
Episode #51 - The Who's Who of Cybersecurity

If your organization is growing and is getting ready to build its own InfoSec team, this week's episode is for you. The guys discuss the "Who's Who" of cybersecurity, explaining the cybersecurity job titles and key players that growing organizations need when maturing their cybersecurity programs. From Chief Information Security Officers to Architects, Engineers, and Project Managers, the guys share who's who in each position, plus the required skill sets, responsibilities, and proper staffing models.


Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com
Be sure to rate the podcast, leave us a review, and subscribe!

 

Headlines:

DANISH WINDMILL MANUFACTURER HIT WITH RANSOMWARE

‘TIS THE SEASON FOR PHISHING EMAILS – BEWARE!!

Texas School District to Scan Children's Devices – disgusting invasion of privacy

Exploiting Windows 2008 Server by Eternal Blue Vulnerability to perform Data breach attack using Metasploit Framework (MS17–010)

Behind the Man-in-the-Middle Attacks For Connected Cars: Real-Life Interception of Network Traffic Between Connected Car and Back-End Platforms

Transcript

Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths about corporate cyber security programs. We're ranting, we're raving, and we're telling you the stuff that nobody talks about on their fancy website and trade show giveaways, all to protect you from cyber criminals. And now, here's your hosts: Mike Rotondo, Zach Fuller, and Laurel Chavez.

Hello and welcome to the Cyber Rants podcast, episode 50-something. This is your co-host Zach Fuller, joined by Mike Rotondo and Laurel Chavez, and today we're talking about the who's who of cyber security. But before we do, Mike, why don't you kick us off with the news?

Hey, good morning. I only have a few headlines today; it was kind of an odd news week. But starting out with something critical: Danish windmill manufacturer hit with ransomware. Vestas, a windmill, wind turbine manufacturer located in Denmark, confirmed that its company network was hit with a ransomware attack on 19 November. Several computer systems were affected by the attack, and the company stated that data was lost to the attackers.

Oh man, I just had five Danish windmills on order through Amazon. I was waiting on them; I thought it was weird that they were delayed.

Yeah, well, I actually found them laying in a ravine in Alabama somewhere, so I think we just need to go pick them up.

Okay, good, good plan, good plan.

'Tis the season for phishing emails, beware. The holiday season is a favorite time of the year for cyber criminals, who never seem to run out of ideas for their email phishing schemes, those crafty criminals, that still result in hordes of victims that fall prey to them. Promises of amazing deals for hard-to-find goodies, especially during a time of supply chain issues, is one ploy. Another is BEC, or business email compromise, schemes. One of the ones that I've seen, I've gotten this one five or six times, is Geek Squad notifying me of my upcoming support contract. So be careful with what you click on out there. If you didn't order it, don't click on it; don't do it out of curiosity. Just delete it and move on.

Yeah, and actually even Santa Claus this year is getting used, because I almost fell for the Santa Claus, as you know, just wants to verify your wish list that you made this year. And so I almost clicked on Santa Claus's list that he had for me, and then I was like, Santa Claus, you sneaky guy.

You know, I should have forwarded it to you guys. But the other day I actually got an African prince phishing email. I think they're coming back around; it might be long enough, they've been gone long enough that people have forgotten.

And they're about the old prince, yeah, might be back in style. But at least I have over a hundred million coming to my bank account now, so that's pretty, pretty nice, pretty nice Christmas present for me. So I just gotta wait a couple weeks here; it'll be good.

Yeah, you can almost buy one of those Danish turbines now.

That's my plan.

Texas school district to scan children's devices, which, my own commentary on this, is a disgusting invasion of privacy. A school district in East Texas will start scanning digital devices used by its students to find out what they have been saying to and about one another. Longview Independent School District has partnered with technology and web hosting company Gaggle to scour district-issued devices and student emails for a particular set of keywords. With Gaggle software they're looking for bullying or whatever. It's just getting ridiculous.

Behind the man-in-the-middle attacks for connected cars: real-life interception of network traffic between connected car and back-end platforms. Man-in-the-middle attacks are one of the most dangerous threats to connected vehicles, because it allows you to intercept communications between the car and back-end platforms, record and modify the network traffic, extract conventional credentials and install malicious updates. As the automotive sector continues to integrate connected technologies in their vehicles to offer customers higher performance and advanced experiences, the risk of cyber attacks against cars increases, making automotive cyber security vital.

Firewalls. Yeah, I wrapped it in cellophane and foil, so, you know, but the Wi-Fi Pineapple still works for some reason. Maybe that's because it's inside the cab with me.
That's the news. Laurel, what do you got?

Wow, that was a short week. Awesome. Let me see, I've got an equally short exploit presentation today, so I think I can see your news articles and reduce you another, like, four. So I've got one exploit to talk about this week. There's a whole, let me just tell you, there's a slew of, right, is that still a good word, slew, or should I say a plethora?

I like the rock, you like slough; I like slew. It has multiple meanings, but it very much describes, I think, where you're headed.

Yeah, because I think I know who's coming up.

I think, yeah, who's coming up. And I also do, exactly, like a muddy, gross, marshy, like a refuse-runoff slough of this.

Yeah. It's WordPress. I'm not gonna talk about it anymore, but look, if you're running the crap-ware, you better check, because there is a slew this week. I wouldn't even bring it up if there hadn't been a slew, but we don't talk about that anymore. What I am going to talk about is the GitLab 13.10 remote code execution. Okay, this is unauthenticated. Now, this has been out since the beginning of the month, okay, but I want to bring it back up because it's very obvious that this is kind of settling behind the scenes, unfortunately, right. And so as an example: Shodan, everybody hopefully knows what Shodan is. I did a search dork on Shodan for GitLab and server nginx, and I got 55,383 results for systems using the vulnerable version of GitLab on nginx. So it's rampant, and I mean, I don't know if I can use slew here, but it's not as slew-y as the other, but this is bad. So if you're leveraging GitLab, please check that you're off of 13.10 and that you're on the version that isn't compromisable anymore, because obviously there are still a lot of devices around the world. In the United States we've got 7,300. China has the most at 17,000, so, you know, their numbers are slightly higher than ours in this case, but still, what, seven thousand is a lot to have in the United States that are using GitLab, and these could be very large companies or very small companies. So if you're running the GitLab packages for your code, or any of the work that you're doing, even if your labs are doing this, make sure that you're off of 13.10. And that is it for exploitation. Zach, what are we talking about today? What episode is this?

So I just need to clarify: a slew is greater than 10. To be precise, so slew is greater than 10; that is the Cyber Rants definition.

So 55,000, we got a big slew. That's a big one; that's many times more than 10.

Today we're going to be talking about people and positions.

We're talking about YouTube?

Oh, oh, we're not talking about people like that.

Yeah, we don't get to talk about me this time, unfortunately. But we are going to be talking about that. As a reminder, all the news articles are on the podcast website at cyberrantspodcast.com, as is a form you can reach out and suggest future topics and make comments and rant and anything else you want to do. So that being said, we're going to dive right into it after a quick commercial break.

Want even more Cyber Rants? Be sure to subscribe to the Cyber Rants podcast. Get your copy of our best-selling book, Cyber Rants, on Amazon today. This podcast is brought to you by Silent Sector, a firm dedicated to building world-class cyber security programs for mid-market and emerging companies across the US. Silent Sector also provides industry-leading penetration tests and cyber risk assessments. Visit silentsector.com and contact us today.

And welcome back to the Cyber Rants podcast. Let's dive into it. We're talking
about the who's who of cyber security, and I think it's important for people to understand this. What we're specifically talking about are the different roles, positions, separations of duties, and identifying who you need when. And this is important for growing organizations, because you probably started with no security professionals and grow to a point where eventually you need to start hiring. So that's what we're going to talk about today. And before we dive into some of the finer nuances, do one of you guys want to jump in and explain kind of the hierarchy of a cyber risk management team, or an information security department, however you'd like to label it, and describe the various roles and who's involved?

Sure, yeah. You want me to take it, Mike? I always wait for Mike.

Yeah, why don't you run with that. I wasn't expecting to think that hard this early in the morning.

Yeah, me neither. But golly, Zach, like, we can't be doing this stuff to us. I'm like, why? Like, you didn't even tell us what we were talking about today; it's just, by the way. Oh, and before I jump into this, for those out there that are listening to the podcast and you're filling out that sheet: stop asking me to talk about WordPress and Microsoft. I will not, I will not talk about WordPress, Microsoft. That's it. You should ask us to talk about something else.

You've already broken the names too many times.

I've already dropped the names of the unnamable too many times. We don't talk about the evil, disgusting...

So, all right, the who's who of cyber security, right. So let's talk about what that would look like. So what it looks like really today is one person with a bunch of hats. So you're driving your car listening to this, you're probably like, I am the security team. You know, like, what security team? I am the team. And that may be. Typically, right, when we go into a large organization that may already have some cyber security professionals that are dedicated to that role, I mean they're not IT or finance doing that role, they've actually brought in some cyber trade professionals, and we try to actually state that, hey, this is kind of where you should be going.

So I guess we'll start at the top; I guess it's easier that way. You need leadership. Now typically that leadership role, in previous places, has been referred to as a Chief Information Security Officer, okay. It can be a risk officer, it can be a risk executive, it can be a technology associate. It really doesn't matter what you name it, as long as the position is fulfilled by somebody who has been directed by the company to be the leader, or the focus of leadership, for cyber security in the organization, okay. So in most cases you'll certainly have somebody that's heading the department, right, the department lead for it. It could just be a manager, right, security manager. Doesn't matter what you call it; you have to have leadership and ownership for the security program at whatever organization you're working at.

Now, suspending disbelief that you're not the only one doing all this work, in a perfect world underneath the Chief Information Security Officer you would have a couple different tracks, okay. You're gonna have what I'll refer to as the architecture and engineering silo, right, we'll get into that. Then you'll have your project management silo, right, underneath cyber security leadership. And then you also have your compliance and governance silo underneath that cyber security leader. So going back over, am I on track, Mike? Did I miss anything yet?

Yeah, I mean, you're building out the ideal cyber security function.

Yeah, like if you had all the money in the world and you could just hire all the people and you can attract talent, that whole bit. So you got these three silos, right: you've got your architecture engineering, your project management, your compliance and governance.

So let's talk about architecture and engineering. That hierarchy should look like: at the bottom you should have your security analysts, right, and those are your entry-level people that would come in. And sometimes these terms can be interchangeable, right, and it's all going to be on your HR department. But I believe that there should be a professional development track for entry-level people, right. So if you come in, you shouldn't be an analyst for 30 years, okay. You should be an analyst until you move up to an engineer level, okay. So a cyber security engineer, or a security engineer, information security engineer, would be the next level up, okay. And you can tier that, right: you can have analysts one, two, three, and four, and they can have engineer one, two, three, and four. And then the next track up above engineer would be security architect, okay. And in some places these are called domain architects, and so you may have a bunch of domain architects for the different middleware and database and everything else you got, but you should have a cyber security architect as well that is involved heavily in the architecture that's being deployed for the business, generally speaking, and then has the focus in cyber security to look at that architecture and be able to determine where risks may be introduced, or where risks can be, you know, redacted. So that should be the track for architecture engineering: you start as an analyst, you move into engineering, and you move into architecture.

Now, the key to that is kind of its counterpart, which is compliance and governance. I'm going to jump over to the other silo, right. So your compliance and governance track: you have to do self-compliance, right. So you have to have compliance personnel that are looking at the business saying, okay, we made a change to the production website. Did the production change follow our procedures? Did it go through the change board? Did the architecture drawing make it? Did people sign off on the change before it actually got changed in production? So they're also going to conduct your PCI compliance and spot check you for ISO, or for SOC 2, or for any other governance, HIPAA, everything you've got going on. Your compliance and governance team should be facilitating the internal checks and balances for compliance and governance, okay, making sure that you are doing what you say you do. That you didn't just develop a policy that says, we do mobile inspection of all mobile devices anytime it connects to the network. Well, compliance is here to validate that when they connect a mobile device, that your network access control is checking that device, okay. They're validating that you do what you say you do, which makes audit time so much more pleasant. So these are very necessary individuals and a necessary team to have underneath that cyber security umbrella, right, underneath the leader.

Now, these individuals in some cases may not be technical, and that's okay; in some cases they are. I generally believe, and, you know, Mike may also, I'm not speaking for you, sir, but you may agree, that sometimes, in most cases, engineers will make better compliance governance individuals than just coming in having no engineering experience or IT build experience and just studying the fundamentals of what the framework is, in NIST 800-53 as an example. I think having engineering background for any of those type of compliance functionalities, as well as auditing or any of that nature, should be a requirement.

Thank you.

In order to understand, you know, it'll allow you to, it'll make for a better functioning environment. And not everybody wants to go from engineering into compliance, but certainly it is a career path.

Yeah, and it's favored.

Yeah, I didn't want to jump in there and say that, but you do get a lot of benefits if you can cross-track people from engineering architecture over into compliance governance. Because otherwise you may have a compliance governance individual, non-technical, that may draw a red line on a control state, and then it's going to be your architecture and engineers from cyber security, they're going to come and correct that person. So if you can float part-time people, or even rotate positions from the engineering architecture track over to compliance governance, you're certainly going to be a lot better off than if you bring just some book-smart people that have just taken the PCIP or the ISA and they're super well versed in PCI. They can requote, you know, compliance requirement 12.1 states this. Doesn't mean that they necessarily can translate that into the technical control that may be required. Now, I know 12 is policy related, so let's not draw conclusions on there, but a requirement, you know, as an example, for ports and protocols, those sorts of things, right.

And I think the real magic of making architecture engineering and compliance governance work underneath the cyber security umbrella leadership here is going to be the middle track, which is project management. And I cannot, like, stand on this line harder than I am now; it's almost as hard as hating WordPress. But you need project management in cyber security or things will falter. There is too much going on between your compliance and governance work streams and your architecture engineering work streams to not have project management oversight for all of those deliverables and all of those projects. So I'm not going to say that they're more important than your analyst or your architect or your governance and compliance individual, but they are the ringleaders of said circus.
A good PM is worth their weight in gold.

Oh my gosh, yeah. It's like, I'll trade you three, I'll trade you three governance, I'll trade you two governance compliance humans and one engineer human for one project manager.

Yeah, you know, they are a very, very important role, and it's hard to quantify that value until you actually have a good project manager working and you can see the efficiency that is brought to the work streams. It's just eye-opening, and then you get into the mode where you couldn't... It's just like right now, if we took everybody's internet away, people would lose their minds. But you couldn't, you can pretend to tell people how valuable the internet was going to be in the 90s; you just couldn't. People like, I read a paper, you know, I like flipping through my Time magazine, you know, I like waiting for commercials on TV, not that YouTube doesn't have commercials now. But you could not convince how wonderful and useful this technology is going to be. The same with project management: you don't realize how useful and beneficial these individuals are until you get them in your shop and they start working for you, and then you have to figure out how you ever lived without them. And so we have one of those individuals, and so I can speak from experience that Claire, our project manager, is a saint. She is the, if I will, godsend to our work streams, right, because it has helped so much. And we've been at a place, as Mike, where we've not had project management and we've suffered in corporate America, and then we've also seen the benefits when they do prescribe project management, how much easier those deliverables are to achieve.

You've also seen the downside of bad project managers.

Well, of course. I mean, you got to have a good project manager.

So, yeah, it's a two-edged sword, but you've got to find a good one. Barney life in there.

So you might say there's a slew of people involved in a complete cyber security department, obviously in a perfect world. So I appreciate you sharing that kind of the ideal. I think it's important to see the vision for a larger, more mature organization that has the resources to build this. But let's talk about those that don't.

They'll get there.

They'll get there someday, right. But those that are working up now. A lot of organizations, of course, start with outsourced services, right, third-party services. That's why we exist, for example, as a company. People will bring us on before they can have a security department and a fully staffed, multi-million-per-year expenditure type program going; they can bring on a company like ours, right. So a lot of times that's the first step for organizations. Well, I should back up a little bit. A lot of times the first step is to kind of try to figure it out yourself. Maybe they have a small IT department and they kind of put the tasks on them and say, hey, try to figure this out, try to get us compliant, try to get it done. That usually results in bringing in a consultant or a third-party service provider or something along those lines. And then let's suppose, for instance, the organization starts to grow. So we go in, we build a formalized security program, formal cyber risk management program. Now they're at the point where they can bring somebody internal. Who should they look for as kind of their first hire for their internal cyber security team, even if it's a team of one, a one-man wolf pack or one-woman wolf pack? What does that look like?

The single human wolf pack. I'm gonna go with engineer. I'm gonna go with the security engineer. What do you think, Mike?
I think it depends on what their compliance requirements are. So I think if you have, say, HIPAA requirements, or you have something of that nature, you're going to need someone with a compliance background. I think you need the engineering, but I think you need some of the compliance background as well. Again, it's subjective. Ideally engineering first, but you may need someone with a compliance background as well.

Yeah, if you're, like, embedded in HIPAA or something like that, then yeah, or PCI, it would be beneficial to bring in a compliance and governance individual that's well versed in that framework. What I see a lot of is, you know, typically, so what we recommend, you know, typically, because you made a good point, Zach, these departments will cost you millions of dollars in salaries alone, not to mention benefits, right. Because your average Chief Information Security Officer is gonna make a couple hundred thousand dollars a year, and your architects are gonna be below that, and then your engineers, I don't think you're gonna have anybody on your team making less than 80 grand at this point, right. So it's going to get very expensive. So typically what happens is leadership for cyber security has been double-delegated to another leader that already exists. So the IT manager, he's now the Chief Information Security Officer, right. He's been given that title because they don't have the money to hire another person. And then IT people will also get the double pseudonym of, you know, IT analyst slash security analyst, right. And that may work for a while too. And so, like you said, Mike, it's subjective. What are your real initiatives and goals that you need to meet, and what human is going to better serve that role for you? If you've got enough engineering in-house, that's really good, and you could leverage that, then maybe, Mike, in that case maybe the compliance governance person is perfect. They can cut through the requirements, translate them effectively to IT, IT can implement those requirements, right, and translate that to a control state. So yeah, in that sense it makes a lot of, like, practical sense to spend your money in that place. If you are already a leader that's been reading up on this stuff and you got your ISA and all this, you know, from PCI as an example, and you kind of got the dual leadership role, then maybe an engineer is a good idea to bring somebody in.

What I see, though, is a problem, is that you'll have somebody, okay, I'll use an example from a real-world instance here, okay. IT company, they have a help desk analyst, okay. The help desk analyst individual is actually acting in the capacity of help desk engineer, architect. They're doing the deployments, they're managing the tools, they're managing the compliance frameworks, and you're still calling them a help desk support specialist. I have a problem with that. And so while I can't, you know, I would never impact the practice of overpaying people in the business and all this, but you certainly need to reward your humans monetarily if they're doing above and beyond, and you certainly need to at least give them the title. Because I can guarantee you, in the world today, cyber security engineer, you're going to get a lot more job opportunities than help desk support specialist, if that was your previous title. If I hand you a resume and it says help desk support specialist versus cybersecurity engineer, there's just a lot of bots that are gonna scrape your resume a lot faster than the help desk support specialist title will. And it's not fair to your humans to put them in a very small box, a very, I'll say, non-maneuverable position, right, to kind of keep them in this kind of a low segment on your IT food chain and then expect them to do a whole lot of stuff. And I think that's rampant out there, right. We've served lots of organizations that are the one-man band, the one-woman band, right; they're one human facilitating the functions of the whole 13-person department, right.
Yeah, good. I was going to say I have a theory on that, and maybe it's a conspiracy theory, but I wonder if companies do that so that their people don't get poached by others, having this better title, right, a title that's more applicable to their role.

Well, there's certainly some human hoarding going on, right, with companies. They don't wanna, you know, there's a big move of resignation happening today, and it's not due, it's, in my opinion, it's due to bad leadership, yeah, okay. So if you lose your humans, it's because of bad leadership. If you give that human the working environment they're looking for, they have problems to solve, every organization, solve those problems and pay them accordingly, let them do the things that are fun to them, and be that good leadership, be that enabler to help that individual solve the problems for you. If you put them in a box and you try to kind of hoard over them, and I'll call it, like, work satisfaction suffocation, if I may, right, where they can't do the projects they do, or they come to you with problems and you consistently back that away, that's not important this year, well, you're going to lose that person regardless of what title or pay you've given them. So you can give them a million dollars a year and isolate them in a box where they can't do their job, and they'll still leave.

So to your point, I may not think... if they're getting rewarded well, they might stay. They might stay. I might sit in the basement with my red stapler for a million a year. I can't say I wouldn't.

I can't, I guess. That's a lot of money. Is there a job that might actually hire me to sit in the basement and do nothing for a million dollars? Maybe.

A very valid point, though. But yeah, everybody has their price.

Everybody has their price. Well, as an example, okay, look, I worked for a defense contractor at one point, and I got paid a lot of money to do this defense contract work, okay. And I had this project that I had to get done in a year, okay. So they're paying me to put in these pieces of equipment at a military installation. Well, I got it done in, like, five months, okay. It didn't take me 12 months; it took me five months to do it. They would not give me, they refused to give me, any other projects for the year. I asked in writing probably half a dozen times for new work; the defense contractor would not give me work. So I surfed the internet for another seven or eight months before I got a new project. It drove me mad, actually. I actually kind of threatened to quit several times, and I stayed on the premise of, well, we have a new project coming this week, we could put you on it, and then of course a week and a month would go by. The only thing that saved me was the Code Red worm, if you remember this, so this dates me, right. Not that you couldn't look at my picture, and Mike and I are not dated, anyway, right. You can always tell Mike's older than me, but I'm just kidding. Anyways, but the Code Red came out and attacked the military installation that I was at, and I got pulled in by OSI to help facilitate a forensic investigation and stop the attack. That was the only thing that saved my bacon for staying at that government contractor, because I was ready to leave; I actually had job offers. And after that I did leave, largely because they could not keep me engaged at work. They just couldn't; they refused to give me another project. And so I wasn't making a million dollars a year, and Zach, to your point, I probably would have stayed if I had been making a million dollars a year, but they were spending all that money on the million-dollar hammer at the time and not on their personnel. So right now, keep in mind that there are motivators, and we all know this, for IT people, to bit people, beyond money, right. So we want to do the job, we want to satisfy this need, we want to go ahead and solve problems and fix things and do our cyber security work. And so money is not always the answer when it comes to cyber security resources.

No, fulfillment at work, you know. I think you got to feel good about the work that you do. So getting paid a million dollars to sit in a basement, I mean, yeah, you're going to go straight crazy.

Yeah. I'd use that million dollars to start a cyber security company while I was working in the basement.

There you go, there you go, put it to use.
Well hey, let's talk about one more thought before we jump off here. For the organization that starts to build out their cyber security team, will you touch a little bit on when you start implementing separation of duties between IT and cyber security, and what that looks like? I know there's a lot of overlap, especially for a growing company, but at what point do you have the IT team kind of let go, so to speak, of the cyber security and maybe compliance matters?

Well, they'll never really let go, because you still need the IT teams to do a large majority of the work, right? You may have security engineers assist in building, like, hardened operating systems for IT to deploy, or you may have security engineers managing security tools like the vulnerability scanner, right? That doesn't mean that IT didn't build it for you and get it positioned for you so that you can use it. So IT still has to be super ingrained in the process. What I think really provides that separation is that the security individuals will come in and they'll digest the governance frameworks and say there has to be separation of duties, and what that kind of falls down to is change management. And so now IT says, "Oh, we've got to patch this Windows server, we're just going to patch it, it'll be done," right? And that may sound like a simple task. It's the same as "let's deploy a new Windows or Linux system and publish it to the internet"; that may sound like a normal task. Change management comes in with cyber security and says, okay, did we do risk impacts on this change that you're making? Did you make sure that you've elicited back-out plans, so that if you roll this code change into prod and it blows something up, you can roll back? Have you identified rollback plans for this? Have you identified risk impacts? So, you know, the IT teams sometimes are frustrated with IT security, because at first it can be a rocky road, but essentially what they're trying to do is provide that separation of duty so that IT's not making changes without the thought process or the change review by a greater group of individuals. Okay, the change board, right? The advisory board or a change board would include other leadership tiers as well as cyber security to come in and say, okay, this change that you're doing looks great because this business unit needs it, but you're actually going to be installing a version of Apache that's vulnerable to a zero-day, and IT may not know that. They're like, "Wow, that's weird, because the client and finance told us that we had to be using this version of Apache to host their tool." So that is where the security review and the separation of duties with change management and deploying changes is going to kind of save your bacon. Because, you know, IT is cooking in the kitchen, okay? The waiter says, "Look, these people want their steak medium rare, get it to me fast," and so you're trying to please the customer by getting that steak out fast, and once in a while it might get dropped on the floor and picked up and put back on the plate, and the customer is unbeknownst to this, right? And what has to happen is IT security has to be there to say, "Okay, well, we'll scrub that steak, we'll put another steak on, we'll tell the server to let the people know it's going to be one more minute. We want to make sure that their steak is done just perfect, so we'll have you wait just two more minutes." And so you alleviate this process of giving a dirty-floor steak to the customer by having somebody back there say, "Look, we dropped a steak. I know you're trying to produce it as fast as you can and as efficiently as you can for the customer, but let's just pause for a second and understand what's safe and what risk is assumed by the organization by making this change." And so I think that's where separation of duties really plays its role, because IT still has to do a lot of stuff; they still have to run the technology, but they have to do so with the understanding that change has to flow a certain way and that change has risk impacts that need to be analyzed by cyber security.
Well, if that steak is on the ground for less than five seconds, it's still good.

Yeah, I agree. I think that rule applies in cyber security, right?

Yeah. I mean, my thought is, if I drop the steak on the floor, I eat the steak that I dropped; I don't give it to the customers. I'm like, well, that'll be my lunch. You know, I've been standing here, my shoes are relatively clean, so I rinsed it off and I threw it back on the grill. It's fine, it's not going to hurt me, but I'm not going to give it to a customer. I mean, that's just, if you come to my restaurant.

Very well said, very well said.
Well, any final snarky remarks, ideas, words of wisdom before we jump off?

Stop using WordPress.

No, that's just common sense. That's just common sense.

Yeah, it's like, you know, don't look down at the street while you're walking close to street signs. If you're going to hire people, make sure that you are, you know, Michael, back me up here, make sure you're putting your money where it's most needed. And if you can't afford cyber security professionals but you have individuals being dual-rolled in cyber security and IT, it's honestly better for that human, for their morale and for the job that they're doing, to go ahead and title them appropriately, okay? It doesn't mean you've got to give them more money, but you need to give them the title for what they're doing. It's going to make them feel better about the work that they're doing and the part in the world that they're playing in your organization. So make sure that you're treating those humans well, and in return I think you'll find the return on investment.
Most certainly. Yeah, if you're worried about giving them a title and then they're going to leave because they've got the nicer title, create a career progression thing for them, give them training, ensure that they don't want to leave, create a good environment, be a good leader. I mean, it's as simple as that. Think about it this way: if you're an IT manager or cyber security leader and you've got individuals, and you're listening to this podcast, you're sitting in your car, I understand, I see you, that's a very nice shirt by the way, but I want you to ask yourself one question: if everybody left tomorrow, all of your people, could you do the job that they do? Could you step in there and do all of those jobs? If you can't, then you rely on those people, you need those people, you need to act accordingly, you need to treat those people accordingly. Because if you can't just waltz in there and do all the jobs, because you've angered individuals and they've left because you've created a bad environment; now I'm not saying you created a bad environment, no, the light's green, go ahead and go. But I'm just saying that if you can't step into those roles and do all of that yourself, treat your people nicely and kindly and be a good leader.
Yeah, absolutely, the golden rule. Well, thank you everybody for joining us today. I hope you enjoyed the podcast. Please subscribe, check out the book on Amazon, and again reach out with any questions you have, topics for future discussion, all that good stuff at cyberrantspodcast.com, and have a wonderful day.

Pick up your copy of the Cyber Rants book on Amazon today, and if you're looking to take your cyber security program to the next level, visit us online at www.silentsector.com. Join us next time for another edition of the Cyber Rants podcast.