A lot of cybersecurity assessments are done with a checklist of how many high-risk, medium-risk, and low-risk vulnerabilities there are. It’s very non-human, which is something a lot of people will get turned off by. If you really want executive leaders to start paying attention to cybersecurity, you need to tell a story that is more humane. Tell them that a hacker has access to everybody’s home network, or everyone’s password just got stolen. Every day employees can relate to that because those are human problems. You need to tackle cybersecurity in a much more human way.
Join Matt Stephenson as he talks to Gary Barnabo and Eric Eames of CrossCountry Consulting, a trusted business advisory firm that provides customized finance, accounting, risk, operations, and technology consulting. Tune in and learn how they tackle cybersecurity and why the C-Suite needs to start looking at the human aspect of things.
Gary Barnabo And Eric Eames: Inspiring The C-Suite To Think Different
Hopefully, we’ve spent some time together talking about cybersecurity over the past year. Here at Friendly Fire, we are bringing you all of the top experts in the industry for a chat about everything and anything that is interesting in keeping our world secure. Speaking of keeping the world secure, we’re always excited. Why wouldn’t we be? The guests are amazing.
That’s why we are stoked to welcome Gary Barnabo and Eric Eames to Friendly Fire. Gary Barnabo is an executive at CrossCountry Consulting, which is a leader in cybersecurity and private practice at a company you might have heard of in previous episodes, Booz Allen Hamilton. A part of his focus was building cyber-focused businesses in the United States, the Middle East, and Southeast Asia, working across large public sector agencies, and Fortune 500 and Global 2000 companies. Not anything that had any impact on your lives, except it totally did. He also has a key role in developing company-wide cybersecurity across market verticals.
Eric Eames is the Head of CrossCountry’s offensive security team called Icebreaker. I love offensive security teams. They’ve got a cool name. Hopefully, they’ve got logos, t-shirts, and all kinds of stuff like that. He is seasoned in red teaming, penetration testing, and threat modeling. He has led dozens of sophisticated red team engagements at companies across multiple industries in previous lives, some places that you haven’t heard of and you probably shouldn’t, but just know they keep you safe.
He was a red teamer at FusionX, and later a team lead at a startup that specialized in adversary simulation. Also, he spent a little time working with the Federal government because we want to keep all of the citizens safe. He was focused on pen testing across classified software at three-letter agencies. We’re going to leave it at that. Gary and Eric, welcome to Friendly Fire.
Matt, it’s great to be here. I’m sure the audience has heard the two bios. They said, “That Gary guy, we’re absolutely not interested in hearing from him. He’s a very boring management consultant. Eric Eames, Icebreaker, offensive security, three-letter agencies. That’s who we want to hear from.” I’m happy to be here riding Eric’s coattails.
There we go. Let’s get this out of the way though because consulting sometimes can be a little bit of a dirty word. It turns out it’s not. I want to rip off Office Space in this. What would you say you do here?
What I do is put together PowerPoint slides and send them around to people. That’s what consultants do. For about fifteen years, that has been my life. Jokes aside, you’re right. Especially now with some of what’s in the news about some of those legacy strategies, consulting firms can get a bad rap. I think about consulting as being fundamentally problem-solving. Clients come with a very specific problem that they think they have. For whatever reason, they need an outside perspective and outside expertise. Great consultants know how to solve problems that move the needle for companies and government agencies, and then move on.
There’s a nuance to that and it’s particularly relevant. We’ll begin with what cybersecurity consulting looks like. What I found in my career is it’s less about solving the problem. It’s more about the framing and the definition of the problem. Great consultants solve the problem, but they spend a lot of time doing the equivalent of sharpening the axe, which here is defining the problem correctly.
Regardless of industry or domain, many clients come and say, “This is my problem.” When you start to unpack it, you realize the stated problem isn’t actually the problem that needs to be solved. Again, a great consultant will spend so much time sitting with clients saying, “Let’s figure out what the essential problem is before we dig in and solve it.”
In an area like cyber, it’s often hard to know out of the gate what cyber challenge is facing the company. What’s the gap that needs to be closed? It takes so much time to get into a client environment and get into an organization, and discover where the skeletons are, where the gaps are, and where the pitfalls are.
That’s what Eric’s team does so well. He’s going to talk about this here. Bringing to life the essential problems in ways that are visceral, compelling, and make sense to non-technical leaders are going to be a big theme of what we’ll get into. At the end of the day, cybersecurity consulting is about finding the essential problem. It’s looking at that problem holistically with a focus on people. It’s bringing those problems and those solutions to life in compelling ways.
Let me ask you this and give me a little bit of rope here. If we go Game of Thrones style on this, where you get to come in and you don’t have the baggage of working inside of this company. You can look at their situation and speak freely because they have brought you in to listen to what you say. How difficult is it when you come in and say, “This is right. This is wrong. This is great. This is average.” These are the presentations that you are making to them because you don’t have to go back there every day the way that people that are part of the organization do.
A couple of quick thoughts on that, and then Eric’s perspectives will be good. In some ways, we don’t want to stick around for the sake of sticking around. If we go into consulting engagement with these explicit views that we’re going to dump a bunch of findings on our client, and tell them what’s good, bad, ugly, and what they need to do, and then step away, it’s probably not going to result in the client being able to turn the corner. That’s another problem.
We’re going to come and say, “It’s not always about how we take all your money for five years.” We want to be real partners with our clients. A lot of that too is we got to meet our clients where they are. What I’ve learned in my career is giving a client a view that says, “You’re a mess. You got 30 things that you need to do to get your cyber program. It’s a basic level of functionality.” Those are the kinds of messages where clients are going to disengage and walk away.
It’s about always having integrity. Tell the truth. Be honest, direct, and clear. At CrossCountry, we put a lot of emphasis on where we’ve got to meet our clients and where they are. We’ve got to be able to see the world from their perspective. We’ve got to be able to spend a lot of time putting ourselves in their shoes and understand what they need to get done, what they are capable of getting done, what timelines, and what is going to matter most to them. It’s not just giving them this long wandering list of go-dos from your consultants, and then stepping out and saying, “Call us if you want to check in on your progress.”
Eric, you are the guy. Gary comes in as the head coach and the general manager talking to this, but now you are the defensive and the offensive coordinator. It’s your team that’s on the field. Similar question. You’ve got to come in there and start sticking all ten fingers and all ten toes in every pie, and come back and say, “Here’s what we got to do.”
It’s nice in some ways to come in as the outsider because you have a little bit more freedom to operate. Our team is a hacking team and an offensive security team. When you work for a company, a lot of times there are more internal politics and “Don’t touch Mr. Smith’s division. You don’t touch this part of the network. You’re not allowed to do this.”
When you come in as an outside expert and you have the blessing of the CISO or someone at a high level, you maybe have more free rein to act like an actual adversary would act. These artificial scope limits are not going to be obeyed by a real attacker. It doesn’t necessarily make sense when you’re simulating one to observe them either. You have a little more free rein to operate and get something a little more realistic done.
To your other point, when you are presenting the results, you have to be a little bit sensitive. You’re calling babies ugly saying, “There’s a problem here.” You have to do it in such a way that you’re not personally embarrassing anybody. You’re not out to get anybody in trouble because you’re really not. You’re trying to help them make things better. Some organizations have a little more culture of finger-pointing, “That was Bob’s fault.” You want to try to discourage that and say, “We’re all in this together. Let’s all put our heads together and make these things better.” Focus on that more than assigning blame.
For both of you, I’ll let you fight for who gets to go first on answering this. As we look at the notion of insider threats being outsiders brought in to look at this thing, it’s almost family therapy. There’s a very hard science. Eric, that’s what you and your team are tasked with. Gary, yours is more of you have to explain what you have found. When you come into these companies, you find where the weak spots are. Hopefully, there aren’t any, but there always are. How hard is it when you walk into the boardroom, whether it’s the C-suite or the investors of the board, and say, “Here’s where you suck, these are the facts, they are in evidence and indisputable?”
When you’re done, you’ve set everything up correctly, you’ve conducted something that’s a realistic engagement, and you’ve got the evidence in hand, you feel a little better about having that meeting. You have that case that you’ve built. There’s always somebody that wants to shoot it down in every room.
If you go into a room like that and you’ve only done a basic pen test and they’ve given you access to their network in order to conduct that pen test, someone is going to object and say, “We gave you access. None of this counts.” What we like to do is that full end-to-end red team where we get our own access. We act like an actual adversary would to build this case. It can be a little nerve-wracking when you’re presenting the results. You’ve got that security of knowing. You’ve got an airtight demonstration and the proof on your side.
I’m going to add to that. Perhaps you’re going to go in this direction. What’s happening in cybersecurity is that there is a rotation toward technology and it’s supernatural, and the products the vendors are producing are on the defensive side.
Is it super space natural like it’s totally natural or is it supernatural?
I’m not a sci-fi guy. You may be drawing the distinction there. This is Gary, the consultant, speaking in very conventional terms. It’s understandable because there is so much promise and the potential impact that we’ve seen in the industry over the past decade or more with technologies and tools on the defensive side. We know our adversaries are leveraging these for nefarious purposes. What Eric’s team does so well and what the best leaders and practitioners in the industry do is they don’t lose sight that at the end of the day, it’s about people. It’s people in an organization that is responsible for defending systems, assets, and networks.
It’s people that are the bad guys sitting in a room somewhere in the world with their own mental models and concepts of how to launch and sustain attacks. Also, their own lived experiences as human beings that are informing how they’re trying to go against your networks. In this conversation about how we work with our clients as cyber practitioners and consultants, they are human beings as well.
Every organization’s culture is a little bit different. Culture is just aggregated behaviors of leaders and employees. Every point in the journey of cybersecurity or cyber consulting is about coming back to the people and understanding who’s playing defense, offense, stakeholders or whatever it might be. How do they see the world? What are their mental models? How are they innovating in their own heads? What is EQ to them? That’s where the industry goes more and more. Tools will solve everything, “Just buy this and plug it in, and you’ll be good to go.” Eric and I and others are trying to bring a little bit about, “Don’t forget about the human factor of all this.”
How do they see the world when your teams come in to do the things that you’ve been hired to do because you are so good at it? They recognize that and they pay you to do it, and then you have to come in and tell them, “Your baby is really ugly.” How do they react to that thing? You have to deal with it on different levels.
Eric, for your team, it’s ones and zeros. Gary, your team is like, “These are why those ones and zeros matter.” Those are difficult conversations to have. Someone at some point had convinced that team to buy these products, spend this amount of money, and pay these people to do those things. How hard is it for you to explain to them, “That may not have been the best decision.”
We created a report for our client and it ended up in the CEO of the company’s hands. The CEO read the report and was so frightened. He called up CrossCountry’s CEO and said, “I read your report. This is terrifying.” Our CEO didn’t know what he was talking about. He hadn’t read it yet. He said, “I’m not sleeping. I read this report. This is terrible. What do I do next?”
Our CEO finds me somehow. He talked to me and we got to him, but this happens a lot. These are high-impact things that go all the way to the top. You got to write it perfectly. There are a lot of people that want to analyze every word that you write and say, “Is that true?” It’s got to be perfect. You got to tell a great story and you got to choose your words very carefully.
It’s that interesting dichotomy of you’ve got to have the facts laid out super clearly and no judgment, “This is what we did. This is what we found. These are the implications.” At the same time, you have to find a way to bring that to life in a way that’s memorable and meaningful for people. Particularly when you get it out to the technical audiences.
The reason that our CEO fielded a call from a client CEO was that those facts came to life in a story that meant something to the CEO’s business. It wasn’t like, “You didn’t have X, Y or Z configured properly on your networks and the bad guys wreak havoc.” It was, “Here is the business that could happen.” Somebody’s sitting up and going, “I get it now.” It’s that visceral gut punch. Humans have been telling stories for millennia. This is just another area where the power of storytelling is so vital. If it’s just fiction, it’s got to be grounded in the facts, but you got to have the story. It’s a hard balance to find.
That’s the huge thing that sometimes gets stepped on. People want to dismiss, “She’s in sales. He’s in marketing. He’s a tech guy.” I’m bringing you a 4-inch thick Calculus textbook. When it’s time to go and present that to the board, they don’t read Calculus textbooks. When you talk about the notion of the human element and why everything that you’ve paid so much money for has put you at a 93% successful security rate, and they only want to hear about 7%, that’s the difficult part. For both of you and the teams that you lead, when it’s time to lead that discussion, how do you get them to understand the human element? The chaos of humanity has to be considered. What do you do? Is it people, process, technology, or all the cliches?
This is in our use case from the Icebreaker team. The client in this case was a major pharmaceutical company. What the team proved was that essentially an adversary could access systems and reroute the planned delivery of opioids, which is the product of this company. If you thought your trucks were going to A, B, and C, but you sent the trucks to X, Y and Z, it doesn’t matter. That’s the kind of story that’s going to resonate with a business leader. Not the, “You’re 93% good and 7% bad. Here is the technical uplift you need on that 7%.” If the narrative starts there with all these technical footnotes and then data, the eyes glaze over like, “What does this mean?”
What it means in this case is your business can go off the rails. That’s the thing that people go, “Okay.” It’s about leading with stories like that that put cyber and technology into a business context and a much more emotional context for leaders. They’re going to say, “What do I do to make sure that doesn’t happen again, and to make sure my trucks are going to the right place with my drop?” You then get into, “Here are the things you need to do around your cybersecurity posture.”
Eric, you were about to say.
A lot of cybersecurity assessments will do things and will do a whole assessment like, “You got 8 high-risk vulnerabilities, 10 medium-risk vulnerabilities, and 12 low-risk vulnerabilities.” You look at that report and say, “I guess we have a to-do list. Is that good? Is that bad? How does that stack up? I’m not sure.” If you go in and you say, “We just stole $1 million” or “We rerouted drug deliveries” or “We got access to everybody’s home network.”
Those are the kinds of things that even a non-technical person can say, “That’s really bad.” That’s how we want to set ours up. It’s not just a technical story. These things have an impact on the business. It’s also important when you frame it that we try to give credit where credit is due. No one network or enterprise is 100% secure or 100% insecure. It’s always a complicated story of moving parts. We try to give credit where it’s due and point out areas of improvement because nobody’s 10 out of 10, and nobody’s 0 out of 10.
Eric, your team comes in and starts red teaming and you start attacking. When you get your results if they are human-related as opposed to leaks in the technology that they have paid for, how do you roll that up to the next level and say, “This is psychology. This is humanity.” You can spend as many zeros of dollars that you want on this thing. In the end, it’s still people on the other side of what is happening. How is it telling that story in order to get people to understand the evolution they need to make?
Pretty much everything we do has a human component. There could be a spear phishing campaign where you’re trying to deceive someone into clicking a link. It could be sneaking into a building or tailgating somebody behind a locked door. We had one where we got into the headquarters of an energy company and we were walking around in their office after hours. There were passwords on every wall. Smart cards were still left in the readers. Everyone had it on their desk doors, had the door pass, and opened the door.
Those are all human problems and human issues. A lot of these come up in a lot of assessments. We always obfuscate names in the reports. If our person really wants to know, we might tell them in a separate phone call. We’re not trying to get people in trouble. We’re trying to educate and say, “Here’s an example. This is bad. Leaving your smart card in the reader is like leaving the key in the lock. It doesn’t do you any good.”
The door is locked but my key’s in it when I get home.
That’s very convenient. I got to open the door right up, but that didn’t help. There is training and education, and making people aware that we can’t just rely on the outer door being locked all of the time. We need to have defense in depth. We need to take our smart cards home with us. We can’t leave our passwords on the wall. Those are human training issues, and the example helps drive it home.
Gary, on your side, you talk about storytelling. I love the big thing. When you tell the story when you have those moments to sit down with the leaders, how willing are they to accept this? You’ve got the data. It is quantified and cited. Here it is. “I paid $10 million for that security solution. Why doesn’t it work?” Is that something you have to face?
It is. To bring it back to the first part of the conversation, that’s true in any consulting engagement. There’s always that small minority of clients that you work with that don’t want to hear it. In my experience doing this for the better part of a decade now, the number of clients that fall into that bucket if they don’t want to hear it, it is very small.
There are degrees on this. There are some where they’ll hear it, but you get the sense that your report, your finding, or even your beautiful story is going to go in a drawer. It’s going to get buried and be forgotten about. A lot of our clients have a genuine desire to improve, learn, roll up their sleeves, and dig in. We work with a lot of cybersecurity leaders and practitioners that are in the field and that are in their roles because they want to stop the bad guys. They’re motivated as much as the bad guys are.
They tend to see the Erics of the world and the mes of the world and others as, “You’re part of our toolset.” They are from another company, you’re consultants or whatever. They are going to call you, but you’re part of the team here. Let’s all get together and fight the good fight. We’re trending in a good direction overall in the industry.
In my lived experiences with clients, there are always pockets of resistance. There is often a voice or two in a room that you have to navigate around or work hard to bring them along even if others in a client environment are getting it. We’re trending in a good direction here, whether that’s practitioners, CISOs, board members, or broader C-suite members.
For both of you, when you present your findings of everything that you’ve been brought in to do and you give them the bald-face, “This is what your network looks like. These are our recommendations on steps that need to be taken in order to get better,” how do they react? Are they happy? Are they angry? What is the thing where you’re like, “We’re great at this,” and they’re like, “You know what, you’re not,” or you say, “We’re terrible at this.” “You know what? You’re pretty good.” Where is the thing where you present, “This is what it looks like. You’re going to have to spend more money to get better.”
I’ve had that conversation a few times, and people are receptive. If you have the evidence to back it up, there may be some denial at first. When they see the evidence and the evidence is solid, there’s a, “We got some work to do here. Let’s do it.” I had one CISO that described it like this, “I feel like I’ve been touched in the stomach, but now I have something to work on and I know what I need to do. At least I’m hearing about it from you and not reading about it in the newspaper.”
That’s the best case. It’s when you don’t have to read about it the following morning when you’re scrolling through Apple News. Gary, what about on your side? You tend to have those meetings wearing blue suits. Nobody wears ties anymore. You’re sitting down and they’re like, “Seriously?” and you have to look and say, “Yeah, this is it.”
Often there’s even a greater level of receptivity among non-hands-on executives who do have those very formal broad responsibilities for corporate governance and for the stewardship of a corporation overall. To be clear, Eric is in a lot of these meetings too. He’s sometimes doing a lot more talking than I am because he’s got lived experiences. There’s a credibility that Eric in a hoodie and a backward baseball cap can bring that I just can’t.
It’s not like I only live in the boardroom and Eric only lives on the networks, but it’s all good. I take your point. If you’re a CEO, a CFO, or a part of an executive leadership team and you’ll be getting a briefing if you’re part of an audit committee on a board or the board in general, there’s a natural sense of I’ve got to lean into this.
Whereas for a CISO or a VP of Security Engineering, it might be a little bit harder to take because it is more of a direct gut punch. What we’re finding in those executive levels is there’s a gradual increase in cyber enlightenment. My view on this is just like technology, in general, came about twenty years ago. There’s now some technology acumen that is a requirement to be an executive leader in any company.
Cyber is trending in that direction. Five or ten years from now, we’re going to be seeing some 201-level familiarity with cyber. That is going to be a broad leadership competency that we’re going to look for in anybody in the C-suite. It doesn’t mean you have to be 501 level, but you need to be 201 level. I think we’re trending in that direction.
Leaders are able to ask better questions, process findings, and independently understand, “I get the business impact of this deficiency and of this not going well.” It’s a little bit of an easier sell when we say, “We think this is going to cost you $5 million over the next year. You need to hire ten more people or you need to invest in these tools and technologies, or you need to bring us back for a larger engagement to dig in on this.”
Every company is different. Every leader is different. Some companies understand that their business depends on secure and resilient technology, so they made the investments. They got the right leaders in place around the corporations. Others haven’t had that a-ha moment yet. Those are obviously the hard ones.
Eric, to Gary’s point, how often do you go into meetings wearing hoodies with a baseball cap turned around backward?
I don’t do actual hoodies and baseball caps in meetings, maybe in a Zoom meeting. You know what? People don’t want their hackers to wear a suit. I have noticed that. People don’t want their hackers to look like lawyers. They don’t believe it. They do want a little bit of flair to establish credibility.
I’m going to come in a white tuxedo instead because why not? Let’s dig a little deeper into this. Eric, for your team in Icebreaker, when you bring the red team into a client, how much do you want to know upfront? Do you want to come in cold or do you prefer an idea of the landscape somewhere in between? What is the bell curve?
Most of the time, I want to come in cold because I’m always thinking about that last briefing that we kept talking about at the very end. I’ve been doing this for long enough that I have an idea of how it’s going to go. I know there’s going to be a naysayer in that room. That naysayer is itching to poke holes in my argument, so I got to set this up right from the beginning.
I generally say, “I want to know the name of the company and what my goal is. Do I want to move money? Do I want to steal personal information? Do I want to steal intellectual property? What’s my goal? What’s the name of the company? Go.” I want to start completely cold as a real attacker would. That’s hard. That takes time to get the lay of the land and figure things out. It’s a long process to start like that. If I start like that and I succeed, that’s a good story.
Are you going full bare metal like, “Give me the name of the company and I’m going to google it and we’ll go from there?” That might be some secret sauce, so you tell me.
Google is not the super secret sauce. We’ll Google the company. We’ll go on LinkedIn and find all their employees. We’ll look at their job ads and what kind of technologies they are using in security, job postings, and people’s LinkedIn resumes. Open source research is where we start, just learning about the company. Once we get inside, there’s another round of research. We’re looking through their SharePoint, Confluence, Wiki or whatever they have internally. We’re learning about the company.
If you want to, let’s say, get the Mergers & Acquisitions information for a company, how do you even orient yourself once you’re inside a network? There are going to be weeks of new employee orientation, just reading documentation and orienting yourself to the network and the company, and who are the right people to target, and the right network and the right applications.
When you are looking for any and all threats and when the notion of the human element and the insider threat comes into play, how much do you consider off-keyboard? You mentioned earlier about leaving your key card in or all my passwords. I think about what my parents’ desk looks like. I’m not giving up their OPSEC. How much of non-digital things do you consider when you look at what you need to red team?
We do that pretty often actually. A lot of our red teams have a physical entry component where sometimes it’s easier to walk in the door than it is to spear phish. It depends on the organization and where they’ve allocated their budget and their resources. Sometimes if they’ve spent a whole lot on state-of-the-art security controls, it’s easier to sneak into the building and connect what we call a jump box, a little computer, to their network with a little cell phone modem that we can call into, and then we’re on their network. We do that. We can clone badges. We can use a building trick like a can of compressed air above the door that triggers the heat sensor and unlocks the door from the other side.
Did you just give one away?
No. Everyone knows that. You can google that one too. There is a lot that you can do to sneak into a building. There’s a lot of human element stuff to that, and we do that frequently.
Gary, how do you explain that when it’s time to present all of the ideas? You’re having those conversations and Eric is in these meetings too. When someone looks across the table at you and says, “Really, a can of compressed air?” You’re like, “Yeah. It costs like $4. You can get it at Office Depot.”
Your question is also the answer. Sometimes it’s not as hard or as sophisticated or as elaborate as maybe you think it has to be. A lot of this gets down to basic blocking and tackling on the defensive side. It’s doing the simple things well. It’s like anything in life. You can look through these very elaborate scenarios and explanations.
Somebody left their key card in the door. Somebody let Eric’s team walk in behind them without asking for their badge. In some ways, it’s normal human behavior. That’s why I like Elevate, the host of Friendly Fire, because you’re coming at it as well from the human perspective. We’re trying to come at it from the human perspective of both putting ourselves in the shoes of the adversaries or the APT out there.
We’ve also got to put ourselves in the shoes of employees who’ve got a million things to do. They shouldn’t be expected to always be thinking about security every hour. They aren’t going to have a behavioral transformation because they do an annual security and awareness training that they click through while they’re responding to emails.
All of this gets back to sometimes the message is to put yourself in the shoes of the people who have inadvertently done something silly inside your corporation. I’m like, “Don’t fire them. Don’t write them up. They’re precious to you. Just understand what their behaviors are. How can you firewall them off?” Also, keep using the Erics of the world. Understand how adversaries think and operate. That is such a critical part of cyber. It’s so easy to miss this piece of the human element in all of its forms with the rush to tools, technologies, and magic bullets.
I just thought of one more while Gary was talking. We did one at a Silicon Valley software company one time. It was something a coworker of mine said to me. He says, “Eric, no one will ever shut the door in your face if you’re holding a box of donuts.” I went to the donut store and bought a box of donuts. I walk up and tailgate behind somebody, holding my box of donuts. Sure enough, he held the door for me. It worked. We got in. We planted our jump boxes. A month later, we had the code signing keys and the ability to deploy malicious updates to the software that has millions of users all over the world.
You’re exactly right. We had a previous guest, Freaky Clown, who is a second-story man. He breaks into banks. He has been doing it for 25 years and steals things. He and I once did a movie review of Sneakers. There’s an incredible scene where Robert Redford comes in with giant balloons and a cake. He talked his way through because it’s like, “Who’s that guy? He’s not breaking into my server room. He’s got balloons and a cake.” Yours is a box of donuts. Who doesn’t want a donut? Especially for anybody sitting up front who is totally underappreciated, “I brought you some coffee and donuts.” They’re like, “Thanks.” That’s well-trodden territory, but it still works. What do we do?
The best you can do is you can give them real-life examples and say, “We hired a consulting company and they broke in with a box of donuts. Please be careful.”
It’s not a tank but a box of donuts. That’s what they waived.
It was a can of compressed air. It’s training these people that this happened. It’s not just theory. That’s a big story with cybersecurity. People think it’s a technical problem and it’s a very theoretical problem. It’s very real life. Real results happen from it. People steal money and information. A lot of times, they trick humans in order to do it.
For both of you, as we look at the evolution over the last several years, everything has been trendy and sexy. TikTok hasn’t been around long enough. If it would’ve been, they would’ve been all over TikTok. It went from cloud to virtual to blockchain to NFTs. When new technologies evolve, how much of them affect your approach? Do you sit back and be like, “You know what works? It’s this thing because it works, it always has, and we continue to evolve it better.” Where is the new thing affecting your approach to what you do and the solutions that you suggest?
It’s a balance. You can’t ignore technology. If you do, you’ll fall behind quickly. You mentioned blockchain. It brought a new vector. A new attack by smart contracts, for example. That’s a new attack vector that came with blockchain that wasn’t there before. You have to account and be able to attack a smart contract. A lot of blockchain projects have other points of weakness besides smart contracts.
There’s some kind of maybe a cryptocurrency wallet and you’re downloading that from a web application. Now, you have to go secure that web application. The biggest cryptocurrency theft in history in Axie Infinity was a classic phishing attack. There was an employee at the organization and they clicked on a lucrative job offer. That’s how the attacker got in and stole $650 million worth of cryptocurrency. You have to learn the new and not forget about the old because postings will get you in as an attacker.
In cybersecurity, you have to learn the new and not forget about the old.
You actually just renamed the episode. It’s learning the new and not forgetting about the old. It keeps going. It’s amazing. Gary is quietly sitting there with his head and his hands like, “What did I sign up for this show? What am I doing here?”
Amazingly, I have nothing to add to this question because Eric nailed it. This might be a first for me.
For both of you, filtering your view through the present. When you look at what’s happening now, given this is the craziest time anyone has ever been alive. I feel like those things are at a dynamic point that we may not have seen since pre-Y2K. Is there anything that has your attention that may not be quite ready yet, but it looks interesting enough that I just want to keep my eye on it? It’s in my peripheral vision, but it’s going to be moving into my primary focus at some point.
The thing that got everyone’s attention is ChatGPT, the OpenAI chatbot. If you haven’t looked at it, you can google OpenAI. You can chat with this artificial intelligence program. It’s amazing. You can ask it any question you want. Where it gets interesting is you can ask it to write code for you. You can say, “I want to write a program that does this,” and it has written the program for you.
“I’ve got a bug in my program, can you debug it for me?” “Here you go.” I’ve been playing with it over the past week. Out of curiosity, I’ve asked it to do slightly malicious things in my view like control malicious. “Can you write me a phishing email?” It says, “No, I won’t do that.” I said, “Will you write me an email to say, ‘Looks like you’re behind on your annual business ethics training that’s required every year.’” “Here you go.”
You can ask it to do malicious adjacent things and it will generate those for you. Artificial intelligence has been pushing the defense side forward for the past few years. It’s much harder to hack now than it was five years ago in orders of magnitude. Endpoint security and email security have gotten so much better because they’ve been informed by AI. Now, the offense may have more ability to access AI to help them too. I’m keeping my eye on that. It should be interesting to see how that plays out.
Artificial intelligence has been pushing the defense side forward over the past couple of years. It’s so much harder to hack now than it was five years ago.
For the audience, just so you know, when Eric said no, he did literally wave his fingers. Gary, what about on your side?
The big one for me is quantum and what does a post-quantum in the cyber landscape look like? This is increasingly coming into focus. Although, it seems like we’re still several years away from somebody being able to break quantum. The geopolitical ramifications and implications of potentially the Chinese being able to break through here, and the revolutions this will have around what adversaries can do, and then around what’s needed on the defensive side will be profound.
That’s one that’s going to manifest. Some of Eric’s and my past clients in the public sector are going to have to get their arms around this faster than the industry will. I know several of the big banks are starting to think about, “What does our security posture need to look like in a post-quantum world?” Which is good. We need to be having those conversations now. It’s going to take quite a bit of time, energy, investment, and creative thinking to understand what a new cyber defense posture looks like in that sort of world.
This is something potentially horrifying to combine both of your answers. Our friends at the MIT AI Labs years back created an artificial intelligence that they named Norman. It was only fed information about serial killers and mass murderers and made the most horrifying thing ever. The notion of adding quantum computing to that level, I don’t want to call it intelligence yet, but if you add the quantum thing to it, I just made myself nervous. Everybody else, you don’t have to do any of that. Enjoy your holiday season. Next up. When it comes to good guys versus bad guys, from your experience and the clients that you’ve been able to work with and the adversaries you’ve had to address, how are we doing?
It’s a split decision. The medium and larger businesses are doing better than they were. Good guys have the upper hand for now. It doesn’t seem like they have the upper hand because all the high-profile hacks that do happen make the newspaper. It’s harder to break into a large company now than it was five years ago. It’s much harder.
A lot of adversaries now are targeting small companies without the resources to do that. They’re targeting the doctor’s offices, the lawyer’s offices, and the real estate offices. On that side, the bad guys have the upper hand. The larger companies that are able to buy these AI-informed products like Office 365, endpoint security, and email security gateways have a little bit more edge now. We’ll see what happens in the future.
That constant back-and-forth arms race is a cliche, but I’m with Eric on that diagnostic. Everything is so interconnected. With software supply chains, whether it’s SolarWinds or it’s Log4j, you can find your way in through a doctor’s office. Maybe then you’re at a mid-market company and then you’re getting close to one of the big boys. That’s one of the challenges that we’re seeing. It’s the ongoing interconnectedness of these technologies, particularly around software.
Gary, among all the things that we’ve been talking about with regard to insider threats, what do you do? How do you handle the recommendations that you do? Elevate has made its bones in this space.
When you look at what you need and what your users need with regard to what Elevate does, how do you get into that? How do you bridge that conversation in a way that makes them think, “It’s not just this designer hammer. This is the actual hammer that we need in order to build this building to make things better for everybody?”
It comes back to one of the big themes from our whole conversation, which is the people’s side of cybersecurity. It’s why I find Elevate’s work and the legacy it is starting to build now 4 or 5 years in is extremely attractive because sure, it’s a product company, but fundamentally it’s a people company. The issues that Elevate is trying to solve are human risk issues. It’s around what are the behaviors of employees.
As I’ve said throughout, in an era where cyber has rotated toward tools, technologies, and the magic bullet of artificial intelligence and machine learning, Elevate is bringing it back to basics. It’s about understanding what your users are doing and how we help them cause less inadvertent damage. How do we help them to be more thoughtful and responsible?
Cybersecurity has rotated towards tools, technologies, and the magic bullet of artificial intelligence.
It’s treating those people and those employees with a great deal of care and respect. It’s not like, “You’re doing the wrong thing. We’ve got to punish you.” It’s, “We have an opportunity to help you maybe change your behavior. Also, help your company understand how you’re working and what that means from a cyber risk perspective.” We’ve talked about it at CrossCountry, we’re very focused on the people side. We see Elevate as a kindred spirit in that regard of also coming at modern cybersecurity with that focus on people.
That can be a harder message to convey to buyers sometimes. You do want to say, “It’s all about technology” or “It’s such a complicated problem.” We always see at Elevate what we try to do at CrossCountry. We say, “80% of your challenges are around insiders, your employees, and doing things they shouldn’t be doing unintentionally.”
It’s not malicious. It’s just a behavior that you need to understand, see, and try to stop in its tracks. It’s not always rocket science. In cyber, we can overcomplicate it. At the end of the day, it’s a lot of the basic blocking and tackling that we still have to do well. Not to diminish what either of our companies is doing, but some of this focus on people is returning it to a little bit of that blocking and tackling.
Let’s understand what our users are doing or let’s understand what the threat actors are doing, and understand their behavior on networks. Let’s start to wall off, isolate, contain, prevent, and correct those behaviors. Whether you’re looking at it down and in at how your users are working, which is what Elevate is good at, or you’re looking up and out at what your adversaries are doing, which is what Eric was describing CrossCountry is good at. There’s a beauty there focused on how actual human beings are behaving, operating, and working. What can we do to nudge, change or contain those behaviors in a way that’s going to improve defensive posture?
We’re not just going to throw thousands of dollars of AI and robots at this and be like, “That’s good. We’re going to solve the human risk problem because people act like people.” Eventually, it’s going to be Skynet and machines battling machines.
I don’t think we’re going to see that in my lifetime. I hope not. As we’ve talked about it, there are some very interesting and impactful emerging technologies, maybe not so emerging. Maybe they’ve emerged now that defenders and adversaries are picking up. It’s got to be the harmony and the balance among technology, people, and process as we’ve talked about throughout the time we’ve had together here.
Harmony in the balance, I think you’ve officially named your next appearance on Friendly Fire. Please consider that as the official invitation to come back. Let’s lean in a little bit to the leadership corner. What do you do when you’re not doing this? What’s on your playlist? Whether it’s Spotify, Apple Music or SoundCloud. Trust me, nothing is too embarrassing. It could be the worst Mumblecore rapper ever or a terrible pop-punk band or Celine Dion.
We do hear a bit of Celine Dion in my house because Celine is my wife’s all-time favorite. When my wife and I were dating very early on, I surprised her with a trip out to Las Vegas where Celine had a residency, and we saw Celine Dion at Caesars. It was a very nice trip.
Look at you.
I think I scored some points that helped me accelerate along the trajectory to a ring and a wedding, and now a child. We had our first daughter in the summer. I’m just trying to figure out how to be a semi-competent parent. As somebody who likes structure and order and as a lifelong consultant, everything can go into our project plan with chevrons, tasks, and work breakdown structures. Our six-month-old does not respond to project plans or work breakdown structures and time boxing. Mommy had to be a little flexible.
Given what you do, tell me if this is too weird and esoteric of a question. I’m trying to think of something more chaotic than a six-month-old and I’m not sure if I can. In any way, as you are learning how to be a parent, do you even think about, “Here’s this six-month-old who’s crawling around. All I need to do is this 30-minute Zoom call.” Do you find any type of inspiration in your approach to the human element of security from witnessing this very new creature on earth who just wants to absorb anything, which is a metaphor for clicking on links that get sent to him or her?
I’d be lying if I said I had spent many minutes or hours thinking about the connection and the relationship between my six-month-old running wild and how we contemplate cybersecurity. I do think there’s something to be learned from the unpredictability of a baby and the unpredictability of what people are going to do that does feed into how we think about our approaches to security.
It’s understanding that individuals, whether it’s a bad actor, an employee or a kid, are going to get some new ideas. They’re going to contemplate some new behavior. They’re going to do something that was unexpected. As cyber defenders, how we’re able to respond and be resilient in the face of adapting to those unpredictable behaviors.
Whether it’s employees that we care about deeply or the threat actors that have innovated on the fly to find a new way to go against us, that’s so much of what cybersecurity is. Can you adapt and respond a little bit faster than the adversary? As a parent, can you adapt to the latest behavior that your baby is showing you? Find a way to at least manage that behavior such that the house doesn’t go on fire or she doesn’t drown herself in the toilet or whatever else she might be getting on the day.
He wins the bell curve. The house is on fire or drowning in the toilet. Let’s hope neither one of those happens. I went back into host mode. I got in the way. Obviously, it’s Celine Dion on the playlist. Anything else? Do you get good books on the coffee table or magazines in the bathroom? Are you like, “You know what I want to do? I want to cook Jamaican food tonight.” What’s happening in the Barnabo household?
There’s a Peloton behind me, which you can see and our audience can’t. I spend as much time on that for physical fitness but also for mental and emotional outlets. My wife and I do love to read. We often try to use that week between Christmas and New Year as an opportunity to dig into longer books that are maybe a bit hard to get through when you’re working full-time.
We’ll take the week off and I’m going to try to read a book called Power Failure, which is a bit of a tome with a history of General Electric, its rise and fall, broader applications, and lessons learned for corporate American corporations. I don’t know a whole lot about GE, other than it was a pretty interesting company that went pretty sky-high and far into depths. I’m looking forward to that one.
I read a great novel a couple of months ago that I recommend to anyone. It’s called Undermoney by Jay Newman. It’s this wonderful blend of high-intrigue finance, CIA spooks, and politics. It’s a well-done plot. A lot of moving pieces and they’re pulled together. The book does suggest that there will be a couple more from this author that maybe have some of the same characters. For folks that like the high world of global espionage with a little finance twist to it, Undermoney by Jay Newman is a good one.
I am so happy that you mentioned that. I am not familiar with that particular book, but we have had some incredible guests here. Luminaries in their positions in their field. When I ask the question about books, inevitably it’s always business, motivation, and self-improvement. Every once in a while, I like reading a trashy novel or a smart novel.
It’s the week between Christmas and New Year. Let’s kick back and have some fun. Let me ask you this about that particular one. I feel like there is a burgeoning interesting segment in TV, movies, and fiction. We’ve got science fiction, steampunk, and all this stuff. Now, we’ve got this interesting financial fiction. That’s what you were saying. It’s the combination of high finance, espionage, and all this stuff. That is every bit as good as a Bourne thriller or that kind of stuff. Is that your thing?
I don’t know if it’s my thing. It’s certainly a thing of mine. Without getting into all the details, it goes back to some of my experiences earlier in my career where I was working more directly with the US Defense & National Security community. Some of the topics I worked on were around illicit global networks, transnational organized crime, and counter-narcotics. The link between illicit economic activity, dirty money, and things like terrorism and other things that go boom.
I feel like I was a little bit there before the genre boomed. We’re seeing a lot more attention on it now given Putin’s war in Ukraine, and understanding that Putin has captured the Russian state and he himself is entirely propped up by the extraordinary web of dirty and illicit money. A lot of us are looking at the Russian oligarch world with a sense of, “How much money do these people have and where is it all?” Now, we’re seeing these TV shows and books all play on that theme. Money made the world go round as we have all known for millennia. It’s the latest manifestation of that.
What you’re saying is you’re a FinFi hipster. You were into it before it was cool.
I’m saying I was into it before it was cool. I’m making that claim. I don’t have a lot of shameless plugs but I’m saying I was into the FinFi craze before it was cool.
A shout-out to those who haven’t seen Margin Call. It’s maybe the greatest FinFi movie ever made, with all due respect to The Big Short and Wall Street. Make sure that you check out Margin Call because it’s right up that line. I’ve got to ask you though, we got to do shameless plugs. You’re on the internet at some point or the company is or maybe Eric. Give us one cool thing.
I just don’t have this body of articles or conference points online, which is maybe nice for your audience. They’re like, “Now, I got to hear this guy’s probably last TED Talk he gave. I know he went to Davos and talked about that.” That’s just not me. I think what I’m most proud of is the team that Eric’s built here at CrossCountry Consulting. The Icebreaker offensive security team that he described.
This is a new boutique brand that we launched over the summer. We actually launched it at Black Hat in Vegas. Eric and his team were running around pool parties, rolling this thing out. Go to Icebreaker.team. It’s a simple URL. Take 2 or 3 minutes and see exactly what Eric and his merry band of offensive security hackers are up to. It’s high-impact work of valuable and useful services.
Every time we go into a customer environment and to a client, and then turn Eric loose, the outcome is inevitably a wide-eyed client saying, “We had no idea. This is so extremely helpful. When can you come back?” I’m proud of the service that we’ve built. It’s very much like Elevate, the way we deliver that to our customers with a great degree of care, seriousness, and commitment to making our client organizations better. To round things out, it is part of the shared DNA between CrossCountry and Elevate, and why we’re so excited for the partnership that’s to come.
There is a CrossCountry Consulting page on YouTube. Check that out. You can see a lot more about what’s going on there. They have a great presence on LinkedIn. If you would like to learn a little bit more from the people who are inside the joint, they’re also on Glassdoor. To our audience, you certainly don’t think that I am guilty of false humility, but let me tell you that Gary is not.
This is 100% accurate in his portrayal of his approach to all of these things. He only wants to point the spotlight in other directions. Also, make sure that you check out Eric Eames on LinkedIn because they’re doing some cool stuff. It only took two episodes to record across multiple days because apparently, my internet connection is terrible. Gary, thank you for making the first time, and then coming back and forgiving us and making the second time.
Matt, it was great fun. Thanks for having me. On behalf of Eric, thanks for having him as well.
We’re going to come back and we got more stuff to break. Trust me, this is only the beginning. Until then, thank you all for joining us on Friendly Fire. This is a friendly reminder. All comments reflect the personal opinions of the participants and not necessarily those of their employers or organizations. For more information on all that’s good in the world of cybersecurity, make sure that you check us out at Elevate. We are on LinkedIn, Facebook, and of course the mothership, ElevateSecurity.com.
My name is Matt Stephenson, you can find me @PackMatt73 across all the socials and podcasts. Wherever you go, that’s where we’re going to be, Spotify, SoundCloud, Apple, Google, and all the fun stuff. All we ask is you subscribe, rate and review. You’ll never miss out on all the great folks who are genuinely humble. We’ve had a few that are not so genuinely humble, but they don’t try to be. That’s also the fun part. Until then, we will see you next time.
- LinkedIn – Elevate Security
- Facebook – Elevate Security
- CrossCountry Consulting
- YouTube – CrossCountry Consulting
- LinkedIn – CrossCountry Consulting
- Glassdoor – CrossCountry Consulting
- Eric Eames – LinkedIn
- Gary Barnabo – LinkedIn
- Booz Allen Hamilton
- FusionX – LinkedIn
- MIT AI
- The Metaverse
- Power Failure
- @PackMatt73 – Instagram
About Gary Barnabo
Gary is an executive at CrossCountry Consulting, leading and driving growth for the cybersecurity & privacy practice across the U.S. and internationally.
Gary brings stellar management consulting tradecraft to domains like cybersecurity, digital, AI, and 5G – helping corporate and government leaders harness and secure game-changing tech. Throughout his career, his clients have spanned national ministries on multiple continents, to Fortune 10 across industries, to Global 2000 firms looking for step-change gains in technology and security.
Recently, at Booz Allen Hamilton, he built cyber-focused businesses in the U.S., Middle East, and Southeast Asia, and was responsible for developing corporation-wide cyber and broader growth platform strategies across market verticals.
His “secret sauce” in all of this is the ability to distill complexity and translate the technical to the business.
Earlier, he worked with defense and national security clients on strategy development, policy, leadership, and org change. This included guiding Senate-confirmed officials through re-orgs, writing strategies on transnational threats, and traveling through Asian capitals talking U.S.-China competition.
About Eric Eames
Eric leads Icebreaker, CrossCountry’s elite offensive security team. Eric specializes in red teaming, penetration testing, and threat modeling. Eric has 20 years of experience hacking (with permission of course) into banks, casinos, energy companies, pharmaceutical companies, ISPs, television networks, and government agencies.