job done and get it done. So, yeah, something like this, right? Get it done and deal with it and deal with it later.
From a TTP standpoint or tactics, techniques and procedures, you know, when somebody pops up an MFA or a new click it automatically thinking, oh, yeah, yeah, yeah, I got to click it and click it, newsletter threat acting in there. We also know a certain organization that was doing a purple team that was very easily able to get into a certain portal and then change that portal during an exercise so that the SMS or text message was changed. So now that person was getting the text messages. So you might be oblivious to certain vulnerabilities in certain software, because now you didn't even get the opportunity to accept or reject that MFA. So, you know, not all MFAs are created equal.
No, no, not at all. And that's again, why we need to, you know, we talked about this in a previous podcast where we talk about the different types of MFA and what's the most reliable. And we said, if you give people the option, they will choose the easiest one, which usually means they will choose the least secure one. And, you know, we need to give few choices, but make sure that the only choice, the only choices are good ones.
Well, I, I, I'm not using an MFA that does yes for everything. I don't even get the, uh, yes or no to decline. So it's all good. I mean, let's work.
But yeah, I mean, how to help organizations, you know, engage in cybersecurity culture. To the point that you said before, Joe, it really has to start from the top, right? And what are the goals? Let's say any, you know, company X's goals are, you know, cost savings, right? Cost savings all around the board. Then you need to align your cybersecurity goals with that, right? Just a quick example, right? If you have a whole bunch of cost in infrastructure and you have users that are saving local files or just copying files from different areas, different sections, that's something, especially if you're in the cloud, that's costly, the duplication of data, right? The duplication of data, sorry. That becomes costly. And now you've increased your risk of data breach, right? Because now it's not this file that's supposed to be protected. And the security team has done everything possible to protect that file. It's now proliferated everywhere. And that comes from the top. You have to lead by example. And it's all about behavior. It's the same. And it relates to outside of work, corporate work. Children need to start learning today that technology is not a toy. Yes, you have your video games, that's separate, but a laptop, a phone, an iPad. It's not a toy. The internet is no longer anonymous. You can make it, but it's not. It's an extension of your lifestyle.
You know, it's interesting that you say that, because as soon as you say it, it's not a toy. I think about my kids and even the kids that you see now. You go to a restaurant or something. Well, they do. You see a two, three-year-old with an iPad. And you know what? For them, it's a toy. And they actually are being raised for it to be a toy. And oh boy, that's going to be a big challenge.
Which is why I say, I was going to say, I'm going to be the opposite and say, it doesn't start at the top. It starts at the bottom because all these kids who are growing up with all this equipment, if we're able to, even in school, educate them, then maybe that will, it will bubble up to the top. And what I mean by that is, as a person who's knowledgeable, there are times I've gone to organizations and said, you shouldn't be doing it that way. My opinion is you should be doing it this way. And I would let the people that I was dealing with as a customer know that and they would bubble that up to the top. So sometimes we always think of the bottom as employees, but we don't always think of the bottom as constituents or as customers or as purchasers. We need to start demanding that our organizations take our security more seriously.
Well, we do, but you know, it's funny. Here are the challenges. I can tell you, I have a bit of, been doing this. Up at the top, look, security is important to a lot of organizations, but it's one concern. And, you know, some of these things we're talking about, they're risks, you know, it's like, and they're trying to balance, you know, what is the risk of a security breach against losing sales, spending too much money, you know, again, you know, duplicating files a little, you know, you know, we're engineers here, we'd like things to be as efficient as they can be. And the truth is, you know, executives are willing to accept a little bit of inefficiency because they're looking at the big picture of, you know, in the end, what's our, you know, how much money are we making? What's the right mix?
Risk versus rewards.
Right, exactly. Cost-benefit, actually. But, you know, when we're talking about the users too, you know, the people actually, you know, their hands on the keyboards, eyes on the screen, whatever, you know, that's a huge, huge challenge too because, again, we have what they call the kids now, the digital natives or whatever, that I guess did grow up with all this stuff. And the truth is, they have not been educated very well, in general, in the dangers of this, you know, and I mean, it's like, I know, you know, I have kids, you know, at school every once in a while, every year or so they have, I don't know, Officer Email or something come in and tell them about the dangers of cyberbullying or some nonsense like that, when the truth is, you know, they were exposed to so much. None of these things that they're using are designed to, you know, protect them from that, certainly not automatically, and not even to encourage any kind of behavior that would be, you know, safer and more secure. If anything, they're encouraging the exact opposite of that. And those are the people now, I think the first generation of them now are actually coming into the workforce. And I can tell you from a security standpoint, that is a huge challenge. People say, what do you mean I can't do this? What do you mean I can't do this? What do you mean I can't do this? It's like, well, it's like this is a bank or this is the government or something. This is not your dad's couch or whatever.
So that previous comment just lost all our listeners in the eight-year-old, the 15-year-old category.
Fortunately, we're not very strong in that demographic.
We just lost 10,000 listeners just by that alone.
That's what we need next. We need like, what is it, a millennial or a Gen Z or someone, someone to come on and be the counterpoint. Tell us old people how the world really works.
There's a problem on both sides of the spectrum, though. It's not just the young ones coming in. It's also the older generation that's still, you know, kicking it hard in the workforce, actually really good, but they're used to working a certain way, and any new tools for security just interrupt their way of working. Now you want them to unlearn everything that they've been doing. And the new generation is the same way too. It's like, well, I'm used to just putting everything about myself on social media. You can't.
I'm not worried about the generation that uses an advocacy system.
Okay, so we've now determined that this is a disaster amongst the older workers, and it's also a disaster amongst the younger workers. And now we understand why virtually all security people drink. So there we go. And by the way, Leti, I am growing very fond of this mezcal. I gotta be honest as the show goes on.
Can we actually do one of our episodes really at a bar?
Well, that would break everything that we just talked about.
Let's live vicariously through a bar.
It can be done through the magic of...
Didn't they ever get smart? They had those cones of silence. We can do that.
Well, that's no fun. All right. I think with that, it sounds like we're coming up against last call here.
Last call for alcohol. I'm sorry.
Last call. That's right. So, Leti, any final thoughts?
I guess final thoughts really is, implementing cybersecurity culture is difficult, but it has to get done in order to really minimize all the risks and take advantage of all the companies, you know, the money and the effort that they've been putting into these tools to protect their systems and data. The only piece that's left right now is changing the behavior in the workplace. And that's going to take time eventually, but I think it'll happen. There's a lot of people that are seeing it, a lot of articles out there about cybersecurity culture. So eventually it'll probably be a policy in one of our new NIST
Oh, I'm sure.
It'll become a policy. What's your culture like on security?
I know. Well, that's it. Sometimes you get a question from an auditor like, what are you doing about your culture? It's like, uh, I put out a video. It's a thing.
It's a thing. And COVID just enhanced it, by the way.
Yes. Well, it made it more challenging. Yes. I'll tell you, at the risk of trying to sound too clever, I'll make this statement. You have a security culture if you have an organization, whether you realize it or not. Doesn't mean it's a good one. Doesn't mean you deliberately created it, but you have one and be aware of it. And please be aware of that and be, you know, somewhat kind to your security people who are trying to work through it.
Bring them food and money and give them and pay for their kids' school. Things like that.
Because that is one of the most challenging things to work through. If, again, like I said, I have kids. And if you've ever had kids, you know, you cannot make anyone do anything they really don't want to do or aren't interested in. It is impossible.
But you can adapt their behavior. That is proven fact.
Yes, you can.
If you adapt their behavior.
You can work on the culture.
Do the right thing. That frees up the security team to actually focus on those really, really tough incidents. Catching them early. That's right. Okay. All right.
Well, Leti, thank you very much for joining. This has been a great discussion.
So we have a guest. You won't let me do my final thoughts. Is that how it is, Joe? Please give us your final thoughts, Adam.
You know what, Adam? I am going to give you the last word here. It's all you.
The last word is pack everything up. Get rid of all your electronics. Get a notepad, a pen, a paper. Move to a cave. Don't engage anybody else and you'll be safe. All good.
Okay. Thank you, Adam. And despite what Adam said, we will have another episode. I hope this was an enjoying topic.
I think you could spin up a few more out of this.
Oh, we'll, we'll do more on this. We'll do it again.
And I just want to add one thing though. It was a little bit overwhelming, the amount of mail that we got. Uh, we're still looking forward to additional, uh, feedback, uh, mail. Hate mail goes to Joe and all creative and beautiful comments go to Adam.
That's right, we love feedback. It's feedback at securitycocktailhour.com or at seccocktailhour on Twitter. Talk to us, give us your thoughts. Like I said, we love hate mail. It's cool. And we're available for events, birthday parties, consulting, and- Bar mitzvahs. Bar mitzvahs, that's right. All right, thanks everyone.
Thank you guys for having me.
Take care.
Bye!
