There are a lot of factors that cause problems within the cybersecurity space, but the human element ranks as the top reason. With the huge communication chasm among IT experts, C-suite leaders, and hiring managers, there is still work to be done in bridging these gaps. Matthew Stephenson discusses how to solve this disconnect with the Founder and CEO of Cyber Risk Opportunities, Kip Boyle. They explain why senior leaders must set the tone of cyber hygiene practices, particularly in today’s evolving hybrid business models. Kip shares tips on how hiring managers can create diverse teams to secure the best cybersecurity opportunities. He also breaks down the dangers of treating multi-factor authentication as bulletproof security and misunderstanding the shared responsibility model of cloud services.
Kip Boyle: People Make the Cybersecurity World Go Around
Here in the show, we are bringing you all of the top experts in the industry for a chat about anything that is interesting, weird, broken, or fixed but mainly, what are we doing to help keep the world secure? Speaking of keeping the world secure, we are very excited to welcome Kip Boyle to the show. He is the Founder and CEO of Cyber Risk Opportunities. He is also a course instructor at Udemy and also LinkedIn Learning.
He also hosts a couple of excellent podcasts, Your Cyber Path Podcast and the Cyber Risk Management Podcast. He is also the author of the book, Fire Doesn’t Innovate, which has been a bestseller since it dropped on Amazon in 2019. It’s not one of those weirdo eBooks. This is a book. You could hold it in your hands. You could take it on an airplane or to the beach or whatever. Kip, I’ve talked enough about you. Let’s talk to you. Welcome to the show.
It’s great to be back in conversation with you where I know it’s going to be recorded and pushed out onto the internet in perpetuity. This is great.
You have spent a lot of time, not just in your role as a CISO, but in general, on the human element of cybersecurity. We’ve heard a lot of differing thoughts from our guests, and that’s the best thing. We’re not setting up on any particular angle of the notion of humanity involving cybersecurity but when we talk about the fleshy bits, where do you fall on the spectrum? Are we more of the problem? Or are we more of the solution? Where do we fall in the bell curve of people working to make things more secure?
If it wasn’t for people, we wouldn’t have these cool problems to work on, and that’s the bottom line. There are some things that come up in cybersecurity like a hurricane or an earthquake, which are not people made. They might be people exacerbated, but not people made. These days, I don’t hear people talking very much about hurricanes and earthquakes as top threats. I hear people talking about cybercriminals and insiders.
Compared to where we were many years ago, the human element is such a stronger theme in this space. To take this even one step further, I worked at two very distinct problem spaces. I would say that they’re both very people-driven problem spaces. Let me take a moment and give you a thumbnail sketch of these two problem spaces that I work in. The one that I’ve worked in for the longest time is the chasm between IT leaders and the rest of the C-suite.
Specifically, I focus on the chief financial officer because that’s the person that holds the purse strings. When an information person is trying to get their program funded, if they don’t speak the language of a CFO, they’re not going to have a great time. It’s not going to work very well. It’s not only about funding. It’s about fostering an ongoing conversation about what is our cyber risk, what are our top issues, and what are we going to do about them.
Since cyber is a dynamic thing, that conversation has to be going on all the time because the threats always change. That’s one problem space and it’s all people related. It’s about one person trying to talk to another person and having a conversation. The second problem space that I work in is conceptually the same. You’ve got people out there who want to hire other people like cybersecurity hiring managers.
They have openings on their team. They would love to find a wonderful person or 3, 10, or 20 to put on their teams to get stuff done. On the other side of this communication chasm, this other problem space, you’ve got people who desperately want to work in cyber but they’re struggling because they can’t connect with these hiring managers. I work in that problem space as well. That’s why I have two podcasts. I have one for each problem space. The big takeaway from this little monologue that I’m doing here is it’s all people driven.
You put two words together and that blew my mind. Communication chasm is an incredible descriptor of what the whole thing is. How do we bridge that gap? How do we get from both of the things that you do? How do we get people who are good at solving problems but maybe not trained in this thing into a place where they can help solve the problems? How do we also communicate the notion that we can get anybody in here who’s good at doing things in order to fix this thing? How do we bridge the chasm?
The way you bridge the chasm is a little different in each of these problem spaces but you’re building a bridge in both areas. You’re trying to build a bridge so people can meet each other. In some cases, you have to build a bridge so that one party can go to the other side of the chasm and meet the other party. When I think about an InfoSec leader or a cybersecurity leader, I see them as building a bridge to cross this chasm to talk to the CFO.
I don’t see the CFO often trying to go in the other direction, although it sometimes happens. I think the burden is on the tech or the cybersecurity leader. The bridge, on the other hand, is something that I think cybersecurity hiring managers need to take more responsibility for building because they are in the catbird seat. They have all the power. The power distribution between a job seeker and a hiring manager is that the hiring manager has way more power. They have way more resources.
What happened there is I started helping people who wanted to get cybersecurity jobs. After two years of helping them along the way, a light bulb went on and I was like, “Hiring managers are their own worst enemy and they are shooting themselves in the foot left and right making these mistakes. Now I have to do something to help them because there are all these people trying to build a bridge to connect with them and say, ‘Hire me. I want to produce great results with you,’ but then these hiring managers either weren’t paying attention or it wasn’t clear how to connect with them. The job descriptions were awful, and so on.”
In both cases, I think it’s about building a bridge and I think we have to think about who’s the primary bridge builder in each one of those problem spaces and how we are going to get across that chasm. My podcasts are both designed to help communicate to each side of each chasm. In the Cyber Risk Management Podcast, I’m talking to business leaders as well as InfoSec leaders. In Your Cyber Path Podcast, I’m talking to both people who want to get hired as well as people who want to hire.
I’m trying to create a common vocabulary and that’s what my book is meant to do. It is to create a vocabulary that both of us can share because that’s one of the things I think is common in both problem spaces. You got people on each side of this chasm and they’re both talking different languages. They don’t know how to talk to each other.
You have authored a bestselling book. You are a host of two industry-leading podcasts but you are also a straight-up CISO. You’ve got your fingers down in the dirt, in the mud, and in the blood of all this stuff that’s going on. When we look back over the last several years, the impact of everybody going home and now being recalled back to work. Your thing has always been about cyber hygiene.
Have you witnessed any type of behavioral change from when you got to get up and, whether you go to your home office, sit in your kitchen, your bedroom, or wherever you do it, and now, having to go back and put long pants on and a collared shirt and go back in there? Talking about bridging the chasm as you are bringing people into the office, have things changed in 1) notable, and 2) quantifiable ways that CISOs need to be considering?
I think there’s been a lot of understanding about how our job as chief information security officers changed when we stopped all working in the same buildings. That’s been well discussed and it’s pretty well understood at this point. To put a thumbnail sketch on it, you’ve got people shifting from working in a protected local area network to working in a highly distributed wide area network with almost none of the benefits of being on a highly architected and protected LAN.
That’s the shift that got us into the situation. Now, what’s the shift of returning going to look like? I think that is still an open question to be answered. The reason why I say that is because some companies are never coming back to work in the office. I was stunned. There was an insurance company and insurance companies tend to be pretty stodgy places to work, old school and very relationship driven. They generally want people to be in a common work area.
It was about 9 or 12 months into the quarantines, they said, “We love remote. We didn’t realize how great it was. We’re closing all our call centers and we’re going to go fully remote.” They’re never coming back. That’s their intention and I’ve never seen any words to the contrary. For them, there isn’t going to be another change. There will not be another paradigm shift.
You’ve also got people who are struggling to bring people back 3 or 2 days a week, whatever. They have now figured out, “How do I adequately protect people in both of these environments?” There’s a small percentage of companies where they’re trying to go back to five days a week in the office and I don’t know how successful that’s going to be. There’s so much reticence from the majority portions of the workforce.
I think of Goldman Sachs. The poor guy running Goldman Sachs has been beating the drum for months now. Everybody is going to come back to the office and he’s not making any progress at all. You got to wonder, “The CEO of Goldman Sachs cannot get his workforce back into the office in Manhattan. What hope does anybody else have?” It’s because if you’re Goldman, you can throw as much money at that as you want. You have all the resources to get these people back, it requires people to come back, and he’s not doing a good job of it. I don’t know that we’re going to see another massive paradigm shift.
Can we agree that you don’t want to call the CEO of Goldman Sachs that poor guy?
He comes off that way right now because he’s been out there beating this drum for so long. In my mind, I see him as getting sweaty and hoarse in the mouth because he keeps trying to get people to come back and they’re not doing it. What else would you say? “Stop playing the drum dude.”
What about the unfortunate as opposed to ‘poor?’ I’m not sure if that’s the right word.
If you want to pick on word choice, that’s fine. I’m not trying to disrespect the guy. I’m trying to observe that. I would expect that a person with as much power and resources as he has, I think it’s a bellwether to observe how successful he’s being. I don’t think he’s being that successful at getting everybody to return to the office.
It’s a really interesting point because we’ve seen some major retailers and entertainment companies publicly announce it’s time to come back. I was going to say not everybody, but it’s more like almost nobody is saying, “Let’s go back to the office and put suits on again.” This creates something very interesting for the CISO and the larger organization that he or she has to run and steer.
We’re leaning into not only bringing people back but also hiring new people. We’ve beaten the whole skills gap thing to death, but given the work that you have done as a teacher, as a CISO, and as an author focusing on hygiene, how hard is it to not just onboard? I feel like that’s probably something that’s been spoken to death too. However, how hard is it to build a security culture when you don’t have that Tuesday 10:00 AM meeting with the team and roll through everything in a way where everybody’s sitting around drinking coffee, eating bagels, and ready to go?
I don’t think it’s as tough as people imagine it is and I’ll tell you why. I’ll use my company as an example. We launched in June 2015 and we’re still here, which is wonderful. We are a remote-only company. I have never had an office. I’ve got six full-time people who work for me and support our customers. What I’ve told them is whenever the subjects come up, I’ve said, “Whenever there’s a compelling business case for us to have a shared physical space, I’ll do it,” but I haven’t heard one yet. Nobody’s brought me a truly compelling business case to be in a shared space.
I said, “I have never had a customer ask me to come and meet in my office. It’s never happened. I’ve never seen us as a team be unable to produce something that a customer needed or that we needed without being physically together.” We have met up in person at different times to enhance our connection with each other but it’s not required. I don’t think so. If I had hired a raging extrovert because I don’t know that I have any of those on my team, that person would probably struggle.
A cybersecurity team can produce whatever a customer needs even without being physically together.
I did have a person on my team a few years ago and he’s gone on to do other things. I remember he was disappointed that I said, “Unless a compelling business case comes up, I’m not going to pay for a shared physical space for us.” For him, it was disappointing because he’s wired as the kind of person where being physically present with another person is a really important part of the bonding experience for him. I respect that, but he’s the only person in eight years where I have felt he was suffering at all because we weren’t in a physical shared space.
We did other things to help him with that. What we do is we have a daily standup at 11:00 AM Pacific Time. We get together and we go from one person to the next. The question I ask everybody is, “What is it that we all need to know about what you’re doing now and how can we help you?” That’s the prompt. We’re inviting people to connect in a psychologically safe space and that seems to work for us.
I’m using myself as an example here. Your question though was, how do you build a culture where people will practice good cyber hygiene? First of all, you’ve got to be focused on being intentional about the culture you want to build. If you let a culture come together slap-dash, I don’t know, but if you could be intentional about it.
Tony Hsieh wrote a book about starting Zappos and in that book, he talked about his first startup. He left it partially out of disgust because the dominant culture was awful. He realized as a company leader that it was his responsibility for the company culture being what it was, good, bad, or otherwise. When he started Zappos, he was extremely intentional about how that culture was going to be put together and what its priorities were going to be. If you’re going to talk about a cybersecurity culture, you have to be intentional. I think you can do it whether you’re remote first, hybrid, or old school and you’re working together in a shared physical space.
There are so many different routes we can travel with that answer. As you are onboarding new people and looking at this, if I’m retreading some of the answers you said, you can tell me to go bleep myself, but have you noticed a difference in working with people coming into the new company now compared to before where we’ve all been home?
We’ve all been wearing soft and comfortable clothing, which can’t be understated. The notion of stuff you have to wear to work is not as comfortable. You tend to sit up a little straighter and wear different shoes with your feet flat on the floor. As far as the human element of what could possibly lead to risk, are there weird things that CISOs need to consider, or am I getting way down in the weeds on this stuff?
I’ll repeat one thing, which is culture is cyber hygiene and cyber hygiene is culture. There are some things that need to be done that I think are not as deeply connected to where you work as the fact that it needs to be done at all. For example, I talk with my customers all the time about the tone at the top. If the senior most decision makers are not setting the tone that cyber hygiene is an absolute requirement, it’s table stakes to be in the organization.
If they’re not doing that, it doesn’t matter where you work or what you wear. It’s not going to be a thing that people are going to care about. I’m working with a customer that we’ve had for years. They’re a professional sports team and they’re rolling out an information policy for their organization, mostly for the back office. This is something that we’ve had to talk about at length.
They wanted to build a video that they could show to everybody and that they could show to new employees during new employee orientation. I said, “If it were me, this is what I would do.” Fortunately, they did what I asked them to do. One of the things I asked them to do is I said, “I want 30 to 60 seconds interspersed in this video. It’s going to be a 30-minute video. Every ten minutes and also at the beginning and the end, I want the senior decision maker from the organization to be in the video. I want to see their faces and say something about why they think cyber hygiene is important.” That’s all I need them to do for the video.
Part of the other thing that we did in order to tune their culture is we said, “We want the person who is talking to individual contributors about the info security policy to be the direct supervisor.” They’re like, “Why is that?” I said, “Because if a direct supervisor tells you, the person whose performance review is going to get written by them, that this is important, you’ll do it.” If you go to your supervisor and say, “I watched this crazy video about cyber hygiene. Is that a thing?” The supervisor goes, “It’s just another thing. Don’t worry about it. Just get your work done.”
That’s where the rubber meets the road on cyber hygiene. Does the direct supervisor prioritize it or not? It’s because that’s all the individual contributors are going to pay attention to at the end of the day. We made sure that was something that was built into the rollout, the operationalization of this policy. They were a very be-in-the-building face-to-face-driven culture. They went through the pandemic and they’re never going back to 100% in the office is what they’ve decided.
People pay attention to what their direct supervisor prioritizes. This is where the rubber meets the road on cyber hygiene.
The benefits for the people who can handle hybrid work are tremendous for them. The quality of life and the flexibility they have found that it enhances the productivity of their workforce so it makes sense. This whole approach that we’ve designed with them assumes that it’s hybrid from now on. I hope that these thoughts are answering your questions.
Sometimes I’d throw things out there hoping that the guest is going to hit a 570-foot home run, which you did. Also, I would like to laud you copiously. I believe you were the one who coined the phrase “wash your digital hands to avoid cyber cooties.” Cyber hygiene has been a pillar for you for a long time. Again, the book, Fire Doesn’t Innovate is available at all of your finest booksellers. It’s been a few years. What have you witnessed in the evolution of cyber hygiene? Are we getting better or are we getting worse? Is it staying the same or anywhere in between?
I wrote the manuscript in the summer of 2018. It was published in January 2019 and it’s now February ‘23. That manuscript’s potentially long in the tooth. It’s been on my mind lately that I need to revise the book. I’ve been flipping through it lately. I’ve been asking people who’ve read it and the dominant feedback that I get is that the cases that you use are stale because I tell a lot of stories in there about people and organizations that have gotten hurt.
I use a lot of analogies and metaphors. The dominant feedback is that I need to update the stories that I tell. Other than that, in terms of good cyber hygiene practices and the facts of the situation, I’m not hearing anybody tell me that the facts have become stale. It’s the stories that have become stale. So far, what I’m focused on is upgrading the stories.
However, I will tell you that there is one thing going on right now, which I think is fact-related and I intend to address in the next edition of my book, and that’s multifactor authentication. The fact is that we thought for over ten years now that MFA was a bit of a silver bullet. That if you turned on MFA, nobody could get you. We talked about different things like, “What if they do a SIM jacking on you and now they can get all your SMS codes?” That’s an issue. Use an authenticator app and then you’ll be fine. That’s bulletproof.
What we’re seeing now is that because MFA has become so pervasive, it’s being directly attacked. One of the common attacks now is stealing session cookies. When you log onto a website and you check the box that says, “Don’t MFA me for another 30 days,” the site drops a cookie on your computer. When you go back there, it reads the cookie and it goes, “Kip has been here before and he MFA’d fourteen days ago. We’re going to let him right in.”
Now, the criminals are stealing those cookies from us, and they’re running around the countryside with our MFA-enabled credentials and they’re having a field day. The point about cyber hygiene that I want to make with this is there’s no such thing as a set-it-and-forget-it piece of cyber hygiene. We’ve got to continue to evolve what we are doing as we’re washing our digital hands because we didn’t need antibacterial soap. We just needed soap and now, all of a sudden, we need antibacterial soap.
In the future, who knows? We’ll need some different types of soap. These days, you can get ultraviolet rays in the restroom to sterilize your hands. There’s a digital equivalent of that. People need to realize that MFA is not the silver bullet that we thought. It was great for a while, but now we’re going to have to start transitioning to hard keys like FIDO keys, YubiKey, and that sort of thing. I think that’s where authentication is headed. People talk about passwordless. Maybe, but hard keys are where a lot of people are going to end up going. That’s what’s changed with good cyber hygiene. Some of the specific practices are now getting actively attacked and we need to do something about it.
I love the analogy, “We didn’t need antibacterial soap and now we do.” It’s a great comparison. Leading to the notion of going back to hard keys, I still have probably a twelve-year-old key from RSA from when I worked for an unnamed cybersecurity company a few years ago but they were yellow and you probably know who I’m talking about. We didn’t need it, but now we do. Do we need this now because we got too weird about stuff? We built these things up. I am giving my music analogy here. Are we returning to vinyl and acoustic because it “sounds” better? Is that a shift? Does that analogy work for you?
It does. In the 2000s, they did a reboot of Battlestar Galactica. Have you ever watched that?
It was one of the greatest shows ever made. Yes. Please keep talking.
If anybody out there hasn’t watched the reboot of Battlestar Galactica, I’m sorry, but you’re going to have to go at least read up on it a little bit to understand this maybe. There was something in there that I think is instructive to what you are talking about which is, when the Cylons raided and decimated the human race in this show, there was one Battlestar, one human space battleship that survived. The reason it survived is that it was so antiquated. It was flying around. It was a showpiece, but it was so antiquated that it wasn’t fully digitally connected to the rest of the military command and control system.
When the Cylons defeated humanity by taking over its defense grid, and I’m just using the Hollywood there, this one space battleship was completely unaffected and couldn’t be attacked because it was so retro that it didn’t have the systems that could be exploited in the way the more modern stuff was. We think there’s safety in the old ways.
It’s such a great point because their connection was all wired communications.
No wireless and no connection back to the home world. I’m helping a customer right now that is migrating its audiovisual system in this giant building from analog to digital. They’re going to build two more IP networks and every audio stream and every video stream is going to be moved over IP. They’re going to abandon all the analog. The amount of cybersecurity engineering and architecture that we have to do in order to provide a commensurate level of security on an IP network that was inherent in an analog network is stunning.
This is an old guy yelling at cloud stuff, but I think it’s a question that’s worth asking. To say moving to the cloud, hasn’t everyone moved to the cloud? We’re all there. It takes so much out of your hands as to what you can do. With your CISO hat on, but also looking at humanity from the different perspectives that you’ve had the great fortune to create and to do, how do you balance those two things? It’s because there’s so much that’s out of your control but there are so many strategies and approaches that you can influence when it comes to the people who do the things that eventually leave the control of the organization.
First of all, I don’t think the cloud is the devil, just to be clear. I think the cloud providers are marketing cloud in a way that doesn’t give the people who are purchasing cloud the full picture of their security responsibility. The marketing machines out there are implying that if you come to the cloud, you’ll be secure. There’s a lot of security potential for the cloud, but it comes back to the shared responsibility model.
Oddly enough, all these cloud providers will show you and describe the shared responsibility model for security, but none of it shows up in their marketing materials. People get in and they don’t realize that you’ve got to put just as much effort into securing your cloud as you did with your on-prem. It’s just that it looks different. You’re going to use different tools and different interfaces and there’s some stuff in your security stack that you don’t have to deal with anymore like the locks, guards, CCTV, and all that because that’s all taken care of. However, you still have to secure your file shares.
That’s not different. That’s still the same. I’ll tell you what is different though, and what makes it even more urgent that you do it is that when you create a file share on the LAN in the on-prem old world, first of all, generally, a trained systems administrator made that share and they knew how to set the permissions on them to be correct. If they didn’t get that, the scope of the damage was limited to who could get on your LAN.
These days, if I share the same data in a cloud provider, a normal person or a non-IT administrator sharing that data has never been trained how to do that securely, and most of them turn on the file share and immediately dial down all the permissions because permissions are a pain in the ass to troubleshoot and you don’t even know how they work. You want to share something with somebody and get stuff done. That’s a problem.
The other problem is you’re not limited to who’s on your local area network. Now the entire internet can find out that you shared something and you didn’t do a good job of setting the permissions. The scope of your exposure is so much greater and the training of the person making the file share is in the dumpster compared to the way it used to be.
It’s the same problem, but we don’t see it for what it is. We don’t understand how much bigger the stakes are. If you’ve ever seen that statistic from Gartner, they say 99% of all cloud data breaches are going to be the responsibility of the cloud user and not the cloud provider because they don’t understand how they’re supposed to use that cloud stack securely.
That’s a great segue. We talk about these conversations before we get on here even though we pretty much pull out the outline question number one. You have spent a large amount of time helping and inspiring people to evolve in their career path, vocation, avocation, and realize that cybersecurity is not so esoteric that they can’t get into it.
From what you’ve witnessed over the years, as we bring differently-minded thinkers into this, what are the gains? What are the risks of having new people in there? Exactly what you were alluding to, people may not know how to do this because they didn’t do that, but what they’re good at is this thing that we desperately need.
Something that’s going on these days that I like is the focus on diversity. However, it’s been a very politicized thing. DEI, Diversity, Equity, and Inclusion, have been very politicized by some people. I am choosing to not politicize it because there’s a gold nugget in there. This is why I encourage people. I particularly talked to cybersecurity hiring managers about this. If I could, I’ll make one other plug.
When I was working in the communications chasm around people trying to get into cybersecurity, when I finally realized that hiring managers were their own worst enemy, I went, “I got to build something for them,” because I couldn’t do something for them. I raised a team. I found 50 cybersecurity hiring managers, experienced ones, and we built an open-source project called the Cybersecurity Hiring Manager Handbook. It’s out there on GitHub. If you’re a job hunter, you should be reading it too because it’s the owner’s manual for hiring managers. We also published it on Netlify. If you don’t like reading markdown files, you’re going to want to read it on Netlify.
What I had to tell hiring managers is to sweep away the politicized conversation about DEI and what I want you to focus on is the diversity of thought as a tool for your team. Bring people in who think differently than you think. Don’t hire clones. If my team was full of Kip clones, we wouldn’t do very well because I have a lot of weak points in my leadership style. There are things that I should be thinking about that I generally don’t. I like to have a team that is diverse from a thinking perspective and not from a “what color is their skin” perspective. I think that’s where politicization comes in.
As an example, I’m a Gen X-er. On my team, I’ve got a Baby Boomer, a Millennial, a Gen Z, and myself. I’ll tell you, that’s the diversity of thought right there. That’s one way that I’m doing diversity and I’m bringing in people who are talented. In other words, I’m bringing in people who bring in the skills I value that cannot be taught. How can you teach somebody curiosity? Isn’t curiosity a cornerstone for this whole career field? If you’re not curious, you’re never going to go out there and learn the new stuff you need to learn.
I look for people who are curious. I look for people who are people-oriented because I can’t teach people orientation. If I can find people who have these skills that cannot be taught and they have an aptitude for the job because there are people out there who I think would love to have a particular position, but they have no aptitude for the work. I can’t bring them on board. I do some screening in the hiring process to make sure that they have the aptitude.
I think that is a major opportunity for hiring managers in the future for bridging this skills gap if you want to put it in that language. It’s going out there and finding people who have those skills that cannot be taught but are highly valued. Bring them in. Make sure they have the aptitude before you bring them in and teach them what you want them to know.
I’ve got all this in the Cybersecurity Hiring Manager Handbook, and I teach a course at Wild West Hackin’ Fest on the Hiring Manager Handbook. I also go beyond that. I tell hiring managers why they need a strong team and how the handbook helps them build a strong team. Once they have a strong team, what opportunities open up for them that they couldn’t take advantage of if they didn’t have a strong team?
Also, setting them up for success as internal influencers in their organizations. What does that look like and how do you know when you’re doing a good job? How do you know when you’re not doing a good job? What are the tools and techniques for building a platform that you can stand on to be an internal influencer? Also, you don’t need an Instagram account in case anybody is wondering.
I love how you jumped right ahead to shameless plugs to get all that in there, which we’re going to get back to. Also, a team full of Kip clones. I’m all in for it. It would be the most uplifting and positive vibe thing I can imagine. I’ve been asking this question on a lot of shows. Some of this might be a little bit dated, but we are rolling into the big shows. South by Southwest is coming up, RSA and HIMSS. We’re going to move into the Hacker Summer Camp. How are you feeling about the industry right now? Any of these shows that you go to, companies that you talk to, or any of that sort of thing, how do you feel? That’s a very specific scientific question.
I don’t tend to go to any of these shows to be honest about it, because I don’t feel like my time is best spent talking in echo chambers. That’s what these shows have become for me now. When I was first on the scene and I was only a few years into the career field, I went to all these shows because I didn’t know anything.
We physically met in person at RSA.
My first RSA conference was I think in 1998 or 1999. I’ve gone to DEF CON and Black Hat. I’ve gone to all this stuff but I’ve gotten to a point in my career where that’s not where I need to be. The problem that I have with them is beyond it’s not what Kip needs. It’s that the narrative on most of these conferences is being driven by the folks who are paying money to stand on the platforms.
In other words, we don’t have a lot of thought leaders in these places. What we have is people who spend money to be on a platform. God bless them, but most of their talks are awful. I don’t know what people are learning from them. They’re up there talking about how great their product is. I don’t find that to be the most helpful way for me to spend my time.
Tell us how you feel. Don’t pull any punches on me.
I have some frustration about that and I’ll tell you where the frustration came from. One part of the frustration came from the fact that after a while, I realized that a lot of the people that I was listening to were paid. I thought, “If this person didn’t work for giant Company X, would this person be on the stage as a thought leader?” No, they wouldn’t. They would never be invited to the stage as a thought leader. The only reason they’re on that stage is because their company is a sponsor of the conference and therefore they get the right to be on the stage.
That’s not what I need at this point in my career. Also, my ideal customer is a CFO who has a sophisticated risk management approach. It’s not all CFOs. I’m frustrated by the fact that the buyers of cybersecurity solutions are being led around by the nose by all of the people who are spending gobs and gobs of money on marketing. I’ve seen my customers waste hundreds if not millions of dollars on solutions that did not address their top issues.
I get frustrated by that. I’m a little jaded by the pay-to-play nature of these conferences. When I first started going to these conferences, they had more of an academic bent. It’s like, “You wrote a paper. You responded to the call for papers and your paper was selected based on the merit of your ideas.” You don’t see that much anymore. You’ll see it in maybe BSides, which I love. I love BSides.
You’ll see it at other conferences. This is one of the reasons why I like to talk at Wild West Hackin’ Fest because it’s more of a meritocracy. The people on stage are like me. I’m a practitioner who teaches. That’s what I do. I go out and I do work. People pay me. I think about what I did, and then I turn around and I teach other people what I learned. Those are the kind of people I want to be around.
Shout out to BSides. Any big retail show, there’s going to be BSides that week. Whether it’s Vegas, San Francisco, London, Dubai, or wherever you go, they’re going to be there.
That’s where the good stuff is.
Let’s do a little bit of a shift there too when you’re talking about the things that fire you up because we are creeping up on time. Let’s go to the Leadership Corner. You and I have done enough of these things that I could leave this question open. What do you do when you’re not doing this?
I just bought a course on Udemy about ChatGPT.
This is you doing this. This is, “I don’t want to hear about that.” It’s when you’re outside, when there’s grass under your feet.
First of all, you must know this about me, Matt. I’m an infinite learner. This is what I love to do. I love to learn. I’m the weird, nerdy kid that loved going to school. I did and I cannot stop learning. I love it. I’m learning about ChatGPT because I’m genuinely interested in it but when I’m not sitting at a computer, what do I love to do? I love to be in the woods. I love to hike. It’s called rucking. I don’t know if you’ve ever heard of that.
Rucking is when you put dead weight in your backpack and you go out for a hike. I got rocks in a backpack and I go out and I hike as a form of exercise. I love being in the woods and doing that. It’s phenomenal. The smell of the Earth, the leaves, and whatever. It’s fantastic. I’m rowing now. I bought a rowing machine. This is the Tesla of rowing machines. This is a Peloton. It doesn’t hit anybody. I didn’t want a Peloton bike and I didn’t want the Peloton treadmill, but the rowing machine is out now. I bought that and I love it. It’s great. I’m rowing and rucking. That’s what I do.
What are you listening to? What’s on your Spotify playlist? Don’t tell me that it’s some Malcolm Gladwell thing, because I know that’s on there. Is there a horrific new metal? Do you like K-Pop? What gets you jumping up and down?
What am I listening to? Would you believe me if I said I listened to audiobooks when I’m rowing and rucking?
I would not be shocked.
There’s a great book I’m listening to right now. It’s called Project Hail Mary. It’s by Andy Weir. It’s amazing. I love listening to it because the guy does all the voices. It’s like a bedtime story. It’s fantastic. He’s the guy I think who wrote The Martian.
Done and dusted. You had me at The Martian.
Another series that I listened to is We Are Legion (We Are Bob). It’s by Dennis Taylor. It’s a four-book series. I’ve listened to that lately and it’s fantastic. Do you want to hear a crazy nerdy book that I listened to? It’s The Rise and Fall of the Third Reich. If you want to understand what’s going on in Vladimir Putin’s Russia, read that book. It’s the blueprint for what he’s up to right now.
This is why I’m embarrassed it took this long to get Kip on the show because we could probably do an hour talking about all of this stuff. You’ve been good at it throughout the thing. I’ve done some of it for you as well but Shameless Plugs. What are you doing? Where are you going? What’s happening? The book, the company, podcasts, and all the things. Where is it going?
This year I’m going to be at Wild West Hackin’ Fest. I’m going back to Deadwood. 2022 was my first year at Deadwood. Wherever they have Way West, I’m going to do that this year. I’ve got a course coming up with them called How to Be Irresistible to Hiring Managers As Told by a Hiring Manager. It doesn’t matter where you are in your career. If you want to change jobs, you want to go to this course of mine. I’m going to teach another course on the Hiring Manager Handbook. I’m releasing a new course on Udemy, which is How to be Irresistible to Hiring Managers, but as more of a standalone pre-recorded video course as opposed to the one that I teach live. You can decide which way you want to consume that content and more podcast episodes.
What are they called? It’s Shameless Plug time.
It’s the Cyber Risk Management Podcast. My co-host is Jake Bernstein, a cybersecurity and privacy attorney at K&L Gates. Also, Your Cyber Path. My co-host is Jason Dion of Dion Training. I think he’s coming up on a million students taught on Udemy. There is A+, Security+, CEH, or whatever it is you want to get certified in. Jason’s pretty much got a course for you.
We’re gonna be doing more podcasts and the events that I’m gonna be at. Here’s a special for your listeners. If you want a copy of my book, Fire Doesn’t Innovate, all you have to do is drop me a note. You can send me a note at Kip@CyberRiskOpportunities.com. I will send you the PDF version for free and I’ll even give you an Audible version or a Kindle version if you can’t stand looking at a PDF. That’s for your audience, for inviting me on.
On behalf of all of the Friendly Firers out there, we appreciate that. I can speak to this. In a previous incarnation of a show that I did somewhere else, we had Kip on the show. Somebody inside my company reached out to me a couple of months later and said that he was so inspired by listening to Kip that he started doing all of the coursework and moved from finance to cybersecurity 100% driven by what he had learned from Kip. We then had him on the show with Kip to talk about the way that you changed his life.
I personally observed that this has happened but that is it for now. We have run over time. Kip, as always, thank you. You are brilliant. I appreciate the time. Readers, go everywhere Kip told you to go. He didn’t even give you the website. This is how humble my man is. That’s it for this episode. Thank you for joining us. A friendly reminder that all comments reflect the personal opinions of the participant, not necessarily those of their employers or organizations.
Good news on this one, Kip owns his, so take that for what it’s worth. For more information that’s good in the world of cybersecurity, make sure that you check us out, Elevate Security. You can find us on LinkedIn and Facebook, and the mothership, ElevateSecurity.com. You can find me @PackMatt73 across all the socials. Kip, is there any social anymore, or is everything so disgusting you don’t even play with it?
I’m on LinkedIn. That is where I live.
It’s Kip Boyle.
I’m the only Kip Boyle on the whole platform.
We talked about what a roomful of Kip clones would be like. There could be more of you out there. We don’t know.
That could lead to desolation.
All we ask is to subscribe, rate, and review. You can find us on all of the platforms where you get your show. As long as you come to check us out, you will never miss all the great folks who are coming in to try to make the world a better place. It’s not that much, is it? Until then, we will see you next time.
See you next time.
Important Links
- Cyber Risk Opportunities
- Your Cyber Path Podcast
- Cyber Risk Management Podcast
- Fire Doesn’t Innovate
- Netlify – Cybersecurity Hiring Manager Handbook
- South by Southwest
- RSA
- HIMSS
- DEF CON
- Black Hat
- ChatGPT
- Project Hail Mary
- The Martian
- We Are Legion (We Are Bob)
- The Rise and Fall of the Third Reich
- Deadwood
- Way West
- Dion Training
- CEH
- Kip@CyberRiskOpportunities.com
- LinkedIn – Elevate Security
- Facebook – Elevate Security
- @PackMatt73 – Instagram
- Kip Boyle – LinkedIn
About Kip Boyle
Kip Boyle is a husband, dad, entrepreneur, and experienced cyber risk manager. He founded Cyber Risk Opportunities LLC in 2015 after 7 years as the CISO of PEMCO Insurance in Seattle. As a captain on active duty in the US Air Force, he served in the Combat Archer and F-22 Stealth Fighter programs, where he was the director of enterprise network security. These days, he serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals.