Episode 50 Career Bio Full Transcript

From the Battlefield to the Boardroom: High-Stakes Cyber Security

Keren de Via  ·  February 28, 2025  ·  59:26

Speakers: Joe Patti (Host), Adam Roth (Host), Keren de Via (Guest)

Joe Patti 00:07

Welcome to the Security Cocktail Hour. I'm Joe Patti.

Adam Roth 00:10

I'm Adam Roth, the punching bag.

Joe Patti 00:12

Oh, yes, you're going to be the punching bag. So right away, I'm going to introduce our guest, Karen Davila. Karen, welcome.

Keren de Via 00:19

I am the puncher. Hi, how are you doing?

Joe Patti 00:21

That's right, because we have to get right into giving Adam a bad time. We just had like five, 10 minutes of audio issues. First from Adam's hairdryer, which believe it or not, that was a weird thing. He had a hairdryer going.

Keren de Via 00:36

It was a special moment. I will remember it forever. Yep.

Adam Roth 00:39

It takes a long time to do this hair.

Joe Patti 00:42

I know, but on the plus side, you now have the ultra snazzy official background and the official shirt, and it was Adam who got that awesome shirt off to Karen that she's nice enough to wear too. So, well done, Adam. We love giving you a bad time.

Adam Roth 01:00

I love it. It's, look, after I'm done with this podcast, I'm heading to the beach. Beautiful out.

Keren de Via 01:06

Is it? It's not cold?

Adam Roth 01:08

I'm not supposed to talk about the temperature when it is. So I can't wait.

Keren de Via 01:12

Okay.

Joe Patti 01:13

Yeah, that's another thing. Since we record ahead, you know, I keep telling Adam, stop talking about the weather. Stop talking about it.

Keren de Via 01:20

It doesn't make sense. That's right. It could be snowing.

Joe Patti 01:24

Okay. Well, this is one time.

Keren de Via 01:26

Adam is doing all the mistakes. That's what's happening right now.

Adam Roth 01:30

We already did the episode of mistakes.

Joe Patti 01:33

That's right. We're going to fix everything and we're going to fix it with cocktails, because at least we're not doing this in the morning. So we can have a proper drink.

Keren de Via 01:39

That is correct.

Joe Patti 01:39

So everyone, cheers Karen. Glad to have you on, Adam. We're good.

Keren de Via 01:43

Joe will forgive you in the end, but he doesn't promise not to hold it against you, by the way.

Joe Patti 01:49

Of course I'll forgive him, but I'm going to give him a bad time, especially since it makes for a good show. Why not?

Keren de Via 01:54

I got to say, this is the first podcast that like 30 seconds in you feel so comfortable. I feel like I'm hanging out with my buddies. It's all good. No, no worries at all. I love it. Thank you.

Joe Patti 02:07

Awesome. And you know what? We have audience participation too. We will tell everyone if you want to participate in giving Adam a bad time or even giving me a bad time, please drop a comment whether you're on, whether you're watching on YouTube or Spotify or anything else, and subscribe, follow, notifications. We definitely want to hear from you. And Adam, as you can tell, he's desperate for attention. So please tell us what you think.

Adam Roth 02:31

I'm all over the place with wanting attention. But what they should do is go to the beautiful brand new Security Cocktail Hour online store and pick up some snazzy stuff for whatever holidays might be coming up or might not be coming up. That might be soon. That might not be soon, but it is the summer, but it is cold out.

Keren de Via 02:51

We covered all the bases. Okay. Got it.

Joe Patti 02:54

So Adam, how are we supposed to deal with that? Cause like I edit the episodes. Am I supposed to leave that in whole or just you covered everything so I can snip it to when we're going to release it and just have the right thing there.

Adam Roth 03:05

I would just, just, just Joe, just go with it. Part of this episode is discussing how people in leadership positions are able to roll with what's going to hit them.

Keren de Via 03:18

Keep being agile.

Joe Patti 03:20

That's right. Keep being agile. And we'll actually talk about something resembling security. Talk about our guests. Karen, I believe you have probably been extremely agile and had to deal with a lot of stuff in your career.

Keren de Via 03:31

Put it that way. That's a good way to describe it. Definitely. I needed to be very, very agile.

Joe Patti 03:38

Okay. Can you tell us a little bit about your background? It's fantastic. It's very cool.

Keren de Via 03:41

Thank you. Thank you. I appreciate that. Yeah, I had a very interesting and out of the norm career. My cybersecurity experience started in the military. I served the IDF for 18 years. The majority of the time of that, I was a CISO in a frontline, like a Green Beret unit, and had a lot of agile moments, let's say that.

Joe Patti 04:06

That's really interesting to hear because, you know, you say you're essentially the CISO, the chief information security officer for frontline units, special forces unit, basically. And whenever you're doing that job as a security manager, you always have that interplay between what you want to do from a security standpoint and what you want to do, you know, from the business. They say, no, we've got to make money. We can't do things, whatever. And you know, one of our big things that we say, in fact, I had someone saying it just this week in my day job, he goes, you know what, if we don't have it secure or if you interfere or something, we might lose some money, but no one's going to die and nothing's going to happen. It sounds like you didn't have that. You were dealing with much higher stakes. I didn't have that privilege.

Keren de Via 04:45

That's correct. Actually, I think that the CISOs that I feel closest to in the civil world are the CISOs in utility firms because their security is tied to their personnel security and into our nation's security. So it is true. When you're a CISO in a frontline unit, that means that every decision that you make, every failure can lead into losing life, having a very tough moments for units in tough situations. But that's just absolutely a no-go. That's not an option. That means that whatever you're doing, however you plan, however you execute, you need to be ready for everything and just keep that operation going no matter what. You don't have the privilege of having a failure and failures happen. Mostly not in the cyber side, mostly in the IT, the communication side. And when he does, then that is part of being ready for combat because you're going to go and you're going to find yourself alone in the middle of a battle, you know, battlefield, just standing in the middle between your front units fighting and the back, you know, communicating between the two to make sure that they are protected and safe and have the capability to get whatever they need. So it's part of the deal.

Adam Roth 06:08

I have a question related to that. So, Karen, you're kind of a CISO, but you're also in a leadership position in the military on the front lines. And part of being a CISO is also having that fiduciary responsibility knowing where your budget is. Is that something that you consider while you're on the battlefield? Do you talk about in your mind, oh, wait, we can't use something because it might cost or you just go ahead with it and deal with the financial repercussions later on?

Keren de Via 06:38

I think that there is a different state to it. So the daily day operation is very close to the CISO in the real world. Budget, you know, budget allocation, quality of the solutions that you get, quality of your team, the capabilities, the skill, the knowledge, the know-how, more. What you invest the majority of your effort is to make sure that the entire ecosystem that you support, it's not just your soldiers, it's every single individual in that ecosystem, has the know-how that will save his life, that will make sure that he has what he needs to be protected, to have the communication, you know, always ready to go, whatever they need, whenever they are needed. And that requires to step out of, you know, thinking about budget or thinking about other stuff and just owning the responsibility. I think the major difference is that you don't have the privilege of saying, I don't have the budget or I don't have the system or I don't have the capability. It's an absolutely irrelevant discussion. You can have that with your commanders when you're, you know, sitting there and asking for more budget. But that conversation ends the minute you step out of that room and you deal with it, whatever you have. And you do the best that you can with whatever you have. And that's the state of mind. And for me, that's the state of mind that has lasted even when I crossed over to the other side, to the dark side of the civil world, right? That stayed with me and it goes to everything that I do. Like for me, I can argue with, you know, with my CEO, I can argue with my board as much as I want. Once the door is closed and we had made a decision, that's it. Like that's, that's it. It's my decision. Even if I 100% didn't agree with that decision. That decision is mine, that budget is mine, that whatever structure it gives me, that's what I'm going to do the best that I can with that and be as successful as I can with that. And it's a state of mind, it's a decision that I take with me and I force myself to comply with and that's just the way that it is.

Adam Roth 08:49

There's one motto I live by and that motto is, the only decision that's bad is a decision that you didn't make. And what I mean by that is, there are people that don't wanna say yes. There are people who don't wanna say no. There are people who will sit there and just wait and wait to wait to make a decision. You gotta make a decision one way or another. And like you said, own up to it. So if it's yes, go ahead, make it. If it's no, that's fine too. But sitting there on the fence, waiting minutes, hours, days, sometimes can lead, in my mind, to tragic results.

Keren de Via 09:27

I agree. I think that I try to go into every decision with as much information as I can. I try to be smart about it. I don't know if I always will say, if I think that there was a time that can be, you know, waited for me to gain more information or get a better clarity on that decision, then I will take it. But in the end of the day, I surround myself with both my bosses, which I choose, and my employees, are people that I trust, are people that I admire, are people that have qualities that I don't have, that have knowledge that I don't have, and I trust the people around me that we respect each other and we know that each one of us bring, you know, a set of knowledge and skills into the table. And if that's your knowledge and that's your skill, then the decision will be in the end, you know, influenced by you more than it would be by me. But if it's my territory, then I will force you to hear me out until the end and just respect the data, respect the knowledge, respect the experience, right? So we all bring something to the table, even if it's a fresh perspective. Even if you come without experience, but you bring a fresh perspective, that fresh perspective can be very, very valued.

Joe Patti 10:49

Yeah, I do think it's the whole thing about decisions and information is really important. Yes, you want to make a, I've always said that, you know, good decisions come from good information. You want to get as much info as you can. And I think you're right, Karen, you need to wait. You very often need to wait, hopefully as long as, as long as you can reasonably, you know, to get as much as you can and see how things develop. But it is true that at some point you got to make a decision, you have to act. And I think that's where the team comes in also, where you have people who aren't looking to you with the expectation that, you know, you have all the answers that because you're saying, go this way, I don't want to say it's like God speaking, but you know, that they're so simple minded to think it's, it's that it's that easy.

Keren de Via 11:31

You know, it's not, I've always had to make, you make tons of mistakes, right?

Joe Patti 11:35

Yeah. And I've always had told my, my people the same thing to say, look, I'm going to make the best decision I can right now with what I've got.

Keren de Via 11:43

Exactly.

Joe Patti 11:44

Even if it ends up later on that it was totally wrong, you know, I need to be able to sleep tonight. I need to be able to say, well, maybe so, but you know what, based on what we had then, it was a good decision. Then we can go with that.

Keren de Via 11:56

I agree. I think that in the long run, when you're clear on where you want to go, when you're clear on what is important in business, when you're clear about who your clients are, what your strategy, what your, you know, what is your, I would never. That is an important thing that a lot of leaders don't really talk about. What I would never do, what we would never be as an organization, what we would never do, what is our, you know, what, where is our lines, where, where, you know, Adam, is the border pusher. And for me as a leader, one of the most important questions in the first discussions that I have in the majority with board chiefs, peers, even with my team, is what you would never do. That is a conversation that is really important to have in the get-go, so you will plan whatever strategy that you have with clear lines that you never cross. And then your decision is actually narrowing down because you have clarity on where you want to go and you have clarity on where you're never going to be, which is your sides. And that's it. And then you just need to stick to that line. And then if needed, adjust. If needed, you know, keep agile, keep moving, keep, keep, you know, learning, keep adjusting. But in the end of the day, you need to know what you're never going to do and where you want to go. Those are the two really, really important questions.

Adam Roth 13:25

There's two things I can, I can add to that. One, unfortunately, people always look at people in leadership, especially in the CISO level or the director level as being the cumulative knowledge of everybody in that team. And that's not true. The whole idea of a leader is to surround yourself with people, usually a lot smarter than you. And then you make the decisions based on information given by these multiple amount of people. Now, as far as making decisions go, I've never been in the military. I don't have a common reference to military. I've made life and death decisions as an EMT. There are few and far between where should I stay and treat the person or should we scoop and go? Jump into the bus, we call it a bus ambulance, and take him or her to the hospital. You don't always make the right decisions, but like you said, you make the decisions based on the information that you have at the time. And sometimes you don't even have enough time to make the right decision or the wrong decision, you have to make a decision. Am I in a dangerous place? Do I need to take that patient out of that dangerous place? Am I in danger? There's a lot of things you have to think about. And I have to imagine that transfers to your world, Karen, a little bit too. All the decisions I'm making, am I in a dangerous place?

Keren de Via 14:40

I think that it's more, so while you were speaking, I was thinking on so many things that we do that we don't appreciate on a daily day, but they prep us for those moments. So as an EMT, for example, you have so much training to help you make the right decision or the best decision in that moment, right? I think that when you're in combat, you have so much training surrounding, you know, going into combat that kind of get you into the autopilot's place of decision-making in things that you don't need to waste your energy on. And then you only waste your energy on the smart decisions, right? On those that really, you really need to think about. You really need to deeply have the expertise or experience or perspective to be able to make those decisions. And I think also as CISOs in the real world, we have all the things that we're prepping on a daily day. We have frameworks, we have compliance, we have policies, we have incident, you know, how are we going to address incidents when they are occurring? You know, how we manage risk on a daily day. Do we have an execution plan if that risk comes along? So all of that helps us to narrow down the amount of those unautomatic decisions and actually just place your energy on the right one, on the important decisions. That way your team has the liberty of having those small decisions because they have clear guidelines and restrictions of like where their decision needs to be placed then, and then you as a leader can empower them to make those decisions because they know where they need to be, give or take. And then you can kind of like coach them a little bit on how to make a better decision next time, but not overtake the competition and every time get it to be your decision, which is the worst kind of leader you would never want to be. So that's from my perspective anyway.

Joe Patti 16:40

Yeah, I agree with that, but I found that in the civilian world, that can be really difficult to achieve. And one of the big things is the thing like you're talking about training and things being automatic. One of the things I've always envied about the military is that they do spend so much time on training. And when they say training, they don't mean classroom, they mean actual exercises, actual, real, literal war games, but also we call a war game an industry to really doing it over and over again so that when you hit the situation, it's not the first time you're doing that. Unfortunately, in the civilian cyber world, a lot of places, maybe they're doing that with incident response, if they're lucky. And everywhere else, things can be a lot looser. I think that's a huge challenge in general.

Keren de Via 17:26

Joe, your observation is absolutely right. And I think that if it sits on one thing that a lot of people are missing out, you know, it's a one crucial element that I don't see the civil world do and the military world does all the time. We plan and train for the worst situation. We prep the equipment and the budget and everything that surrounds it into the realistic situation, and then we execute with the hope that it would be, you know, easy kind of maneuver, right? But we always prep, you always put the strategy, the execution plan, the know-how, the training, it's all surrounding the worst case scenario. And the business world doesn't do that. Think about it in the small perspective and let's go up to the corporation. From a small business owner that's just now sitting right now and watching us or listening to us on Spotify and thinking about opening a business, one big mistake that no one does is they hate doing business plans. Why do they hate doing business plans? Let's talk about it.

Joe Patti 18:41

Did Adam pay you for this? Because we've been fighting over business plans for weeks.

Keren de Via 18:49

Business plan is exactly that. It asks you what is the optimum scenario and what is the worst case scenario and how are you going to prep for that. And it allows you to have the strategy with that two really different point of views of what is the ideal scenario that this organization is going to come to and what is the worst case scenario now I'm going to act at it. We, like when I mentor startup owners, one of the things that I normally do is I ask them tough questions like, when is going to be the moment that you're going to break and say, no more, I'm not doing this anymore. This is my line. I can't do it anymore. Is it going to be financial related? Is it going to be influence related? Is it going to be impact related? Everyone has different lines, but what is it for you? That is one thing that people are failing to do. And even us as individuals, we go into relationships, we go into making parenting decisions. We don't think about those things. We don't really think about, okay, I'm going to talk about my kid about this issue that he has in school, but I don't really plan for the worst or hope for the best. Right. I kind of like go heads-on into it and whatever. No, sit for a second. Think what is the worst thing that you're going to do if you're going to address it in the way that you're planning to address it. Is it going to, what the worst scenario is, that it's going to make that situation even worse, right? That kid is going to have even more problems in school, or he's going to go to drugs, or whatever it is, you're going to push him to be more of a rebel too. So think about those things. And it goes to businesses as well. And it goes to CISOs as well. Like if you don't plan for the worst and then communicate in a realistic way, if you use fear tactics as CISO and not motivational speaking, but in your head, you don't plan for the worst and then build your strategies to mature your organization, to handle those tough situation, then you're failing as a leader. That's the reality of it.

Joe Patti 20:57

Go ahead, Joe. Karen, you are absolutely killing me on two levels. Because first of all, you just told Adam he's going to hold it over me forever that he's right about having business plans. No, I'm not, Joe. At least for half an hour or so.

Adam Roth 21:10

Karen didn't tell me to do business plans. I came back to Karen and said, I'm going to do business plans. But that's not the point. I've done business plans before. Look, a lot of things in life are about what Karen is saying is about thresholds. Where's your threshold? Where's your bottom threshold? Where's your... Correct. And what is your tolerance or appetite for risk? There are people that have thresholds at the bottom and have it at the top, but then they say, I'm going to take that risk. And some people have been extremely successful. And this goes for CISOs. This goes for incident response. I got to tell you, Joe, one of the biggest things in my life that I valued was doing the tabletop exercises with you and doing the other purple teams. That is at a tempo that people will never understand unless they've actually been in incident response. And we've had this conversation with other people as well. When you're doing incident response, that psychological effect to your body, that decision-making at that tempo is ridiculous. Do I pull the plug? Do I not pull the plug? Do I observe the threat actor? Do I not observe the threat actor? Where's your threshold? Where's your tolerance? Where's your risk appetite? And what are the laws that are required for letting the clients know that they've been compromised? So there's a lot of different things that go on, and I'm sure that happens in the military world as well. But from my perspective, you have to operate always at a higher tempo to increase your capability and your ability to lead.

Joe Patti 22:39

Yeah, well, you're right. It is interesting. I think we've talked about it before that, you know, in the civilian world, most people can't make decisions to begin with in a low stress environment and you put them into a high stress environment and it's much tougher. Even when it's a simulation, it really is amazing how effective the exercises can be. But, you know, also, Karen, the stuff you're saying about thresholds is so interesting because, you know, I just think about my own life and all the things I've had to deal with, not just in business, but, you know, at what point do you say, well, you're going to at some point say, I've had enough. But you know, if you haven't thought about that in advance, you're going to eat a lot of shit, basically thinking about it while it's going on. And I'm thinking of how many times that has happened to me when I, when I then go back and said, you know what, I should have seen this was happening and stop this a long time ago.

Keren de Via 23:30

And to be honest, I didn't have that, you know, understanding when I was younger. Um, I think that understanding came when I find myself in really places that anyone that knows me would never think that I would find myself in. You know, stuck in an unhealthy culture, organizational culture, stuck with a boss that is like doing things that no one should ever experience. And find yourself in a situation and ask myself, wait, why didn't I leave immediately? Like, why was I am not clear about those lines that have been crossed? And I let that. And in one situation, I stayed four years after with that culture, with that mentality and with that, you know, state of mind. And I asked myself a really tough question afterwards. And my thing is like, I believe that in the end of the day, we will all make mistakes. We're all like, have a lot yet to learn. What you need to figure out is like, if you, if you do things and you find yourself in a situation that you didn't have the capability of making that decision, if you, if you made a decision and in retrospective, you questioned that big time, then you got to reflect on yourself and ask, ask yourself why. What was missing in that moment that I can make sure that the next time I will come more prepared, I will come better understanding. I think, especially as a female in a very male world, I needed to, to get clarity on, on where my lines are. So I will know that when a red flag is there, I don't dismiss it anymore. I used to dismiss it a lot because I was so caught up, you know, with being one female, like I was the first female, I didn't say that, but I was the first female in, in a combat unit. I was the first female in combat in the IDF. And part of it means that you are, you know, facing a lot of patriarchal, sexist things. And, uh, and, and, and back then I thought it's part of the deal, right? I, I was like, yeah, of course it's okay. It's their world. I'm just a guest. It's all good. And as you grow and mature, you learn, no, no, no, no, no. That's not okay. And those are my, this is my lines and you're not, this, this is where you're not touching. This is where you're not going to get, then you can try. And it's fine. And I will clarify that that's my line. And once you try again, then that's over. That's just the reality of it. And it comes with age, and it comes with experience. And we can't expect people. I think the new generation is better about that. They know their boundaries better than we did. We're more a generation that was supposed to do whatever their parents are expecting them to do, and do whatever their community is expecting them to do, and so on and so on. So we're different.

Joe Patti 26:29

And we're a wreck, by the way. I don't know how it is in Israel, but like, you know, Gen X here, you think the millennials and the Gen Zs have a tough, we're a mess. Everyone's on Gen X or something, you know?

Adam Roth 26:40

Let me add this, right? There are certain professions that are more tolerable to mistakes and some are not. So let's talk about that, right? If you're delivering a package, the mistake is more tolerable. If you're a surgeon and you made a mistake at somebody's life. But the irony, and this comes up a lot of times, you're a police officer, you're entering into a room, you have to make a split decision to save your life or save somebody else's life, and you might have shot the wrong person, or you might have shot to save your life, but people are telling you you didn't have to shoot. Or we can talk about things like, I try to save people on a train, and I went to go restrain the person, and I end up killing them. Mistakes are made. I'm not saying in any of these cases that was any mistake, but that's the point. Is your motivation correct? Is your motivation correct? Okay, but all right, but now you made a mistake.

Keren de Via 27:39

And how are you trained? Yeah, I think that's a little abstract, to be honest, just because I'm coming from that world. I didn't say anything wrong. We have that split second to make the right decision. It's supposed to be within our training. I'm not talking about outside of the training scope, you know, situation, but if that situation, and you're in a police officer and your training should give you the capability of making that right decision every single time, because it should be something that is as easy for you as walking. Because that is, that is part of the, you know, so again, as a leader, I'm not talking about as the end of line police officer. As a leader, you need to ask yourself tough questions. If that happened to one of your officers, now it's the time to tough questions. Why was he not trained enough so he will make that right decision in that fraction of a second, right? That he needed to make the decision if to shoot or not to shoot. Same goes for... There's no one else to blame, like when you are in those situation and I think CISOs is the closest identity in the organization that have the share that, you know, burden that is in the end of the day. Whatever is going to happen, it doesn't matter if you didn't have the budget. It doesn't matter if it's someone that is outside of your team that made a decision to open a link and cause that whole incident to happen. It doesn't matter. It's still your responsibility and that's just the way it should be because it is part of the deal.

Joe Patti 29:31

Yeah, I always say when someone's like, oh, we can't do this, we can't do this, we can't fix this. I say, okay, but you know what? The risk doesn't care. It's still there regardless of how you decide to handle it or whether you decide to train people.

Adam Roth 29:42

It's risk versus reward. And we've had this conversation, and I'm going to bring something up and Joe's going to turn around and say, shut up.

Joe Patti 29:49

It's going to kill me again.

Adam Roth 29:49

That's okay. One of the things that I wanted to institute, which is financially enabled, was to do packet capturing. And the reason why I wanted to do packet capturing is packet capturing gives you a full story north, south, east, west of what's going on, minus the encryption. But guess what? Doing packet capturing could be as much as $2.5 million. So as a CISO, people make decisions based on budgetary is not an infinite amount of money. So you have to make a decision saying, yeah, it might help us tremendously, but what's really the risk and what's the reward? Are we really gonna stop more things? So there is a financial and fiduciary responsibility of a CISO to operate within that budget, but at the same time, you don't have an unlimited checkbook. That's my point.

Keren de Via 30:49

Let me flip it around. I have two things to say about that. The first one is when I, some of the units that I served in, not all of them, but some of them didn't have, this is not the US military. This is IDF. That means that a lot of the units don't have the budget. They don't have the tools. They don't have the communication. They don't get $800 billion a year? No. Okay.

Joe Patti 31:20

Well, pretty damn impressive what you're doing considering you don't, but anyways.

Keren de Via 31:23

So I think about me, except of one unit that I served in, in all the other units that I served in, think about me as a CISO in a high risk environment that doesn't have a budget at all, that works with devices that are 20 years old, OT for that matter, right? And needs to bring it into execution of IT missions, right? It's like, what? Come on, guys, okay? Now, in the end of the day, that is where training and education and influence is coming into play. Leadership is the most powerful tool that you have as a CISO. It's more powerful than a budget. It's more powerful than any mechanism you're going to put, controllers that you're going to put in place. That is where 80% of the effort needs to be. The reality is that the majority of organization put maybe 10% on that and 90% is on controllers and technology and other aspects. And that's the sad reality of the world that we're living in. Part of it is that we don't also give the capabilities. Like our generation, we're post 9-11 CISOs. We used to build our own frameworks. We used to have the capability of having that agility state of mind of cybersecurity. Today, CISOs don't have, especially young ones, don't have that capability because they were not, even if they were taught that way in the university, in their reality, they come into an organization and they follow checklist, checklist, and that is not a state of mind you want to be. So if you don't have aspiration to break away and to really take control of what you can control, and yes, people are hard and it's a tough world, but that's the critical mission. The critical mission is to educate them, to train them, to give them the knowledge to make smarter decisions. And in the end of the day, if they make a dumb decision, it's my responsibility.

Joe Patti33:31

Yeah.

Adam Roth33:32

Go ahead, Joe.

Joe Patti33:34

I was going to say, yeah, I've always, when I have had a security team, it's always funny when you, you know, sit with them and you have something to do and it comes to the decision time and they all look at you and they say, what are you going to do? And I always say back, well, I'm not going to do anything. You guys are doing it. My job is really to get you prepared and to set you on the right path and to be accountable for that. But you guys are doing it. I don't trust, I don't touch firewalls and SIEM systems and all these things anymore. You guys are doing it.

Adam Roth34:04

Yeah. So I'll tell you this, Joe, and obviously I've worked for you in the past. A lot of things that we do is not just about making smart decisions, but about also being innovative. And sometimes you don't have that budget. And I'll give you examples, not even for you, but there were times when I wanted a ticketing system. It was another organization. They didn't give me a ticketing system, and I was able to convince somebody to give me open source. Sometimes you've got to work outside of what your normal boundaries are, and then you have to present your argument of why this will or will not work, why this is not a risk, or why it's a minimal risk, or why it's a big risk, but it's even a bigger risk if we don't implement this. So it really is about how you phrase something, how you articulate it and how you sell it. And we don't always have to have a big budget, but we got to figure things out. And I'll give you another example. You know, I was really, when I was a young EMT and I started working with somebody and we had a pediatric and we had to immobilize their body or finger or whatever it was. Instead of using things that were really made for adults, we end up using an ice cream stick in order to immobilize a finger. But this is not in our normal training. This is about being innovative. This is about thinking outside the box. How do you get something done correctly? But, you know, you got to get it done. You can't say no. You got to be innovative. A lot of people are not innovative.

Keren de Via35:41

Do you know a lot of CISOs that are not creative? Because every CISO that I know is a creative person. You got to be creative in that job. Well, maybe some of them are not, but the majority are.

Adam Roth35:52

To be good, you have to be creative. I'm going to tell you that not every CISO should be a CISO.

Keren de Via36:01

Well, that's a different story, right?

Adam Roth36:02

You can say that about anything. What I'm getting at is I've seen people talking about me. Not openly. But in all seriousness, Joe, you and I have seen plenty of people out there and we had conversations saying, really? That person's doing that? So not everybody who's in a leadership position should be in leadership. But let's be honest also, there's a growth in everything we do. And some people are still growing and still maturing in that position. And it takes time. It takes time to... I have a lemon tree for five years. It first started growing lemons. So sometimes you got to be patient.

Joe Patti36:46

Well, you know, that also brings up the question is at what point is it, do you decide to cut? Yeah. Like, you know, the lemon tree. You're not getting lemons, Adam. I hate to tell you.

Adam Roth36:53

I'm getting lemons now, five years later.

Keren de Via36:56

I want to see these lemons. Well, up to seven years, that's what the Torah is saying, right? Up to seven years, that's when you give the time to the tree to actually give you fruit. But really, to come to a realistic place, I think that leadership is much more abstract than we think about because some people maybe are in leadership positions and don't really... And they're not leaders. They're just not. They're more controller, right? A checklist kind of person. And that's okay. That's okay. Because if you look carefully in that organization, if that organization is doing well, then you will find that the leader is one of the team. There's an influencer. There is someone else that has the leader position without having the role and definition of it. There is always, there is always someone, every failed leader have a leader in his back corner. There's always a leader in the room. It could be not the ideal leader. It could be not the ideal role that he is in, but there's always a leader in the room. And if you just open your eyes and you look, you will see that. And sometimes it's the one that doesn't say a word. Most often it's the one that doesn't say a word.

Adam Roth38:19

Quiet ones are the deadly ones, Keren. We know that already. They're the ones who stab you in the back, take over from you. You're right. I did martial arts for many years and we speak about the different leaders in martial arts and there's some people that lead in martial arts by striking fear into their people, their disciples or people that are learning. And then it is people that absolutely 100% follow that person based on respect and admiration and confidence instilled by that leader. And it's funny, right? It's the same thing about military. It's the same thing about bosses. Some people, some bosses are really good at making money for the organization, but they're the nastiest people you've ever met. And there's some people that make money, but they're also highly respected and they influence people based on their capabilities. So we know that some people are in leadership roles because they're bringing in revenue, and then constant turnover, but some businesses want that. It really depends on what the business corporate culture is, right? What the CISO corporate culture is.

Keren de Via39:31

I can tell you that I, as an officer, especially in the early years, I was the worst version of a leader that you can possibly have during off-combat moments, right? When you're in training, when you're like in a zone that is not, you know, executed, 'cause I am like one of those people that are always wire ready to go, right? Like always, always in a combat state of mind. That's just the way I am. I don't go and, and, and I don't, I don't, I don't do that intentionally. I just, when I own something, I own responsibility. I own it all the way. I don't know how to let go. I am a really, you know, I have a stick up my ass. What can I say? It's just the way it is. I'm always serious. I'm always, you know, I'm always, I'm never the funniest person in the room. I'm never that, you know, the light person. I don't do casual conversation. All those things that a lot of leaders do and do well, and they're really excelling on the off moments, on the times that are not critical. But in the critical moments, those are the moments that my leadership showed up, right? Those are the moments that I knew that my leadership was something because I would see that all the soldiers will kind of like be in line, right? Execute, execute, execute. And they would appreciate having me there. But in the off time, they would bitch and whine and complain about me all the time. I was the most hated probably officer in the off time. In combat, they wanted me there, but in the off time, they did not want me there, right? Listen, this is the part of the thing. CISOs are finding themselves in a situation in the majority of their service to a company, right? In the majority of their role, they're going to be the most annoying leader in the room. They're talking about hypothetical scenarios. They're always like having conspiracy theory speaking voice, right?
And it's just, you are, you are aimed to fail unless you have that really high quality personal relationship feel to you, if you're really a good human in the natural things. And if you would have put me in as a CISO in the civil world, I would probably didn't last even two years. They're going to fire my ass because I was never a nice guy, right? I was never a nice guy. And you know, I'm the truth to your face kind of person. And, but I don't do fear tactics, right? I don't do, I don't act from fear. I seek your motivation and I will like lead you from there. But I probably would fail. I would probably didn't have even a slightly resembling career as I did in the military in the civil world if I was a CISO.

Adam Roth42:20

So, I don't know. I'll tell you this, right? So, a CISO usually operates in the cost center and not in the revenue center. No one ever says, yeah, we need a CISO because they're going to help us bring in money. They bring in a CISO because it is a checkbox, it is required, and it is somebody that they can kind of tie a little bit of rope around their neck if something happens wrong. But when you do really well, it's great. But let's kind of talk about blending roles. Sometimes the CISO is also the chief product officer, the chief sales officer, the chief... So...

Joe Patti42:57

Even if not the chief, but having an important part in it.

Adam Roth43:00

Of course, absolutely. And Keren, while it pains me to say this, you don't always have to be the nice person or the nice guy or the nice woman. Every person's personality really depends on their leadership, their role and who they are. Sometimes it pays to be an asshole. It really does. So it really depends on your corporate culture, your specific role, what blended roles you have and what the expectations are from you that you need to return to the organization. Because at the end of the day, if it's a company, the expectation is you're going to protect the company, protect the assets, and help bring in revenue one way or another. Whether it's not you directly, it's you protecting the assets so revenues aren't lost.

Keren de Via43:46

A question though. Why do you say that a CISO is not aligned to a revenue stream?

Adam Roth43:52

Because most CISOs cost the organization money without bringing it in. I can give you parallels.

Keren de Via43:58

A lot of- But that is not correct.

Joe Patti44:00

Okay. It's a good one. There's a classic.

Keren de Via44:02

That is really not correct because everything that a CISO do is bringing money to the company.

Adam Roth44:10

Okay.

Keren de Via44:11

Positioning the company in a secure way in front of B2C clients. That is 1% like that is a huge percent of why the companies are trusted by their customers. If you are a health organization, the important part for me is to know that my data is safe with you. So they are aligned with the revenue stream. And this is just one thing. There's like a gazillion of other things. So if you want to go like into the tactical things, compliance is demand out of customers' desires for you to have compliance. No organization starts to do compliance without a client comes and says, you have to have SOC 2, you have to have CMMC or you will not have that contract. So your job is tied to a revenue stream. It's just a matter of perception that you're putting it in. Everything in the organization serves the revenue, the operations, the IT, everything serves... Unless you're in a, and not a CISO, unless if you are the IT guy that is supporting the operational team that supports the, I don't know what, the contractor, then maybe you're not tied to a revenue stream. But CISO? CISO is not tied to a revenue stream.

Joe Patti45:36

CISO is a chief. I'll be the tiebreaker and I'm going to be too diplomatic. Now, Keren, you're right. So there, Adam. But the key thing that you said was perception. Yes, the CISO and many other support people contribute to the organization, in the very least, that if they weren't there, it wouldn't run. It couldn't operate. I agree with that. But it's not recognized. And it's very often not recognized by people in the business. It's a sad reality. Unfortunately. No, it's a reality.

Keren de Via46:08

One of the things that you learn early on as a combat soldier, is that on every combat soldier, you need at least eight support people, that without them, you're gonna lose your life, period. So for me, it's all tied together. I don't have the same perspective.

Adam Roth46:29

If I look at it from an accountant standpoint, from a department code, and I've seen this so many times, from a P&L, a profit and loss statement, you never see a CCO's department bringing in revenue. Now, don't jump on me yet, Keren, hold on. When I did EMS and I worked for an ambulance department, the ambulance department, the EMS department never brought in any revenue directly. However, a hospital operated on the fact, even though the ambulance department was always in the red, never made any money, it brought in patients that became admits to the hospital and that became revenue. But a CISO, an IT, a cybersecurity department never shows, from what I've seen, revenue on their P&L. It does support revenue. But it doesn't bring in revenue directly and that's how a lot of people look.

Keren de Via47:28

There are scenarios that they don't, but they are rare. If you're a technology company, you're bringing in revenue. If you are serving clients and handle sensitive data of customers, you are bringing in revenue. If you are tied to a contract, because that contract is tied to a framework that you must comply with, you are tied to a revenue. And I think that the sooner CISOs will see that and communicate that every single day, then the easier it will be to not see themselves and the organization not see them as something that is not tied to a revenue.

Adam Roth48:15

I would argue that the CISO recognizes it, the CFO and the CRO, the Chief Revenue Officers don't recognize that.

Keren de Via48:21

So choose the leaders that you surround yourself with. If I was in that place, I wouldn't stay in that place. If my value is not appreciated and not understood, then I'm not in the right place. I can agree with a lot of people. Especially if I'm in a CISO, which is a high a high level, you know, leader in an organization. If I find myself in that shitty situation, unless the market is really shitty and I can't find a job. I'm not going to stay there.

Joe Patti48:57

You shouldn't even get yourself into it. I mean, you know, I can tell you for, for many years, since I've been a manager, even before I was in charge of a security group, you don't want to go to work for a place where security is not important, where it's not recognized as being integral to the business as something that they can't run without. Because when you're in a junior position, it means you're not going to get promoted and you're not going to get trained. But when you're in a senior position, it means you are going to have you will not be successful. You will not get the things that you need to be successful, period.

Adam Roth49:28

Let's go back. Let's go back to the ticketing system. The reason why I instituted a ticketing system because of KPI.

Keren de Via49:34

What's going on? Joe, buy him a ticketing system. He's so obsessed with it. Ticketing system. Oh my gosh.

Joe Patti49:39

You see how he can spend money? I know.

Adam Roth49:41

So when I put a ticketing system, I was able to determine how much time was being put into other departments. And I always wanted to build up the apartment's money because I said, hey, we're doing work for you. Let us bill you like a client. Of course, that never happens. How much hours we're putting into ticketing, how many, how many minutes it takes to resolution, how long the ticketing goes, what parts we had to buy. So once you start tracking things, you can make the argument how you are performing for the organization. It's all about KPI. It's all about the numbers. If you can articulate it, you can show that you're doing work.

Keren de Via50:22

Right. But that goes to every single position, every single role. A lot of organizations are failing in having one single KPI that runs across the organization. They have separate KPIs for separate departments. Instead of having that one single KPI that is across the organization that have like this shared goal, shared metrics that everyone is measured according to. And more often than none, I would advise when I'm in that place, I would advise that would be related to customer success. And when you talk about CISO, when you talk about cybersecurity, and customer success, that is tied together very strongly. And again, I would not argue that, but I would say that we got to lead to a change in the organization. We got to lead to a change in the industry. We got to lead the change into the conversation that we're having. Come on. Guys, we're not before the internet. We're not in 90s, 80s. We're in 2024, almost 25. We're talking about like, sorry, I am going to say it again. I'm going to say it again. I'm going to say it again.

Joe Patti51:35

No, it's okay. We're in the 2000s. That's right.

Keren de Via51:39

We're in the 2000s. 2025 almost, if it's summer.

Joe Patti51:41

Right. You're correct.

Keren de Via51:49

Listen, we are really, we're not in the 1980s. We are past that stage. We are in a place when technology is all around us with AI entering, with regulation changing, with frameworks changing. See what's going on with CMMC. CMMC is leading us to see compliance past the first compliance aspect, which is a checklist, and push to have maturity. If you want to gain that second contract, you got to show that you matured over time. That is a requirement by their regulatory, you know, the DoD. So now organizations are finding themselves in a position that they are forced to think about maturity management. They are forced to think about growing the culture, growing that organization capability, growing that organization knowledge surrounding cybersecurity. There's no avoidance of it anymore. Our national security is, you know, one of the biggest threat that we have right now as a country, as a nation, is cybersecurity. It's not people on the borders, although a lot of people would claim it is, but it is cybersecurity. That's the biggest threat, right?

Adam Roth53:04

That's exactly, yeah, sorry, go ahead.

Keren de Via53:05

And that's the, that's the biggest risk that is tied with value, with money, with life. That is like the biggest thing that we have right now as a nation. So how can we sit here and continue to deny organization, not respect CISOs? That's a conversation we need to get out of.

Adam Roth53:24

That's a maturity conversation and most people are not mature, but you know, it's funny, like I started pursuing a degree where I was doing ethical warfare and cyber security and we talk about this all the time. OT, operational technology, you spoke about it before, energy, utilities, gas, oil, critical infrastructure. The second that one country, like even Ukraine, they sustained 30, sorry, six months, I believe, of an outage of an electrical. Our critical infrastructure is at a point right now where we really need to protect it. And if we don't protect it, and we don't put things in place, we're going to find out how bad it is not to be really focused on cybersecurity.

Keren de Via54:10

And I am enjoying seeing, I work with a lot of, well, I have, I'm part of a startup myself, but I mentor startups as well. And I see a lot of startups in that environment that working to encrypt OT data on motion to avoid that gatekeeping mentality and kind of think about how to protect that data in motion in a better way. And I see brilliant minds that are super creative, that are taking, you know, taking concept out of music and bringing it into cybersecurity and out of different worlds and kind of bring it up together. What we're doing as an organization in the GRC space, forcing organization or giving the organization the tools to think about maturity and how to manage it and not just check boxing of compliance like all the GRC tools out there. And like, there's a lot of startups like that, that are rising their head now and we see more and more organization that are tackling those problems of how to change the culture into a place that the organization will have that maturity aspect of cybersecurity. And I love our industry for that. I think our industry is doing great things, and it's an exciting time. A lot of changing, a lot of changing in technology, a lot of changing in the cybersecurity space, a lot of different discussions, very insightful discussions. So it's great. But I'm boring Adam. He's bored, so I'm going to stop talking.

Adam Roth55:42

Also, I'm not bored. Wow. Okay. Go ahead, Joe.

Joe Patti55:47

Well, I was going to say that is a very long discussion that we can have because I can get three or four episodes out of that, but it's been going on for a long time and it's going to continue and it's a place that we need to get to if we are going to be successful, especially with the hard stuff like operational technology. But with all that, we are actually at last call.

Adam Roth56:06

Well, I'm going to add one part to that, Joe, right? Except Adam's got one more thing he wants to put in.

Joe Patti56:10

But besides packet capture, what else do you want to buy?

Adam Roth56:13

No, I don't want to buy anything. I want to sell. I believe that one of the most important things in cybersecurity is situational awareness and having the ability to know what's going on at any one time. And I think it doesn't have to be this incredible invention, this incredible product. It has to be something simple and it's about monitoring and it's about visibility into your infrastructure. The more you know, but you can't be overloaded, the better it is. So it's about getting critical information to the right people at the right time. Let's talk about it. Well, I don't want to talk about it on the podcast.

Keren de Via56:52

No, let's talk about it. We have a virtual SSP at your service. You are welcome to come and check it out and see if it works for you.

Joe Patti57:00

She's good. She's got a plugin. Awesome. And so smooth.

Keren de Via57:06

Wow.

Joe Patti57:07

Awesome.

Adam Roth57:08

I didn't even realize I was talking about something else.

Keren de Via57:11

I need to protect myself afterwards and say that I connect to a revenue stream. So there is my revenue stream.

Joe Patti57:16

You know what, Keren? I think you led Adam to that. I think you mind controlled him and he didn't even know it that you were bringing him there.

Adam Roth57:24

That's okay. That's okay.

Joe Patti57:26

Well, okay. Well, this has been really heavy, but this is important stuff. And this really is gets to the heart of I told you I have a stick. I told you I have a stick up my ass.

Keren de Via57:37

That's okay. I said that before. It's all good.

Joe Patti57:40

Maybe you do, but it's not that stiff. I've seen people with much bigger sticks. Don't worry. You're cool. You're good.

Adam Roth57:47

This episode is never going to make it onto YouTube.

Keren de Via57:50

Definitely.

Joe Patti57:53

That wasn't copyright. It's cool. Wow.

Adam Roth57:56

We're going to get comments on that.

Joe Patti57:59

Yeah, we'll say, okay.

Keren de Via58:01

That's the alcohol in the middle of the day before I had lunch. That's not fair.

Joe Patti58:05

That's the secret to the show. You see, you get everyone lit up and then we talk.

Adam Roth58:09

Take out all your inhibitions.

Joe Patti58:12

No, but seriously, no, this is really important and serious stuff, even though we tried not to. We tried to inject a little levity, but this is a lot of stuff that is making the world go round. But Keren, your final thoughts. What do you think on the end? And feel free to put in another plug. It's cool. It's fine.

Keren de Via58:32

My final thought is that we need to do it more often. This was fun. Thank you for having me. It is great.

Joe Patti58:39

Thank you so much for joining. This was a lot of fun. And you know what? You have heard Adam's packet capture story, so it's like you're part of the family now. It's like an initiation.

Keren de Via58:50

I think so as well. I think that I've seen the worst. That's it. I'm done.

Joe Patti58:54

Oh, he's got more. Don't worry.

Adam Roth58:56

I am. I'm speechless. You're speechless.

Joe Patti58:59

All right. Well, thanks again, Keren. Thanks for joining. Adam, we always have fun. Oh, yep.

Adam Roth59:06

Absolutely.

Keren de Via59:07

We love you, Adam.

Joe Patti59:09

That's right. We love you, man. Okay. All right. And we love our audience too. Thanks everyone for listening. We'll catch you next time.