Securing Humanity is a collective responsibility. In this episode, Matthew Stephenson interviews Elsine Van Os, the founder and CEO of Signpost Six, Insider Risk Management consultancy firm with behavioral science at its heart. Elsine discusses cybersecurity and risk management within the organization, and shares the psychological aspect of it all. Elsine also drops gold nuggets and information bombs on psychology, security, technology, and more. Tune in now and learn what it takes to keep our world secure, one person at a time!
—
Listen to the podcast here
Elsine Van Os: Securing Humanity… One Person At A Time
We are bringing you the top experts in the industry for a chat about all that is interesting in keeping our world secure. Speaking of keeping our world secure, I get excited about this, but we are excited to welcome Elsine Van Os to the show. She is the Founder and CEO of Signpost Six, which is an insider risk training and consulting firm that specifically works to help organizations retain the value of their critical people assets and intellectual property while mitigating insider risks from nation-state espionage and organized crime.
She is also the Owner of Signpost Film Production, where their goal is to bring scientific research and balanced viewpoints into the everyday lives of people through film, specifically documentaries focusing on security-related topics. All of that being said, they produced their first documentary in 2018, which is known as Edward Snowden: Whistleblower or Spy? Stick around. We might talk about that a bit later. She also sits on multiple boards focusing on cybersecurity and intelligence that deal with both the private and public sectors.
—
Elsine, welcome to the show.
Thank you so much, Matt. It’s great to be here.
I can’t even imagine how we’re doing this. There’s the time change. You live in the Hague. I just violated your OPSEC there. Let’s dig in right away because something is fascinating about where you come from and how it has delivered you to the spot where you are. You are a clinical psychologist with a career in the intelligence world. With this background coming into doing all of the things that you have done and continue to do, how does this perspective give you a different view of the human element of security?
First and foremost, I studied Clinical Psychology, but clinical psychologists would say I’m not a clinical psychologist because I haven’t been a practitioner for a long time. I started my career basically in the forensic clinic at first, which was quite an exposure for me. Working with the most severe perpetrators, mass murderers, and terrible situations, I’ve seen the extremes of how people can go in the wrong direction. I lost my naivety immediately. Sometimes I wish I still had it. That was my starting point in working life. I realized these things are not just from the Hannibal Lecter on TV. I don’t want to exaggerate, but the experience was quite extensive and confrontational.
That’s where psychology started for me. It’s in the extremes. Immediately thereafter, I moved into the Ministry of Defense, more in the intelligence and security sector and went on from there. It’s been a short stint in psychology itself, but it has dictated and informed me throughout my career all the time around security types of incidents. I’ve worked in intelligence and security my whole life, and incidents always come from humans, whether it’s broader societal trends around terrorism that I’ve been focused on or individuals who commit malicious types of acts from all of these angles. It is always that one individual that has conducted a certain malicious act. You come back to that individual and psychology again.
Mass murderer and Hannibal Lecter in the opening answer to the question.
Sorry, what a start.
It’s fantastic. Seriously. Who’s not going to stick around? We could talk for four hours and we’re going to be like, “When is she going to get back to the mass murderers again?” “We mass murdered somebody’s data. That’s what we did.”
How do I bring this back to normalcy?
Normal is the last thing we want. I need to take a breath and think about the notion of that. As you made the transition, I couldn’t imagine a more intense situation than sitting across the desk from someone who has done something that horrible. Now you have been doing things where you’re sitting across a virtual desk dealing with people who are doing horrible things that affect hundreds, thousands, millions, tens of millions of people, whether it’s a nation-state actor or a villain in general. Of course, we blew this up on question number one.
Where’s the intersection to that? What do you bring out of what you first started out doing as young Elsine? How does that thread its way through your approach when you look at these things, both from the protection angle of what we like to consider the good guys and anticipating what the malicious actors may be doing?
What is interesting is that my career started on an extreme-angle of things. You see where it can go in its worst direction, but you also know it’s a pathway. The realization that you get in working in a forensic clinic, these people look like you and me. They come from similar types of backgrounds and oftentimes not, but it’s a pathway that they went through and it went more extreme. It didn’t start like that. Bringing it back to normalcy and business as well, if you know the extremes, you want to prevent it from happening. Prevention starts with minor development. Sometimes even an organizational culture that’s conducive to a more toxic type of leadership or small infringements of the organizational norm.
You want to be there at the earliest stage to keep a healthy work environment and ensure that people don’t derail within the organization. It’s been a bit of a journey for me coming from this type of extreme and bringing it more to normalcy, everyday business, and preventing X from happening. I’m not naive, that’s for sure. A lot of people are naive when it comes down to their business and trust in each other, which I understand. I’m a trusting person, even knowing my own background and what I’ve seen, so I understand that trust point of view. You do need to verify, keep each other in check and make sure that people are not derailing within the organizations.
You use the term normal people so I’m going to jump to what was going to be a much later question about the film production company. You have had to deal with distribution and competition, whether it’s Netflix or getting your film into festivals and theaters. When we look at how Hollywood, and I hate that term, how the entertainment industry presents hackers, whether organized crime or nation states, does that put additional pressure on you and your organization and the multiple boards you sit on? When you come in to talk about things, are there preconceived notions that this is what it looks like? It’s not necessarily a bunch of Eastern European villains sitting there twirling their mustaches. There are a lot of regular people who go in there and sit down on keyboards every day.
There are two things to this in the entertainment industry, your communication and training. Everything needs to be done in a short time span. If you want to attract attention to be a bit over the top and emotional, it’s going to attract attention. With the documentary that I made about Edward Snowden, we had a huge amount of material. We had a lot of speakers and had to cut down half of the speakers that we interviewed to keep the attention level high for people. I would’ve liked to have gone more in-depth, but it was difficult. If you want to keep the pace going and the attention of the viewer, you have to make choices, and these are hard choices.
If you want to attract attention in the entertainment industry, it needs to be a little bit over the top, and very emotional to attract the attention.
Also, the Snowden case, in particular, is a complex case with a lot of angles. It’s not a black-and-white type of situation. It requires an explanation. For instance, nobody had been deeply diving into what he shared. What were these documents that he shared? What were these documents about because that legitimized his act in the first place to a certain extent? Diving this information is not sexy or exciting to look into it but we did do it since it’s essential for a story. Nobody likes complexity, so we did add that. Nobody likes lengthy documentaries, so let’s compromise on that.
You’re saying that there’s a director’s cut-out that’s going to be four hours long with all the additional commentary on YouTube and all the things we can do. That’ll be the first joint venture between your team and ours. To that point, the idea of the human element and where it comes into play. When you said nobody likes complexity, that has to be part of the conversation. When your team comes in to speak with clients and board members, you have the amazing combination of being one of the legitimate people in the industry, but at the same time, you are also making narrative documentary films to explain things.
When you walk into that C-suite and you’ve got one grandpa or grandma who makes jokes like, “I always have my niece pull that up for me on my iPad,” it’s like, “It’s a little harder than that.” How do you get that idea across to people who may only have been raised on CSI when they think about this stuff?
It’s making it more personal in the first place, which means most organizations have had incidents in the past. It’s not about all the exciting stuff that might be out there, but it’s something that’s happening in your organization. It doesn’t have to be television-like material. It can be small but impactful. I’m thinking about this one particular case, American Superconductor. It’s been featured in a documentary from the FBI.
FBI does a good job at that and there was this one guy who was Serbian based out of the Czech Republic who had access to half of the source codes of American Superconductor and sold it to Sinovel. Their single clients took the other half of the source codes from the US as well. The American Superconductors lost their source codes. Sinovel was able to copy what they had. They lost their client and almost lost their full business overnight. It’s just one person who had access to the source code.
That person sounded insignificant but was able to have an impact on an organization. Something so small can become big. If you’re speaking to boards, what has been the motivating factor behind this person conducting this insider attack? Dejan Karabasevic is his name. He was a disgruntled employee. He openly annoyed the Chinese from Sinovel who were in touch with him. They were aware of his disgruntlement. They offered him money, women, and a house in Beijing. It was a straightforward, simple proposal, and he went for that.
Something so small can become really so big.
It can be relatively simple. A lot of organizations have disgruntled employees, which is an important factor to consider if we’re talking about insider risk. That’s one thing important to be aware of. It can be this disgruntled employee that has a big impact. The other thing is it is a complex topic and there is no right or easy answer to the topic if you’re talking about the strategic level. A lot of organizations that we work with are in the high-tech industry. They work in sensitive fields and have a global geopolitical footprint with a lot of geopolitical tensions.
They have the question, how do we operate within hostile countries? How do we do that, particularly in China, for instance? Russia is one of these countries as well. They cannot potentially afford to leave the country, but how do we operate to the best of our abilities? There’s no magic bullet, but you can make a good effort to change and reduce the risk. These conversations need to be held at the board level and that’s where we come in to look at how you need to conduct your business. What is essential to conduct your business? If this is the case, how can I do it in the safest way considering the risks at play?
Quick side note. The documentary that Elsine referenced is called Made in Beijing: The Plan for Global Market Domination, which is available on YouTube. We’re talking about disgruntled employees. In your experience, is it more difficult to anticipate and do the offensive and defensive work considering the idea of a disgruntled employee as opposed to the unwitting dupe, for lack of a better term, who clicks the wrong thing and thinks that he or she is doing the normal course of business compared to somebody who is like, “I’m mad at these people and I’m going to go do this thing?”
If we’re talking about insider risk management, you are talking about the unwitting employee. Even a cybersecurity company internally did some spearfishing exercises, and a lot of people clicked on the email despite their high level of awareness. We are all realistic that this happens and you can take measures against the unwitting employee to a certain extent. It is never enough and not easy.
With the witting employee, it’s a different range of measures that you need to take. It’s also a bit less tangible. For instance, the organizational culture has a big role to play in the insider threat level for the malicious insider. I was thinking of this case from Joshua Schulte. He has been convicted and awaiting his sentencing. He was a CIA employee and he’s been the worst leaker from CIA history. Are you familiar with this case, Matt?
I’m seeing and scrolling through Apple News and then scrolling and I do something else. I know there is a case but not the details.
He was convicted over the summer. His case ended in a mistrial a couple of years before. I’m mentioning his case because it started on the work floor when a colleague of his was shooting him with a nerf gun. There was this culture at the CIA department where they were a bit of a boyish, playful culture. He was angry when he was shot at by a colleague of his. Long story short, it escalated tremendously. He became incredibly disgruntled. The organization wasn’t picking it up completely well. He left the organization and leaked the most sensitive materials from the CIA to WikiLeaks. That’s where it all ended. It had a huge impact on the operations of the CIA. It all started with the organizational culture that was breeding disgruntlement in any case, and his disgruntlement wasn’t picked up completely well.
You mentioned the C word, and we have heard it from a few guests previously with interestingly different perspectives when you come in to speak with an organization about insider risk and talk culture. Nerf guns? Isn’t that fun if you’re at the CIA, of all places? How do you have that conversation and get people to understand the importance of considering everything and the things they’re not even thinking about? How good is the coffee? Is the soda free? Is somebody going to shoot somebody with a nerf gun? As we’ve seen, this played into a huge leak. What are we not thinking about? How hard is it for you and your team to get people to think about the things they’re not thinking about?
When we get into organizations, we take a holistic approach. A lot of people use that word, but we look from different angles at insider risk management. We do look at what technology you have in place to monitor what’s happening with your data inside your organization and the whole employee lifecycle. What is your recruitment and screening process? What are you doing to support and develop your employees? What is your departure process when the employee leaves the organization? It’s that employee lifecycle angle. We look at what training programs you have in your organization and also what your organizational culture is. What does your leadership say and share with the organization, and how do you position insider risk?
These are snapshots of what we’re looking at and you can hear it’s very broad. Most organizations look at one particular area. What comes to mind in the first place is, “I need to look at my screening programs. Who am I getting inside the organization?” It’s such a small element of everything that you need to look at. Most of the time, people commit insider X in the organizational process, and they become disgruntled over time.
If something happens over time, data theft happens when they’re in the process of departing the organization, which is the most sensitive area. Upon recruitment, you might be able to identify infiltrators and risk indicators of people, but it’s definitely not enough. What we need to convey to people who want to engage in insider risk management or take steps is that, unfortunately, you have to look at that whole holistic picture, otherwise, you’re giving a full sense of security if you’re doing one thing.
You mentioned technology, and as we talk about the human element of this, how hard is it to find the balance between installing the type of security tech on everybody’s machines, the servers that allow them to do their job and get creative and interesting in order to improve not just themselves, but the entire organization, but at the same time, making sure that you’ve got moats that are deep enough and walls that are high enough. Where is the Venn diagram in your experience of technology versus humanity to make a place safe yet creative and what evolving?
They’re very extension points. For instance, if you have a company that has a lot of IP intellectual property, you look at which employee group has access to that IP. Most of the time, it is researchers and engineers who thrive well in an open, collaborative environment. Nowadays, we also work globally, so there are teams that are based in multiple countries that need to connect over the development of certain innovation processes. They want to have broad access rights, while from an insider risk point of view, you want to have restrictions on that to be able to have some level of containment of a potential issue. If you have an insider threat or an insider that wants to steal data, at least you’re able to contain that a bit.
That’s the direct tension point with that open, collaborative environment and the containment of data thefts. That’s the case in the university sector, where the whole mindset is open and collaborative. We’re sharing this publicly most of the time anyway, so what’s the harm? An important tension point is you need to navigate through that to see how people are still happy to be able to do their jobs and capable of doing their jobs. That needs to be a conversation while having that sense of understanding that you do need to have some access restrictions. That’s one domain. The other domain is I don’t think you’re supposed to use data and not use tools.
If you haven’t done an insider risk assessment in the first place, you need to showcase why you are going to do this. What is the threat that you want to guard yourselves against? Why are you taking these measures? You need to bring departments on boards in support of this. Think of the workers’ councils, etc. Sometimes the unions have a role to play as well, which is an extremely sensitive matter, and this all goes down to the fact that tools could have a certain impact on the privacy of employees that needs to be taken into account.
It’s about how you position this in the first place. What tools are you going to use? Who has exposure to those tools, where do you apply these tools, and what are you doing with them? What is often forgotten, if you are using tools and monitoring the behavior in the systems of your employees, you are going to get information from this. What are you going to do with that information? You need to be clear on the processes that you have in place. In the end, it’s not about tools, but it’s about people.
It’s not like you haven’t done this all over the world for years. You queued up the question I was going to ask, but you asked two better questions. What are you going to do with this information? That’s the best question. When you have this information that you have gathered from your employees on how everything unfolds inside of your company, how do you apply that in a way that allows people to continue to flourish while keeping them safe from attackers and disgruntled? By the way, side question, is gruntled a word? We’re going to leave that out there for everybody on social media so we can get to that. If you’re happy, you’re going to be gruntled.
That’s a nice word.
We do hard-hitting journalism here on the show. When you have this and you bring it back to whether it’s the C-suite, the board, or whoever sits, here is what we’ve learned and the improvements that you need to make. Some of this is hard science and technology data that can fix things. People sometimes hate this term, but the soft science of humanity is the definition of chaos. How do you wrangle a workforce in order to get them to understand, “We like you? You’re great at what you do, but you can’t do this anymore because, blank.”
The soft science of humanity is the definition of chaos.
For instance, intelligence service is a no-brainer. You come in. You know the risks and what you’re working on, and you need to be careful. It needs to be communicated that your activity in the systems is being logged and monitored. There, it is a no-brainer, but in business, people are not used to this. They do want to downplay the threat and you also have to be careful about what it is that you’re doing and why it is.
The why is so important. Whatever you’re doing or the tools you are using, make sure the why is clear. It shouldn’t be that you are being paranoid towards your employees. It is also from the point of view of the duty of care towards your employees. I constantly have all cases that are floating through my mind. We had a case years ago in which a cybersecurity team member stabbed one of his colleagues. It’s his best friend in the team.
This is cybersecurity. We’re supposed to sit at desks and do Zoom meetings.
It does happen, unfortunately. I don’t know what else to say. The point there is it is a duty of care that you have. It’s not only about data theft. It’s about individuals that derail. Data theft is also terrible, and it can have large impacts. You don’t see it so directly as if it’s a workplace violence type of situation. The point is you want to prevent these things from happening because it has an impact on the individual themselves, colleagues and the organization. That is the most important part of the why. We live in a world where there are huge tensions going on, especially in certain sectors like semiconductors and the pharmaceutical industry. That is a reality. Organizations need to adapt to that reality as well as their employees.
You have done some high-profile work all over the world in high-risk areas, whether it’s Europe, the Middle East, Africa, South America, military education, and the private sector. Do you see differences in the approaches from those different types of things that you wish others would adopt, or is there more of a not singularity? Is everybody on relatively the same page or at least in the same book in the way they look at the notion of insider threats?
Not at all. There are many differences.
Good job, humanity. We still have nothing in common.
Between the public and private sectors, if we’re talking about the geopolitical challenges that we have and also state actors stealing data, some of the private sector companies are on the front lines. I do think that the private sector, like semiconductors and the pharmaceutical industry, is on top of its game. They have to because they are stolen left, right, and center. They are example-setting and in the process of picking this up. They’re not in a perfect place yet, but a realization is there, and they are taking measures. They’re example-setting also for governments. In the US, it might be different because insider threats came from the US government in the first place.
If I look at Europe, I do think the early adopters and best adopters now are in the private sector, not in government. The government can learn quite a bit from them. Regarding the types of approaches, there is a difference between the US and mainland Europe in the sense that the US is more leaning towards technical implementation of tools. While in Europe, there is more sensitivity about this and they’re leaning more towards the educational front. A lot of training around the subjects. You see a real difference there. I do believe both are necessary personally.
Have you noticed, and tell me if this is a special sauce and we’ll bleep all of it out in the approach of a nation-state attacker towards a vulnerable employee compared to organized crime? Do they come at it from different angles? Are they similar in their approach or option C being something else?
There is a difference between organized crime and the state actor’s focus on espionage. The difference is if we’re talking about espionage, people feel that they’re being lured into a net that they can’t get out of slowly. If you are in the business of espionage, you want to turn to someone to support you, so don’t make them your enemy. Coercion is not the most sustainable approach. If you want to run someone in an organization for a longer period of time and get high-value data, coercion is not the best approach, but they always have it in the back of their minds as an option.
For instance, if they have meetings in which they exchange money for data, they might be recording those meetings. They always have that coercion option in the back of their minds as a possibility. If we’re talking about organized crime, we also work in the harbor environment in the Netherlands. We have the roaming terminal as a gateway to Europe. There are thousands of companies based there, and organized crime infiltration is immense, huge, blunt, and straightforward. They hold a gun to your head and tell you to support them. if you don’t, you’ll be killed or a family member will be killed. It’s very clear, straightforward, and focused on coercion.
It’s a bit of a black-and-white approach. It’s all or nothing, and sometimes it’s for money because infiltration is rife. If you’re looking at it from a company and a team point of view, maybe sometimes 9 out of 10 team members are already involved, and the 10th person, why wouldn’t he be for instance? I’m exaggerating a little bit.
You are a filmmaker. That’s what we need to do.
It is a different world.
Speaking of different worlds, given the fact that you have worked all over the world in very different cultures, do you find that there are different approaches that you need to take to the teams that you have led when talking with companies? The difference between South America and Africa, the Middle East, Europe, and the United States are wildly disparate cultures. How much does that come into play when dealing with the human element of insider threats?
Case management, investigations and the approach to investigations are very different in cultures. For instance, in the US, it’s much more direct. If you’re involved in a case, the consequences are more direct. In Asia, the engagement around the topic is more indirect. The face-saving elements are extremely important. We do training in investigative interviewing. The challenges that people in Asia have are different from the challenges in North America. You do need to factor that in if you want to be effective and in support of their concerns and overcome these different concerns.
This one is coming out of nowhere. Obviously, we blew up the outline on this. Your first answer to question number one gives me a weird one. No names, no companies, maybe not even a country, but the one that you walked into, “Here’s the situation.” You’re like, “Why are we here? What happened? What are we even supposed to do?” What’s a good weird one that you’ve had to deal with the idea of, “How do we even think about expecting this and then explaining it to the board, and here’s how we fix it?”
It’s a difficult question.
Again, hard-hitting journalism.
I’ve had many weird ones.
Close your eyes, put your hand on the head, and pull one out.
The problem with the weird ones is that they’re very telling. In my mind, I’m going through how I can sanitize the situation a little bit.
Let me change the question because you may end up giving away details that people don’t need to know about. From the weird ones, what is it that you can pull and insert the knowledge you’ve gained into the more normal situations when it’s like, “I can’t believe this is what we’re dealing with,” and you go back to the more run of the mill situations that you deal with when it comes to insider threats? It’s like, “This was so bizarre. We should think about this going forward with the regular ones.”
It was very bizarre, but if I do not talk about it, it’s not so bizarre. What is a difficult situation is when nothing has happened. There is a bizarre situation on a bizarre personal level going on with a team member and employee. You focus on that person’s personal situation, which is bizarre. It could become an insider threat because of all the risk factors around that personal situation. If nothing has happened yet, how do you deal with it? Somebody is in a bizarre personal situation that has a lot of risk factors and is not committing an insider X but is vulnerable to committing an insider X.
If a foreign entity had found that person, something would’ve gone wrong. Sometimes everything needs to come together as a perfect storm to go wrong. If that doesn’t come together, it might go okay for the rest of that person’s life. It is important from an HR point of view to keep an eye out to see how that person is doing in the first place. There’s a security risk, but this is much more of an HR matter. That is where the difficulty lies most in insider risk management, where HR begins and security ends.
You need to find that way in the middle where there is a person with risk factors who is doing nothing wrong, but it could become a risk and then a severe security risk. HR needs to communicate with security, and security needs to communicate with HR. It could potentially be a security risk in communication between two different worlds and languages. It’s difficult to find that intersection between the two.
When someone is so boring, they become noticeable, and then you find out after a while that they’re just that boring. No offense to the boring people out there in the world. Good for you. You are the middle chunk of humanity, and we appreciate all the work that you do. Moving on to a different topic Given everything you’ve seen and the work that you and your team have done around the world. When you look at the near future, there is a lot of political unrest in culturally different parts of the world.
Obviously, what’s happening in Russia and Ukraine, election madness across lots of countries, and shout-out US, things are weird. What does it look to you for the notion of cybersecurity? Not specifically to the election process, but what’s happening in the next two years, and looking out to the next 10 to 15 years? Where’s your crystal ball focused?
On several levels, strategically, we find the right balance in doing business with and in countries where nation-state espionage levels are highest. We do live in a global society. There is a huge amount of tension. We cannot ignore each other, so we do have to continue in a certain way. How do we do that? It’s a real balancing act. Another theme that, in my mind, is extremely important is polarization which is happening in the workplace as well, and obviously around a wide variety of topics. It means we don’t have a shared sense of belonging to the organization. It breeds disgruntlement. People feel like they don’t have that loyalty to the organization anymore. It increases insider risk overall in organizations.
If we’re talking about polarization, we all have experienced this on a personal level. I can tell my uncle or someone that I don’t want to see him anymore because I don’t like his beliefs. In the workplace, you’re stuck with each other and have to work together. It provides a threat but also an opportunity if you are able to speak this through or have a common understanding of having a misunderstanding. Tackling this in the workplace is a threat but also an opportunity. That is an important area to look at. I know that some companies in the US are embracing this already and are having active communication programs on that polarization topic because they realize we have to do something about this.
It’s not so much yet happening in Europe, but if I look at my glass ball, I would definitely focus on this to tackle this better. Finally, we’re all talking about the subjects and we’re looking at each other and talking about cooperation. You see this with organized crime in the harbor sector which is seeping things through all the layers of society. Sometimes it excuses us from rolling up our own sleeves and tackling things. We need to start acting. Start with yourself in organizations, and take measures instead of being in these talk shops together in public and private engagements. We have to start doing things ourselves.
Signpost Six and Elevate Security, re-gruntling the disgruntled is our goal for 2023. Let’s talk about you, again, one more hard shift into a different segment. Let’s come into the Leadership Corner. Please check her out on LinkedIn because it’s amazing all over the world, doing all kinds of interesting things. What’s on your playlist? What are you reading? What are you listening to? Do you have magazines in the bathroom and books on the coffee table? What’s happening on Spotify if you go out for a run, to the gym, for coffee or whatever?
In terms of reading, I am reading a lot about polarization myself. At the moment, that’s the reason why I mentioned it just now. If you’re talking about absolutely crazy stories, then I would definitely recommend the book from Patrick Radden Keefe, Empire of Pain. He described the Sackler Dynasty and their company Purdue Pharma and saw the drugs Oxycontin that had become the new drug all over the world, especially in the US with absolutely immense impacts.
How? That company pushed through with this drug. It’s mind-boggling, so that was interesting to read. What I’m listening to is David Bowie, my all-time favorite. He is the best artist of all time. We bought a sailboat and called it Stardust. I love his career, work, and everything. Apart from that, all my friends laugh at me for this because it’s a bit out of the ordinary, but I like artists like Tenacious D. I find it very funny. Do you know them?
Shout-out to Jack Black.
That’s amazing, but nobody likes it around me. If they’re here in the Netherlands, I have no one to go to that.
I can’t say Tenacious D found a big audience in Holland, but you never know.
I still need to find friends.
Trust me, the hundreds of thousands of readers, there are some people out there like, “I love Tenacious D.”
It’s a lot of fun.
Producer Sharon’s eyeballs literally fell out of her head. She was rolling them so hard like, “Why are they talking about Tenacious D?”
I love talking about Tenacious D. I’m glad you asked the question.
Give me one more. Two bands, Bowie and Tenacious D are pretty opposite ends of the bell curve. What’s your guilty pleasure? What’s the one where people will ask you what’s on your list, and you’re like, “I like this song?”
I like loads of different types of music, I listen to The Prodigy. I love that music. It activates my sports moments.
I feel like that is an incredible spread from Bowie to Tenacious D to Prodigy. We’re good. I’m going to let you go.
I’m all over the place.
We will let you out of that one because otherwise we’ll just talk about music for 45 more minutes and nobody wants to stick around for that. Shameless plugs, all of the things that you were up to. Let’s talk about the website, any social media hits, events you’re doing, writings, TED Talks, or anything like that. What’s going on with Elsine?
At the moment, I’m writing a year-end review blog to have a look at what happened in the last year, which has been crazy, I have to say. That’s coming out. Follow my LinkedIn post, that will be interesting. We’re significantly upgrading our training platform. We have an online training platform on insider risk, for all the different types of employee groups which is quite interesting. We use a lot of video materials in this and storytelling, which might be nice. Organizations have to do an insider risk assessment. Of course, we help with that, but they need to understand where they are on this topic. They need to understand, where is my data? How am I doing in terms of my measures? That would be my shameless plug.
This is something I need to get better at in the prep calls on this. When I say shameless plugs, it’s when you’re supposed to say after that. make sure you check us out at SignPostSix.com and you can follow us on these various social media platforms. What do you get, give it all?
Don’t forget to follow us on, SignPostSix.com, and on LinkedIn, please do connect with me.
That’s the thing because she responds. I can speak to this personally because it happens. Final shots, what’s going on in the world as we’re rolling up to the end of the year? You can even crib from the blog to close out. One last thing that’s on your mind if you could say to the people in the world. I’m going to be quiet, which is hard for me to do. Your turn.
It’s going in most directions. What is on my mind now is that I’m following all the cases on insider risk across the world and Markus Braun’s case, the CEO from Wirecard has started, which is exciting. It’s the craziest case. I’m very interested in following all of this. Every day, there’s something interesting going on, whether it’s the end of the year or the beginning of the year, or whenever. That is on my mind to follow at the moment.
Every day there’s something interesting going on.
Elsine, thank you so much. Please consider the invitation is always open to anything that you’re up to which sounds like when you wake up in the morning until you go to bed at night. We got eyes that are dying to read. Thank you for joining us.
Thank you so much, Matt. I enjoyed it.
That is it for our episode. A general reminder, all comments reflect the personal opinions of the participants that are not necessarily those of their employers or organizations, or those of us at Friendly Fire and Elevate Security. I have to say that so we don’t get sued. For more information on all that’s good in the world of cybersecurity, make sure that you check us out on LinkedIn and Facebook and of course, The Mothership, ElevateSecurity.com. My name is Matt Stevenson.
You can find me @PackMatt73 across all the socials. All we ask is if you subscribe, rate, and review, you’ll never miss all the great folks who are coming on the show. You can find the show anywhere you go, like Apple, Spotify, and all those good joints. This is what we’re doing. People like Elsine are already everywhere. It’s great that we could steal an hour of her life to do this one. I guarantee you, if you do the Google search, you are going to be paging and paging because that’s how awesome she is in the work that she’s doing. Elsine, thank you. Everyone else is happy. Whatever the end of the year thing that you like to do, we will hear from you next time.
Important Links
- LinkedIn – Elevate Security
- Facebook – Elevate Security
- LinkedIn – Elsine Van Os
- Signpost Six
- Signpost Film Production
- Made in Beijing: The Plan for Global Market Domination
- Empire of Pain
- @PackMatt73 – Instagram
About Elsine Van Os
Elsine van Os is the founder and CEO of Signpost Six, Insider Risk Management consultancy firm with behavioral science at its heart. She is a Clinical Psychologist and Intelligence and Security Expert. Elsine has worked on high profile assignments for the Dutch Ministry of Defense and Shell International, and worked in various capacities in over 50 countries. Working for years in the Oil and Gas sector, a high risk environment for all forms of (cyber) security threats, Elsine experienced the growing threats in the cyber domain. She observed, however, the heavy reliance on technological solutions at the expense of the human factor. This led to Elsine focusing on Behavioural Intelligence and Threat Assessment as an integral part of Signpost Six’s Insider Risk program. She is also the owner of Signpost Film Productions and recently released a documentary about Edward Snowden.