Hello and welcome to the hundredth episode of the Cyber Rants podcast.
This is going to be a good one. Certainly not scripted or anything else. We are just going to talk about how things came to be
where they are today, so this should be a lot of fun.
Looking forward to it. So we're going to kick that off here shortly,
but we will start in our usual fashion and make this a good one.
Mike, you want to kick us off with the news?
Here we go with our 100th news report.
Ransom demands, recovery time, payments and breach
lawsuits all on the rise/. Baker Hospital's annual
Data Security Incident Response report shows
ransom demands, payments, recovery times and
data breach lawsuits are on the rise in most sectors,
including cases tied to the use of pixels within the healthcare environment.
2022 saw increases in average ransom demands,
average ransom payments and average recovery times
in most industries. The low in ransomware that marked
the start of this year is over. Ransomware groups
have resumed attacks and organizations must increase their
efforts to defend themselves against increasing attacks.
The average time to recover from ransomware rose
in nearly every sector, in most cases significantly in 2021.
The average recovery time for all sectors was just over a week.
Last year, the retail, restaurant and hospitality sector saw an
increase in the average recovery time from 7.8 days in 2021 to 14.9 days in 2022.
Healthcare saw a 69% rise, followed by 54% for energy
and technology sectors and 46% in the government
industry sectors. The increased merit of spike in ransom
demands in six out of eight industries, with an average
payment of over $600,000. In addition to ransom vans,
companies are facing greater forensic investigation costs,
which data shows are up 30% from last year on average
when tied in network intrusion accidents. Anybody knows
those costs are up based on simple. The new insurance premiums
that you're being paid for cybersecurity insurance.
It's what I've talked about last week in a very thrilling Laura's Corner.
Facebook warns of new information stealing malware dubbed Node Stealer.
Node Stealer is a new information stealing malware distributed
on Meta that allows stealing browser to hijack accounts on
multiple platforms, including Facebook, Gmail, and Outlook.
The malware was first spotted in late January 2023 while
targeting the browsers of Windows systems. It can target
multiple web browsers including Google Chrome, Microsoft Edge,
that bundles the Node JS environment. The author uses node JS to
allow Malware execution on multiple OSS, including Windows, Linux and macOS.
The social network giant took action to disrupt a malware campaign
and support victims in recovery against their accounts.
There's a very simple fix of this stop using Facebook.
Hackers are taking advantage of interest in generative AI to install
malware threat actors are taking advantage of the interest in AI
like chat JPT to trick victims into installing malware
The hackers attempt to trick victims into installing malicious apps
and browser extensions on their devices and marked security experts at Meta.
Also, Facebook found multiple malware posing as chat, TPT or similar AI tools.
Security analysts have found ten malware families
posing as chat TPP and similar tools to compromise
accounts across the Internet, where actors create malicious
browser extensions available in official web stores that claim
to offer TPT related tools, per Meta's Q 123 security report.
So again, don't use Facebook. Microsoft patches serious
Azure Cloud security flaws Microsoft has patched three
vulnerabilities in its Azure Cloud platform that could have
allowed attackers to access sensitive info on a targeted
service, deny access to the server, or scan the internal network to mount further attacks.
Researchers from. The Hermatic research team discovered
the flaws in the Azure API Management Service, which allows
organizations to create, manage, secure and monitor APIs
across all their environments.
The flaw all rated high risk, including two server side
request forgery vulnerabilities in a file upload path
traversal on the internal Azure workload. SSRF allows
an attack to send a crafted request from a vulnerable
server to a targeted external or internal server or service,
or even target in the denial. Of service in a DDoS attack.
Abusing these flaws means an attacker can access sensitive data
stored on the targeted server overload targeted servers using
DDoS attacks, scan the internal network and identify potential targets for further attacks.
This is an interesting one for anybody working with insurance.
Court rejects Merck insurers attempt to refuse coverage for
non petia damages an appellate court this week officially
shot down an argument by insurers for Merck and company
that they are not liable for this pharmaceutical giant's
1.4 billion in losses following a 2017 cyberattack.
New Jersey appellate court judges said that in order
for the cyber attack to fall under any type of war exclusion,
that must involve military action.
The reasoning is that because it was Ukraine branch
of Merck that was attacked by Russians, they were trying
to get out of paying because they were saying it was an act of war.
So the pellet court didn't allow that? Just a couple of quick
headlines how to spot Chat GPT fishing website melissa
state HTML attachment volumes are surging DNA sequencing
and equipment vulnerability adds a new twist to medical device
cyber threats and hotel risks are at risk from a bug in Oracle
property management software.
And with that, I will pass it on to Lauro's with a special
Lauro's Corner for our hundredth episode. Mike, thank you.
And welcome, everybody, to the hundredth episode, not
necessarily the 100th episode of Lauro's Corner,
but we'll roll with the 100th episode of
Lauro's Corner message for the day.
Even though I don't have the beard that you see on the
cup anymore, I am here today to dig this, I guess to lay to
rest a long time argument that has been a part of the tech
and the gamer community for some time.
And that is the word and the spelling own, spelled P-W-N.
So, as requested by some of my most hated listeners, finally, it's here,
Lauro's recollection of how this came to be. Now, I'm not Chat GBT,
but you can ask Chat GBT and double check some of my facts here,
as I have also done prior to this conversation.
Okay, so snuggle up, buttercup, and let's learn about
the origin of the word own. So how did I get into computers?
This is going to start kind of in the back just a little bit.
So what really got me involved in computers, a lot of people
don't know this is video games.And my mom would not let me play them.
She was very much Bobby Boucher's mama.
Video games of the devil would not let me play.
So I got to go to friends houses that were part of
my soccer and other types of sports.
And they had an Atari, one of my buddies did.
And I got to play some games on his at over there.
So fast forward a little while. Mom and dad get divorced.
Good thing for me, because guess what? Dad bought me atari.
Oh, yeah. And a whole bunch of games at a garage sale one day.
And my favorite game was moon patrol. Another game that was
in there. That was actually one of the very few non game cartridges made by the 2600.
Was basic programming, and that's a conversation for for another day.
But in 1992, my brother and I built our first computer,
which was a Hewlett Packard 386.
I believe it had four megs of Ram, and we spent, like, an
extra $500 to go from, like, two to four.
And it had, like, a 40 meg hard drive, but all that mattered was
that we could play Do Two and Castle Wolfenstein on this game.
So if you're not familiar with the novel by Frank Herbert Dune,
there's a new movie out.
It's fantastic. The novel is fantastic. There was a game actually
a couple of games that were bathed in the computer world
on this novel. June 2. Building Dynasty, I believe it was called,
was one of the first ones I actually got to play, and I still have a
copy of Dune 2000, which is the third one on an old Windows Seven
computer not connected to the Internet that I do still play from time to time.
Keep that quiet. Okay. So, in high school,
I got to be a part of the computer lab just by simply knowing
how to spell the word computer. In the 90s, this was kind
of a big skill set to have, right? They're like, wow, you built a computer.
I'm like, yeah, I plugged in a couple of cables and sat the monitor on top of the box.
You got the job. So, great news. I got to be a part of my high school computer lab.
And the whole reason that I wanted to be a part of the computer lab was because
I needed to install games.And I needed to play those games while
I was at school, on break, on lunch, before school, after school,
between games, anytime that I had an opportunity, I wanted
to play video games on computers.
And I couldn't afford a computer of my own, right?
My brother and I had to share, and I think that computer cost,
like, $2,500, and I pitched in, like, 900 of it,
and my brother pitched in the rest from working for, like,
three years to save up that money back when minimum wage was like.
Anyways, Doom and Castle Wolfenstein and the game
Dune were all like big time things. And Command and Conquer
was one of the very first real time strategy games that came out there.
If you, if you're a gamer, you might remember this is I'm showing my age.
This is old school. This is ninety s okay. Warcraft orcs
and humans and you may be familiar with the warcraft legacy,
I'll call it. That's been out since 1994. Okay, so the very first
Warcraft Orcs and Humans came out in 94, and it offered
a very primitive multiplayer mode where you could use
an IPX modem or like a dumb hub where they don't even
make totes anymore, do they? Mike, can you find a three
hub someplace on the Internet? US. Robotics, you know what I mean?
I'm pretty sure those have all been destroyed. Destroyed.
And they're going to be added to the T 1000 when they come out.
All the three modems. Now, the plastic has been recycled.
It's like the fender of a Prius. Now, you know what I mean?
But you could play this game one versus one, and you
could play on the computer. So this was a lot of fun.
Commander cog of these strategy games were great.
I went out to graduate high school, thank God, and I joined the army.
Probably not the best idea, but it was a lot of fun.
And I got to participate in a lot of the land parties of the 90s,
because I was a young father. I was a computer nerd.
I was in the army for signal and electrical engineering,
and I wasn't a partier. So what did us nerds do?
Well, we had land parties where we brought our
giant computer workstations down and carry them
into the break room or the common rooms and the barracks,
and we'd hook them up and play them. Well, if you are familiar
with your history, you'll remember that Warcraft two came out in 1996.
Warcraft Two had the ability of a greater multiplayer version.
In Warcraft Two, you could actually play up to, like, I want to say, eight players.
On a land. So you only had the choice between orcs and humans.
You couldn't pick any other races, but you could play up to eight players,
which is a really cool thing. So we had these land parties with like
50 people all waiting their turns in a tournament to play this
eight v eight game in several stages.
So we had three or four of those set up like 30 some odd
players playing at a given time. So it was a lot of fun. And this is
where the own comes from, is that that game Warcraft Two specifically had in game messaging that would play when you lost.
Okay? There was game that messaging that played when you won.
And this game messaging is part of all games, right?
There's just subtitles and language in the game that's
just part of the game. So when they added this language when
you lost a game, sometimes it would essentially say this was auto generated,
so you'd lose to player whatever and it would say you have been vanquished by Player One.
Or it wouldn't say it like that, it was just text. But in my head,
that's kind of how it sounds. Anyways, for the purpose of radioyou
have been annihilated. And also one of the other ones was that you
have been owned by Playo One. If you notice on the keyboard,
the P and the O are very close to one another. So this auto text, t
his auto generated messages that was pre populated
in the Warcraft Two game included the misspelling
of the word own in this one specific in game losing message.
It wasn't holistic through the whole game for the letter O, it was just
in this one losing message when you lost and it didn't
come up every time, it was again, it was an auto random
When you lost your game, one of the messages that would
display was you have been owned and it was misspelled with a P.
And we kind of thought this as a Kaha. Funny, right? Well.
Later in 96 Blizzard released the battle.net support and that
resolved that misspelling in the in game messaging.
But the connotation for the usage of the word own and the
misspelling has been a historical throughout hacker and techie
geek speak since its warcraft's inception in 1994 when they did actually use the
word own in some of the in game messages it wasn't misspelled.
So that's all great. So we know it came out of the game
warcraft Two in 1996. So how do you actually say it?
Because a lot of people say well it's pone and you say no it's owned.
And you're like no it's poned.
Well I'm just going to be very simple, okay?
Sometimes you see words, for example Christmas has been shortened, right?
Instead of spelling it C-H-R-S-T-A-M-I-S people spell it Xmas.
Right. Well when you see the word x MAS you don't go oh it's Xmas man,
happy Xmas, merry Xmas.
No you don't, you say Merry Christmas because
that is the intent of the word's pronunciation and articulating. I
t properly denotes the message of cheer and joy for that type of season.
Right? Own is the same way, even misspelled with a p.
Okay? So own was misspelled of the word own. It was intended to
berate your opponent, to be owned for losing.
t's like a salted battle cry of victory. It was a term that insulted, you know what I mean?
You cannot win against me in this game, okay?
The strategy you think you're going to use to win I already
anticipated and I know it, you have no chance, I own you in this game.
And that's exactly how the term of endearment is supposed to be used amongst the gamer collected.
So as it relates to game and the subculture's abundance
of uses for the word in modern civilization.
Quite simply put you must ignore the p when you say i
t but you must honor the. Anytime you type it.
And that, ladies and gentlemen, is the 100th episode,
Laura's Corner. So I hope you enjoyed that. And if you disagree, I
'd love to hear your background information in the comments section.
Cheers. Zach, what are we talking about today?
Wow, outstanding history lesson there. That's need to write that
all down and make a book out of that. That should be taught in
schools everywhere, I believe. Thank God this is recorded. And you can just play back.
There you go. And transcribed, right? You have a book there.
And then maybe the next episode will be on CISO versus Siso. T
here you go. There's a can of worms. Call it the Mandela effect,
you know what I mean? And that could be a possibility here.
But I have distinct visual memories of seeing this come up in the crazy,
crappy 16 bit text, you know what I mean?
Like in the game multiple times, because guess who lost a whole lot?
Me. A lot haunts you to this day. It haunts me.
It haunts me when I have interns come in saying,
oh, man, we poned that cringe, cringe, cringe.
Well, outstanding. Hey, we're going to kick off our
100th episode here shortly.
Well, I guess we've already kicked it off, but we're going to
continue it shortly after a quick commercial break.
All right, we are back with episode number 100
of the Cyber Ants Podcast. Did I already say that?
Did I already say we're on the 100th episode? I don't know.
Jill edited it out. If we said we're on the 100th episode too many times,
I think it's 100 times already. I think so.
If they don't see it in the title, they know we're going to.
Turn this into a drinking game afterwards. So every time
I say 100th episode, you have to take a drink,
you're welcome for that. But no, this is a good benchmark,
good celebration. I mean, certainly most podcasts never
make it to 100 episodes. We're just grateful for people listening
and hope that this has been tremendously beneficial
from people that we've heard from Big, been good feedback.
People have been able to take this material and run with it
and improve their organizations and make the world a better
place in a small but meaningful way, I guess you could say.
We're going to take this episode and look back a little bit
and just kind of chat about how we got started in the business
in launching Silent Sector. I should say we've already heard Loro’s
background here. We've talked about backgrounds and stuff in
previous episodes. So we're just talk a little bit about how
he started the Silent Sector
and then how cyber rants came to be.
So I'm happy to kick us off with that.
Or if one of you guys want to jump in and give the story,
by all means. There was a time when Mike
and I were angrier than we are now.
Bad leadership, I guess. Let me specify my
anger directed towards really poor leadership.
Yes. So what did you do about it? Tell me more.
Well, I pissed and moaned a lot. Didn't get me anywhere.
We wrote a bunch of emails. Really didn't work either.
And I guess what I'm talking about.
Is probably some of the pain that maybe some of the engineers
and architects and whatever you are out there in it or technology feel
when you have a great idea and you know it needs to be done
and you take it to leadership and they say, yeah, go back in color.
We're not worried about that right now.
And even though that in the details of your job description,
it says, we'll improve upon offer capabilities, you know
what I mean? Offer architectural consulting, and you get shot down.
And I think that Mike and I know that I think just like a
PTSD victim, we know, right? We fill that pain.
And I think that's really kind of what I don't know if that was
necessarily a spark, but that was certainly some of the
first tender that helped ignite what silent sector is today, I think.
And that ability to it was definitely a driving force. I
took kind of the Andy Kaufman approach.
And for those of you who don't know, Andy Kaufman's
a comedian from the 70s famous for playing
La Cagris on Taxi, but he was a comedian tha
t would put the joke on the audience.
So you would come to one of his shows and expecting comedy,
and he'd play opera music for an hour or something of that
nature and make the audience very uncomfortable.
So I would do things to basically mess with management,
just to mess with their heads because they bored me and annoyed me.
Little manipulation, little social engineering, entry level stuff going on here.
But as a senior guy, that's what I started doing. I once told a
client to stop pontificating. The circumlocutions getting wild in here.
Okay? Really? I think it was we weren't getting anywhere
in our corporate worlds, right? And I think that's the
advantage and a disadvantage to being in a corporate monolith
is that you kind of get this tunnel vision and you have to play this
internal political game that's going on. And Mike and I were like, man,
we're just trying to make the world a more secure place.
We're just trying to do the normal. Just things that are part of our jobs.
And we felt like we were getting I mean, it's quite literally,
walking uphill in sand with a bunch of gear on.
And so I think it was out of that that really gave us the initial push to be like,
we can do this better. There should be a better way to do this.
And even not happy with some of the third party vendors that we got to come in and do cybersecurity.
We were watching them just waste company dollars.
Like, this company would throw a million dollars at a project,
and it wouldn't even get finished. And the consulting company
that would come in and do this would just like,
at least they were stealing money.
It was crazy how some of the stuff was happening.
And when these It budgets are in the tens of millions of dollars,
things just get thrown around kind of crazy.
So I think we both knew that we could do this
better, and there was a better way to do this,
and there was a better way to support our businesses here in the United States.
Well, and a lot of times we would see these companies come in
and get a million dollar deal, do an ultimate failure,
and then get another contract right after it oh, yeah. To fix what they botched.
Yeah. And there was this whole much frustration on dealing with that.
I mean, it really got to the point where it's like,
what is the point of me being here?
You're not listening to me. I spend all my time in meetings
accomplishing nothing, and it's the same meeting over and over again.
How many times can I say, no, you can't have any rule on the firewall.
No, you can't do that before you got to move on.
Otherwise you're driving yourself crazy.
And what would happen? A third party would come
in that they paid hundreds of thousands of dollars more to
say the exact same thing we just said in an architectural review not a month before,
and they would take the advice and move forward with it.
And it's just like, what are you paying me for?
Right? And I think that was the realization that the
political game is thick. And in some organizations
and this isn't all organizations, right.
The listeners can you're going to hear these you're listening
to this going, yeah, I know it's happening to me.
Or I don't really have to see that in my organ, for those of you don't.
That's great if you have one of those organizations.
It's not like that. Because it is prevalent, unfortunately.
Well, the scary thing, Loro is that we're the Bobs now.
Yeah, we are. We actually get stuff done. We do.
I mean, the Bob's got stuff done at that company in Inatech
as well, too. Right. I mean yeah, so and we very much are.
And I like to think that we we bring a little better skill set and personality
than some of some of the bricks that come from some of the big players
that we've seen in the past.
But again, we're doing that good, meaningful work as practitioners
of this field, and it's making a difference. And I think that's really
all that we ever wanted in our job was t
o feel that this was good, meaningful work.
And at the end of the business day, I can be satisfied with the
stuff that happened because it made a difference.
So, Zach, what exactly would you say you do here?
Yeah, good. With the engineers,
so the customers don't have to because I have people skills.
I'm good at dealing with people.
Clearly, you see that movie too many times.
I'm still trying to figure that out. It depends on the day.
And I wish I had a set job description. It'd make light.
So really what happened is Zack's an opportunist
and he saw Mike and myself in the pit of despair,
like Elvis Presley, you know what I mean?
I reached down with a helping hand and offered you a way up and out of this.
That's true. But really, what did.
What did what made you want to want to start cybersecurity?
My story is a little different, of course,
so I've been an entrepreneur my whole life, like,
even from a kid, you know, other than my time in the military,
so but, you know. Zach put heroin in his lemonade stand at the
age of six so he can get repeat customers, you know what I mean?
Brilliant. Get him addicted on that lemonade, right?
Well, being in the Army, I got to do cool stuff that was kind of
behind the scenes, under the radar.
But there's a lot of meaning in being able to
protect the United States and citizens and a lot of stuff
that gratefully most people will never, ever hear about
or know about, and coming back, as in the private equity world
and doing great things there.
But I just realized that, hey, America is under attack still,
and our fight is not necessarily out there in other countries.
It's here within. And a lot of what's going on is just this
slow war of attrition on our resources through cyberattacks.
You hear about it more and more in the news.
I felt drawn to this industry in that, well,
one I grew up doing. I was total nerd, let's just say.
Didn't have many friends growing up because
I spent all my time on computers,
that entrepreneurial route, and kind of stepped out of the
hands on tech side, but always still interested in that.
So it all came full circle and realize, hey, we have
the ability to do something different here.
I was grabbing cigars. Um, first with Mike and then and then with you, Loro.
When we were when Mike introduced us,
and just in talking to you guys,
I could tell there's something wrong in this industry.
There's something that needs to be done because we're
hearing all this stuff on the news. We're seeing a lot of motion in this industry,
but not a lot of results, I guess I would say, at the time.
And I think the industry's gotten tremendously better overall.
Still a lot to work on. I mean, we've all got a lot to work on,
but that's opportunity, right? And what you guys had revealed
and how things generally work, we realized, hey, we can build a better mousetrap.
And it's that old saying, if you want to do something right,
you got to do it yourself. Well, that's certainly not true.
All situations like, don't ask me to do salsa dancing or
throw a basketball and expect to make it in the hoop.
Right? But there are certain things that I think we bring
the right skill sets to the table, and we all have complementary
skill sets. And that's ultimately how Silent Sector came to be.
We knew something needed to be done.
We knew there were better ways to do things.
We have the expertise in the various areas.
And then it was time to start going out and going after it.
And as we grew, we started shaping the business, realizing,
learning more and more along the way.
Hey, what are companies really struggling with?
Who are the companies that are worried most about this?
Who are the ones that are going to be the most proactive
or need to be the most proactive?
Who else do we need on the team to support this
and give our clients the best possible experience and so on?
It's been an awesome adventure because we started with really just an idea.
Well, and cigars and scotch, but that helps. That help AIDS in the creativity process, right?
And then here we are. It's been a huge learning experience, still a lot to learn,
but it's been great because as a company that's kind of against the grain in the tech world, we do stand out of it.
So most people are after the latest SaaS startup or the latest technology tool or whatever, because
that's the sexy business model, right? You get the big multiples on sale, you get venture capitalists
just throwing money at you because you write cyber security on your branding.
Granted, that's changing now, but for a long time that was the case.
And so it's pretty cool, though, to be able to see we've taken a steady route, professional services,
it's the fundamental activities that people need, the expertise portion and the support,
and built something different that you don't really see every day.
And so that was fun. And then in terms of maybe we switched
gears a little bit here in interest of time, but talk about cyber rants and how that came to be.
Again, we were angry. I think we needed a soapbox to dis, to bullhorn the things that the industry was getting wrong.
And I think that also the things that were being misconstrued
by business leaders and I think there was a lot of that.
There was a lot of confusion. Five years ago.
Again, cybersecurity has been out since 1983, right?
The Orange Book, so don't tell me otherwise, everybody's behind.
But in the last five to eight years, things have moved quite quickly.
But initially there was a lot of confusion, a lot of nobody understood what they needed to do.
Everybody's throwing a tool at youth saying,
this is going to solve your problem.
There's been overturn situations in the professional portions of this,
and so there's been a lot of chaos in this.
And I think that's where we helped display some of that stuff in cyber rants.
And I think that's where we live comfortably within that chaos.
So the writing started with the two weeks to slow the spread.
I don't know if you guys remember, but we had this thing.
That's right. You may have heard about it in the news,
but anyway, yeah, so that's when the writing started
because we were like, well, we're going to be a little slow for a while.
So we have all these white papers we've already written and let's put them in the book.
Let's string them into something that makes sense and creates a story and kind of a manual.
And we augmented some, threw some away and then started writing this book.
I think it took us only like three or four months to write the book.
Yeah, we all took pieces, so yeah, I think so
. We had a lot of source material and we all took pieces and we went from there.
And I think actually one of our interns, Hayden Store, wrote part of it.
I think there's a shout out to her in the book.
We haven't talked to her in a while. I hope she's doing well.
But anyway, so we wrote this out and remember taking like
almost a month to do the front cover?
Yeah, the front cover, the art layout. That was like a long process.
It was like longer to do that than it was to write the book. People judge a book by its cover. Exactly. You got to get that right.
Yeah. Who cares if it says anything?
nd pull important if you can't get past the label, you know what I mean?
Exactly. And comments like Zach just said is why
he didn't have a lot of friends as a child.
I thought it was because every time he started to talk to me,
he pulls out a notebook. I'm just saying. Yeah, that too.
Hey, you got to take notes. Data collection. Right?
We got to collect and build the plan.
But it was dispelling. I don't guys the right term,
but, yeah, we were trying to bring some truce
out of the darkness in this industry, and again,
there's a lot of smoke and mirrors, and, you know, like like a shady
mechanic might tell you that, you know, you need you need your flux capacito
r resolved if you don't know any better.
And that's what we were seeing, that there was a lot of misinformation in the industry,
and there's a more efficient, direct, cost effective way to do these things and make your business more profitable while doing so well.
The other thing is that we really wanted to bring I mean, Loro
and I, we joke about we have a lot of talent.
We worked in very large companies, very large organizations.
Most small to medium size or whatever the term is
emerging to medium or whatever the politically correct term is
for these companies is can't afford one of the
big five consulting companies come in and talk to them.
Can't afford that and potentially wasting their money.
Yeah, exactly. But better chance than that.
I remember talking to one large consulting company.
I was like, who's your client? He's like, Anybody that can
write me a check for $50,000.
I never want us to have that mentality. I mean, we really don't want that
If you can write a check for $50,000, zach will gladly take that
and give you our PO. Box and or our routing information for ACH.
But that's not what we're looking for.
We're actually looking to help, and we have kind of
an altruistic bent to us as well.
All totally. It's like, was the Tomahawk steak
at Al NassurA worth the $1,200 you paid for it?
Right. Or did it taste a lot less as Mike's backyard?
Tomahawk taste, you know what I mean? Or at least equivalent.
I like to think Mike's a pretty damn good cook,
so from what I've tasted so again, are you going to
be able to tell $1,200 a difference?
There are two bobs sitting out there somewhere right now
that are just really upset with what you're saying. That's fine.
I'm not here to be nice, too. I'm here to say the truth. We're here to rant, right?
We're not here to be politically correct. It really is too
.Like, if you're working just to work,
you spend the majority of your adult life working.
When you're on your deathbed, looking back, are you going to wish that,
hey, you were able to bill those extra dollars?
Or are you going to think about the great things that were done
, accomplished relationships, built, helping people succeed and all that?
And we all want to make money that 100%, and there's nothing wrong with that.
But there's an additional component to it as well, right?
I think that's a big piece of it. Plus, we are in an industry
and those people that listen to the podcast that are in it,
or security, we all have a major part to play in what's going on in the world right now.
We have to protect the backbone of the American economy
and our way of life and other countries as well. Of course, t
hat just happens to be our particular mission.
But there are a lot of people that want what we have able to take it.
So there is a fight going on here.
We are in this realm of cyber war, and it's not about shutting down
the electrical system or cutting off all these
kind of critical infrastructure resources. I mean, granted.
You know, certain certain scenarios can happen,
but it's about dollars and cents.
It's about financial drain over time.
And the enemy is playing the long game.
We have to recognize that.
And so we need to get in there and we need to match them
and we need to understand that, hey, the more resources that we're given up to them, the stronger they're going to get.
And so it's that constant battle.
I think that's why so many people that were huge into video games
as kids are in the cybersecurity world now. Right.
I think that's pretty safe to say that most security professionals are also gamers.
Yeah, probably. It kind of fits, right.
The problem solution and the addiction to finding a problem and solving it is,
I think, a huge part of the attractiveness to this realm.
But you're right. I mean, we are in a cyber war
and I think a lot of the frustration that Mike and I had
is because we've kind of always known that.
But you can't articulate that to business leaders.
You can't tell them why we don't need any rule.
Again, some of these individuals, they're so tunnel visioned.
They've been in the organization for their whole lives.
They've never worked anyplace else.
And that's what they care about, is their legacy at that company.
And whatever you say, if it doesn't go against their narrative,
they might shut you down.
And that's frustrating when your own intent is to simply just
to protect the integrity of the business.
Exactly. And so it's a terrible misfortune that some have
to bear that are out there doing this job
and listening to this going, yeah, that's like me at work every day.
That's me in real life. Right. IRL. And I'm sorry, but things can get better.
And there are ways that you can draft messaging
and call in third parties to help you. And I mean, we do that a lot.
Right. We have lots of organizations that we represent
where their own staff have tried to do this
and they can't get they like to call it Teeth.
Right? And they say that when we come in, we do an assessment.
It gives them the teeth that they needed to get the budgets
and the changes and all this stuff done.
And then what happens is that the company becomes
profitable and they get bought and you know what I mean?
It's like this giant success story and it all started because
somebody wanted to do the right thing. Somebody saw that there was a misalignment and they wanted to fix it.
It and leadership didn't want to listen to them at first, but they continued with that.
Right. Or they're unable to get the bigger and bigger
deals because they can fill out the security questionnaires.
Sure. But I want to just give a caution out there
There's a lot of people that want to get into cybersecurity
because of the money or the prestige or something like that.
You're not going to last long. I'm just going to be honest with you.
If you're here for money, forget it. You're better off.
Go and be a broker or something somewhere.
Yeah, YouTube. Be an influencer, whatever.
Again, there's a lot of talented individuals out there in the world,
but there are a lot of cybersecurity YouTube channels
that talk about these hacks and these bypasses to things.
But what they don't tell you is they're using a rigged application.
So they're incentifying you to think that this is easy.
This is not easy. And just like Mike said, I talk to probably at l
east one individual a week that's a friend of a friend or
somebody throws my way that wants to get into this field.
Because it's booming right now, right? I mean, it is.
And people are asking me, do you need to go to college?
There's an MIT program.
What certificates do I need? And I just flat out tell them
like, if you really want to see if you've got the mustard, you go to hack the box
and get recapture the flags.
Just go there and see if you can even got the mustard to hook up
the compute connection that you need to even use the lab.
And that'll tell you if you got what it takes to make it in this industry.
Just a little bit of it.
You can capture the flags at Hack the Box, you might have a chance.
That's a good test, it's a good litmus. You can be a mercenary
in this business totally if you want to be, but you still have to have a passion for the work.
You can't be a mercenary who's just doing this to go through the numbers,
because you know you're going to get paid for it.
There's a difference. You have to have an acumen.
You have to have a mindset.
You have to have an understanding of why this is important and what it is.
And if you want a job, hop for an extra ten grand from company
to company to company or whatever it is, that's fine. You can do that.
I did that the beginning of my career. The longest I ever stayed in
a job in the first 10-15 years of my career was 18 months.
Yeah, I don't think it's uncommon. I mean,
I, too have changed jobs for money.
I think that's a big problem in the industry of why we have
high turnover in some of the companies that reside in
States where the pay grade for those types of technician positions
is kind of low based on the United States number.
So you've got with work from home, ability, you have talented
individuals going wherever they want, and it's hard to retain talent.
But I think the other side of that coin is you don't want to jump right.
Pick an organization that you like that you want to serve
because you like doing this discipline.
Like Mike said, you got to have a love for this job
if you're going to do it for money. You're probably going to burn out.
You're not going to last long. Can you make money doing this?
Yes. But you're probably better off doing YouTube. Don't come in.
And we've had this at some clients. We get a security guy comes in,
says, oh, this endpoint protection software you got is wrong
We need to put in this and spends up millions of dollars
and months of projects, puts this new software in, and then leaves.
Because all they wanted was to put it as a project on their resume.
Went to this company, was in charge of a $1.3 million project
to upgrade the endpoint
security protection process. Saw it completed in six months.
All success. Just to go make like you said,
Mike, another ten grand someplace else.
But who's left holding the ball, right?
I know some might think it's perverse to be empathetic to the business,
but if it's a good business, it's not, right?
And that does hurt organizations because most of you listening.
You're working on an inherited It infrastructure right now.
Well, there's a chapter in the book
called Tools, Tools, Tools and it's actually based
on some real stories and definitely finding a beta version of endpoint
protection software that got started three It regimes ago
that was still running and still being paid for.
It's one of those things. Why is the server still running?
I don't know. Jim used to run it. Well, Jim doesn't work here anymore.
Well, who took it over? Oh, the guy that sat next to Jim. Well, he's gone too.
So who's in charge of this infrastructure? Jim's Pencil? Yeah.
I think there's some notes somewhere. It's like, great. Go ask Lumberg.
Exactly. He was here. I think there's so much that
the industry can change when it comes to people.
And we've talked about that before, right?
We've talked about just the better utilization of the people out there.
And I think it's going to take the people, like the people
that are listening to this, or people that really are passionate
about the industry to go in and kind of force that change.
I think things like job hopping and stuff, well,
it's not certainly not good for the company.
At a certain point, companies should also wake up and say,
hey, we need to offer more,
offer something different for our team to keep them
and get better at retention, create better cultures,
places that people want to work.
So. That stuff's all important.
I think from the cyber rants perspective,
our goal is basically to get as much information
out there as we can that's transparent, that says
it like it is, that really guides people in the right way
because there's still just a lot of marketing fluff and hype out there.
And I think one of the big realizations over the few years,
kind of one of the lessons learned for me at least,
has been that the process there's a lot of complexity i
n cybersecurity and technology, no doubt,
but the process itself is actually much simpler
going into it than most people realize.
People think that it's this mystical realm, a new world that you walk into.
They don't realize there are process flows out there.
There are checklists, there are things that you can follow as
an organization and you don't have to make it up as you go.
I think part of our job is also to educate those non technical
individuals out there that leadership.
And that's pretty cool because the space that
we're in now compared to where you guys came from,
out of the corporate world, now we get to work with
mid market and emerging size companies.
So not so much startups, although once in a while and
not Fortune 500 and such, but sometimes large enterprise,
but mostly that kind of that mid market and lower mid market range
They seem to be moving quickly.
They seem to be receptive.
They're incentivized to do it.
So I'm really encouraged because if our client base is a sample
set of what's going on across the country, that means that companies
are getting more and more proactive.
So we started this business in 2016.
Everybody that we worked with, basically their hand was being forced.
omebody was telling them, hey, you got to do security
and these are the things you need to have, and so on.
Whether it's compliance or whether it's a customer.
Over the last, I'd say, two to three years, the tides have started to turn,
and more companies have reached
out to us out of a true desire to be proactive in their cyber risk management.
You know, they're seeing what's going on. They're waking up to it.
They're really realizing, hey, we're not invisible out there.
We can be on the criminals radar, and we need to do something about it.
So I'm I'm encouraged with kind of the overall mindset shift,
and I think we used to rant about, hey, cybersecurity is a fact of doing business.
You have to do these things, and on and on and on.
Now people are actually realizing, wait, that's true.
You have to wash your vegetables before you eat them.
I think it's a whole new era that we've kicked off.
What's the thing where you fan the air or you throw a
feather or something and it has reached the butterfly.
Effect, is what you're talking about. I like to think that
we're responsible for quite a few of the new terms in t
he industry as well as ideas, because I think nobody pushed
the stuff harder than we did.
That's entirely possible. Yeah. Some of the new terms don't make any sense.
Yeah, that's true. Why do we got to keep renaming.
Things that we've been doing forever? Yeah.
DevSec ops, you know what I mean?
Like threat hunter. Threat Hunter. But again, these are marketing
individuals going, we need to rebrand that.
We need to rebrand our Bud Light. It's a good idea.
You know what I mean? Sometimes it is.
Sometimes it's eye. You just kind of never know. It'S working.
Mike Laughs let's move on. Yeah. Well, hey, there's so much more
we could talk about, but. Over our typical time allocation here.
So one thing, I really want to thank all of our team members, first of all,
at Silent Sector, because they enable us to grow and thrive
and just do awesome things for our clients.
And I want to thank our clients out there.
Since we started, I mean, we've just worked with some incredible companies,
incredible technology, business leaders, and that's who makes our business possible, of course.
And then thank all the listeners, all the people that have read the book and really, more importantly,
the people that have listened and read the book and actually taken action on those items. Right.
Take an action on anything that you've learned.
And I know some of the things that we talk about,
people will know and understand, but there's
always nuggets of information to learn and hopefully
that's being put into action all over the place.
I know it is. I shouldn't say hopefully because we see it.
We do see it. Yeah. That being said, any last words of
wisdom or lessons learned or anything you want to share
before we wrap up?
I have a friend of mine that'll get mad because I said this,
but there's a saying that goes, if you love what you do,
you'll never work a day in your life.
It's not quite true to the essence that you might hear it, but it feels a lot like
less like work when you are on the path of something you believe is
for the greater good. So if you are in this field, then you're in it for the right reason.
Hopefully. If well, great. Yeah. There's there's three burnout points,
18 months, three years, seven years after you've been in this for seven years,
you're unfit for anything else. Yeah, good point.
I like that. Mike, you. Can no longer speak human.
You can't function in normal society. He's just the way it is.
Well, outstanding. Hey, thank you all for listening to the 100th episode.
Did I say this is the 100th episode of Cyber Rant Podcast?
I want to see everybody drinking out there. After the 100th episode,
we're going to have well, once we finish the 100th episode,
the next episode after the 100th episode is going to be the 101st.
Screaming Eagles. The 101st. The screaming chickens. Screaming chickens.
All right, well, outstanding. Thanks, everybody.
Have a great day and we'll catch you next time. Make sure it's own, not pone.
And CISO, not siso. Yeah. CEO CIO CTO CAO. Not Cow. Right.
And not chief administrator officer Cow C. AO. So it's CISO. CISO. There you have it, people.
True. All right, that's a wrap. Have a great day.