Everybody Makes Mistakes – Including Cybersecurity Pros
Andy Esterman, Yehuda Kirschenbaum · October 15, 2024 · 50:10
Welcome to the Security Cocktail Hour. I'm Joe Patti.
I'm Adam Roth.
Adam, another fabulous, lovely day in the world in general, but always it's special in Staten Island.
And I've heard this three times in the last 24 hours with the last three podcasts. I'm getting a little bit tired of this, Joe.
Yeah, I know. We've done a lot of recording. We record things in batches, and I'm just running out of banter lines, you know, at least to start off.
Yeah, Joe. This is like the Matrix all over again.
Yeah. Well, fortunately, we have not one, but two guests, so I don't have to talk that much. We have some longtime friends of the show, Yehuda Kirschenbaum and Andy Esterman. Gentlemen, welcome to the show. Please, if you're watching on YouTube, like and subscribe. And if you're listening on Spotify or another podcasting platform, please follow us. We're trying to build the audience for the show, and that really helps us a lot. So thanks a lot.
And to add, if you're in the middle of creating a will, please leave your money to the Security Cocktail Hour so we can persevere.
Yeah, that's going to work. Okay. So, gentlemen, we have a special panel because, you know, we usually have security people or people associated with security. And so we have a mix of people, you know, Adam and I, we're hardcore security guys. And Andy, I know you've been in security for years, but you're actually in sales, right? Correct. Okay. Don't tell anybody. No, he's okay. I've known him a long time. He's cool. And Yehuda, you are in marketing, right?
Yeah, marketing. And this is my first couple years in security.
Oh, really? Okay. And you haven't run screaming yet, so that's good.
Not yet, no.
You guys have been too welcoming.
Well, I mean, let me let me not welcome them. These two are associated with mistakes.
Yes. Well, this this is the mistakes panel. And speaking of which, this is, of course, the Security Cocktail Hour. So today's drink is whiskey, basically, our guests' choice as usual. And so cheers, everyone. Cheers. Cheers. Yeah, we're going in hard on this one. And there's a little story behind the drink, which was that this is our panel on mistakes and on how to recover from mistakes, and deal with them and move on, which is important in life and also very important in security. So, yes, mistakes happen, both our own and other people's, we got to deal with. So we were trying to come up with a drink that was invented by mistake. We picked whiskey and I think we were going with, Adam, didn't you say something like alcohol was invented by mistake by cavemen or something like that?
I might have made a mistake when I googled it, but it said alcohol was created by mistake.
I don't know. What do you guys think?
Have you ever heard that before? Is that true? Somebody just left something running too long and, you know, the person who had the first sip got knocked out. So that looks like fun.
So let me just say this. Anything that we say right now is all about mistakes. So if we say something wrong, it was a mistake. Full disclaimer.
Half the lies they tell about me aren't true. Yogi Berra.
That's great. That's good. That's really good.
All right. So let's start off. This is going to be like group therapy, I guess. We're going to share with the group, share our feelings or whatever. So we're going to start out with everyone. Tell us about a mistake that you made that might have felt like the end of the world, but really, you know, whatever, you ended up learning from. Or not, you hid in the corner in a fetal position. Everything happens. So we'll go in alphabetical order. Sorry, Andy, why don't you go first?
Sure. So first of all, thanks for having me on the podcast. I'm sure that agreeing to this was a mistake in a long series of mistakes. At least you get a drink out of it. Well, there's that. So, yeah, mistakes. I have a long, sordid background that includes cybersecurity, but prior to that I was a carpenter for many years, and I was on a job site, and I was tasked with laying out a wall. It was between a room and a hallway, and it had two pocket doors and two doors that opened, swung open. And I laid out and built half the wall, and it was five-eighths inches off where it should have been.
That's a lot, actually, five-eighths of an inch. I'm sorry? That's a lot, five-eighths of an inch, when you try to put things together, right?
That's the width of a piece of sheetrock. That's the thickness of sheetrock. So I didn't account for the sheetrock in one plane. And happily, the whole thing wasn't finished, but I had put in a day or two of work to get it up and sort of in place. And there wasn't any choice but to own it and take it down and rebuild it. And my philosophy with these sorts of things is when you make a mistake, run towards it. And in this case, I didn't have much choice. I mean, the wall was off and, you know, there was no, there weren't any ways to fudge it or hide it. You know, in high-end carpentry everything has to line up and it's very precise and, you know, I just had to bite the bullet and take it down and put it back up. I'm happy to say that the second time it didn't take twice as long.
Well, that's it. Did you ever make that mistake again? Put it that way.
No, that mistake I've never made again. Clearly, I've made other mistakes since then.
So, Andy, there's always a light at the end of the tunnel, and it's probably that train that's going to hit you.
Yeah. This is supposed to be inspirational, Adam. Remember? I mean, come on.
Oh, it is inspirational. You get past what you did, and you persevere. Look, you can get hit by a train and still persevere.
You just learn to jump out of the next one. Hey, not by Jersey Transit. Those things, they don't have a good record.
You're lucky if it even shows up to hit you, Jersey Transit.
Yeah, that's true. That's true. Yeah. That's the safety mechanism. All right. So, Yehuda, what have you got? Lay a story on us.
Oh, wow. So, I haven't always been in cybersecurity. And in one of my earlier positions, I was at an e-commerce website. I was responsible for setting up coupon codes and all the discounts and all that. And I just was not paying attention or just missed one switch on a button. And I made a coupon that was live without any other check across an entire website. And it was an 80% off coupon. And anybody can use it. They can use additional coupons. Going that way for like three hours, costing our company about three grand. And it got shut off. It got found. Very minimal damage. Let's just say $3,000 is not minimal. But my boss, the next morning, he started talking to me. He's like, with that amount of money, I could have bought a dolphin. And I said, there was nothing I could have said. It wasn't my fault. I couldn't pass the blame on anybody. It was my fault. I made the mistake. And I said I was sorry. And a few days later, I decided I was going to, obviously, own up to it like I did already. But I wanted to make it a little bit more fun and just a way to say I'm sorry. Because my boss, he didn't need the three grand. But it's always nice to have. But that dolphin thing stuck with me. And I ended up adopting a dolphin from an ocean conservancy project. And to his mail, he got a certificate. He got a little stuffed animal. So, you know, he kept it on his desk. And again, for me, it was something that I've done those codes hundreds of times, and I never made that mistake before. But like, you know, and like Andy said, you're never making that mistake again. You're double checking, you're triple checking. You're making sure that all the buttons are squared away the way they're supposed to and the settings are set up.
Well, you got off easy. I mean, besides the whole dolphin thing, which is just flat out bizarre. I don't know who talks like that.
I mean, that could have been hundreds of thousands if it were a high volume site. Exactly. Got off easy, and again, that's why it was, you know, I was able to have fun with it because it was a minimal amount of sales that happened. It was an early morning thing that, you know, had it gone all day, it would have probably tripled or quadrupled the value, but, so I was able to get away with just a little plus adoption.
How did you figure it out? How did you find that out? I'm sorry.
Honestly, I didn't figure it out. Our customer support team did. They were like, seeing all the transactions come through at a ridiculously low, you know, value. And they're like, what's going on here? And they realized somebody left this coupon code on active for the entire site. I heard a rumor that 80% less phone or less bonus. Thank God I wasn't on commission.
I don't know. So Andy, you ever miss a zero on a purchase order or something like that?
Plenty of other mistakes, but that's not one of them.
Oh, that's good. That's cool. So Adam, I know I could recite your many mistakes that I used to put in your performance review, but what would you like to share?
Well, I made the mistake of working for you. No, I'm kidding. By the way, that was not a mistake. I had no choice. You, shots fired. No, it's funny. It's like when I listen to all these things, you know, I have so many mistakes to recite, but, you know, I always say other people's mistakes. When I bought the door for the front of my house, we measured out of four inches. We took my carpentry the front door and when we got the door, I, we forgot to, um, I'll take blame for it, too. We forgot that we have, uh, stucco on the front of the house, and because we had stucco at four inches coming out, we forgot that the frame overlapped the stucco. So we had to build an eight inch, um, four inch for the door and four inch for the, um, for the enclosure in order to meet the door to the house. So thankfully, my carpenter was really good and he fixed the issue, but it could have been a lot worse. It just took an extra three or four hours to resolve it. And then you talk about making mistakes in, you know, purchase orders. I have a friend of mine that wanted to show the mistakes of a well-known company that he worked for, and he put in a PO for a helicopter, and the helicopter actually got purchased by mistake.
Like a real helicopter?
A real helicopter. Wow. And when they went to go cancel it, not that it left the warehouse, but they had to pay a restocking fee, which was in the six figures. Oh my God. Mistakes that I made, one that I always laugh about, back in the day when I was doing networks and I was doing PIXs, Cisco PIXs, which are firewalls, for those who don't know, I was in Bermuda and I spent three or four hours configuring a firewall, unbeknownst to me that the hardware didn't match on the primary and secondary PIXs. And there's a cable between...
Okay. Wait a second. Just so everyone knows, you're talking about firewalls and you install these things in what's called high availability pairs. Sorry. One breaks, it goes to the other. And with those older ones, especially, they have to be identical. They have to be exactly the same one.
Thanks, Joe. Where were you 20 years ago?
For the technical people in the audience, it's called failover.
Yeah. Thank you. Yeah, it's called failover, or as Adam just failed. I made a mistake in the way I presented the story. So I spent hours configuring the firewall with something called access control lists. Basically, what I'm doing is I'm telling what's okay for the firewall to talk to and to go through the network, and what's not okay. But unbeknownst to me, when I went to go sync it, because the hardware was not identical in both firewalls, you couldn't fail over correctly. Instead of syncing from the primary to the secondary, somehow or another the secondary synced to the primary, and because I didn't save my access control list, the things I programmed, everything got written over and I had to spend another two, three hours reconfiguring it, and I missed a really good barbecue in Bermuda.
So I guess I got to fess up, too. The original idea for this came when I made a mistake in doing our usual posting to LinkedIn when we promote a podcast. I got something wrong. I like usually put in a little mic emoji. And instead, I put in my little tag from our template that actually says insert mic emoji here, whatever. And then, of course, immediately, I laugh it off, we let it go, I put a little joke in the comments, and then Adam says, let's do a whole show on how you screwed this up. I'm like, oh, that's great, Adam. That's good.
Paul, let me fess up before you go on. I said, instead of survey says for our game show, I said surgery says.
You'll never be able to live it down. If this show is successful, you're going to have to relive this mistake for on and on and on.
I will gladly relive the mistake if the show gets a million subs, as we say. But I've made other podcasts, and we say, because you know what? And this is kind of a bit of a lesson too. Adam and I are not media people. We're security people. And so what you can probably tell from watching this show, but we've had to learn to do all this stuff. And I just realized yesterday, as I was prepping the show, like I said, we knew we were doing three shows, so I've got to get my stuff all together. I couldn't figure out why my mic wasn't getting the right sound and everything. And it ends up that for the past over a year that we've been doing this podcast, I've been using the mic exactly wrong, exactly the way you're not supposed to do it. Like you may notice in this one, in the past I've had the mic where it kind of sticks up a little bit here because I got on the cool arm like the people on YouTube do to make it cool? Well, it ends up my mic is not the kind where you do that and it's facing you. Mine, you're supposed to be looking at the mic upright. It's called a, what is it? A side address mic, not a top address mic or something. So yeah, I screwed that up. And you know, somehow we lived.
So you chose this moment on this show to tell me that and I can't curse the living beep, beep, beep out of you.
You can if you want, but I control the editing of the show, so go right ahead.
That would be a mistake. So you're the captain now.
I guess so, so to speak. But yeah, but actually, so and you know, that's an incident of, you know, some little mistakes, whatever. A little one doesn't matter. Another one that no one would have noticed if I didn't say it. But in my real profession in security, I have made some mistakes that are a little bit bigger. There's been the internet facing vulnerability that I missed that might have caused a little bit of trouble that we had to take care of quickly. There's the pen test I had done where we might have left a thing or two out of scope. And the bad guys found it before we did. These things do happen. Yes, Adam.
And you made a hiring mistake and it wasn't just me.
Yes, I made a hiring mistake. Adam loves to tell the story of how we were hiring. It was between two people, two very good people, whatever. And Adam told me he was advocating for one. He's like, gotta take this guy, gotta take this guy, gotta take this guy. And I said, you know what? I'm going the other way. It was not to spite Adam. When you sit in the big chair, you gotta make decisions.
He ended up not working out so good.
And we ended up subsequently hiring the other guy who's a superstar.
Look, I'm here to point out your mistakes, but don't point out mine.
Thank you. Well, we only have an hour, and we have guests we have to hear from.
Live and learn, live and learn. I mean, those mistakes happen all the time. You got to go with your gut. And I think, you know, that's why you have other people around you to help catch some of those mistakes and question, you know, again, those like, you know, controls so that, you know, are set up so that you can trust your gut but also have somebody check you.
You know, I joke around with Joe, and Joe makes a lot of good choices, right? But we all are the, I should say we all are, because I'm not really like that. And a lot of us, even though we joke around, people love to point out the mistakes that you make, but they don't always praise you when you do really good things. And I kind of liken that to the fact, I'm an EMT that really hasn't worked in the last seven, eight years. But when I did work, no one came up and said, oh my god, I'm so happy to see you, my husband's having a heart attack, great to see you. They're not happy to see you, you're there. But when you do something good, they never say, oh, that was a great job. And that's part of life, right? People are there to point out your mistakes. But a lot of people don't praise you when you do something really good. So.
That's true. And I've gone out of my way when I've gotten good service to let people know, including owners of small businesses, where I felt well taken care of. And they usually think when you're like, hey, can I speak to the owner? They're like, oh, here we go. And then you're like, hey, you know, I really like your business. This guy did a great job. And I mean, the look of happiness that comes on their faces is indescribable. Definitely. Well, first, there's a look on camera.
Yeah, go ahead. I'm sorry. No, you know, so my wife is a journalist and she gets a lot of hate mail. She gets a lot of complaint mail and all that stuff. But you know what? A lot of people do also reach out and be like, what a great article, you know, this really impacted me. And, and, you know, as few and far between as those emails come, they make up for all the, the negative comments that she gets because, you know, they're so unexpected. She expects the negative mail and, oh, you made a mistake or or you did this wrong, or whatever. But the one or two people that will, per article, will say, hey, thank you, this was great. And like you're saying, Andy, go out of your way to say something if somebody did a great job, even if, you know, whatever. It means, it's so appreciated.
Yeah, yeah, it goes a long way. It's really important, too, as a manager, because, you know, you have this interesting sort of thing where it's like, especially with your more junior people, you need to train them. You need to bring them along. And you need to give them things that they can be successful at to pump up their confidence. But you also need to stretch them a little bit and do some things where it's not entirely a lock they're going to get it right. And some of the art of it is to make sure there's not going to be something that's crushing to them. You also find out a lot about them, how resilient they are. But the other thing in security is you need to give people something when you're doing something like that. When you're stretching them, you can't give them something where a mistake is catastrophic. Otherwise you have a problem. And that's the manager's fault then, if they put too much on someone that they're not ready for.
My recommendation is that if somebody is not doing the right job, don't necessarily, and I'm not saying we all do this, don't necessarily run to speak to the manager or the supervisor. Unless the issue is so egregious, try to speak to the individual themselves. Take them to the side, don't embarrass them, speak to them quietly. Hey, look, I just want to let you know I wasn't happy with your service, you know, and this is why. Don't just tell them you weren't happy. Give them some critique if they're willing to listen. But sometimes people really do have bad days and you don't know what's going on. And I've seen the back and forth where people say, look, it's an experience. You can't have a bad day if you're a waiter or a waitress or this or that. You can. You try not to bring your stuff from home to work. But sometimes you can't be the chipper person, an incredible person, but it doesn't mean to be disrespectful either. However, conversely, if somebody is doing an incredible job, ask to speak to the person's manager, but before you go, say, listen, I want to speak to your boss, but I want you to know I'm not saying anything negative about you. I want to tell them how good you are. I don't want you to fear me telling them that. So this way they don't have that, that incredible heartbeat, like, oh, you know, they're stressing out.
So that, that's my feelings. I was just gonna add, you know, Joe, when you were saying about the manager putting someone in the wrong position, and maybe this will lead into my next mistake, but when you're putting someone into a position, you have to also empower them to ask for help. If they don't know what they're doing, you can't just say, here, take this and go run with it. And one of the things that we talked about earlier was this next mistake that I'm gonna share, it was about me not having the confidence to ask for help. It was a new, it was a new thing that I wasn't comfortable with. I've never, you know, I was, I was tasked with putting in, uh, an in-store display. Um, and, and, and that is top to bottom. That's like getting the, the, the rack that the equipment is being sent in, coordinating with the people who are installing the, the, the rack and all the materials and all the equipment, working with graphic design to make sure that like all the features are called out, speaking to the different vendors to get everything done and printed and set up and lighting. And I, you know, we had to then create a digital video for the, you know, for the display to have on the screen that we were putting on there. And we didn't have a hard deadline. So I pushed it off, I pushed it off. And, you know, after a few months, you know, the director of sales for that particular region is like, where's this thing? I, you know, I, I, I've been waiting for months. I know we pushed it off, but where is it? I was like, oh, I didn't work on it yet. And my procrastination came from I didn't know what to do. And at that point, my managers got looped into the conversation. They were able to kind of give me advice and help loop me in and kind of set me up. And we built this thing. It was gorgeous. We put a lot of money into it. It was going to be this power display, power filtration display, in a seven-foot server rack on the floor of a national electronics retailer, big chain.
And it took a while to get everything set up. But once we got it rolling, it was rolling. We had the courier come and box it up and ship it to the location. It showed up. We called the sales manager who was on the other side who was setting it up for their side. It lasted one day on the floor of this retailer. The president of the retailer does a nightly walk on the floor just to, you know, his check. He wants to make sure everything is tip-top in his showroom, and he said it didn't meet the standards of the show floor, and it was there for 24 hours. We probably invested, I can't even say how many hours, hundreds of hours, into building this thing and probably up to $20,000 in getting this thing set up and created. And it lasted for 24 hours on the floor. And my hesitation in getting it started was a mistake on my part that I didn't go ask for help, but also not managing it from the start of, hey, is this even allowed? Put me in contact with somebody on that side to make sure that we're doing it correctly or whatever. And that was also another mismanaged aspect, not even by my boss, by the salesperson, but for me, I didn't even have the questions to ask at that point. That was a big mistake. We salvaged it. We moved it to another retailer, a smaller regional retailer who was so happy to have it. It ended up working out, but that was just something that, again, I'm going to learn from and learn to ask for help, learn to check all the boxes and double check everything.
Yeah, it's interesting how you said that you procrastinated and you didn't ask for help because of fear. And I've heard it said, they said that, you know, procrastination is actually a manifestation of fear. You know, you put things off because you don't want to deal with it. And, uh, you know, and unfortunately when you do that, your worst fear ends up coming true. You actually make it happen. But, you know, just in the context is okay. You did, it did fail in a sense. It didn't do well. Did the world end? Put it that way.
Right. No, exactly. You will it into reality. So many things go through my mind with that. Um, and I've been in situations, not with Joe, and not with my current employer, where I purposely- In a parallel universe. In a parallel universe with a blue moon in the middle of the desert while eating ice cream with the snowing. No, in all seriousness, I purposely procrastinated, not out of fear, but more out of the level of anxiety I was going to experience due to a certain organization. Because it was such a toxic environment, I didn't want to bring it to the next steps. So I purposely didn't do what I had to do because I was set up purposely to fail. So sometimes you do things in order to survive, in order to live another day. And that's just how life is. And I don't, and I don't think what I did was wrong in order for me to deal with very toxic people.
So I have a great quote on procrastination. Never put off till tomorrow. What you can do day after tomorrow just as well. Mark Twain.
That's my man. You're great. We're gonna have to put quotes on the on YouTube and LinkedIn when we post this. There you go.
I thought that was going to be Yogi Berra, but I guess not.
But I also have another mistake to admit to. It was a measurement mistake. It's got funny religious overtones. Certainly a good thing in this day and age. So I'm Jewish. I was raised Jewish. The woman I married was raised Catholic. I was tasked with getting the Christmas tree at Christmas. And so we had a pair of French doors in the apartment and we really, there was only one that was active and it was my job, you know, it was my job to get the tree and we would put it in front of the inactive tree, inactive door. So I go out to get the Christmas tree. If you've gotten Christmas trees before, they're wrapped up when you go to get them, especially on the street in New York. So I come home. I open up the thing, and it completely covers both doors. So what's the lesson there? The lesson is when you send a Jewish carpenter to go get a Christmas tree, remind him to take his tape measure.
You know, I'm kind of surprised at you, because every place I've ever been to that sells Christmas trees says, Jewish people be aware, tree is bigger than a look in the mirror.
Andy, when you set it off,
When you started off with measuring and a religious story, I thought this was going in the way of circumcision. Oh!
Well, I'll tell you what I've gotten out of Andy's stories and Adam's, too. I think it's that security people shouldn't do home improvement. Maybe not. Oh! Just a minute.
You see those shelves there?
Yeah.
I built them and hung them up. I could build LEGO.
Well, Andy, I'd like to say that it would make for a really great, unforgettable show if they collapsed on you in the middle of this recording, but that actually wouldn't be cool. Oh, wow. I wouldn't wish that on you. What happened with CrowdStrike, we're not going to get into it deeply, but what happened with CrowdStrike is something that it has in common with a lot of other security events, and that is a mistake. There is a mistake there. I mean, they're claiming it's a mistake at one time with one kind, whether it's a mistake of that or not. Who knows? Only they know. But, you know, in security in particular, mistakes are problematic. And, you know, we say, well, mistakes happen and we want to be forgiving and we need to expect it. But at the same time, you don't want something to happen that's catastrophic. And, you know, that's why, what is that? I think it's Toyota, the Japanese, they say something like, people don't fail, systems fail. And the trick is to have more people with eyes on something, more checks and everything to minimize the possibility of errors.
Yeah, I don't want to throw stones in a glass house or whatever the metaphor or saying is. You mean me? You too. My feelings are that any one of us can make mistakes and I don't want to sit there and be a quarterback, something I was not involved with, but I realize people make mistakes. We don't want mistakes is when you get in surgery and other things, and guess what, I know plenty of people at EMTs who've made mistakes. And when you're in very highly active situations and you're making, you know, decisions in a moment's notice, and this is the same thing with police, same thing with firemen and fire people, same thing with soldiers, sometimes you're such in a highly volatile situation, and it might not be with CrowdStrike, but, you know, to me my quote is, the only mistake that you make is a mistake, is a, is a, is a decision that you didn't make. Don't let other people make decisions for you. And then that sounds like a weird, you know, saying or, or quote, but you gotta make decisions. Sometimes you do make a bad decision. Hopefully, it's not life-threatening. And whatever happened with CrowdStrike will eventually come out a little bit more and more, but CrowdStrike is not the only organization that's gonna make that mistake, and other companies have made mistakes with DNS. Other companies have made mistakes with not re-registering their domain and then failing. Microsoft did that, believe it or not, you know. So, so we all make mistakes. So it's not a matter of if, it's a matter of when and how big that mistake is going to be.
I'll tell you also with the CrowdStrike thing. It is true. Very briefly, it was so catastrophic because it's a particular type of software that has to dig very deep into Windows in a specific way that can make it unstable. I will bet you, I don't have any inside information, but I will bet you all the other companies that do the same thing and make their competitors. Learn from it. Yeah, instead of fixing stuff, we're going and saying, make sure we're good on this. Double check everything, put in more checks, you know, make sure we don't have this. Sometimes you, I personally prefer, much prefer to learn from other people's mistakes than to learn from mine.
Yeah, I'd rather not have a mistake, but I don't want to start like, you know, saying things about an organization, then three years later, they come to the podcast and say, Remember when Adam said that? Well, he took down, you know, the Western Hemisphere.
Yeah, but at the same time, what I'm saying is that, you know, everyone in the space, you know, knows that, you know, by the grace of whatever, it wasn't us. A lot of these things, it can happen to anyone because nobody's, obviously some people are better than others in certain things, but no one's perfect.
These things can happen. The media, all the coverage was about how could this happen? How do we avoid this the next time and all that and all the costs and things like that? But what I saw the next day on Friday on LinkedIn, so much of the response from within the security community was, how can we help? Is there anybody that needs help? Come to us, we'll help you. Not trying to ambulance chase or go after CrowdStrike or call them out or anything. It was so much, how can we help? How can we come together as a community to solve this problem together? And again, everyone's gonna, like you said, they made a mistake. They owned up to it. They're still talking about it. And everyone's gonna learn from it. And if they don't, they're making the mistake.
I know there was another quote, and I know it was like, to err is human, not the actual one, to forget divine, but it was another one. But like, you know, to forget is human, to really F things up, you need to, you know, be whatever.
You need a computer.
Something like that, yeah.
I think it's, to err is human, to really screw something up, you need a computer or you need something else. So, so, so, so let me ask, talking about mistakes, Andy, since you've been in sales for so long, have you ever been in a situation where it was something like that, where the company has done, where your employer has done something painful and you've had to go to the customers and deal with it. And, you know, like you say, run towards it, try to manage the crisis.
When that happens, I think a lot of it has to do with emotional management, right? You make the mistake, you have to start by managing your own emotions, right? In a company setting, you're going to have to somewhat manage the emotions of your colleagues. And then there's always going to be a person, a party on the other side. And you can't manage their emotions, but you can control your own actions such that you can sort of mitigate their reactions and try to make things as diplomatic as possible. So in sales, that happens all the time. I mean, that's day in, day out, you know. There's some, you made some little mistake. The client perceives it one way. I mean, I can give you a non-technical pen test example where my current company was doing a pen test for a large asset manager, half a trillion dollars under management. We were pen testing against their infrastructure and we found we had some positives that they questioned and we went back and forth and there were questions about the report. And, you know, they started to get a little testy, we started to get a little testy and I had to manage, you know, between my side and their side, just to help move things forward. Ultimately, there were false positives, but there was a certain amount of back and forth that just had to be dealt with, and so things didn't escalate, you know. And we got to the end of the engagement. Everything was fine. Everybody's on good terms. But prior to that, you know, there were things that had to be dealt with. That's more project management than a real sales story. In a way, it's the same thing.
I got one for you, Andy. Let me know if you have experiences. I work for a company where we used to bill clients, and the salespeople would end up selling the stuff. Not their fault. And then we end up finding out eight months later, seven months later, six months later, that the billing people weren't billing the client. So the salesperson has to go back and manage the client and say, hey, Mr. or Mrs. whatever. Hey, how you doing? We haven't been billing you for the last eight months. You owe X amount of dollars. Just want to let you know we're going to start billing you. And a proper client should probably say, hey, we get it. We still owe you the money. We'll pay you, but that's a lot of money to come up with. Can we come up with a payment plan? But something like you didn't bill me, that's your problem, not mine. Don't charge me.
I mean, I would, you know, I'm in sales, right? So I would try to get my company to agree to say, well, we're going to hold the price for next year. I would try to, I try to give something in order to get something. And I would start by giving, rather than demanding. You're not in a great negotiating position there. You're right, the client might, it could be a lot of money to come up with.
I'm good at giving, I give attitude.
Oh, there you go.
We meant something valuable.
I mean, that's the mistake, right? Andy, you're working on a relationship. You have to understand and say, yes, there was a billing error on our side. They have to pay for it, what they owe us, but how much is it worth to us to lose this client, right?
Yeah, I would want to be able to say, of course we can set up a payment plan and on top of that, you know, we're going to hold your price steady for two to three years or, you know, something to give it to, you know, make it easier for them to pay. We don't want to give up the revenue. We admit that it's our mistake. We're owning it, but we don't want to make it too painful for the client either.
You know, I think it's really important, you know, like you're saying to kind of step back a bit to say, when you make the mistake, you want to fess up to it. But it's harder when it doesn't just impact you, but it impacts someone else. And you've got to make it, you know, got to make it right. And, you know, that's one of the things that's really tricky in security, too. You know, you see all these things about these breaches and stuff, people getting, you know, hackers getting the personal data and stuff. Yeah, the company screwed up, but the truth is the real impact very often is to their customers. Correct. Not to them so directly, you know, only to their relationship because they let their customers down. And that's very tough when you let someone else, someone down, you need to work on, you know, repairing the relationship, getting the confidence back.
And that's very tricky with business-to-consumer companies. You know, business-to-business, it's fewer personalities. Business-to-consumer, you know, you have 5 million customers or something. How are you going to regain their confidence?
Right. Yeah, my dad showed me something. He got a letter, I don't know, from his doctor or his medical group or something. And it's the standard form letter that says, you know, whatever, we take your privacy very seriously, but we let all your data out, blah, blah, blah, we're doing everything we can. So, you know, he knows I know about these things, so he gives it to me. He goes, what does this say? What does this mean? What do I do? And I read it. It says they screwed you. I'm like, there's nothing more to it than that. I'm like, what? But in that case, and they're not going to do anything about it, which is what I can be a little bit glib about.
And they're not even trying to do the right thing, Joe. They're doing it because they're obligated by a law, whether it's a New Jersey law or a New York law or if it's a federal law. All they're doing is doing the checkboxes. If they didn't have to send that letter, they would never send it anyway.
Yeah. That's true.
Yeah. I mean, when I go on Am I Pwned or Not? I go through 17 pages of how many breaches I've been in. It's only a matter of time. I would love to get a scorecard and see who gets more breaches over another person and play a game with that. It's only a matter of time before every organization gets breached. Every organization gets breached. And it's hard to control. So some of it's zero days, some which vulnerability is not disclosed yet. Some of it is pure mistakes. Speaking of mistakes, Joe and I used to, you know, do a firewall review every year, and sometimes the firewalls were open to any any. And we're like, why? Oh, I didn't know that. You know, so sometimes what any any means, that anybody doesn't know, that means it's open to any port anywhere in the world, um, to any destination IP.
Which, I mean, to totally translate it out, it's like you got this firewall with all these rules, this big configuration that's supposed to say what goes in and what goes out, and there's this one little line at the end that says ignore all that stuff and run everything through.
That's like the nightmare.
That's a big mistake that makes people freak out. That's why my hair is this color.
That's why my hair is this color.
I don't have the excuse. I haven't been in cybersecurity long enough.
Yeah, but you're a brother.
Just wait. Right. Just wait. And you have the same hairdo as Adam. I know. We go to the same barber.
There you go. All right. So I think we're getting towards the end here. We've got plenty of liquor, but I don't know how much more I can go through this. I need something a little more positive to deal with. I don't know.
Well, let me say this, Joe. To those listeners, we would love to hear about your mistakes. I mean, please don't put anything really personally identifiable, but if you want to send us your mistakes via email, post them on LinkedIn, under Security Cocktail Hour, in the comments of YouTube, we would love to hear about your mistakes. If your mistake seems pretty cool, maybe we'll have you on a second show. But we would love to hear more about your mistakes.
Especially if you've had the most breaches. Adam and Joe really want to meet you. If you've had the most breaches, they're dying to meet you. Yeah. That's right.
Well, we always like funny stories. And we like, you know, war stories as security guys. But, you know, we do want to keep it a little bit inspirational. So, you know, the point of this is not to... It's not to condemn you. It's to get better and also to recognize that these are things that are realities that we need to deal with and you're going to have to deal with it one way or another. Dealing with it the right way or the more effective way will not only make you better at what you do, but improve your life and your blood pressure and everything.
Should we dare say that the best mistake sent to us will get a mug? Okay, why not? I don't know over what period of time, but
I don't know how we're gonna decide, but we'll see. If someone sends us a good one, we'll send you a mug.
Why not? Or maybe we'll, depending on how many we get, maybe we'll put a LinkedIn poll or something.
Okay, and we'll have mugs for our guests too, of course.
Absolutely, yes. Future guests, not current, right?
No, current guests. No, current.
We'll get you mugs. What are the parameters of a good mistake versus a bad mistake?
A good mistake is one that doesn't hurt you, right? I can share one mistake that I made. It was a personal mistake that ended up not biting me in the ass. To my very lucky marriage, it didn't bite me in the ass because my wife and I, we were coming to New York and we were living in San Diego at the time, coming to New York, and then the school system there had three weeks off between Christmas and break. Obscene, right? Three weeks off, what are you gonna do? So we brought our kids to New York, dropped them off at grandparents, and we were gonna go to Portugal for a week during that one week break. I actually didn't have my passport. It was expired. But because it was the height of the Omicron variant, uh, we decided it was too risky to leave the country. We might not be allowed back in. We ended up canceling the flight, pushing it, you know, six months later. And because of that, I was able to get my passport renewed and not have to ruin my marriage. So a mistake that didn't hurt me. And, you know, at the end of the day, you know, I now have a calendar reminder and whenever my passport is gonna expire. So I know in six months beforehand to get that taken care of. But again, you learn from these mistakes, whether they're personal, professional, big or small, and you know, that kind of shapes what you do and how you act in life.
So there's a thing that just came out and it's about 9/11, and it's about some of the people that made mistakes going to work and how they missed a train, or they forgot to do something and they had to stay a little bit later. And again, I'm not looking to downplay, it's a horrible thing that happened, but there are people still alive today because of the mistakes they made, not being able to make it to the World Trade Center or to the plane that unfortunately was driven into the ground in Pennsylvania. So some mistakes, even though there's devastation and other things, actually was good for the person that made that mistake. Right. And those are why some of those people are still alive today. And it is, it was a whole article or video or something. I forgot what it was. I just saw it. I don't remember what I saw, but I saw a glimpse of it. And, you know, sometimes mistakes do err in your favor. And sometimes they don't. So it's just a point.
So in our quest for better outcomes, we should make as many mistakes as possible. That's my takeaway.
Yeah, possibly. I left the lights on in my car. I couldn't make it to work. I didn't get up in time. I missed the clock. And I didn't miss the train. Things like that. Those things have happened, too. So even though some things are associated with really horrible things, that those mistakes actually have saved people's lives as well.
Well, my final thought will be, as I tell my kids, always just do the best you can. No one expects you to be perfect, even though you might think your boss needs you to be perfect or your customers. You're not. Set those expectations and understand them yourselves. And for all the married guys out there, if you do make a mistake, that's what jewelry stores are for. There you go. Flower shops. Flower shops, that's right.
Flower shops, restaurants.
Restaurants, that's right.
So that's true. And as soon as I get my wife flowers for the hell of it, she's like, what mistake did you make? I'm like, I'm just giving you flowers. All right.
OK, well, everyone, thank you for coming. This is not the most comfortable topic for people to talk to. We really appreciate you coming on and opening up. This was great. Weight off your shoulders. That's right. Well, we could also have an intense session of hardcore confessions or something. That would be a little weird though.
You know what? The next episode we're going to have our priest on. We'll do a confessional. We can have a rabbi, but I don't think they do the same thing. How many Hail Marys?
We can wing it. We can wing it. No. Well, wasn't there that Seinfeld when Elaine talks to the rabbi and thinks it's like she's talking to a priest and it's confidential and he starts telling everyone her business? All right. Thanks a lot, guys. This has been a lot of fun. All right. Thank you. Take care. Thank you. Take it easy.
