
Zero Trust has been a thing for a few years now, and people have leaned into it. However, Booz Allen’s Commercial Practice is changing that narrative and looking to the future to evolve the notion of Trust. In this episode, Matthew Stephenson welcomes the Vice President of Booz Allen’s Commercial Practice, Luke Simonetti. Luke explains what Dynamic Trust is and how it differs from Zero Trust. He also shares what being intentional means regarding security and not being a weak spot in the organization. Don’t miss this episode if you want to hear more from this informative chat about keeping the world secure.
Dynamic Trust And Zero Trust – What’s The Difference? With Luke Simonetti
We are always excited. I try to stay on the hinges of excitement all the time, but we are happy to welcome Luke Simonetti to the show. Luke, interesting story, two tours at Booz Allen Hamilton, separated by some quality time at a couple of companies that you may have heard of, but serving as the Vice President of Strategic Consulting and Advisory Solutions in previous lives, have several years in security and a couple of companies that may get your attention, Gartner and Pricewaterhouse Coopers. Welcome to the show.
Thank you so much. It is a pleasure to be here. I love the way that you introduced the tour concept there. It is one where it is always near and dear to my heart. I came back for two rounds here at Booz Allen because I didn’t have enough of helping companies succeed. I’m happy to be here and have a fun conversation. I’m sprinkling a little security while we are at it.
I liked when we were bouncing back and forth the ideas of what we were going to talk about, and when I sent you this, you replied to the idea of your introduction with the word tour. I want to give you some credit and respect for that because you responded by saying that you are sometimes hesitant to use the word tour because you are not someone who has served, but you have worked with a lot of people who have. I hate the notion of, “Talk about that a little bit.” I want to ask you that question. It is meaningful that we use that word flippantly and you don’t. That is cool.
I am always a little hesitant to use that term, or I use air quotes. I have the utmost respect for our military service members. I have a number of friends that have been deployed multiple times overseas in actual action. I am hesitant to use it, but it is one where I garner the sense of being mission-oriented from my experience and exposure to them. I apply that to the way I think about my career. As you look at my history, look me up after this show. You will see I have been around the block once or twice from a skills perspective block.
You designed the block, you built the block, and you helped pour the concrete on the block. Let’s respect where it is due.
I try not to, as my wife would say, “Don’t have an ego too big to fit through the door.” We talked about the tours where I got asked to come back, and it was like, “My mission is not done.” I wasn’t able to do as much as I wanted to while I was at Gartner. I was running their security consulting practice. It is a fantastic organization. We did lots of great work, but we had to stop at a certain point. We were never able to finish and help companies move forward with their security programs or even help move their businesses forward. I use that to that tour language succinctly to mean I’m helping companies achieve their missions and achieve them securely at the end of the day.
This is a record for the show. We blew up the outline before we got to question one. In the guest intro, we strayed from the things we were going to talk about. All of that being said, let’s dig in. It is always the worst. You have to guess with a good personality to match his or her very impressive CV. You guys are doing something interesting at Booz.
Zero Trust has been a thing for a few years now, and people have leaned into it. There have been some interesting things going on with the notion, the technology, and all of that. Booz is looking to the future to evolve the notion of trust and what you guys are doing, you refer to as Dynamic Trust. For people who may roll their eyes a little bit, and they were like, “Another marketing term,” it isn’t that. How does Dynamic Trust differ from Zero Trust?
I’m a consummate consultant at heart. Marketing is part of my job and throwing out the, “It depends,” which is my favorite consulting answer all the time to folks. When we think about where Zero Trust is, or even where it came from with Google and the BeyondCorp model, it is one way where we want to secure what is the benefit or what is important to an organization by trusting no one. Great in terms of protection but not so great in terms of being usable from a user standpoint here. How do we start to allow access and take it even further than that to do that on a dynamic basis?
We are locking everything down, and maybe we have granted some access, but what about the concept of allowing users access to things? They are supposed to have access. What happens when they get compromised? They are doing some extra things that they shouldn’t be doing, or they don’t even know any better. How do we dynamically make that decision from a risk-based standpoint about what they should have access to?
Even if they’re normally supposed to, what if X, Y, and Z or A, B, and C, those activities say, “Maybe we should not give them access to the financial records or something like that right now, even if normally we would?” It is moving that concept before to make security easier for the user but also beneficial. We are still protecting everything but not getting in the way unless we need to get in the way. It is what we are trying to look at here and leveraging technology to do that and some behavioral science behind the scenes to make it look ahead and be that Dynamic Cyber Trust underpinning.
Are we going to get philosophical right off the bat here? I think we are. We will go ahead and light the campfire, sit around, and start singing songs. When you look at the words to define, full stop, brick wall, and Zero Trust, as opposed to the notion of Dynamic Trust, there is fungibility there. Dynamic means that it is a moving and adjustable thing that works with it. Do you find that people have been receptive to the idea of something that is dynamic as opposed to something that is zero?
It is a journey for clients. When you spend some time and talk about it, like, “We want to restrict access to everything,” it depends. That is where I’m coming back to my consulting answer. Their willingness to accept that depends on their understanding of security at heart. Do they understand, “This is sensitive stuff, we shouldn’t let anybody have access to it?” If you talk to the business user, “I do need access to that to do my job, and now you are making me jump through all of these hoops. You are blocking me from it. How am I supposed to do that?”

Wouldn’t it be better if we could make a decision on the fly for somebody to say, “You need access to that, but because you did X, Y, Z, you are not right now. Get better and come back again.” Use it to elevate their level of security and understanding about why they are being denied access versus saying, “You are done. Do not collect $200. Do not pass that deal.”
Booz has a huge range of clients. They are a large defense contractor, but you also do a lot of commercial business. I’m not looking to name names, but I’m thinking about the various cultures that you have worked with. What have you found in your experience, and even going back to previous gigs with Gartner and PwC? When it comes to the human element of security and when we’re talking about insider threats, it is not people that are actively trying to do horrible things, but what are the general failings of people? What are the general failings of the companies that need to help their people get better and be better?
I will harken back to my days doing some red teaming and pen-testing. It is fun. I will be honest. I don’t know what it says about me when I go into this story, but this is part of what I would do when we were doing pen testing clients. They would pay us to do this. We had to get “get out of jail free” letters, but we could do some social engineering, which was both the telephone-oriented stuff for those Kevin Mitnick fans out there.
Don’t be shy. We had a guest who was paid to kidnap an executive from a bank. Please let it be.
I never did that, but we did do physical penetration testing too, which also had some social engineering aspects to it. Let’s say I had a high success rate. I don’t know if that means that I was a good or convincing liar to people or if I have a trusting face. It is one where you look at that or take a step back and think, it is my personal experience, is there a deeper underlying problem where people don’t understand the risk? We are not looking at the human side or the human element. People can easily say, “People are the weakest link from a security perspective.”
In some respects, it is true. When you look at the commercial clients and industries we work with, there are varying shades of gray. If you look at financial services clients, they have a strong security culture. They understand that attackers are going to target them because that is where the money is, pun intended. When you look across the landscape at people like manufacturing organizations, maybe they are building some good ways.

Think of the chip manufacturers now. Many different thoughts there. They may understand we build great things for clients, but who would want to come after us? Why would they? How is our part or responsibility for protecting the company tied in? Is it, “Security got their hand on this. They are doing okay, and we will be fine. I don’t need to worry about that.”
It does blend in, and I like to use a lot of different analogies in my job. I spend so much of my time talking to boards and executives now. Less of it is in the deep technology, not sitting bolts, building the block, from the example you gave before. When you look at it, a lot of it is storytelling. Think about it. How do you tie in to make somebody care or understand it is partially their responsibility? I gave you a good example. When you leave your house in the morning, do you lock your own doors, or do you call the cops to do it?
I have heard the cop analogy, but that was not the one that I had heard before. I thought that was great.
If you make the example real and you think about these are real people. They have a responsibility to protect. Security is everybody’s responsibility, but they have a responsibility to help you protect the house or the company. Can we leverage that and help them get better for their own lives? How many times have we heard people be the victims of identity theft, different scams, or getting phished all over the place?
If we’re not only protecting the organization and doing everything we can, checking from a security standpoint, making sure we have locks on every door, we have the security cameras everywhere, and everybody gets issued the badge. We are not stopping tailgating. We are not stopping people from coming in or coming back to that other analogy. You can’t have the expectation that the cops are going to come and lock your door every morning. Their job is much bigger in scale than that. They are protecting every house on the block, not just you individually there.
Thinking about that and using that bit of how we influence people to make better decisions about security, using that information and understanding why they are making mistakes to help inform and drive that better decision-making while protecting the house is a dual-factor approach. We get to help them help themselves, but we are helping ourselves from a cyber perspective to make decisions about; should that person have access to that or not. It is true when we think about full circle, Dynamic Cyber Trust in that case. It’s an interesting topic to dive into. We could spend the rest of the talk going to find different stories.
I do want to give a quick shoutout to legendary bank robber, Willie Sutton, as you subtly dropped in the, “That is where the money is.” For those of you who may not be aware, he was a contemporary of John Dillinger. I’m not 100% sure this happened, but the legend is that a reporter asked Willie Sutton, “Why do you rob banks?” He said, “That is where the money is.” Your job is not necessarily to put Willie in jail but keep Willie from getting in. You also need to deputize everyone.
Addressing the notion of personnel to make them aware of their responsibility without being, for lack of a better term, big brother. How difficult is that for you, especially coming in as a consultant? It’s one thing when you are “part of a team.” It’s another thing when you are someone that the team has brought in. How difficult does that make your job when you are standing in front of a room of people who feel that they know how to do their job and you are here to tell them, “You might do it a little bit better?”
It depends again here, but you get to learn.
Everything that he is about to answer opens with it depends.
We will say that normal answer from now on. We will see if we can stick to that. To your point, if you are walking into a room like an InfoSec room where people are security aware, it is one where you do have to know the audience a little bit and know how to talk to them in the right way. Put it in the right context, analogies, and pieces.
At the end of the day, this is where the fun is from being a consultant they hired you. They are looking for your opinion to challenge your opinion. That happens from time to time, but at the end of the day, they hired you to come in and help them do better. Some of it is to challenge their thinking too. Whether it is, “We got all these controls out. We got a completely locked-down environment.” Okay, but are you enabling the business?
I spend a lot of time working with clients doing risk assessments, helping them understand where they are, where they should be, and how they get there from a generality standpoint while super detailed. At a certain point in that journey, you flip from, “We are good enough. We got a lot of good things in our environment. Maybe we need to be a little bit better in security, but how do you know where and how?” It is not checkbox compliance, but we need to get the foundation in place first. If we want to go further or we want to put some extra façade and some fancy things, if we use the house building analogy, is that going to be worth it? Is it going to help the business? Are we going to be able to use it as a differentiator? Are we trying to be anticipatory of where the business is going?
I’m a big fan of Simon Sinek, Start With Why, as an example. If you think of how we are trying to get ahead of some of the things, the business is doing. Let’s say you are a software development company. You are developing things. Speed to market is a big issue. We want to push out the next update. What if we change to say, from a security standpoint, we exist to develop secure products hosted on secure platforms that enable a secure end-to-end ecosystem across some element there?
When you change that story and the way you present what you are doing to their business, it completely changes the way that you are going to be respected or brought into the conversation. When we think about how the CISO work positions itself to be that enabler, it is meant to help the business at a certain point, not be that department of no to come back to an older consulting term in this case.
That transition is coming back to knowing your audience element and helping them to understand how these other people think. How and why are we trying to do something and using their terms or putting it in their context to drive it forward? That is where the whole behavioral science component comes into improving security for an organization.
That is going to be episode three when you and I do an entire thing on the behavioral science of security. Let’s talk about the notion of the user. As you said, “These are security-aware and security-savvy people.” How do you get better? What is it that you can show these are people who are almost by definition data-driven? What you are talking about coming in here is the notion of, “I hate this term soft threats.” It is social engineering. You are a good liar. I’m a good liar. This is why we do what we do.
They are going to be the ones that are going to want to see it. “Show me the data.” Is it a credit score that they want to improve? Is it a golf score that they want to decrease? How can you get the message across, “We can quantify what you do?” The gross relative is like, “You might want to consider this.” We can say, “These are some things where you can improve.”
Thinking back to where we started this conversation, one of the things I should have started with when we were talking about was, “What is Dynamic Cyber Trust and how does it work?” This isn’t Booz Allen doing it by itself. We are going into a strategic partnership with a company called Elevate Security. We help enable that model.
When you get into the data pieces, and it is one of the reasons that I have championed Booz Allen in this partnership with Elevate is that access to that data. For folks out there that love data-rich environments, it is a different look at user behavior in organizations. No longer are we looking to be punitive like UEBA or User Entity and Behavioral Analytics tools. We are looking to use it to help them improve themselves.
I love using the credit score analogy because it is a way to think about how we are scoring behaviors from an organization. When you think about how credit scoring works, how many accounts do you have? Are you paying on time? You think about those little pieces that factor into that. How many times have we had credit checks coming in? All those things build up to a number. It is a philosophical debate on that in a different conversation but how you are judged about your creditworthiness. The higher the score, in that case, the more creditworthy you are.
From a user standpoint and to your point is where we use the inverse of that from a golf perspective. This is the way Elevate does it, and I love it. The lower the score you have, the better. Using that credit-scoring mindset, we are looking at activities that are happening. You are doing and using that to generate a risk profile with some magic and algorithms behind the scenes to generate that golf score. The lower you are, the better, and the higher you are, the riskier you are of things like account takeover, being phished, or being something else but data-rich. Here is exactly what you did and why it is related to a higher score in this case.
Here is how you improve your score. Not to name names, but there are credit scoring things out there where they can say, “These are the behaviors that are going to influence a change in your score.” If you go do them, whether it is a training activity or it is like, “Reduce your debt in X, Y, Z manner. Consolidate your student loan debt.” Something like that but using that same methodology to apply to security behaviors now.
If you want to get better, take this training, or stop and think about this. You can introduce a little bit of gamification. It is switching that mindset from being punitive to where we are looking for the malicious insiders to unintentional insiders, from insider risk standpoints, but trying to improve them. They protect the house or the company a little bit better, but as a tangential benefit, they protect themselves better. They are less likely to fall victim to some of that stuff in their personal lives.

If we want to get a little even hippy about it, it makes them better professionals. It gives them a better handle on what it is they do and what they should consider. There is something else that you said when we were talking to get ready for the show, and this is such a great line, especially as to how to get buy-in from people to recognize their soft spots or their weaknesses. You said, “Be intentional about what you want to say and why.” Intentional is such a great word in this. What does that mean in terms of security not being a weak spot in the organization?
I love using this phrase. It is so much when my team called it my management word of the year. It comes up in many conversations, and I use the, “We are going to be intentional about this now.” It is applicable to many different things. Think about why. Why are you doing what you are doing for a particular area? We want to reduce risk in an organization. Why do we care? Why is somebody or the person we are trying to influence?
What is going to get them over the hump? How are we going to convince them that this is something they want to do? Work backward. What outcome are we trying to achieve for an organization? Is it a reduced risk of ransomware? Is it a reduced risk of account takeover that can lead to X, Y, or Z? Why would they care about that? We don’t want to get breached. We don’t want to be in the Wall Street Journal.
Security’s heart is a risk reduction measure. That is why security exists. You are there to understand, classify and help provide potential solutions to organizations to make a decision. To go off-topic for a second, but when people ask, “What is governance in an organization?” it’s nothing more than the process by which you make decisions about risk. You have to inform them. When you want to be intentional about a particular decision you want to be made by the business, you need the business to buy in, and you explain the problem.
Whether it’s adapting that or thinking about it, I call it looking up from a security perspective. What’s their mission? What are they trying to achieve? How do we help them do that in a secure fashion so that we are not a roadblock? Being intentional about stuff is spending the time to think about it and not doing security for the sake of security. We have a purpose behind it. We are explicit about that purpose.
Without naming names, organizations, regions, or anything like that, do you have a good winning over a curmudgeon story where people came in and examined everything they were doing? They were like, “This is our analysis. These are our suggestions. We think this would help your organization.” Somebody was like, “No.” A little while later, I was like, “That was a pretty good idea.”
I’m trying to think of a good example for that one. There have been some fun times in boardrooms where they get surprised when you go. There is a story that I probably can’t talk about in any length of detail.
There may have been a room of five people at 4:00.
There was a curmudgeon security organization where it wasn’t so much like the CISO that was a challenge. It was more his counterparts, the CTO and the CIO, where there were differing opinions. They were trying to obfuscate some things from a security perspective when we were doing both an assessment and some technical work with them, like pen testing and so forth, trying to patch things over the weekend and so forth right before we did pen testing to cover their own butts. It all came to light in a board briefing because I personally have a lot of integrity.
The board hired me. I’m going to give them the truth. We had proof that there was some various stuff going on, not nefarious, but suboptimal things going on. It was messaged in terms of how we were presenting to the board. The chairman of the board stood up and said, “We are going to go into executive session now. The management team, you guys, go out, and you stay. Through the report, what is the real story, and how do we win this over? Why are we doing this? What do you think about this deal?”
It was interesting but to the point where you meet, circle back to being intentional. We did push back on that management team a little bit in terms of how we worded certain things. It would come across as clear that they weren’t necessarily power words or the whole story for a particular situation. I’m not trying to push to get that executive session but to say, “You might want to double-click into this deal.” That was an interesting time and the only time where I had the chairman go up and throw that report into a trashcan in the middle of a meeting. He goes, “What is the real story?” That is a good reminder that boardrooms can be fun at times and uncomfortable.
That is a physical and aggressive example of that, “Throwing that in the garbage. Everybody out except you. Let’s talk.” This was one I don’t think we were going to talk about, but it has been in and out of conversations with guests across the show, but since you brought it up when you are meeting with boards, do you find that there are people that are security natives? Is the number growing? Is it shrinking? How do you feel about who is sitting at those tables when you need to have those conversations?
We are going to go back to my normal starting answer. It depends. I come back to that industry segmentation there. We are seeing some cyber-savvy board members or even technology-savvy, but tying that to what industry they are in, like software and high tech, we got tech-savvy board members and some cyber-savvy ones on there too. If you look at other organizations where they don’t have to be tech-savvy, they are more titans from that particular industry. There is less of that.
What is interesting is that over the past couple of years, I have started to see that dynamic changing a little bit. We are starting to see a little bit of an acknowledgment that we want to be a little more cyber-savvy. That has been pushed a little bit by organizations like the NACD or the National Association of Corporate Directors. They put out a lot of things around cyber risk. The big stick that is being used in this case is the SEC.
For publicly traded companies, there is a new rule coming out. I’m trying to remember if it has been published yet, or if it is an interim rule where those organizations aren’t going to get a choice. They are going to have to have some cyber security expertise or representation on the board because it is a huge issue for organizations. We will see that quickly change. It is open to interpretation on how it is going to change yet, but it will drive and shift going forward.
To come back to the underlying question, how savvy our boards are now, and how do you talk to ones that aren’t? That is a fun conversation. Using analogies is fantastic. I got one. It is great. You feel free to steal this one. It is like, “How do you explain network segmentation to somebody that has no concept of how that works?” It is a good analogy.
You know the floor plan of a brownstone. I’m thinking of the New York brownstone. It has a portico. You have it in the main living areas. When you are in the portico, you are in the house, but you are not in the house. You are in that little lobby area before you get in. That is like a DMZ. Once you get in the main door, you are now in the general user network. We can get access everywhere.
The developers and their development environment are out back in the sandbox. All your secure stuff, the stuff you want to protect, is downstairs in the basement, in a secure enclave, and in a safe somewhere. Using that analogy element there helps to visually connect people there. The floor plan analogies, for people that have brownstones, they get it. You pick your regional analogies from a house layout standpoint, but it works to break down a complex topic into something you could easily consume. They get it.
Anybody who doesn’t live from the Mid-Atlantic up into New England or Chicago has no idea what you are talking about, but for that segment of the population, we are there. Stick with this, but also tying in. This is going to be the last one. Another term you used when we were talking was the notion of creating frictionless security and tying that into the question about the board. The boards want smooth, they want growth, success, and good news.
Unfortunately, your role doesn’t always mean delivering the good news. When you talk about bringing in new ideas, culture changes, and technology solutions, how do you reduce friction not from the boots on the ground but at the level of whatever the highest level of DOD is if we want to make the military comparison there in order to make it frictionless so that people accept this and things get better?
That was probably two topics ago, where we went on that fun analogy tangent. When you are intentional about what you are trying to do, in this case, we want to have security. We want to do things securely, but we don’t want to impact a person’s ability to do their job, to capture a particular segment of market share, or whatever piece you want to tie into that.
When you think about it from a frictionless standpoint, we want to be as transparent to the user as we can be. When we bring it all back around to Dynamic Cyber Trust and that element of being dynamic, it is the fact that we are looking at the activities that you are doing and making a dynamic decision, but you don’t see that until you need to see it.
That is the idea of being frictionless. There is a lot of security happening in organizations, and we don’t want to be an inhibitor. We don’t want to get in the way of people being able to do their jobs quickly and efficiently but introduce that recognition to folks that say, “This is sensitive. That is probably not something you should be doing.” That is where that training aspect comes in. When you put it in their terms and context, it helps to train, inform and drive the right culture.

When we think about the way that Elevate and Booz Allen are working together, it is a culture change engine to an element to the human risk side of an organization, but in a frictionless manner. You are thinking about it less from the punitive standpoint, but the enabling standpoint and not getting in the way, but rather enabling is where that idea of frictionless comes from. It is talking about two terms where we are helping you help yourself, and as a benefit, we are helping ourselves at the same time. It is a joint benefit in that way.
Enough about all this nonsense. Let’s talk about you. Leadership Corner, what is on your playlist? What are you reading? Magazines in the bathroom or on the coffee table. Are you cooking? Are you gardening? Do you watch Aussie rules football? What is going on?
I’m disappointed that they discontinued The Garth Channel. I have eclectic taste in music. I listen to music all over the place. It depends on the mood and what I’m doing, but it can be jazz or classical. It can be AC/DC or rave music. You are looking for the beat for some of it. It depends on what I’m doing and where.
What is the last song you heard?
It was called Soul by Lee Brice. Great beat and a decent one. It is country music, in that case. I live in Central Pennsylvania. It is a rural area here. I grew up to that. That was the last one. That was before this show.
It is about the hard-hitting journalism that we do here on the show.
You asked about what I read. I travel so much, and in my first tour at Booz, I had anywhere from a 1 1/2 to a 3 1/2 hour commute every day to and from my client site. I picked up a lot of audiobooks. I have my earbud in all the time when I’m traveling, but I mix up what I’m listening to. I’m a big sci-fi fantasy guy. I call it right-brain listening, where I will listen to that stuff.
It is to do something completely different and disconnected from work, but also the left brain activities. They are different. Whether it is biographies, I’m in the middle of the Alexander Hamilton biography right now by Ron Chernow. I got This Is How They Tell Me The World Ends. It is by a New York Times author, Nicole Perlroth. It is a cybersecurity perspective, and it is an interesting book.
It is the third time someone has name-checked that book on the show. That is one that important people are reading, dear readers. You may want to check it out if you aren’t familiar.
There are some classics on there, too, like, how to get better leadership books, how to connect with different generations, and be a better manager. I’m all over the place in terms of reading. When I’m not traveling or when I’m visiting my family at home, and my stuff, I have four kids, so they take up a lot of my time. Mowing the grass and cooking dinner are passions of mine.
I’m doing some other outdoor activities like fly fishing or some other fun outdoor activities that get into boating and other elements. It’s a big outdoorsy element to it too, but also family oriented. Cooking is a true passion of mine. I do the normal cooking, and my wife does all the baking. It’s a great dissection of responsibilities there. It is a lot of fun.
I love the notion of normal cooking separated from baking, like baking is abnormal, but we will go with that. I get it. It is chemistry. It is a different thing.
In baking, you have to follow the ingredients list. The bread won’t rise if you don’t follow the directions. People will ask me for recipes. I’m like, “I don’t measure things. I wing it as I go through.” Not that it applies to my career, but I’m constantly tweaking it and trying to change something. I know the rough measurement I’m looking for in my head, but to write it down and give it to someone, it is not going to taste the same as I make it because I’m testing it as I go. That is a good thing or a bad thing. I’m not putting my fingers in everything every time or using the same spoon. Anybody that eats my food, that is not the case. I am using a different implement every time, but I picked that up from my executive chef friend.
That is officially going to be the theme of your next appearances. How does cooking influence the way that you help save the world from the cyber bad guys? This is probably the key question to close out everything. Kenny Pickett or Mitch Trubisky?
I don’t know if I can answer that question. I feel like that is a setup.
Is it because they are both terrible or because you like one more than the other?
I don’t know if I want to pick one or the other. I don’t know what that says about me. I’m going to make you guess and all of our readers that are reading this.
Let’s go back to Consultant Theme 101, it depends. Shameless plugs. What do you get going on? What does Booz have going on? Are there any social media? Are you writing? Do you guys have good research reports, live events, or anything like that? I’m turning my mic off and letting you go.
Everybody can find us pretty easily at BoozAllen.com. If you want to search for what we do from a commercial perspective, navigate to the commercial markets and the commercial page there. We are active on LinkedIn both from a guerrilla marketing perspective as well as individual Booz Allen employees going to do some different things around 55 seconds in cybersecurity, for instance, or providing some of those elements. We are working on a series with our partnership with Elevate on some blog posts, some other potential articles, and such coming out. Who knows? Maybe we will continue some elements on these shows and explore some different topics in the future going forward.
We have a number of different events that we attend throughout the year. Many of the ISACs were out there. I will be out at FS-ISAC. We got a presence at NetDiligence and maybe potentially some RSA or some speaking at RSA. We are going all over the place in terms of what we are doing around this Dynamic Cyber Trust offering as well as more broadly when you think about what Booz Allen commercial does from strategic consulting to advanced cyber defense to security architecture and engineering, and when stuff hits the fan being there to support you from an incident response perspective. Look us up. Look me up on LinkedIn. I’m happy to chat about that. Send me a message or look at some of the posts that were out there. That would be a great time to connect.
If you haven’t noticed, Luke is happy to chat, which is one of the great things because sometimes people don’t talk enough. Who should? This is someone who is willing to talk and has good answers and information. That’s it for now. Thank you for joining us on the show. For more information and all that is good in the world of cyber security, and how to help everyone inside and outside of your organization stop being as threatening as they are, whether they know it or not.
Make sure you check us out. You can find us on LinkedIn and Facebook. The mothership is ElevateSecurity.com. You can find me @PackMatt73 across all of the socials. For Luke, even though I said shameless plugs, he didn’t plug himself. He was too busy talking about the mothership. One more time, Luke. For people looking for you, where do they go?
They can find me on LinkedIn. Pretty straightforward. Luke Simonetti, or reach out to me via my email. It’s Simonetti_Lucas@BAH.com.
Get out of here. You can find the show anywhere that you go. All we ask is that you subscribe, rate, and review but I am going to rip this off from my guy Bomani Jones. If you review us, please give us five stars because if you give us four, I am inclined to think you are a hater. Make sure you check us out because that way, you will never miss all the great folks who are coming on the show, helping save the world like Luke. Until then, we will see you next time.
Important Links
- ElevateSecurity.com
- LinkedIn – Elevate Security
- Facebook – Elevate Security
- LinkedIn – Luke Simonetti
- Simonetti_Lucas@BAH.com
- Booz Allen Hamilton
- LinkedIn – Booz Allen Hamilton
- BeyondCorp
- ISACs
- FS-ISAC
- NetDiligence
- RSA
- NACD
- Start with Why
- Alexander Hamilton
- This Is How They Tell Me The World Ends
- @PackMatt73 – Matt Stephenson
About Luke Simonetti

Luke Simonetti is a Vice President in Booz Allen’s Commercial Practice and leads the firm’s Strategic Consulting & Advisory Services Portfolio. He and his leaders help clients to understand and envision their current and future Cybersecurity goals. His portfolio works with the top clients across industries to help them address the top Cybersecurity issues they face while achieving the business goals the organization desires, using an outcome-driven, risk-based approach.
Luke is a seasoned professional with a variety of technical and executive-level leadership positions in both the Federal and Commercial markets. Prior to joining Booz Allen, Luke was responsible for the Global Security and Risk Management Consulting Practice at Gartner. He has served as an Executive Team advisor, team leader and experienced information security subject matter expert, with deep levels of hands-on experience in network security, application security, information protection, business/IT integration, security operations and monitoring, process improvement, risk management, and board of directors/senior executive communications. Luke holds a BS in Information Sciences and Technology from Penn State University and maintains several industry certifications, including Certified Information Systems Security Professional (CISSP) and Systems Security Certified Practitioner (SSCP).