The Security Career Reality Check with May Brooks-Kempler
May Brooks-Kempler · May 7, 2024 · 1:00:00
Welcome to the Security Cocktail Hour. I'm Joe Patti.
I'm Adam Roth. Yes, you're Adam Roth. Remember, I noticed- Well, I'm the Super Bowl yesterday. It was the Super Bowl yesterday.
Yeah, I know. It's a little early. Well, we've had to make some changes. But before we get into that, let's introduce our esteemed guest. Today, we have May Brooks-Kempler. May, how are you doing?
I'm doing very well. How are you guys doing?
Okay, well, we're a little tired actually come to come to think of it.
Yeah. Super Bowl. Yeah.
Yeah. I mean, we have to we have to tell everyone we were originally going to record this the afternoon before the Super Bowl and we were like, yes, we'll pregame will get fired up. We'll have some cocktails. Instead, we have some technical issues and we're actually doing it the morning after. So for some of us, this is the hangover edition and we're doing coffee, but May is in the true spirit of the show. Yes, well done.
Yes. Well, it is five o'clock somewhere. It's actually 6.30 somewhere. What have I got? I got a martini with a twist. I usually go for a scotch, but I said 6.30, it's a bit early for a scotch for me, so let's do a martini. So cheers, guys.
Cheers.
Well, that's pretty good. I did myself proud.
You are later than us. We're on the U.S. East Coast, and you're in Dubai, right?
Yes. So here it's already evening. I'm in the future.
That's true, you're in the future. But I gotta say, I don't associate Dubai with a lot of drinking, but from what you've said, that's actually not correct.
No, no, that's a total misconception. Is that right? Yes, I've never drunk so much since I moved to this Muslim country. Honestly, I never had so many drinks until I moved here.
If she's in the future, I'm in the past.
Well... I've sometimes said you've been living in the past, but you know, that's, that's nothing to do with the time zone. Oh, I got confused. Sorry. You walked right into that one, man.
Come on. Well, I'm still working on my time machine. So we'll talk about that.
Will you be a DeLorean?
I know it's, I have a 2000 Toyota Corolla.
No, it has to be a DeLorean.
Yeah, DeLorean's cool.
Gotta go in style.
DeLorean is pretty cool.
Yeah. So, May, why don't you tell us a little bit about what you do? You are also a fellow podcaster of more experience than us, as a matter of fact, but you do quite a bit more than that.
Yeah, well, I've been in cybersecurity for about 20 years, a little over 20 years, so I'm getting older. Some would say better, but I'm not sure. Been in cybersecurity, been doing it for a long time. Started as a penetration tester, absolutely hated it. Moved to consulting, architecture, GRC. At some point I was a CISO for quite a few years. Then I swore I would never be a CISO again. Then I took another position as a CISO. And that's where I will never do a CISO role again. So let's see how long this will last again. I'm a member of the ISC2 board of directors, ISC2 authorized instructor for a very long time. I've been teaching CISSP, HCIP, co-author, doing what else am I doing? Oh, the podcast. So I've been podcasting since 2020. Originally I'm from Israel, so originally I did it in Hebrew and around lockdown, I was having nice conversations with friends of mine. We were very lonely and very bored. So we started doing these Zoom calls. And at some point I said, wait a minute, why don't we just broadcast them in my Facebook community? So that was the ThinkSafe Cyber podcast. And we ran, apparently today we finished moving it from one platform to another. So apparently it was 105 episodes. It was, yes. Yes. So that was every Thursday night. So that's about two years of content and I'm still involved with other podcasts as well. And I have Cybermania where Joe already, I already had him as a guest and Adam, you're going to be up next for sure.
Yes, I know. Not that I have a choice, but it's okay, I'll do it.
No, no, you don't have a choice.
Hey, Jo, you know what we should do? No, I want to do a podcast in another language that we don't know and see how it works out.
Oh, that would be good.
That might be a little challenging. You know what we could do? We could do it in English and then do it with the AI. Did you see that thing? I think it was the president of Argentina. They translated a speech that he gave, but with AI made it in his voice. Oh, that's cool.
What's it called? ElevenLabs, probably. It's super cool. Well, I actually participated in, I was a guest in the Greek chapter of ISC2 about a few months ago. Now, I actually logged in like 15 minutes before my presentation. So I was listening in. And it was like Greek to me. Like every once in a while they said AI, firewall, DLP. So I did get the gist of things, like what they were talking about, but that was about it. So yeah. So it could be nice doing a podcast in a language we don't understand.
Well, truthfully that happens to me when people say things in English, I get lost too. So, you know, I've never been to an ISC meeting and I've been, I think an ISC certified individual as an ISSAP and a CISSP for I think 20 years. I'm a five digit ISC person. I should probably go to a meeting. I hear the New Jersey chapter is amazing.
It is.
I should probably go.
You definitely, you should definitely go and you should definitely have Ken as a guest in the podcast.
You know, I went to one of those meetings, I think it was this past summer or something, and it's the New Jersey chapter. I'm in New Jersey, but actually, you know, when it comes to professionally, I'm mainly New York based, you know, and so I went to the New Jersey thing. It was like, it just happened to be a couple minutes from my house. It was really easy. And I was like, I'm looking around, I'm like, oh my god, I had no idea there were this many security people in New Jersey. You know, it was quite eye-opening. I understand Ken has done quite an impressive job in building up that chapter to something huge.
He has, he has, and he's reached out to many chapters around the world and he already led two global ISC2 chapter events. The first one was 2022, the second one was just now in December. And it was absolutely amazing because we had chapters from different time zones and different speakers, people from Ghana and people from Sri Lanka and people from Israel and people from the US. So it was absolutely amazing to see so many different people and hear so many different perspectives. I absolutely love those conversations. I think you can learn a lot from that.
You mean there are people in security besides Israelis and Americans? That's good to hear.
There are. We tend to spread around.
What are you talking about, Joe? There's Russians and Chinese and Syrians and all from those proxy groups.
That's awkward. Yeah. Where are people from all over?
Well, Adam, I'm sure we can find a group for you because like, you know, being in Staten Island, you can't be with the cool people in the Jersey chapter. Sorry, man.
What are you talking about? My soul sites are New Jersey. I live in New Jersey. Your soul sites are New Jersey.
Well, I think we'll just have to get you to start another chapter.
There you go.
Said the board member.
The Staten Island chapter.
Shameless.
I don't want to run anything. I think you've been challenged, Adam. I pride myself on doing the least amount of work possible. Joe, I worked for you six years. How do you not know that?
Yeah, that is true. That is true. Adam does what's got to be done. That's what we do.
And podcasting.
That's right. And, and podcasting. So, May, you know it's interesting you said something that you were a CISO once where you'd never do it again. And then you did it again. You know, we've had a number of conversations, including one with, you know, Chris Roberts in particular, talking about the stresses of the CISO job and how, especially here with the new SEC stuff, it seems to be increasingly becoming a job for a complete mad, mad, mad woman. I think it always was. I guess you had enough at one point then, twice.
Well, more than twice, but two major companies. Yeah, I think that's one of the things that I noticed whenever I interview CISOs is how do you relax after a hard day? I drink. How do you celebrate your success? I drink. So I think cybersecurity, it will make you drink. That's the new motto.
No, that is very true. Every time we say CISO, we have to drink.
There we go.
I've said for a long time that I only know two people in security who don't drink and it's for religious purposes. And actually, I was corrected by someone I know last week in a bar, of course. It ends up as three.
So my apologies to the non-drinking community. May, I went to this event. I know you know Sivan, right? So from Onyxia? And I went to an event and met a gentleman there and he runs a whole entire CISO, like, group or, or, or organization. And he was like trying to get me to join and great guy. But when I started speaking to him and having conversations, I mean like the membership was like, I think in the thousands, when you really think about it and they go offsite, I can't afford to be a CISO.
Yeah. Well, I think that today being a CISO, I mean, it's a super challenging job and it really depends on your leadership and how they perceive the CISO role. Because in some companies, especially in the SMB, SME side, some are still looking at the CISO as the all-in-one solution. That person will configure the firewall and build the policy and run the awareness training and talk to the board. Well, yeah. But that person is not going to do a very good job in all the different cybersecurity domains. That's absolutely impossible.
I think if you're a CISO today, you need to carry your own independent liability insurance because you don't know what's going to happen to you.
Well, some do. And Joe, you just mentioned the SEC and we also talked about it in my podcast and the, what's his name, SolarWinds. So we know that CISOs are now liable for whatever they say, even when it's just in jest. They have to be, I don't know, I think that we have to look at the CISO role a little bit differently. And if CISOs want to be perceived differently, we need to talk the business side. We should stop talking about technology, start talking about the business.
You know, that's something that's been said for a long time. But, you know, I think it's really challenging because, you know, a lot of CISOs, you know, come out of, essentially come out of IT. And now some are coming from the risk side too. But I'm trying to think of how many have come from the business side. And it seems like the business still, even if they say, we're so committed to security, we want all this, whatever. It's like, you need to talk to the... One of the great cliches that drives me nuts is the CISO needs to talk to the board. From what I understand, the CISO gets maybe five minutes with the board a couple of times a year. You know, and that's, I don't know if that's a deep relationship, put it that way.
Yeah. Yeah. It's interesting. I'm just going to say, if you're from the risk side and you're from the compliance side and you work for a financial, there's a good chance. I'm not a large chance, but a good chance you're probably an attorney. So it's funny, right? Do you need to be an attorney to be a CISO? I'm not saying you do, but the point I'm making is a lot of compliance people are attorneys. So you have to find that niche. Are you a business person? Do you have the MBA? Or did you just go to high school? And there's nothing wrong with that. And you really know the business. So I don't think we typecast them anymore. It's really what your capabilities are.
Yeah, I tend to agree with that. But I think that a lot of CISOs today, or a lot of cybersecurity professionals today, not only CISOs, can and probably should go for an MBA. Again, many people in cybersecurity grew up in the tech side. So we don't look at things from the business point of view. And for many years, I thought that my MBA was a complete waste of time. I did it pretty early on in my career. And only in later stages, I came to realize how much it changed my perspective, how much, how many tools it gave me that I only used like 10, 15 years after graduating. But it was absolutely wonderful having those tools. And even in the board of directors for ISC2, people think that being on the board of a cybersecurity organization means that we're talking cybersecurity. Rarely, sometimes we do because, yes, when we have the conversation with the CISO, obviously it's a bit different than a regular CISO reporting to a regular board. We do all come from the cybersecurity industry. But at the end of the day, our responsibilities are as board members and running the organization and making sure that we do our due diligence to the best of our abilities from a business point of view, not from a cybersecurity point of view.
Of course, a fiduciary responsibility. You have a fiduciary responsibility to make sure that everything is covered, whether or not you had that vision for the next two years, three years, five years. What's the organization going to look like from a technology standpoint? Even though technology is not the main point, You're saying, what is our organization going to need? And if we're more on the vendor side, what is the industry going to need in the next two to three to four to five years? So, you know, so if you're, if you're on, if you're a CISO on more on delivery side, not only do you have to worry about your organization, you have to, you have to be clairvoyant. You have to know what's going to happen in the industry and predict that pretty damn well.
Absolutely. I think that that's, by the way, one of the opportunities I recognize for CISOs today, especially CISOs working for technological companies, obviously for cybersecurity vendors or cybersecurity companies in general, because in that way, if they offer the right advice to the board of directors, they can actually help the company build the cybersecurity strategy and make cybersecurity a business driver, not just a business enabler, but actually a business driver driving the business, giving actual monetary value to the company. And that's a whole different conversation and a whole different positioning for the CISO.
Okay. I'm going to put you on the spot because this will be fun. But no, you know, I've, you know, we've, heard for years, it's a bit of a cliche. We need to make security a business enabler. And frankly, when 90% of the people say that, they really mean don't make it a disabler. I don't care what they say. Or don't make it a horse shifter. Yeah, that's ultimately what they mean. But taking that next step to say, OK, we want security to be really driving the business. I mean, what's the, is there a magic formula? I mean, how do you, do you really do that? And I'll, and I'll tell you why I bring it up because I, I was a little depressed in the past few days about something, not that depressed, but I read about, I think it was the Procter and Gamble hack when they got hit with ransomware, you know, they make the soap and home products and everything. And they said, wow, their cleanup costs were ridiculous. I think it was like $59 million. It ends up that that was like .6% of their revenue for the year. And I saw that and said, okay, I can understand why the board isn't that worried about security, even after a ransom attack. So, I mean, how do you spin that? What do you think of spinning that around?
I don't think that every CISO in every organization can use cybersecurity to drive the business. That's why I said in technological companies, in cybersecurity vendors or service providers, that will be sort of the niche where cybersecurity can actually drive and give actual monetary value to the business. I think that we have to change the conversation in every industry, not just talking about, oh, it's going to cost us so much money or everyone is going to leave us, all the customers are going to leave us. No, to be honest, if I'm buying, I don't know, my shampoo from Procter & Gamble, I'm not going to stop buying my shampoo from Procter & Gamble because they were hit by ransomware, with all due respect to cybersecurity. And I am a cybersecurity professional, but at the end of the day, I don't care. They make my shampoo. I mean, I really don't care what their cybersecurity strategy is. But when we're talking about cybersecurity products, absolutely. When we're talking about big data companies, you know, today I had a conversation with someone online about Truecaller and me. And he said, but me is collecting data and aggregating data and they can show you, you work for this company based on your, you probably work in this company based on your friends and whatever. And we had a very long conversation on that, whether or not it's a problem or not. Because at the end of the day, yeah, you can find that data on my LinkedIn page. And you can also deduce that data from looking on at my profile, looking who my friends are. So do we really want to hide that? Are we really that concerned with privacy? And if we are, what are the, like, what would we do about it?
But would you go to 23andMe? knowing that they weren't able to create an infrastructure to protect your data. I wanna know certain things about my life, about ancestry, but I'm mortified, I don't wanna do that. And however, for a guy that was also in the healthcare system, who's been an EMT, I wouldn't necessarily go to a hospital that kept on getting compromised with PHI. So it depends on the product. Procter & Gamble might be okay for your shampoo, but what if it's medication? What if their data's getting out?
But if you need to go to the ER right now, would it actually go to a hospital further away because the one closest to your house was hacked last year and all the data was leaked?
No, and I might not even get that choice. If I'm having an MI, a myocardial infarction, and I'm in the closest hospital, the EMTs or paramedics are going to take me there. However, if I have elective surgery and I know one hospital was compromised constantly and I have to worry about my data getting out, I might consider that. I get what you're saying.
But how many people would do that? How many people would actually choose their care provider based on whether or not they've been hacked?
I was going to say, you don't. I mean, we've experienced that. We talked about that with Jim Hoffman. It's like, yeah, you know, when the ambulance comes, you know, you're not worried about their, you know, their HIPAA compliance or their privacy. I mean, I actually had the same thing with my wife. We got a, we got a standard, you know, disclosure, you know, notification, whatever, that one of our vendors, actually a third-party thing, lost all of our data. They basically sent the standard letter that says, we're sorry, we care about your data, right? And it's like, you know, what are you going to do because of that? You're going to change your oncologist? I mean, that's not very realistic. And that's, and it's a really good question. And how do we kind of propel security forward in that, in that kind of environment?
There was a place I used to go for film, like, you know, for like MRIs and CAT scans. This is years ago. And I told him, stop leaving, back then it was, stop leaving the clipboards on the counter with my PHI. Stop doing it. And let me tell you, I stopped going there because of that, because I didn't want people getting my data. And it really takes one person just to start gathering that data to do something. Look, I realize that 50 people probably have my data I don't know about. I've probably been compromised. If I go to, what's it called? Have I Been Pwned? I mean, the list is 17 pages long. I mean, like I have to, when I print it out, my printer runs out of paper, but, but the point I'm making is I guess what I don't know is what is good. Right. But I try to protect my data when I can, but does every one of us turn on multi-factor authentication? And that only prevents somebody from the outside, not somebody compromising the backend. So I get it, you know, it really depends on how you want to slice it.
And the problem is, do people care and how much do they care? Like, we're not the average person. Yes, I wouldn't choose a vendor that I know jeopardized my PHI a few times. But to be honest, the majority of people don't even think about that. And we talked about it before we started this recording. I don't consider my ID number in Israel to be confidential anymore. It's been leaked too many times. Chances of identity theft for me as an Israeli are so high that I don't consider my ID to be anything. It's not confidential. As far as I'm concerned, that's public data. I don't care anymore. Now I don't care anymore. And I'm saying it with a lot of pain, like my professional ego is sore because of that, but it's been leaked so many times I can't treat it as confidential data. And to be honest, I don't think there's anything to be done. What are they going to do? Change the entire population's ID number and ID, like everything? You can't really do that.
Yeah. Well, then here's the, here's the question then, you know, sometimes I, you know, I've said, I, I feel that sense of despair too. You're like, yes, your data has been stolen so many times. There's so many people you've given it to and it's, it's guaranteed to be out there. Okay. So it's out there. And if someone wants it, they can, they can buy it, whatever. Um, so, so where does that leave us then?
Um, I think mostly with education and awareness, that people will know what it means that their data is compromised, that they'll realize what they can still expect as privacy, like what's a reasonable privacy expectation in 2024, which was very different than 2018 and will probably also be very different in 2028. It's going to be very different, but I think that the majority... I just had that conversation last week with a colleague that has been doing device security for many years. And it was following a conversation I've seen in my Facebook community, ThinkSafe Cyber, that people said, well, I'm opting to go from Android to iOS because then I'll be completely safe online. Dude, no, that's not the way it works. First, when iOS was less popular on a global scale, there wasn't any malware or very little malware because it wasn't popular enough for the hackers to actually develop malware for iOS. And moreover than that, even let's say it's the best operating system in the world and it's totally secured and there's no malware in the app store and everything. At the end of the day, if someone clicks a link and it's a phishing campaign and they give someone else the password, Apple is not going to save you. Android is not going to save you. At the end of the day, it's only human awareness and being aware of social engineering. Yeah, exactly. So at the end of the day, the problem is not technology, it's people.
But when you're carrying your phone, you're carrying your phone, forget about malware, forget about someone hacking it, you're carrying a listening device. And I know that, and I have to say, and I say, my God, these conversations sometimes I have that are personal, they're already recorded somewhere because they claim that they use it. They do record, and we had that conversation with Jen, remember, Joe? She was a privacy attorney and she's like, she wrote that book about that vendor and these devices are constantly listening to you and sampling you and recording you for quality control and evaluation. So whether it's Apple or whether it's Google or whether it's Microsoft, you're always being listened to.
But even if they don't listen to us, they don't have to. At the end of the day, what I'm interested in and what my friends are interested in will probably be similar. So if I'm talking to my friend about, let's go on vacation in April to Cyprus. And I'm telling her, wow, that's a great idea. Let's go to Cyprus. And she already looked online in kayak or Google travel or whatever. And then I start seeing commercials to vacation in Cyprus. I will say, oh, wow. They listen to me. No, they know that I just had a two hour conversation with my friend. And this is what my friend has been clicking on for the last two weeks. So it makes sense. They'll show me the same things. And that's, some would call it social engineering, some would call it marketing, I don't know.
So me, I'm bad. My, my, my child has an Nvidia box. We have an Nvidia box for streaming and I purposely search for bad things. So that shows up in my child's feed when they're at college. They're like, dad, what are you doing, dad? Stop doing that. I know you searched for this. Sorry, Joe.
Adam, wait, wait, let's see what I've been watching on YouTube from the podcast account. Oh God. Yeah, but you know, it's, but it's a really interesting question. You know, there's a little different way of looking at it. It's like, okay, you have this stuff out there. We can't prevent this stuff. It's very hard to minimize it. But, you know, I'll give you an example, too. And, you know, maybe I'm too privacy conscious or something. But, you know, you're talking about You know, moving from kind of surveillance into really are you being manipulated at some point. Are you really, you know, there's marketing and there's deliberate manipulation. I mean, I'm going to. You know, when I take a trip, I go overseas very often, you know, people, they love WhatsApp. Everybody outside the US is like soccer. They all love, we're the only ones that don't use WhatsApp as much. And I, I mean, it's been a few times that I've gone and I've downloaded the app and I go and I start and I'm like, okay, I gotta do it. There are some people I need to talk to. And you see that big pop-up or whatever it is that comes up that basically says they are collecting every goddamn thing on the phone and your whole address book. and sending it to Facebook basically. And I'm like, you know, I just can't get comfortable with that because I know that they're dedicated essentially to, I don't want to say using it against you, but not using all that data in your best interest necessarily.
You know, but the question is, do I want to see commercials to things that I'm completely not interested in, or do I actually want them to give me commercials for stuff that will interest me? Will it make me buy more? Maybe, maybe, but at the end of the day, there's also the user's responsibility. It's not Amazon's fault that I scroll around and put things in my cart and buy. If I'm addicted to online shopping, then I'm addicted to online shopping. Did Amazon make me this way? They probably contributed their part. No, but at the end of the day, you can't just blame the big apps. And that's why I'm going back to education and awareness. If people are not being, if people are not aware of those manipulations, they don't even know that they exist. They don't even, one of the things that I always talk about in my, in many, um, in many talks that I do is about sort of between social engineering and marketing. And I see people like they're absolutely stunned. And for me, that's standard practice. When I go online to book a vacation, whenever you go on booking, I'm always in luck. I'm on, I'm the luckiest person in the world because there's always exactly one room left where I was looking. And if I change my search for, I need two rooms, I'm the luckiest person in the world. Seriously, I should start. I should start checking in the lottery. Yeah, absolutely. Because suddenly they have two rooms left because I'm such a lucky person or because they're trying to use urgency to get me. Don't think about it twice because those are the last two rooms. And if you wait, they'll be gone. So, okay.
I'll, I'll give you a step. I'll give you a step further because this I've seen, this is not paranoia. You know, recently booked a trip and you know, my, my wife, she's using a computer and she figured this out and she's not a security person at all. Believe me. But, you know, you use the browser, you're using Chrome, whatever you're searching, Expedia, Booking, whatever you're looking at, you see the flights. And you notice that over time, the prices aren't going down, maybe they're going up, they're stabilizing. But you go to another browser, or to another machine, and you look at the same flights and you're getting a different price. Difficult. Yeah, that's it. It's because they think, oh, it's someone else. We're trying to hook them in with a lower price. To me, that's manipulative.
I don't subscribe. But when you talk about it and you know what, we just talked about it. Hopefully people will listen to this podcast. Hopefully people will talk about this part of the podcast with their friends and they'll know. So for me, when we were looking to book a flight for a big group of people, our entire family came over in the summer. So like, I think we were 10 or 11 people on the same flight and we were looking on our computer and my father-in-law was looking at his computer and suddenly we see the price going up and he said, no, no, we have to book it now. We're going to wait for two days. Why today? We're going to wait for two days, but the price will go up. I told him, look, if the price goes up, I will pay the difference. How's that? And we waited two days and the price went back down. And we just used a different computer from a different IP, from like a different browser. Everything was different. And then the price went back down. And at the end of the day, when people hear this, for us, it's like standard practice, but a lot of people are not aware of that. Now they're using the same tools that hackers are using: urgency, scarcity.
Yeah. So, so May, um, Joe and I have a friend, his name is Doug. I mean, I used to travel with him before I worked with Joe. He used to use his UK browser. Like you would need to have somebody book the flights and stuff. It was always cheaper from the UK browser than it was from the US browser. So, you know, people do that.
I always do that.
Yeah.
I always play around. I play around with my VPN. Um, not when I'm in the UAE, of course, because you can't use your VPN in the UAE, but, um, but yeah, I'm using it all the time and I'll book something. For my dad, when he comes over, if he'll try and book the same flight from Israel, it will cost him more than if I try to book it from the UAE. And it's the same flight.
Interesting, huh?
You have to play around with it and check which one will be the best one now. Next time it probably will be different.
Yeah. So, so I guess that's an interesting perspective, you know, because we're, you know, I guess we think of ourselves when I would do is, you know, defenders, we try to stop the bad stuff. It almost seems like, like you say, in this newer age and going forward, it's like, you can't change the game, you got to just play it well, or do the best you can with it.
Kobayashi Maru scenario.
Yeah, but we have to adapt. Because what we see, and it's also a generation thing, because I don't know, five years ago, even today, if you go and interview for a big company and the HR rep will go through your social media account and will see all sorts of personal things, they might perceive you in a very specific way. We can say that we're against bias and we're against profiling and whatever, that's human nature. But I think that human nature does change and I think that things that were frowned upon 20 years ago will not necessarily be frowned upon 20 years from now. And that's also something because even a tattoo was something that, oh, people would always cover up their tattoos in a business environment. And today people walk around very proud of their tattoos. I don't have any tattoos. But so even that's something that has changed. And you know what, I'm not sure that 20 years ago, we would have a cocktail during the podcast, during a professional one. I don't think it would have been accepted. Maybe in the US.
So, May, I'm looking at it the other way, with the recording on at least. Yeah, if I want to look like a really good person for a job interview, I mean, yeah, I guess I'm Jewish, but I'll put myself in a church, show pictures of, make a Facebook account, show me helping, you know, defenseless animals, working in soup kitchens. I mean, you can do socially manipulative things. I might say that we really do that. But the point I'm making is what people use for bad, in researching you, you could turn around and reverse it and make yourself look like, you know, you know, God's gift.
I mean, so, you know, people question, can we trust what we see on social media?
Well, no, of course. Oh, look, the only social media I really use very grudgingly, and it's largely for the podcast and for professional stuff is LinkedIn. And I'll tell you, on LinkedIn, everyone loves their job. Everyone had a fabulous time. Everyone's going to fabulous conferences. It's amazing. It's like Barbie world. It's like that.
Yeah, it's like Facebook used to be 10 years ago. Today, at least on Facebook and even Instagram, it's more about being authentic, being yourself, and sharing the good and the bad. Not for everyone.
Speaking of Barbie's world, do you know the CEO of Barbie? We're trying to get him on also.
No. Can I be the CSO? I'm willing to be the CSO of Barbie. I'm willing to do that job.
He's connected to Sivan and other people. I tried reaching out to him.
I'll talk to Sivan about it. I'll talk to Sivan. I want to be the CSO of Barbie. Yeah. Well, speak to Sivan.
The CEO of Barbie, of Mattel. Also, we need Gal Gadot. Gal Gadot.
Well, I am in Israel, but I'm not, I don't have superpowers yet. Although, but Sivan knows Gal Gadot. Yeah. Well, it's a very small place. Like it's a very small point. It's smaller than Jersey.
So I've been I've been to Israel many times and Tel Aviv is just about the size of my desk and
Yeah, yeah. Well, the Israeli cyber community is, everyone knows everyone for good and for bad. So when we're doing a webinar and we suddenly need a big speaker, it's pretty easy for us to call people from the big companies like Palo Alto or Checkpoint or Wiz or Orca. Some of us are, some of them are personal friends. Some of them are people that we work with or we know. So yeah.
Speaking of Checkpoint, is he really stepping down?
That's what he says. I mean, he said it years ago as well, so I don't know if it will actually happen, but we'll see.
I remember watching him do a farewell tour or something.
I think that I can totally get what he's saying. He wants to focus now on the future generation and the future of cybersecurity and the technological world and not just Checkpoint. I think it makes a lot of sense. Someone, I mean, he did more than his share for the cybersecurity community, and now he wants to help the next generation. I think it's actually admirable.
I always hear rumors that Dorit is the one that's running Checkpoint. I'm sure Dorit will know it.
To be honest, I'm not sure if Dorit will want to be CEO. I don't know.
I heard she's running it now, so.
Yeah, well, from a technological point of view, but I don't know, to be honest, if she's that inclined. At the end of the day, it's the same conversation we started with. Should a cybersecurity person be more technical or more business-oriented or both? And how can they combine those worlds? You know, I had a very interesting conversation with a good friend of mine, Ido Naor. He's a fantastic hacker and he's the CEO of Security Joes and they're doing incident response. And we had that conversation, I think probably two years ago, he said... And we talked about the fact that I hated hacking and I found it absolutely boring. It was like doing the same and very narrow and very focused on details. And that's not me. And I absolutely love that macro vision, looking at the entire organization, doing risk management. And he is completely the opposite. He hates those things and he loves the nitty gritty. And at the end of the day, that's the thing with any profession, I think. It has to be, you have to choose the career path that is suitable, not just for the lifestyle you want or the paycheck you want, but also what you actually enjoy and what you're actually good at. I mean, you can study anything, but the question is, if you're not passionate about it, you'll never excel.
Oh, completely. And, you know, we should, you know, one of the things we try to do on the podcast is say, like, you know, not everyone is a hacker in security, that there's such a wide variety of people. And just to let people know, you know, you're talking about, you know, penetration testing or ethical hacking or whatever you want to call it. The truth is, it's not glamorous at all, like in the movies. Much of it is very mechanical. It's going through checklists. Oh, it's not like Swordfish? Over and over again. Yeah, yeah. It's not like Swordfish where, you know, if you've seen that... It ain't like that, and, uh, you know, Mr. Rubble. No, you're not gonna have Halle Berry, uh, you know, chasing you or anything, too, you know. No, where do I sign up for that?
You know, you know, it's like, um, I, you know, Joe and I've had this conversation many times, and Dave also, um, formerly of Sygnia. Um, we've had these conversations where I want to do this. I want to do that. I want to do this. I want to do that. I want to be, I want to do privilege escalation. I want to compromise machines. I want to do this. And you can't be the one-stop shop for everything. It's impossible. Nobody has that much time. Though I've seen people that are so incredibly talented and I don't think that's me. I think I'm capable, more than capable, but I just don't have that. And especially if you ever worked for a country where you were trained to do these compromises, you've had incredible training, whether it's the 8200, whether it's the NSA, no matter what country it is, I've never done that. So I've never had that capability or that luxury. But the point I'm making is exactly what you said, May. You got to pick your poison. You got to pick what you want to do, what interests you, what you want to focus on and focus on it tremendously, not go from here to there, to here, to here, to there. It's too much.
Yeah. Well, I think that my, my personal career took quite a few twists and turns. And it also comes from the fact that when we started 20 plus years ago, there was no clear path. I want to be a CISO in 10 years. That's what I have to do now. No one knew. No one even knew like the different roles we did. We were all-in-one cybersecurity people. I did configure the firewall and two hours later sat down with the ISO auditor because that was the reality. And I'm not, I'm not sorry for that. I think that was incredible, and it gave me a very well-rounded perspective on cybersecurity. But would I recommend people coming into the industry today to do that? No. No, I would tell them, you can do it in the first two, three years, and then you have to choose a path. You can pivot, but not every two, three, four years. It doesn't make sense.
But there are so many different levels now. You know, things have changed with security. It's gotten much bigger. It's gotten much more specialized. And yes, you kind of have to choose a path, and you can't choose them all. You need to go one way or another, even if you're staying technical. You know, you can't do everything. There are just too many specializations. But on the other hand, especially today in the, you know, in this era of cost cutting, you know, that we're seeing where, you know, hiring is tight and companies don't want to spend and they're trying to cut back. There still is a lot of call, especially in the smaller organizations, for the security guy, the guy who does everything. And I've been, and I've been noticing, you know, in the, in the job postings and stuff where, and even talking to people, they go, oh, I'm the, I'm the CISO. And like, you know what, when I think of the CISO, the CISO is a senior person, is an executive, is a, is a manager who's running all those things. But we have a lot of people who are, you know, say they're CISOs and they get the title, or companies are looking for a CISO where, you know, I say they're really looking for a senior engineer who can do most everything and do a few of those other, maybe supervise a couple of people and maybe do a quarter. And there's nothing wrong with that. There's a, you know, there's a business need for that.
Yeah, but I'm sure you all agree with me that the CEO of a company with 50 employees is not going to be in the running to be the CEO of Checkpoint anytime soon. So even if he's the CEO of a cybersecurity company with 50 employees, he's not going to be in the running for Checkpoint just because it's different skills. And some CSOs, and to be honest, personally, I never enjoyed working for large enterprises. I did it and I learned a lot, but I didn't like it. I always preferred working for SME, SMB companies that you can really influence and you're really a crucial point in the organization. And again, that's a character trait. It's not good or bad. My husband on the other hand, he loves working for big enterprises. That's what he's been doing his entire career and he loves it. So it's very different.
I'm more like you, May. No, that's it. I'm more like May. I, I don't want to work for, I've worked for an enterprise company. I worked for many enterprise companies, but one specifically, and I would never want to do it again.
Yeah, I'm kind of with you there, too. I've worked at all sizes, and the big ones are too big, and actually, career-wise, you do tend to get too specialized and pigeonholed, and it's hard to break out of it.
And if you like it, it's great.
If you like that, that's fine. It's not for me. Absolutely. The ones that are too small, being the person who does everything, there are people who love it, who thrive on it. But that middle kind of thing, I find more interesting. And also because I find it's, I find it very challenging too. Because very often when you're in that mid-range, you have the, very often, especially depending on the industry, you have the requirements of the big guys without the budget and the team. And to me that's just professionally challenging.
Unfortunately, it doesn't pay as well, but it's not as high paying and it's not sometimes as glamorous as, you would say, a CISO at one of the big companies. But it's a matter of personal taste also and personal preferences. So I personally always preferred like the new or new enterprises like startups that are just pivoting, that are just growing from the startup phase, like with 200, 400 employees, and they're just growing to the 1,000, 2,000 mark. And they're growing and they need to get their act together from a startup perspective to an actual mature organization with regulation, with compliance, with everything. So I always found that very, very challenging and fun. And no, I don't want to be a CISO. Don't, just don't ask me. A consultant, I can be a consultant.
So for me, when I worked for a very, very large enterprise organization, I didn't, I wasn't the rockstar I thought I was for many reasons. But when I started, when I worked for smaller organizations, I tend to be that rockstar. And for me, it was a culture shock because sometimes I feel those organizations at that level don't necessarily want you to be that rockstar. They want you to deliver, deliver, deliver. However, they want to make sure, I'm trying to be careful what I say. They want you to be somewhat suppressed. They always want to keep it at that level. You can't go further because then I think that encroaches on what they do and they fear for their jobs. Does that make sense?
Yeah, it does. Was that careful enough?
Was that careful enough?
Well, you guys are the Americans. We're Israelis. We just shoot first, think later.
Oh, God.
It's, by the way, it's a cultural thing. It is Israel's: first do, then think. Hmm. Does anyone want to buy my startup? No, it's a great technological idea, but... You know, you know how many people I've worked with that did startups here? I can tell you what, in Israel everyone, everyone... I wish I was born Israeli, that I would have done a startup. Oh, you don't want to do the startup. That's how we drink even more.
I think I'm moving to Israel to do a startup.
I moved out and started a startup. Yeah. So again, it's a cultural thing. It's fun.
Okay. So we're, so we're getting to the, to the end, but before we do that, can you give us a little insight into what it's like doing security at a startup? Because in some ways that is the most challenging. That's when you're the most cost-constrained, the most resource-constrained, and where the board, they're not worried about profitability. They're fighting for survival very often, not for security. So what are your thoughts on that kind of environment?
Well, I think that's the funnest, can you say funnest? That's the funnest environment for me personally, because again, it's challenging. So it goes back to the point of being very creative with your resources. Use things not necessarily the way they were intended to be used. Like you have to be very creative. For example, take things that are free off the internet. Even for awareness, you can use free content and use that. You can try and give benefit for the organization, especially in the startup sort of stage, that they're trying to get market involvement. And I can mention, I won't mention them by name, but there's a specific financial startup in Israel that did a phenomenal, their CEO at the time, did a phenomenal job. He said, okay, we're a financial, we're a fintech company. There's going to be a lot of scrutiny and mistrust when it comes to cybersecurity. And he decided to turn that into a marketing advantage. And they started doing live webinars about cybersecurity and they ran their own podcast and they gave so much content, so much free content. You could do a security assessment and they sent like security awareness emails to their customers and to anyone who wanted to and was on their mailing list. And they sort of positioned themselves as the security FinTech, though they had nothing to do with security. They were totally a FinTech company. So I think that was very creative of their CISO. I love that. And I think that at the end of the day, it's doing more with less, you don't have the resources. So try and make sure that everything you get can be optimized and is optimized. And if you have a specific license, whatever it is, it doesn't matter which one, even if it's not the best of breed, try to use everything you can from that tool, because you won't have budgets to buy best of breed, a thousand different tools. You don't have. You don't have manpower to run like 50, 60, 70 different security tools.
We often have to go with value, thinking about value, not just best of breed.
Absolutely. And who do you have in the team that can manage? What are their skill sets? Make sure that you empower people within your organization. For example, in one startup that I worked in, there was an IT guy, very young, very eager. And he was super enthusiastic and he loved cybersecurity. And I spent the time after hours teaching him cybersecurity and sending him content and sending him trainings that I've seen that he might find interesting. And I gave him a shot to do different things in the security department because I didn't have anyone else. It started from the fact I didn't have anyone to do it and he was eager. So it was a win-win. And today he works full-time cybersecurity and I'm very proud of that. So I think that in a start-up organization, in the start-up state, you have to try and find those talents that will be your heroes, will push you forward, people in the R&D department that you can teach. Try and utilize as many people in the organization, not in a bad way, not like bad manipulation, but teach them, give them benefits. So they'll help you do, yeah, they help you do your job. And if you invest in people, that's what I always found. If you invest in people around you, they will help you do your job much better.
It's the old teach a man to fish type of thing.
Yeah. That's, that's interesting. It does take more, uh, more effort. I mean, very often it's, uh, You know, it can be easy to hire or easier to hire great people when you have a lot of budget or when you have a marquee company that everyone wants to join. But when you don't have that budget to attract people, it's almost like it's almost like the open source of the free software thing. You have to create the people. You have to train them yourself. You need to find them, pull them from some. We've talked about, you know, pulling people from the help desk or support or, you know, sysadmins and stuff. You got to do what you can.
So it's funny, remember the movie Boiler Room? No? So the movie Boiler Room is about trading and people who become brokers. So how many of you are already a broker? Get out. We train brokers, we don't hire brokers. So some organizations want to create the correct person, not hire somebody who's done something already differently.
Yeah, but let's just be clear, Adam. In that particular movie, weren't they training them to be criminals? Yes, but you missed a point, though.
You missed a point, though.
But you know, the one thing, um, if I have to say the one training I'm most proud of in my entire career, and I've been doing training for so many years, officially and non-officially, I've been an adjunct professor and I've been doing (ISC)² certification and CISO training and all sorts. And when I was, I don't know, probably about 12, 13 years ago, my PA went on maternity leave and they brought me this student. He was 20 something, 24, 25 years old. He was a student of economics. And to this day, he always reminds me of that, that the first day he sat with me and I was sort of explaining like the basics of cybersecurity, CIA, confidentiality, integrity, availability. And he remembers me telling him, I don't know how much I should invest in teaching you because I don't know if you'll actually stay in this industry. And he's one of the best CISOs I had the privilege of working with. He's working for a very large gaming company. He's absolutely incredible. And if he's hearing us, Oren, this is for you. And thank you for challenging me to teach you.
Well done. I'm going to sign up for you. I want you to train me to be a CISO so I can get a CISO job.
Are you sure you want to be a CISO?
I don't know what I want to be when I grow up.
Me neither. Not a CISO.
You know, I still do and frankly, it's something I think I gotta work on with my shrink. I don't know, but it is in some ways. You know what? We can do a whole show just on that. It has its benefits and its joys, but it's not an easy job in a lot of ways that people probably don't expect. It's not easy at all. But it's fun.
It can be fun.
It is.
It could also cause you to lose your hair, hence me.
No, you see, that's fine.
Well, you got out of it, May, so you've got the long hair.
Yeah.
All right, so we are just about getting to the end here. I think we're heading towards last call. May, your final thoughts? And if you have any plugs, I think you were working on a couple books.
Oh yeah, wow. Well, the book is, the first book is coming out real soon. The working title is Think Safe Cyber, The Practical Guide for Online Safety. Again, it's a working title, so feel free to pitch in your ideas because I don't like it, but it does convey the point. So it's actually a translation of a book that I wrote a few years ago and published in Israel and it was very successful. And it's sort of cyber security for everyone. It has special stories that a lot of people in the community, in the cybersecurity community don't know. So I was trying not to bore cybersecurity professionals to death, but it also is very practical and easy reading. That's what people say. It's not just me saying that. So yeah, it's basically for everyone, for your parents, for your spouse, for your kids, for everyone who's concerned with cybersecurity and wants to get a practical guide of how to stay safe online. So it's, yeah, so it started with the TEDx talk and with building the ThinkSafe cyber community. And at some point people told me, why don't you write a book? Why don't you write a book? So at some point I wrote a book. So yeah, so hopefully it will be released by the end of Q2.
Oh, great. Because you know what, I will take a bunch of copies for like, you know, holiday presents. I got a lot of people who could use that. And we'd love to have you back on to talk about it.
Oh, absolutely. That sounds like a great topic.
I'll take an autograph book. I'll pay for it.
I will send you a copy and everything. Yeah. And you'll probably get it faster than I do because it's going to be on Amazon. So yeah. So you'll probably get it first. Yeah, so that's very exciting. I'm working on my doctorate, which is going to focus on the business impact of cybersecurity incidents, because I sort of had enough with us crying wolf and saying the roof is on fire and everything is terrible. And if we have a cybersecurity incident, the company will collapse. I don't think that's actually the case. So I'm analyzing that. Again, my professional ego is suffering major blows during this research process, but it's all for good reasons.
That's great. Wow. I'm going to start my doctorate in September. I want to concentrate on cyber warfare.
Oh, nice. Yes. So we'll talk about that as well.
I can't wait for Joe to call me doctor.
I told you, Adam, you don't have to get a PhD. I'll call you a doctor anytime you like, if it'll get you to stop talking about getting a PhD. I'm not getting a PhD. This has been going on for years.
I'm getting a DSc.
What's a DSc? I'll bite.
A doctorate in security, cyber.
Where have you found that?
No, I mean, it's a Doctor of Science. I'm sorry, cyber. It's Capitol Tech. Really?
Well, I'm doing a DBA, a doctorate in business administration, because what I'm interested in is the business impact of cybersecurity.
So, um, one of our colleagues or one of the guys that worked for Joe at one point, his name is Eric. He had, he got his master's there and I applied for the doctorate and I got in and then I, I deferred it. And now I'm going to go in September.
Amazing. Good luck.
Thank you. Well, I think I may go for the same degree Hunter Thompson had, the Doctor of Gonzo. That's the best I'm going to be able to do. Involves a lot of drinking, but anyway.
That's how we do it.
There we are. Okay, well, May, thanks so much for coming on. Thank you for having me. A lot of fun. We definitely want to see the... I'm definitely going to want to see your book when it comes out. And we would love to have real cocktails again, if we can have it at an appropriate hour. But thanks for keeping the faith. You're tougher than us. We wimped out on this one.
It is 9:30 for you guys, so it's fair enough.
Yeah, that's true. Adam, your thoughts? Final words?
I'm at a loss for words.
We're doing a podcast, you can't be at a loss for words. You gotta talk about that.
All right, give me about five minutes, I'll tell you my words.
Okay, we'll take five minutes of dead air and then chop it out. No, no. All right. This has been great. No, this has been great. Thanks again, it's been great having you on.
Thank you guys.
All right, take care everyone.
