1
00:00:31,239 --> 00:00:33,280
Speaker 1: It always comes down to can I have a meaningful

2
00:00:33,320 --> 00:00:36,240
business discussion to talk about the risk. What's the risk

3
00:00:36,280 --> 00:00:38,079
that we're facing, how can we reduce that risk? And

4
00:00:38,119 --> 00:00:40,600
can we actually pull this off with the resources that

5
00:00:40,640 --> 00:00:40,920
we have.

6
00:00:45,520 --> 00:00:49,600
Speaker 2: Hey, everyone, and welcome to the Industrial Security Podcast. My

7
00:00:49,679 --> 00:00:52,840
name is Nate Nelson. I'm here as usual with Andrew Ginter,

8
00:00:53,200 --> 00:00:57,920
the vice president of Industrial Security at Waterfall Security Solutions,

9
00:00:58,159 --> 00:01:02,159
who's going to introduce the subject guest of our show today. Andrew,

10
00:01:02,320 --> 00:01:02,799
how's it going?

11
00:01:03,399 --> 00:01:05,959
Speaker 3: I'm very well, thank you, Nate. Our guest today is

12
00:01:06,040 --> 00:01:10,280
Tim McCreight. He is the CEO and founder of Tailcraft Security,

13
00:01:10,319 --> 00:01:13,879
and his topic is the book that he's working on.

14
00:01:13,959 --> 00:01:19,159
The working title is We Don't Sign Shit, which is

15
00:01:19,200 --> 00:01:22,640
a bit of a controversial title, but he's talking about risk,

16
00:01:22,920 --> 00:01:26,560
lots of technical detail, lots of examples, talking about who

17
00:01:26,640 --> 00:01:30,680
should really be making high level decisions about risk in

18
00:01:30,719 --> 00:01:31,599
an organization.

19
00:01:32,840 --> 00:01:39,480
Speaker 2: Then, without further ado, here's your conversation with Tim.

20
00:01:39,760 --> 00:01:41,959
Speaker 1: Hi, folks, my name is Tim McCreight. I'm the CEO

21
00:01:42,079 --> 00:01:45,719
and founder of Tailcraft Security. This is year forty four

22
00:01:45,959 --> 00:01:49,079
now in the security industry. I started my career in

23
00:01:49,159 --> 00:01:51,359
nineteen eighty one when I got out of the military,

24
00:01:51,879 --> 00:01:54,560
desperately needed a job and took a role as a

25
00:01:54,560 --> 00:01:58,719
security officer in a hotel in downtown Winnipeg, Manitoba. Shortly after,

26
00:01:58,959 --> 00:02:01,159
I was moved into the chief security officer role for

27
00:02:01,280 --> 00:02:04,560
that hotel and others and had an opportunity to move

28
00:02:04,599 --> 00:02:07,040
into security as a career path, and I haven't looked back.

29
00:02:07,640 --> 00:02:10,400
I decided I also wanted to learn more about cyber

30
00:02:10,520 --> 00:02:14,759
security, holy smokes, ninety eight, ninety nine, took myself out

31
00:02:14,759 --> 00:02:17,240
of the workforce for two years, learned as much as I

32
00:02:17,240 --> 00:02:20,400
could about information systems, and then came back for the

33
00:02:20,439 --> 00:02:22,719
latter part of my career. And I've held roles as

34
00:02:22,719 --> 00:02:25,719
a chief information security officer in a number of organizations.

35
00:02:26,159 --> 00:02:28,039
So I've had the pleasure and the honor of being

36
00:02:28,080 --> 00:02:30,759
both in physical and cyber security for the past forty

37
00:02:30,800 --> 00:02:31,560
some years.

38
00:02:32,199 --> 00:02:33,560
Speaker 3: And tell me about Tailcraft.

39
00:02:34,479 --> 00:02:37,840
Speaker 1: It's a boutique firm that two of our lines. Our

40
00:02:37,879 --> 00:02:40,120
first line is that it's new skills from the old

41
00:02:40,199 --> 00:02:43,960
guard and we are here to help give back and grow.

42
00:02:44,120 --> 00:02:48,280
And it's our opportunity to provide services to clients focusing

43
00:02:48,319 --> 00:02:51,599
on a risk based approach to developing security programs. We

44
00:02:51,719 --> 00:02:54,759
teach security professionals how to tell their story and how

45
00:02:54,759 --> 00:02:58,240
to use the concepts of storytelling to present security risks

46
00:02:58,280 --> 00:03:01,400
and ideas to executives. And finally, we have a series

47
00:03:01,439 --> 00:03:04,599
of online courses through our Tailcraft University where you get

48
00:03:04,599 --> 00:03:07,080
a chance to learn more about the principles of ESRM

49
00:03:07,400 --> 00:03:09,199
and other skills that we're going to be adding to

50
00:03:09,520 --> 00:03:11,800
our repertoire of classes in the near future.

51
00:03:13,000 --> 00:03:16,800
Speaker 3: And our topic is your new book. You know, I'm

52
00:03:18,000 --> 00:03:23,240
I'm eagerly awaiting a look at the book. Can I

53
00:03:23,280 --> 00:03:25,039
ask you, you know, before we even get into the

54
00:03:25,800 --> 00:03:27,560
content of the book, how's it coming? When are we

55
00:03:27,560 --> 00:03:28,479
going to see this thing?

56
00:03:29,439 --> 00:03:33,599
Speaker 1: Yeah? Well, thank thank you for asking. I had great

57
00:03:33,800 --> 00:03:38,319
intentions to publish a book, hopefully this year. Unfortunately some

58
00:03:38,400 --> 00:03:41,960
things changed. Last year. I was laid off from a

59
00:03:42,039 --> 00:03:47,240
role that I had and I started Tailcraft Security. So sadly,

60
00:03:47,319 --> 00:03:50,159
my days have been absorbed by the work that it

61
00:03:50,199 --> 00:03:52,560
takes to stand up a business, get it up and running.

62
00:03:52,919 --> 00:03:56,080
And I hats off to all the entrepreneurs out there

63
00:03:56,120 --> 00:03:58,919
who do all of these things every day. I'm new

64
00:03:58,919 --> 00:04:01,400
to this, so understanding what you have to do to

65
00:04:01,479 --> 00:04:04,039
stand up a business, get it running to market it,

66
00:04:04,199 --> 00:04:07,039
to run the finances, et cetera. It has been like

67
00:04:07,120 --> 00:04:10,759
all consuming. So the book has unfortunately taken a bit

68
00:04:10,759 --> 00:04:13,599
of a backseat. But I've got some breathing room now,

69
00:04:13,680 --> 00:04:15,759
I've got into a bit of a rhythm. It's a

70
00:04:15,840 --> 00:04:17,720
chance for me to get back to the book and

71
00:04:17,759 --> 00:04:20,600
start working through it. And it's to me, it's appropriate.

72
00:04:20,639 --> 00:04:22,759
It's a really good time. If I'm following the arc

73
00:04:22,800 --> 00:04:25,160
of a story, this is the latter part of that

74
00:04:25,319 --> 00:04:27,160
story arc. So I get a chance to help fill

75
00:04:27,160 --> 00:04:29,959
in that last part of the story, my own personal story,

76
00:04:30,000 --> 00:04:31,439
and to put that into the book.

77
00:04:32,160 --> 00:04:34,879
Speaker 3: We have talked about the book in the past. Let

78
00:04:34,879 --> 00:04:38,319
me ask you again sort of big picture. You know,

79
00:04:38,519 --> 00:04:41,279
I'm focused on industrial cybersecurity. I saw a lot of

80
00:04:41,399 --> 00:04:44,720
value in the content you described us as being produced.

81
00:04:44,720 --> 00:04:47,839
But can you talk about, you know, how industrial is

82
00:04:47,879 --> 00:04:50,959
the book? What you know we're talking about risk, we're

83
00:04:50,959 --> 00:04:57,079
talking about about leadership. How how industrial does it get?

84
00:04:57,120 --> 00:04:59,000
I know, you do you do a podcast, you do

85
00:04:59,040 --> 00:05:02,720
Caffeinated Risk with Doug Leece, who's you know, a big

86
00:05:02,720 --> 00:05:06,720
contributor at Enbridge. He's deep industrial. How industrial are you?

87
00:05:06,800 --> 00:05:08,079
How industrial is this book?

88
00:05:09,120 --> 00:05:13,160
Speaker 1: It spans around forty years of my career and starting

89
00:05:13,240 --> 00:05:15,959
from you know, physical security roles that I had, but

90
00:05:16,079 --> 00:05:20,120
also dealing with the security requirements for telecommunications back in

91
00:05:20,120 --> 00:05:24,040
the eighties into the nineties, getting ready for and helping

92
00:05:24,160 --> 00:05:26,759
with the security planning for the Olympics in early two thousands,

93
00:05:27,439 --> 00:05:30,600
working into the cyber space and understanding the value of

94
00:05:30,959 --> 00:05:33,759
first information security, then it turned into cyber security, then

95
00:05:34,199 --> 00:05:36,480
focusing on the OT environment as well when I had

96
00:05:36,480 --> 00:05:38,920
a chance to work in critical infrastructure and oil and gas,

97
00:05:39,360 --> 00:05:42,160
and then finally, you know, the consistent message throughout the

98
00:05:42,160 --> 00:05:45,639
book is this concept of risk and that our world

99
00:05:45,759 --> 00:05:48,040
when we first, you know, when we first began this

100
00:05:48,160 --> 00:05:51,199
idea of industrial security back in the forties, bringing it

101
00:05:51,279 --> 00:05:52,600
up to where we need to be now from a

102
00:05:52,639 --> 00:05:57,079
professional perspective and how we view risk. I do touch

103
00:05:57,120 --> 00:05:59,399
and do speak a little bit about the worlds that

104
00:05:59,439 --> 00:06:01,959
I had a chance to work in from an industrial perspective.

105
00:06:02,319 --> 00:06:04,879
The overarching theme though, is really this concept of risk

106
00:06:05,079 --> 00:06:07,800
and how we need to continue to focus on risk

107
00:06:07,879 --> 00:06:10,560
regardless of the environment that we're in. And some of

108
00:06:10,600 --> 00:06:13,519
the interesting stories I had along the way, some of

109
00:06:13,560 --> 00:06:15,639
the honest to God, some of the mistakes I made

110
00:06:15,720 --> 00:06:18,439
along the way as well. I've I've learned more from

111
00:06:18,480 --> 00:06:21,519
mistakes than I have from successes and understanding the things

112
00:06:21,560 --> 00:06:23,480
that I needed to get better at throughout my career.

113
00:06:23,879 --> 00:06:25,519
I'm hoping that folks, when they do get a chance

114
00:06:25,519 --> 00:06:27,360
to read the book, that they recognize they don't need

115
00:06:27,360 --> 00:06:29,959
to spend forty some years to get better at their profession.

116
00:06:30,240 --> 00:06:32,360
You can do it in less time, and you can

117
00:06:32,399 --> 00:06:34,639
do it by focusing on risk regardless of whether you're

118
00:06:34,639 --> 00:06:36,600
in the IT, the OT or the physical space.

119
00:06:37,480 --> 00:06:40,000
Speaker 3: So there is some some industrial angle in there, but

120
00:06:40,040 --> 00:06:42,319
you know, like I said, industrial or not, I'm fascinated

121
00:06:42,360 --> 00:06:46,040
by the topic. I think we've you know, I've I've

122
00:06:46,319 --> 00:06:49,920
I've been beaten around the bush enough. The title that

123
00:06:50,160 --> 00:06:52,920
you know, the working title is is We Don't Sign Shit?

124
00:06:53,560 --> 00:06:56,360
What does that mean? Can you can you talk about?

125
00:06:56,480 --> 00:06:59,319
You know what we're what's in the book? What are

126
00:06:59,319 --> 00:06:59,920
you telling us?

127
00:07:01,240 --> 00:07:03,480
Speaker 1: Thanks for... Yeah. I came up with We Don't Sign

128
00:07:03,519 --> 00:07:05,759
Shit and it's I have a T shirt downstairs in

129
00:07:05,800 --> 00:07:09,199
my office so that I got from my team with

130
00:07:09,240 --> 00:07:11,360
an oil and gas company I worked with, and Doug

131
00:07:11,439 --> 00:07:14,160
Leece was in the team as well, and it really

132
00:07:14,240 --> 00:07:17,439
came down to this, the principle that for years, security

133
00:07:17,519 --> 00:07:20,800
was always asked to sign off on risk, or to

134
00:07:21,000 --> 00:07:23,720
accept it, or to endorse it, or my favorite, well,

135
00:07:23,759 --> 00:07:26,639
security signed off on it must be good. Wait a second,

136
00:07:27,040 --> 00:07:29,759
We never should have That never should have been our role.

137
00:07:29,879 --> 00:07:31,519
We never should have been put in a position where

138
00:07:31,560 --> 00:07:34,160
we had to accept risk on behalf of an organization,

139
00:07:34,199 --> 00:07:37,439
because that's not the role of security. Security's role is

140
00:07:37,480 --> 00:07:41,560
to identify the risk, identify mitigation strategies, and present it

141
00:07:41,639 --> 00:07:43,240
back to the executive so that they can make a

142
00:07:43,240 --> 00:07:46,160
business decision on the risk that we face. So in

143
00:07:46,199 --> 00:07:47,959
my first couple of weeks when I was at this

144
00:07:48,079 --> 00:07:51,199
oil and gas organization, we had a significant risk that

145
00:07:51,240 --> 00:07:53,079
came across my desk and it was a letter that

146
00:07:53,120 --> 00:07:54,079
I had to sign off on.

147
00:07:54,480 --> 00:07:54,560
Speaker 3: You.

148
00:07:54,680 --> 00:07:56,800
Speaker 1: A brand new staff member came in and said, hi Boss,

149
00:07:56,800 --> 00:07:58,879
I just needed to take a look at this. I'm like, Hi,

150
00:07:58,920 --> 00:08:01,800
who are you team to your work on? What's the

151
00:08:01,839 --> 00:08:04,360
project you're working on? When I read this letter, I'm like,

152
00:08:04,360 --> 00:08:07,160
are you serious that we're accepting a potential billion dollar

153
00:08:07,319 --> 00:08:11,120
risk on behalf of this organization? Why? And like, well,

154
00:08:11,160 --> 00:08:14,800
we always do this, not anymore? And we went upstairs.

155
00:08:14,959 --> 00:08:16,800
We got a hold of the right vice president to

156
00:08:16,800 --> 00:08:18,399
take a look at this, to address the risk and

157
00:08:18,439 --> 00:08:22,079
work through it. And as I continued to provide this

158
00:08:22,199 --> 00:08:24,360
type of coaching and training to the team there, I

159
00:08:24,439 --> 00:08:26,319
kept bringing up the same concept. Look, our job is

160
00:08:26,319 --> 00:08:28,360
not to sign shit. That's not what we're here for.

161
00:08:28,639 --> 00:08:31,000
We don't sign off on the risk. We identify what

162
00:08:31,040 --> 00:08:33,799
the risk is, the impacts of the organization, what the

163
00:08:33,840 --> 00:08:37,200
potential mitigation strategies are, and then and then we provide

164
00:08:37,240 --> 00:08:39,840
that to executives to make a business decision. So when

165
00:08:39,879 --> 00:08:41,960
I did leave the organization for another role, they took

166
00:08:42,000 --> 00:08:43,840
me out for lunch and I thought it was pretty cool.

167
00:08:43,840 --> 00:08:45,679
The whole team got together and they created this amazing

168
00:08:45,759 --> 00:08:47,720
T shirt and it's a team we don't sign shit.

169
00:08:48,120 --> 00:08:50,799
So it worked right, and that mindset still in place today.

170
00:08:50,919 --> 00:08:52,679
I have a chance to touch base with them often,

171
00:08:53,519 --> 00:08:55,440
ask how they're doing, and all of them said the

172
00:08:55,440 --> 00:08:57,639
same thing. They said, Yeah, it's that mindset is still

173
00:08:57,639 --> 00:09:00,000
there where they've embraced the idea that security is rules

174
00:09:00,200 --> 00:09:03,480
is to identify the risk and present opportunities to mitigate,

175
00:09:03,720 --> 00:09:05,919
but not to accept the risk on behalf the organization.

176
00:09:06,480 --> 00:09:09,000
That was the whole context of where I took this

177
00:09:09,039 --> 00:09:11,200
book is wouldn't it be great if we could finally

178
00:09:11,200 --> 00:09:13,840
get folks to recognize, no, we don't sign shit, This

179
00:09:13,919 --> 00:09:14,480
isn't our job.

180
00:09:17,480 --> 00:09:20,000
Speaker 2: So Andrew, I get the idea here. Tim isn't the

181
00:09:20,000 --> 00:09:22,320
one who signs off on the risk. He identifies it

182
00:09:22,360 --> 00:09:25,519
and passes it on to business decision makers. But I

183
00:09:25,559 --> 00:09:29,720
don't yet see where the passion for this issue comes from,

184
00:09:29,759 --> 00:09:32,320
Like why this point in the process is such a

185
00:09:32,320 --> 00:09:32,840
big deal.

186
00:09:33,519 --> 00:09:35,960
Speaker 3: Well, I can't speak for Tim, but I'm fascinated by

187
00:09:35,960 --> 00:09:41,480
the topic because I see so many organizations doing this

188
00:09:41,919 --> 00:09:47,240
a different way. You know, in my books, the people

189
00:09:47,360 --> 00:09:53,440
who decide how much budget industrial security gets should be

190
00:09:53,519 --> 00:09:57,879
the people making decisions about are these risks big enough

191
00:09:57,919 --> 00:10:00,200
to address today? Is this? You know? Is is that

192
00:10:00,200 --> 00:10:04,200
a serious bottom? Because they're the ones that they have

193
00:10:04,440 --> 00:10:08,240
the business context, they can compare the industrial risks to

194
00:10:08,399 --> 00:10:10,879
the other risks the business is facing, to the other

195
00:10:11,000 --> 00:10:14,559
needs of the business and make business decisions. When you

196
00:10:14,679 --> 00:10:20,480
have the wrong people making the decisions, you risk there's

197
00:10:20,639 --> 00:10:24,159
real risk that you make the wrong decisions. Because the

198
00:10:24,919 --> 00:10:29,279
people executing on industrial cybersecurity do not have the business

199
00:10:29,360 --> 00:10:32,000
knowledge of what the business needs. They don't have the

200
00:10:32,080 --> 00:10:34,039
big picture of the business. And the people with the

201
00:10:34,080 --> 00:10:37,639
big picture of the business do not have the information

202
00:10:37,879 --> 00:10:41,039
about the risk and the mitigations and the costs, and

203
00:10:41,080 --> 00:10:43,919
so each of them is making the wrong decision. When

204
00:10:43,960 --> 00:10:47,360
you bring these people together and the people with the

205
00:10:47,399 --> 00:10:50,919
information convey it to the people with the business knowledge,

206
00:10:51,000 --> 00:10:53,200
now the people with the business knowledge can make the

207
00:10:53,279 --> 00:10:56,360
right decision for the business and again the industrial team

208
00:10:56,480 --> 00:10:59,879
executes on it. If you have the wrong people making

209
00:11:00,080 --> 00:11:06,279
the decision, you risk making the wrong decision. So let

210
00:11:06,279 --> 00:11:08,519
me ask. I mean, you take a letter into an executive.

211
00:11:08,559 --> 00:11:10,480
You do this over and over again in lots of

212
00:11:10,480 --> 00:11:15,000
different organizations. How do how is that received? How do

213
00:11:15,120 --> 00:11:17,080
the executives react when you do that?

214
00:11:17,960 --> 00:11:20,320
Speaker 1: My standard approach has always been, and I use this

215
00:11:20,360 --> 00:11:23,240
as my litmus test, is if the role I play

216
00:11:23,240 --> 00:11:26,399
as a chief security officer or CISO and you're asking

217
00:11:26,440 --> 00:11:29,200
me to accept risk, I come back and the first

218
00:11:29,240 --> 00:11:31,159
question I'm going to ask is if this is the case,

219
00:11:31,200 --> 00:11:32,559
and you're asking me to do this, and I'm going

220
00:11:32,600 --> 00:11:36,039
to say no. Invariably, the room gets really quiet. People

221
00:11:36,039 --> 00:11:39,240
start recognizing, Oh, he's serious. Yeah, because I have no

222
00:11:39,360 --> 00:11:41,240
risk tolerance. When it comes to work, I would be

223
00:11:41,279 --> 00:11:44,120
giving everybody like paper, notebooks and crayons, and I want

224
00:11:44,120 --> 00:11:45,080
it back at the end of the day. So I

225
00:11:45,080 --> 00:11:47,799
don't have any tolerance for risk. But to test my

226
00:11:47,879 --> 00:11:50,440
theory is when I ask executives, if you're saying that

227
00:11:50,519 --> 00:11:52,639
my role is to sign off on this, then I'm

228
00:11:52,639 --> 00:11:56,320
not going to Does that stop the project? It never does.

229
00:11:56,720 --> 00:11:58,799
So the goal then is to ensure that the executives

230
00:11:58,840 --> 00:12:02,159
understand it's their decision and it's a business decision that

231
00:12:02,200 --> 00:12:04,320
has to be made, not a security decision, because my

232
00:12:04,399 --> 00:12:06,080
decision is always going to be I start with no

233
00:12:06,240 --> 00:12:09,279
and negotiate from there. But when we look at

234
00:12:09,320 --> 00:12:13,000
what the process is that I've provided and others have followed,

235
00:12:13,360 --> 00:12:15,879
is I'll bring the letter with the recommendations to the

236
00:12:15,919 --> 00:12:18,960
business for them to review and to either accept the risk,

237
00:12:19,039 --> 00:12:21,440
sign off on it, or to find me an opportunity

238
00:12:21,480 --> 00:12:23,960
to reduce the risk. That's when I start getting attention

239
00:12:24,000 --> 00:12:26,799
from the executives. So it moves from shock to be

240
00:12:26,960 --> 00:12:29,519
serious to okay, now we can understand what the risk is.

241
00:12:29,600 --> 00:12:32,159
Let's walk through this as a business decision. That's when

242
00:12:32,159 --> 00:12:34,759
you start making headway with executives, is taking that approach.

243
00:12:34,720 --> 00:12:39,120
Speaker 3: That sounds sim simple, but in my experience what

244
00:12:39,159 --> 00:12:43,000
you said there is actually very deep. I mean, I'm

245
00:12:43,039 --> 00:12:45,039
on the end of a long career as well, and

246
00:12:45,080 --> 00:12:48,200
I've never been a CISO, and in hindsight, I come

247
00:12:48,240 --> 00:12:53,600
to realize that bluntly, I'm not a very good manager

248
00:12:54,679 --> 00:12:57,759
because when someone comes to me, it doesn't matter you know,

249
00:12:58,279 --> 00:13:01,440
anyone outside the the you know, my sphere of influence,

250
00:13:02,080 --> 00:13:04,919
uh, you know, my sorry, my sphere of responsibility saying

251
00:13:04,960 --> 00:13:08,039
you know, hey, Andrew, can you do X for me?

252
00:13:08,799 --> 00:13:10,679
You know, whenever one of my people comes to me

253
00:13:10,720 --> 00:13:13,320
with an idea saying hey we should do Y, my

254
00:13:13,399 --> 00:13:15,399
first instinct is what a good idea?

255
00:13:15,600 --> 00:13:15,919
Speaker 1: Yeah?

256
00:13:16,080 --> 00:13:20,879
Speaker 3: Yeah, Whereas I know that strong managers their first instinct

257
00:13:20,919 --> 00:13:24,679
is no. And now whoever's coming at us with the

258
00:13:24,720 --> 00:13:27,559
request or with the idea has to justify it, has

259
00:13:27,600 --> 00:13:32,399
to give some business again. So that's you know, this

260
00:13:32,480 --> 00:13:34,919
is this is deep. It's a deep difference between between

261
00:13:34,919 --> 00:13:36,159
you and people like me.

262
00:13:36,879 --> 00:13:39,759
Speaker 1: It is, and there's don't get me wrong, there's an

263
00:13:39,759 --> 00:13:42,440
internal struggle every time when I've worked through these types

264
00:13:42,440 --> 00:13:46,399
of requests where I want to help people too. But

265
00:13:46,399 --> 00:13:49,360
but I understand that the path you got to take

266
00:13:49,559 --> 00:13:52,279
and how you have to get business to understand it

267
00:13:52,320 --> 00:13:55,200
accepted to move forward with it. It's different, right. This

268
00:13:55,279 --> 00:13:57,039
is why some great friends of mine that I've known

269
00:13:57,080 --> 00:14:00,200
for years and they were they're technically brilliant. I have

270
00:14:00,360 --> 00:14:02,919
some amazing skills, Like, honest to god, I stop being

271
00:14:03,399 --> 00:14:05,440
a smart technical person a long time ago, and I've

272
00:14:05,440 --> 00:14:08,720
relied on just wizards to help move the programs forward.

273
00:14:09,159 --> 00:14:10,679
And you know, I've chatted with them as well, and

274
00:14:11,240 --> 00:14:13,759
they're similar to you Andrew. They've they've got great technical skills.

275
00:14:13,799 --> 00:14:16,399
They've been doing this for a long time. And you know,

276
00:14:16,440 --> 00:14:17,919
one of the one of the folks I chatted with

277
00:14:17,960 --> 00:14:20,600
are just like, I can't. I can't give myself the

278
00:14:20,679 --> 00:14:23,159
lobotomy to get to that level. I'm like, oh my god, okay,

279
00:14:23,159 --> 00:14:26,360
fair enough, and I get it. But the way I've

280
00:14:26,360 --> 00:14:29,240
always approached this it's different, right, So I take myself

281
00:14:29,240 --> 00:14:31,279
out of the equation of always wanted to help everybody

282
00:14:31,559 --> 00:14:34,600
to how can I ensure that I'm reducing the risk

283
00:14:35,120 --> 00:14:37,039
And if I can get to those types of discussions

284
00:14:37,080 --> 00:14:40,080
and have them with executives, for me, that's where I

285
00:14:40,120 --> 00:14:42,080
find the value. So all of the work I've done

286
00:14:42,080 --> 00:14:44,440
in my career to get to this space, the amazing

287
00:14:44,440 --> 00:14:46,279
folks that I've met along the way, the teams that

288
00:14:46,279 --> 00:14:48,399
I've helped build, the folks I still call on to,

289
00:14:48,559 --> 00:14:51,200
you know, to mentor me through situations. It always comes

290
00:14:51,200 --> 00:14:53,679
down to can I have a meaningful business discussion to

291
00:14:53,759 --> 00:14:56,720
talk about the risk? And then it takes away some

292
00:14:56,759 --> 00:14:59,600
of the emotional response. It takes away that immediate I

293
00:14:59,639 --> 00:15:02,919
need to help everybody do everything because we can't. But

294
00:15:02,960 --> 00:15:04,799
it gives us a chance to focus on what the

295
00:15:04,840 --> 00:15:07,399
problem is, what's the risk that we're facing, how can

296
00:15:07,440 --> 00:15:09,240
we reduce that risk? And can we actually pull this

297
00:15:09,399 --> 00:15:12,320
off with the resources that we have? So yeah, I

298
00:15:12,639 --> 00:15:15,320
get it. Not everybody wants to sit in these chairs.

299
00:15:15,360 --> 00:15:17,480
I've met so many folks in my career that they

300
00:15:17,559 --> 00:15:19,919
keep looking at me going, Jesus, Tim, why would you

301
00:15:19,960 --> 00:15:22,159
ever want to be in that space? You know? Why

302
00:15:22,159 --> 00:15:24,879
would you ever accept the fact that you're they're trying

303
00:15:24,879 --> 00:15:27,840
to hold you accountable for breaches or for events or incidents.

304
00:15:28,240 --> 00:15:31,320
And I challenge back with it. For me, it's that

305
00:15:31,440 --> 00:15:34,399
opportunity to speak in a business language, to get the

306
00:15:34,399 --> 00:15:36,799
folks at the business level to appreciate what we bring

307
00:15:36,840 --> 00:15:39,960
to the table. Whether it's in OT security, IT or cyber,

308
00:15:40,720 --> 00:15:43,399
physical or cyber it's it's a chance for all of

309
00:15:43,480 --> 00:15:46,440
us to be represented at that table, at that level,

310
00:15:46,559 --> 00:15:49,480
but at a business focus. So for me, that's why

311
00:15:49,559 --> 00:15:52,159
I kept looking for these opportunities is can I continue

312
00:15:52,159 --> 00:15:54,200
to move the message forward that we're here to help,

313
00:15:54,440 --> 00:15:56,039
but let's make sure we do it the right way.

314
00:15:56,759 --> 00:15:58,720
Speaker 3: Can you give me some examples? I mean, you know,

315
00:15:58,799 --> 00:16:01,519
Tailcraft is about telling stories. Can you tell me a story?

316
00:16:01,600 --> 00:16:03,799
You know, how did how did this work? How did

317
00:16:03,799 --> 00:16:06,120
it come about? You know? What kind of stories are

318
00:16:06,159 --> 00:16:06,759
you telling here?

319
00:16:08,120 --> 00:16:10,639
Speaker 1: So there's a lot that I've I've presented over the years,

320
00:16:10,639 --> 00:16:12,639
but a really good one is I was working with

321
00:16:13,720 --> 00:16:19,159
Bell Canada many years ago. We had accepted, were awarded

322
00:16:19,159 --> 00:16:22,320
the communication contract and some of the advertising media supporting

323
00:16:22,320 --> 00:16:25,240
contracts for the Olympics for twenty ten for Vancouver, and

324
00:16:25,480 --> 00:16:28,200
I was working with an amazing team at Bell Canada.

325
00:16:28,440 --> 00:16:30,399
Doug Leece was on the team as well, reporting into

326
00:16:30,440 --> 00:16:32,240
the structure. So it was very cool to work with

327
00:16:32,320 --> 00:16:35,679
Doug on some of these projects. We decided that the

328
00:16:35,720 --> 00:16:38,480
team that was putting in place the communications structure, decided

329
00:16:38,480 --> 00:16:40,679
they want to use the first instance of voice over

330
00:16:40,720 --> 00:16:43,120
IP commercial voice over IP. It was called hosted IP

331
00:16:43,320 --> 00:16:47,080
telephony and it was from Nortel. If folks still remember Nortel,

332
00:16:47,200 --> 00:16:50,759
it was from Nortel Networks. We looked at the approach

333
00:16:50,799 --> 00:16:53,080
that they were taking. How we're going to be applying

334
00:16:53,159 --> 00:16:56,840
the technology to the Olympic village, et cetera. Doug and

335
00:16:56,879 --> 00:16:59,200
the team. They did this amazing work. When the risk

336
00:16:59,240 --> 00:17:01,879
assessment came to us, they were able to intercept

337
00:17:01,879 --> 00:17:06,319
the conversation, decrypt the conversation and play it back as

338
00:17:06,799 --> 00:17:09,160
an MP4, like an MP3 file. You can

339
00:17:09,200 --> 00:17:11,599
actually hear them talking. And it was at the time

340
00:17:11,640 --> 00:17:15,079
it was the CEO calling his executive assistant to order lunch,

341
00:17:15,319 --> 00:17:17,000
and we had the recorder. You could actually hear it. It

342
00:17:17,039 --> 00:17:19,319
was just as if it was they were speaking to you.

343
00:17:19,839 --> 00:17:22,079
So that's a problem when you're trying to keep secure

344
00:17:22,119 --> 00:17:26,599
communications between endpoints in a communication path. We wrote up

345
00:17:26,599 --> 00:17:29,359
the risk assessment, we presented it to the executives. We

346
00:17:29,359 --> 00:17:31,960
we presented the report up to my chain and it

347
00:17:32,039 --> 00:17:35,799
was simple, here's the risk, here's the mitigation strategy. We

348
00:17:35,839 --> 00:17:37,920
need a business decision for the path that we wanted

349
00:17:37,920 --> 00:17:43,200
to take, and that generated quite the stir. My boss

350
00:17:43,400 --> 00:17:44,559
got back to me and said, well, we have to

351
00:17:44,599 --> 00:17:46,079
change the report, and no, I said, no, we don't.

352
00:17:46,079 --> 00:17:48,519
We don't change the shit. We just you move it forward.

353
00:17:48,920 --> 00:17:51,960
We've objectively uncovered the risk. The team did a fantastic job.

354
00:17:52,160 --> 00:17:54,440
Here's attached recording. If you want to hear it. Let's

355
00:17:54,519 --> 00:17:56,960
let let's keep moving forward. So it went up to

356
00:17:57,039 --> 00:17:59,839
the next level of management and same thing. Would you

357
00:17:59,839 --> 00:18:02,519
alter the report? No. No, I would not. Move on.

358
00:18:02,599 --> 00:18:04,440
Move on. Finally get to the chief security officer and

359
00:18:04,480 --> 00:18:06,200
I remember getting the phone call. It's like, well, Tim,

360
00:18:06,240 --> 00:18:08,400
this is this is going to cause concerns. No, it's

361
00:18:08,440 --> 00:18:11,680
a business decision. It isn't about concerns. This is the

362
00:18:11,720 --> 00:18:14,559
business decision. What risk is the business willing to accept?

363
00:18:14,960 --> 00:18:18,440
So he submitted the report forward. Next thing, I'm getting

364
00:18:18,440 --> 00:18:22,960
a call from an executive office assistant telling me that

365
00:18:23,039 --> 00:18:24,799
my flight's going to be made for the next day.

366
00:18:25,119 --> 00:18:26,759
I'll be flying to present the report. And I'm like

367
00:18:26,839 --> 00:18:29,240
Jesus King, So all right. I got on a plane

368
00:18:29,519 --> 00:18:33,000
headed out east, waited forever to talk to the CEO.

369
00:18:33,039 --> 00:18:35,720
At the time, all they asked

370
00:18:35,839 --> 00:18:40,319
was is this real? Would you change this? I said, no,

371
00:18:40,400 --> 00:18:43,400
the risk is legitimate, and here's the resolution, here's the

372
00:18:43,440 --> 00:18:45,720
mitigation path, here's the strategy. So they asked how much

373
00:18:45,720 --> 00:18:47,839
we needed, what we needed for time. So it's about

374
00:18:47,839 --> 00:18:49,599
six months worth of work with the folks at Nortel

375
00:18:49,640 --> 00:18:53,240
to fix the problem, and all of that to state

376
00:18:53,359 --> 00:18:57,559
that had we done this old school many years ago,

377
00:18:57,920 --> 00:18:59,720
we would have just accepted the risk and moved forward

378
00:18:59,759 --> 00:19:02,240
with it. That wasn't our role, that's not our job.

379
00:19:02,359 --> 00:19:05,359
Right, in that whole path, that whole risk assessment needed

380
00:19:05,359 --> 00:19:08,400
to be presented to the point where executives understood what

381
00:19:08,440 --> 00:19:11,839
could potentially happen. We already proved that it could, but

382
00:19:11,880 --> 00:19:14,200
they needed to understand, here's the mitigation strategy. We found

383
00:19:14,200 --> 00:19:16,799
a way to resolve it. We need this additional funding,

384
00:19:16,839 --> 00:19:20,400
time, resources to fix the problem. So that stuck

385
00:19:20,400 --> 00:19:22,200
with me. That was like almost twenty years like that

386
00:19:22,240 --> 00:19:25,039
was over twenty years ago, and that stuck with me

387
00:19:25,119 --> 00:19:28,839
because had I altered my report, had I taken away

388
00:19:28,839 --> 00:19:30,599
their risk, had he accepted it on behalf of the

389
00:19:30,599 --> 00:19:33,599
security team, we don't know what could have happened to

390
00:19:33,640 --> 00:19:36,119
the transmissions back and forth of the Olympics. But I

391
00:19:36,160 --> 00:19:39,599
do know that in following that process, you never read

392
00:19:39,640 --> 00:19:43,720
about anyone's conversations being intercepted at the twenty ten Olympics.

393
00:19:44,240 --> 00:19:47,359
It works. The process works, but what it takes is

394
00:19:47,440 --> 00:19:50,359
an understanding that from a risk perspective, this is the

395
00:19:50,400 --> 00:19:52,720
path that we have to take. It's not ours to accept.

396
00:19:53,079 --> 00:19:54,759
You have to make sure you get that to the executives

397
00:19:54,759 --> 00:19:57,319
and let them make that decision. Those are the stories

398
00:19:57,319 --> 00:19:59,480
that we need folks to hear now as we move

399
00:19:59,480 --> 00:20:05,440
into this next phase of developing the professional security.

400
00:20:05,559 --> 00:20:09,759
Speaker 3: So Nate, you might ask, you know, the CEO had

401
00:20:09,799 --> 00:20:16,039
a conversation intercepted ordering lunch. Is this worth

402
00:20:17,039 --> 00:20:17,200
Speaker 1: You know?

403
00:20:17,640 --> 00:20:19,519
Speaker 3: The big deal that it turned into?

404
00:20:21,160 --> 00:20:21,319
Speaker 1: You know?

405
00:20:21,400 --> 00:20:25,240
Speaker 3: And I discussed this offline with Tim and what he

406
00:20:25,279 --> 00:20:27,839
came back with was, you know, Andrew, think about it.

407
00:20:28,000 --> 00:20:31,720
Imagine that you're nine days into the ten day Summer

408
00:20:31,759 --> 00:20:35,319
Olympics, or two-week, whatever it is, and someone, you know,

409
00:20:35,839 --> 00:20:40,039
pick someone. Let's say Chinese intelligence is found

410
00:20:40,240 --> 00:20:44,599
to have been intercepting and listening in on all of

411
00:20:44,640 --> 00:20:49,920
the conversations between the various nations' teams, coaches, in the

412
00:20:50,000 --> 00:20:54,160
various sports and their colleagues back in their home countries.

413
00:20:54,359 --> 00:20:56,559
They've been listening in on them for the whole Olympics.

414
00:20:56,599 --> 00:20:59,359
What would that do to the reputation of the Olympics.

415
00:20:59,400 --> 00:21:02,079
What would that do to the reputation of Bell Canada.

416
00:21:02,559 --> 00:21:05,920
This is a huge issue. It was a material cost

417
00:21:06,279 --> 00:21:08,960
to fix. It took six months, and he didn't say

418
00:21:08,960 --> 00:21:13,519
how many people and how much technology. But this is

419
00:21:13,599 --> 00:21:16,720
not something that the security team could say, Okay, you know,

420
00:21:16,759 --> 00:21:18,640
we don't have any budget to fix this. Therefore we

421
00:21:18,640 --> 00:21:21,920
have to accept the risk. That's the wrong business decision.

422
00:21:22,480 --> 00:21:25,119
When he escalated this, it went all the way up

423
00:21:25,160 --> 00:21:29,680
to the CEO, who said, yeah, this needs to be fixed.

424
00:21:30,599 --> 00:21:34,480
Take the budget. Fix it. You know, we cannot accept

425
00:21:34,559 --> 00:21:37,799
this risk as a business. That's a business decision the

426
00:21:37,839 --> 00:21:40,759
CEO could make. It's not a business decision he could

427
00:21:40,759 --> 00:21:44,279
make with the budget authority that he had four levels

428
00:21:44,279 --> 00:21:49,480
down in the organization. You mentioned stories at the very

429
00:21:49,519 --> 00:21:53,519
beginning when you introduced Tailcraft. Can you tell me more

430
00:21:53,559 --> 00:21:58,640
about Tailcraft? How does this idea of storytelling dovetail with

431
00:21:59,000 --> 00:22:00,000
the work you're doing right now?

432
00:22:00,759 --> 00:22:03,960
Speaker 1: No, good question, Thanks for that. When I was first

433
00:22:04,200 --> 00:22:07,440
designing this idea of what Tailcraft could be, we reached

434
00:22:07,440 --> 00:22:09,000
out to a good friend of ours here in Calgary,

435
00:22:09,039 --> 00:22:12,119
Mike Diego. He does some amazing work. He spent some

436
00:22:12,200 --> 00:22:15,720
time just dissecting what I've done in my career and

437
00:22:15,799 --> 00:22:18,000
what I've accomplished. More importantly, some of the things that

438
00:22:18,039 --> 00:22:21,640
he wanted to focus on from a company perspective, and

439
00:22:21,680 --> 00:22:24,079
one of the parts he brought up, and this is

440
00:22:24,079 --> 00:22:27,720
how Tailcraft was created, was the word tale. I spend

441
00:22:27,880 --> 00:22:30,839
a significant amount of my time now telling the stories,

442
00:22:31,200 --> 00:22:34,359
and it's to help educate and to inform, and stories

443
00:22:34,359 --> 00:22:37,920
to influence and to provide meaning and value to executives.

444
00:22:38,279 --> 00:22:40,200
But the common theme for all of this has been

445
00:22:40,200 --> 00:22:42,559
this concept of telling a story. One of the things

446
00:22:42,559 --> 00:22:46,079
I found throughout my career is as security professionals moved

447
00:22:46,079 --> 00:22:48,559
through the ranks as they begin, you know, junior levels,

448
00:22:48,599 --> 00:22:51,480
moving into their first role as management and moving into

449
00:22:51,519 --> 00:22:54,960
director positions and eventually chief positions. The principles and

450
00:22:55,000 --> 00:22:57,160
the concepts of being able to tell a story or

451
00:22:57,200 --> 00:23:00,279
to communicate effectively with executives. I found that some of

452
00:23:00,279 --> 00:23:02,640
my peers weren't doing a great job, or they were

453
00:23:02,759 --> 00:23:04,799
I don't know about you, Andrew, but if you sit

454
00:23:04,839 --> 00:23:07,759
in a presentation that someone's giving and if all you're

455
00:23:07,799 --> 00:23:10,279
reading is the slide deck, Jesus, you could just send

456
00:23:10,279 --> 00:23:12,240
that to me. I got this. I don't need to

457
00:23:12,359 --> 00:23:15,119
spend time watching you stagger through a slide deck or

458
00:23:15,799 --> 00:23:18,279
the slides that have a couple of thousand words on

459
00:23:18,319 --> 00:23:21,359
them that you're expecting us to read from forty feet away.

460
00:23:21,720 --> 00:23:24,680
It doesn't happen. So what really bothered me is that

461
00:23:24,720 --> 00:23:26,880
we started losing this skill set of being able to

462
00:23:26,920 --> 00:23:29,960
tell a story and to effectively use the principles of

463
00:23:29,960 --> 00:23:34,000
storytelling to provide input to executives to make decisions for

464
00:23:34,039 --> 00:23:38,359
things like budget or resourcing or allocating staff resources, et cetera.

465
00:23:38,920 --> 00:23:40,279
So that's one of the things that we do with

466
00:23:40,319 --> 00:23:44,359
Tailcraft is we teach security professionals and others the principle

467
00:23:44,400 --> 00:23:47,319
and the concept of storytelling and the story arc:

468
00:23:47,440 --> 00:23:49,640
Those three parts to a story arc that we learned

469
00:23:49,640 --> 00:23:52,400
as kids. The beginning of the story, the middle where

470
00:23:52,400 --> 00:23:55,200
the conflict occurs, the resolution, and finally the end of

471
00:23:55,200 --> 00:23:57,319
the story, when you're closing off and heading back

472
00:23:57,359 --> 00:24:00,480
to the village after you slay the dragon. Those three

473
00:24:00,519 --> 00:24:03,000
things that we learned as kids, they still

474
00:24:03,039 --> 00:24:06,359
apply as an adult because we learn as human beings

475
00:24:06,400 --> 00:24:09,480
through stories. We have for hundreds of years, thousands of

476
00:24:09,559 --> 00:24:12,359
years used oral history as a way to present a

477
00:24:12,400 --> 00:24:15,039
story from one generation to the next. We can use

478
00:24:15,039 --> 00:24:17,599
the same skill sets when we're talking to our executives,

479
00:24:17,799 --> 00:24:20,400
when we're explaining a new technique to our team, or

480
00:24:20,440 --> 00:24:21,960
when we're giving an update in the middle of an

481
00:24:22,000 --> 00:24:24,119
incident and how you're going to react to the next

482
00:24:24,119 --> 00:24:26,960
problem and how you're going to solve it. Those principles exist.

483
00:24:27,119 --> 00:24:30,799
It's reminding people of what the structure is, teaching people

484
00:24:30,880 --> 00:24:33,680
how to follow the story arc when they're presenting their material,

485
00:24:34,119 --> 00:24:36,680
taking away the noise, the distractions and everything else that

486
00:24:36,720 --> 00:24:38,279
gets in the way when we're listening to a story,

487
00:24:38,599 --> 00:24:40,880
but focus on the human. And that's one of the

488
00:24:40,920 --> 00:24:42,880
things that we're doing here at Tailcraft is we're teaching

489
00:24:42,920 --> 00:24:46,119
people to be more human in their approach and the

490
00:24:46,160 --> 00:24:48,640
techniques work. My wife is up in Edmonton

491
00:24:48,759 --> 00:24:51,839
doing a conference right now for the CIO Conference

492
00:24:51,839 --> 00:24:54,680
for Canada, and she actually asked me to, this is

493
00:24:54,680 --> 00:24:56,480
a first, folks, for all those of you who are married.

494
00:24:56,519 --> 00:24:58,599
You know what kind of progress I've made. My

495
00:24:58,640 --> 00:25:01,519
wife actually asked if I could dissect her presentation and

496
00:25:01,599 --> 00:25:04,240
help her with it. I thought that was pretty amazing.

497
00:25:04,640 --> 00:25:07,359
We restructured it so that she was able to use props.

498
00:25:07,440 --> 00:25:11,039
She brought in a medical smock and a stethoscope to

499
00:25:11,079 --> 00:25:13,000
talk about one of the clients that she worked with.

500
00:25:13,319 --> 00:25:15,119
And it sounds like it worked because she got some

501
00:25:15,240 --> 00:25:17,599
referrals for folks in the audience and she's spending time

502
00:25:17,680 --> 00:25:20,240
right now talking to more clients up in Edmonton. So yeah,

503
00:25:20,759 --> 00:25:22,400
I crossed my fingers I was going to get through

504
00:25:22,400 --> 00:25:24,599
that one, and it seemed to have worked. But these

505
00:25:24,640 --> 00:25:27,319
principles of telling a story, if you have a chance

506
00:25:27,359 --> 00:25:30,240
to understand how a story works and you're able to

507
00:25:30,240 --> 00:25:33,119
replicate that in a security environment, all of a sudden,

508
00:25:33,160 --> 00:25:35,200
now you're speaking from a human to a human. You're

509
00:25:35,200 --> 00:25:38,039
not bringing in technology, you're not talking about controls, you're

510
00:25:38,079 --> 00:25:40,319
not spewing off all of these different firewall rules that

511
00:25:40,319 --> 00:25:42,359
we have to go through. Nobody cares about that stuff.

512
00:25:42,799 --> 00:25:44,599
What they want to hear is what's the story and

513
00:25:44,640 --> 00:25:47,000
can I link the story to risk? And at the

514
00:25:47,039 --> 00:25:49,519
top end of that arc, can I provide you an

515
00:25:49,599 --> 00:25:52,680
opportunity to reduce the risk and then finish the story

516
00:25:52,720 --> 00:25:56,079
by asking for help. If we can do that, those

517
00:25:56,119 --> 00:25:58,400
types of presentations throughout my career, that's when I've been

518
00:25:58,440 --> 00:26:00,640
the most successful is when I can focus on the

519
00:26:00,680 --> 00:26:03,440
story I need to tell, get the executives as part

520
00:26:03,519 --> 00:26:05,759
of it, and focus on the human reaction to the

521
00:26:05,759 --> 00:26:08,319
problem that we have. That's one of the things

522
00:26:08,319 --> 00:26:09,799
that we're teaching at Tailcraft.

523
00:26:10,240 --> 00:26:12,359
Speaker 3: That makes sense in principle. Let me ask you.

524
00:26:12,440 --> 00:26:15,640
I mean, again, I do a lot of presentations.

525
00:26:16,000 --> 00:26:19,319
I had an opportunity to present on a sort of

526
00:26:19,359 --> 00:26:23,599
an abstract topic at S4, which is currently

527
00:26:23,640 --> 00:26:28,920
the world's biggest OT security focused conference. And you know,

528
00:26:29,200 --> 00:26:33,039
if you're curious, the title was Credibility Versus Likelihood,

529
00:26:33,160 --> 00:26:37,319
So again a very sort of abstract risk type topic.

530
00:26:38,359 --> 00:26:41,400
And the advice I got from Bill Peterson, the organizer,

531
00:26:41,599 --> 00:26:46,839
was Andrew, you know, I see your slides. You can't

532
00:26:46,880 --> 00:26:49,000
just read the slides. You've got to come to this

533
00:26:49,119 --> 00:26:54,799
presentation armed with examples for every slide, for every second slide,

534
00:26:54,839 --> 00:26:57,440
get up there and tell stories, you know. So I

535
00:26:57,440 --> 00:27:00,759
would give examples. Sometimes they would be attack scenarios,

536
00:27:01,200 --> 00:27:05,240
you know, is that the same kind of

537
00:27:05,279 --> 00:27:05,720
thing here?

538
00:27:06,839 --> 00:27:10,880
Speaker 1: It is, I think, And congratulations for being asked to

539
00:27:10,920 --> 00:27:13,359
present at that conference. That's amazing, So kudos to you.

540
00:27:13,599 --> 00:27:16,599
That's awesome, Andrew, that's great to hear. But you're right.

541
00:27:16,799 --> 00:27:18,680
You touched on one of the things that a lot

542
00:27:18,680 --> 00:27:23,160
of presentations lack is the credibility or how I view

543
00:27:23,359 --> 00:27:26,480
the person providing the presentation. Do they have the authority?

544
00:27:26,599 --> 00:27:29,880
Do I look at them as someone who's experienced and

545
00:27:30,000 --> 00:27:32,319
understands it. And you do that by telling the story

546
00:27:32,720 --> 00:27:36,119
and providing an example for, let's say, an attack scenario where

547
00:27:36,119 --> 00:27:39,000
you saw how it unfolded, how you're able to detect it,

548
00:27:39,039 --> 00:27:41,440
how you're able to contain it, eradicate and recover back.

549
00:27:41,880 --> 00:27:43,640
Those are the stories that people want to hear because

550
00:27:43,680 --> 00:27:47,240
it makes it real. For people providing nothing but a

551
00:27:47,279 --> 00:27:51,000
technical description of an attack or bringing out, as

552
00:27:51,039 --> 00:27:53,240
an example, a CVE and breaking it down by different

553
00:27:53,240 --> 00:27:55,519
sections on a slide, oh my god, I would probably

554
00:27:55,519 --> 00:27:57,640
poke my eye with a fork. But if you walk

555
00:27:57,720 --> 00:28:00,920
me through how you identified it, the work that you guys

556
00:28:00,960 --> 00:28:05,519
did to identify, to detect it, to contain it, to

557
00:28:05,599 --> 00:28:08,000
eradicate it, and then recover. If you can walk me

558
00:28:08,039 --> 00:28:10,720
through those steps from a personal example that you've had.

559
00:28:10,920 --> 00:28:13,480
That to me is the story. And that's the part

560
00:28:13,480 --> 00:28:15,720
that gets compelling is now you've got someone who's got

561
00:28:15,759 --> 00:28:19,759
real world experience, expertise in this particular problem. They were

562
00:28:19,799 --> 00:28:22,079
able to solve it, and they provide it to me

563
00:28:22,119 --> 00:28:24,599
in a story. So now I can pick up those parts.

564
00:28:24,640 --> 00:28:26,799
I'm going to remember that part of the presentation because

565
00:28:26,839 --> 00:28:29,240
you gave me a great example, which is really you

566
00:28:29,279 --> 00:28:31,599
gave me a great story. Does that make sense?

567
00:28:32,319 --> 00:28:36,359
Speaker 3: It does to a degree. Let me distract

568
00:28:36,359 --> 00:28:39,400
you for a moment here. I'm not sure this is

569
00:28:39,400 --> 00:28:45,640
the same topic. But again, I've

570
00:28:45,720 --> 00:28:48,559
written a bit on risk, you know, I've tried to

571
00:28:48,559 --> 00:28:51,440
teach people a bit about, you know, what

572
00:28:51,559 --> 00:28:54,039
is risk? How do you manage risk in especially critical

573
00:28:54,119 --> 00:28:59,799
infrastructure settings? And I find that a lot of risk

574
00:29:00,119 --> 00:29:05,480
assessment reports are, you know, it seems to me, not

575
00:29:05,559 --> 00:29:11,119
very useful. They're not useful as tools to make business decisions.

576
00:29:11,559 --> 00:29:13,599
You get a long list of, you know, you still

577
00:29:13,640 --> 00:29:22,359
have eight thousand unpatched vulnerabilities in your OT environment. Any

578
00:29:22,440 --> 00:29:30,799
questions? Yes. To me, you know, what

579
00:29:30,920 --> 00:29:34,920
business decision makers understand, more than, you know, a list

580
00:29:34,920 --> 00:29:40,599
of eight thousand vulnerabilities is attack scenarios. And so what

581
00:29:40,680 --> 00:29:44,119
I've argued is that every risk assessment should finish, or

582
00:29:44,440 --> 00:29:48,680
lead if you wish, with, you know, in physical security,

583
00:29:48,680 --> 00:29:51,240
you're probably more familiar than I am. The concept of

584
00:29:51,480 --> 00:29:54,799
design basis threat, a description of the capable attack you

585
00:29:54,880 --> 00:29:57,920
must defeat, you're designed to defeat with a high degree

586
00:29:57,960 --> 00:30:02,400
of confidence. And you look at your existing security posture

587
00:30:02,599 --> 00:30:05,720
and decide this class of attack we defeat with a

588
00:30:05,759 --> 00:30:09,480
high degree of confidence. These attacks up here, we don't

589
00:30:09,720 --> 00:30:12,960
have that high degree of confidence. And what I've argued

590
00:30:13,200 --> 00:30:17,240
is that it should tell the story: go through one or two of

591
00:30:17,240 --> 00:30:21,000
these attack scenarios and say, here is an attack that

592
00:30:21,119 --> 00:30:23,400
we would not defeat with a high degree of confidence.

593
00:30:23,720 --> 00:30:27,640
Is it acceptable that this attack potential is out there?

594
00:30:27,680 --> 00:30:31,519
Is that an acceptable risk? Is that the kind of

595
00:30:31,559 --> 00:30:33,960
storytelling we're talking about here? Have I drifted off into

596
00:30:34,039 --> 00:30:35,279
some other space? No?

597
00:30:35,599 --> 00:30:38,480
Speaker 1: I think you've actually applied the principles of telling the

598
00:30:38,559 --> 00:30:43,000
story to something as complex as identifying your particular response

599
00:30:43,079 --> 00:30:47,480
or your organization's response to either an attack scenario or

600
00:30:47,480 --> 00:30:50,319
a more sophisticated attack scenario. So no, I think you've

601
00:30:50,400 --> 00:30:52,599
nailed it. What it does, though, in the approach that

602
00:30:52,640 --> 00:30:55,160
you just talked about, it gives a few things to

603
00:30:55,200 --> 00:30:58,160
the business audience. One, you have a greater understanding of

604
00:30:58,200 --> 00:31:00,680
the assets that are in place and how they apply

605
00:31:00,799 --> 00:31:03,559
to the business environment, whether it's in a physical plant

606
00:31:03,559 --> 00:31:06,079
structure for OT, or whether it's a pipeline, et cetera.

607
00:31:06,440 --> 00:31:09,680
If you understand the environment that is being targeted, you

608
00:31:09,839 --> 00:31:12,440
understand the assets that are in place and the controls

609
00:31:12,440 --> 00:31:15,319
that you have there in place. That gives you a

610
00:31:15,359 --> 00:31:18,480
greater understanding and foundations for what is the potential risk.

611
00:31:18,960 --> 00:31:21,839
By telling the story then of what a particular attack

612
00:31:21,880 --> 00:31:24,839
scenario looks like, and if you have a level of

613
00:31:24,880 --> 00:31:27,359
confidence that you'd be able to protect against it, you'd

614
00:31:27,359 --> 00:31:28,960
be able to walk through the different parts of the

615
00:31:28,960 --> 00:31:31,440
story arc. This is the context of the attack, this

616
00:31:31,599 --> 00:31:33,880
is what the attack could look like, Here's how we

617
00:31:33,880 --> 00:31:36,319
would try to resolve it if we can. And then

618
00:31:36,359 --> 00:31:38,720
here's the closing actions that we would be focused on

619
00:31:39,000 --> 00:31:42,279
if the attack was either successful or unsuccessful. So all

620
00:31:42,319 --> 00:31:44,279
of those things I think apply to the principles of

621
00:31:44,319 --> 00:31:46,519
telling a story. What you've given is a great example

622
00:31:46,559 --> 00:31:49,599
of how to take something that's very technical, or you know,

623
00:31:49,799 --> 00:31:52,359
the typical risk assessment I've seen in my career where

624
00:31:52,400 --> 00:31:54,920
you know, you nail that, Andrew, here's your two hundred

625
00:31:54,920 --> 00:31:56,720
page report, the last ten, you know, the last one

626
00:31:56,759 --> 00:31:59,559
hundred pages are all the CVEs we found, and let

627
00:31:59,640 --> 00:32:01,680
us know if you need help. But that doesn't help me.

628
00:32:02,200 --> 00:32:04,799
But if you walk me through a particular example where

629
00:32:04,839 --> 00:32:07,880
here is, in this one set of infrastructure, we're liable

630
00:32:08,000 --> 00:32:10,319
or we're open to this type of attack, I think

631
00:32:10,359 --> 00:32:13,960
that's amazing because it gives the executives the story they need.

632
00:32:14,240 --> 00:32:18,960
You understand the assets, here's the risk, here's the potential impact,

633
00:32:19,200 --> 00:32:22,200
here's what we can and cannot do to defeat or

634
00:32:22,480 --> 00:32:25,279
defend against this, and then we need your help if

635
00:32:25,319 --> 00:32:27,559
this is a risk that you can't accept. So no,

636
00:32:27,680 --> 00:32:29,680
I think you've covered all parts of what would be

637
00:32:29,720 --> 00:32:32,640
an appropriate story arc for using that type of approach,

638
00:32:32,960 --> 00:32:34,640
and honest to God, if you could get more folks

639
00:32:34,680 --> 00:32:36,640
to include that in reports, I would love to see

640
00:32:36,680 --> 00:32:39,559
that because I'm like you, I have read too many

641
00:32:39,599 --> 00:32:42,720
reports that don't offer value. But the description you just

642
00:32:42,799 --> 00:32:45,799
provided and the way we break it down that offers

643
00:32:45,880 --> 00:32:47,799
huge value to executives moving forward.

644
00:32:50,680 --> 00:32:54,240
Speaker 2: All right, Well, Tim's spending a lot of time emphasizing

645
00:32:54,279 --> 00:32:59,440
the importance of storytelling and conveying security concepts to the

646
00:32:59,480 --> 00:33:03,920
people who make decisions. Andrew, in your experience, is this sort

647
00:33:03,920 --> 00:33:06,039
of thing something you think about a lot. Do you

648
00:33:07,480 --> 00:33:11,319
frame your information in the same ways that he's talking

649
00:33:11,319 --> 00:33:13,160
about or do you have a different sort of approach?

650
00:33:13,799 --> 00:33:15,440
Speaker 3: This makes sense to me. It's sort of a step

651
00:33:15,480 --> 00:33:19,400
beyond what I usually do. So I'm very much thinking

652
00:33:19,400 --> 00:33:21,720
about what he's done and, you know, how to use

653
00:33:21,759 --> 00:33:24,160
it going forward. But you know, just to give you

654
00:33:24,200 --> 00:33:27,880
an example, close to a decade ago, I came out

655
00:33:27,920 --> 00:33:33,240
with a report, the top twenty cyber attacks on industrial

656
00:33:33,240 --> 00:33:36,960
control systems. And it wasn't so much a report looking

657
00:33:37,000 --> 00:33:40,480
backward saying what has happened. It's a report looking at

658
00:33:40,559 --> 00:33:43,359
what's possible, what kind of capabilities are out there? And

659
00:33:43,440 --> 00:33:46,759
I tried to put together a spectrum of attack scenarios

660
00:33:47,200 --> 00:33:50,079
with, you know, a spectrum of consequences. Some of the

661
00:33:50,079 --> 00:33:51,839
attacks were very simple to carry out and had

662
00:33:51,880 --> 00:33:55,400
almost no consequence. Some of them were really difficult to

663
00:33:55,400 --> 00:33:58,000
carry out and would you know, take you down hard

664
00:33:58,039 --> 00:34:01,039
and cost an organization billions of dollars or, you know, dozens

665
00:34:01,039 --> 00:34:04,920
of lives and everything in between. And I did that

666
00:34:05,160 --> 00:34:12,880
because you know, in my experience, business decision makers understand

667
00:34:13,280 --> 00:34:18,360
attack scenarios, you know, better than they understand abstract numeric

668
00:34:18,559 --> 00:34:22,480
risk metrics or lists of vulnerabilities. And so, you know,

669
00:34:22,559 --> 00:34:25,960
I described it as attack scenarios. In hindsight, you know,

670
00:34:26,199 --> 00:34:30,280
I think really what I was doing there was telling

671
00:34:30,360 --> 00:34:33,639
some stories, and you know, I need to update

672
00:34:33,679 --> 00:34:37,000
that report. I'm going to do it by updating the

673
00:34:37,000 --> 00:34:40,320
report to read in more of a storytelling style,

674
00:34:40,400 --> 00:34:44,519
so that you know, people can hear stories about attacks

675
00:34:44,559 --> 00:34:49,039
that they do defeat reliably and why, and attacks that

676
00:34:49,119 --> 00:34:52,400
they probably will not defeat with a high degree of confidence,

677
00:34:52,400 --> 00:34:54,519
and what will be the consequences, so that they can

678
00:34:54,599 --> 00:34:56,079
make these business decisions.

679
00:34:56,480 --> 00:34:59,880
Speaker 2: Yeah, and that sounds nice in theory, But then I'm imagining,

680
00:35:00,559 --> 00:35:04,400
you know, you tell your nice story to someone in

681
00:35:04,400 --> 00:35:07,239
the position to make a decision with money, and they

682
00:35:07,239 --> 00:35:10,400
come back to you and say, well, Andrew, your story is

683
00:35:10,519 --> 00:35:13,320
very nice, but why can't we defeat all of these

684
00:35:13,360 --> 00:35:15,239
attack scenarios.

685
00:35:14,760 --> 00:35:16,119
Speaker 1: With the amount of money we're giving you?

686
00:35:16,159 --> 00:35:17,840
Speaker 2: What do you tell them at that point?

687
00:35:18,280 --> 00:35:21,320
Speaker 3: Yeah, and that is a very common reaction saying, you know,

688
00:35:21,920 --> 00:35:23,760
you've asked us where to draw the line. We draw

689
00:35:23,760 --> 00:35:27,880
the line above the most sophisticated attack, fix them all,

690
00:35:28,559 --> 00:35:31,239
and then I explain what that's going to cost. You know,

691
00:35:31,239 --> 00:35:33,760
they haven't even really paid attention to the attack scenarios.

692
00:35:33,760 --> 00:35:35,800
They haven't even asked me about the attack scenarios. I've

693
00:35:35,840 --> 00:35:37,960
just explained the concept of a spectrum. They said, yeah,

694
00:35:38,039 --> 00:35:39,840
put the line on the top. Fix

695
00:35:39,880 --> 00:35:43,440
them all. And then you have to explain the cost,

696
00:35:43,639 --> 00:35:46,920
and they go, oh, okay, so what are these? And

697
00:35:46,960 --> 00:35:49,760
they ask in more detail, and you give them the

698
00:35:49,960 --> 00:35:54,360
simplest attack, the simplest story that you do not defeat

699
00:35:54,440 --> 00:35:57,199
with a high degree of confidence, and you ask them,

700
00:35:57,559 --> 00:36:00,119
you know, is that something we need to fix and

701
00:36:00,159 --> 00:36:03,920
they say, yeah, that's nasty. I could see that happening.

702
00:36:04,000 --> 00:36:06,239
Fix that. What else do you got? And you work

703
00:36:06,320 --> 00:36:09,039
up the chain and eventually you reach an attack scenario

704
00:36:09,239 --> 00:36:12,679
or two where they look at it and say, that's

705
00:36:12,800 --> 00:36:15,000
just weird. I mean, let me give you an extreme example.

706
00:36:15,599 --> 00:36:19,760
You know, imagine that a foreign power has either bribed

707
00:36:20,119 --> 00:36:25,440
or blackmailed every employee in a large company. You know,

708
00:36:25,559 --> 00:36:28,880
what security program, what policy can the CEO put

709
00:36:28,920 --> 00:36:31,760
in place that will defend the organization? Well, there isn't one.

710
00:36:33,000 --> 00:36:35,880
You know, your entire organization is working against you.

711
00:36:36,440 --> 00:36:40,199
Is that a credible threat? You know, the business is

712
00:36:40,199 --> 00:36:42,599
probably going to say no, this is why we have

713
00:36:42,760 --> 00:36:45,599
background checks. This, you know, a conspiracy that large,

714
00:36:45,639 --> 00:36:48,280
the government is, you know, going to

715
00:36:48,320 --> 00:36:51,800
come in and, you know, arrest everyone. That's not a

716
00:36:51,840 --> 00:36:55,079
credible threat. And so you know the initial reaction might

717
00:36:55,079 --> 00:36:57,599
be, yeah, fix it all. Draw the line across the

718
00:36:57,679 --> 00:37:01,800
very top of the spectrum. And when it becomes clear

719
00:37:01,840 --> 00:37:04,000
that you can't do that, this is where you dig

720
00:37:04,079 --> 00:37:07,000
into the stories and they have to understand the individual

721
00:37:07,039 --> 00:37:09,800
scenarios and they will eventually draw the line and say

722
00:37:10,119 --> 00:37:12,039
these three here that you told me about, fix them.

723
00:37:12,079 --> 00:37:14,519
The rest of them just don't seem credible. That's the

724
00:37:14,599 --> 00:37:19,280
decision process that you need to go through. And you know,

725
00:37:19,360 --> 00:37:22,159
you need to describe the attacks, and I think the

726
00:37:22,280 --> 00:37:27,880
right way to describe the attacks is with storytelling. If

727
00:37:28,360 --> 00:37:31,360
you know, I don't know, a big business's CISO says,

728
00:37:31,480 --> 00:37:34,400
you know, tailcraft makes sense to me, and they bring

729
00:37:34,480 --> 00:37:37,519
you in, what do you actually do? Do you

730
00:37:37,559 --> 00:37:40,719
run seminars? Do you review reports and give advice?

731
00:37:40,840 --> 00:37:44,280
What does Tailcraft actually do if somebody

732
00:37:44,320 --> 00:37:45,079
engages with you.

733
00:37:45,760 --> 00:37:48,440
Speaker 1: Good question and thank you for asking that. I appreciate it.

734
00:37:48,559 --> 00:37:50,760
So there are a couple of things that we can

735
00:37:50,880 --> 00:37:55,199
offer to organizations that bring us in, from Tailcraft's perspective. First,

736
00:37:55,840 --> 00:37:58,320
let me talk about storytelling. What

737
00:37:58,360 --> 00:38:01,400
we offer from the storytelling approach is we will go

738
00:38:01,639 --> 00:38:05,400
to the client site. We will run workshops anywhere from

739
00:38:05,440 --> 00:38:07,840
a four-hour workshop to a two day workshop. We

740
00:38:07,960 --> 00:38:10,320
will bring team members from the security group as well

741
00:38:10,320 --> 00:38:13,000
as others that the security team interacts with. We'll go

742
00:38:13,079 --> 00:38:16,079
over the principles of storytelling and the concepts of storytelling,

743
00:38:16,400 --> 00:38:19,800
how to be more mindful in your public speaking and

744
00:38:19,840 --> 00:38:22,199
in your preparation. And we'll spend the first day going

745
00:38:22,239 --> 00:38:25,000
through the theory and the concepts of telling a story

746
00:38:25,280 --> 00:38:27,760
and becoming a better public speaker. Then on the second

747
00:38:27,800 --> 00:38:31,199
day of the workshop, we then ask all participants to

748
00:38:31,239 --> 00:38:34,000
stand up for up to ten minutes and provide their story.

749
00:38:34,920 --> 00:38:36,559
At the end of each one of the sessions, we

750
00:38:36,639 --> 00:38:40,679
provide positive feedback and provide them opportunities to grow and

751
00:38:40,760 --> 00:38:45,320
experience more storytelling opportunities, and then we close up the workshop,

752
00:38:45,760 --> 00:38:48,480
we provide reports back to each of the individuals on

753
00:38:48,679 --> 00:38:52,320
how we observed them absorbing all of the content from

754
00:38:52,400 --> 00:38:55,400
day one, and then offer opportunities for individual mentoring and

755
00:38:55,440 --> 00:38:57,840
coaching along the way. So that's one of the first

756
00:38:57,840 --> 00:39:01,079
services we offer. The second is we can come into organizations.

757
00:39:01,519 --> 00:39:05,119
If a CSO or CISO contacts us and asks us

758
00:39:05,119 --> 00:39:09,039
for assistance, we can do everything from helping them redesign

759
00:39:09,159 --> 00:39:12,719
their security program using the principles of enterprise security risk management,

760
00:39:13,119 --> 00:39:16,039
review the current program that they have today, assess the

761
00:39:16,079 --> 00:39:18,960
maturity of the controls that they have in place, identify

762
00:39:19,039 --> 00:39:21,599
risks that are facing the organization at a strategic level,

763
00:39:21,880 --> 00:39:23,639
and then we can come in and help them map

764
00:39:23,679 --> 00:39:27,159
out and design a path to greater maturity by assessing

765
00:39:27,199 --> 00:39:30,320
the culture of security across the organization as well, where

766
00:39:30,360 --> 00:39:33,039
we go in and interview stakeholders from across the organization,

767
00:39:33,280 --> 00:39:36,559
from different departments, different divisions, and different levels of employees

768
00:39:36,599 --> 00:39:40,400
in the organization and identify their perception of security, the

769
00:39:40,519 --> 00:39:43,159
value that security brings to the organization, and how the

770
00:39:43,199 --> 00:39:46,239
security team can become greater partners and trusted advisors to

771
00:39:46,280 --> 00:39:49,119
the company. That's part of the work that we do

772
00:39:49,159 --> 00:39:50,119
with Tailcraft Security.

773
00:39:51,360 --> 00:39:55,280
Speaker 3: I understand as well that you're working with professional associations

774
00:39:55,800 --> 00:39:58,639
or something. I mean, I know that in Canada there's

775
00:39:58,679 --> 00:40:03,320
the Canadian Information Processing Society. It's not security focused. Security

776
00:40:03,360 --> 00:40:06,599
is an aspect of information processing in the IT space.

777
00:40:07,159 --> 00:40:12,480
In Alberta there's APEGA, the Association for Professional Engineers,

778
00:40:12,480 --> 00:40:21,559
Geologists, Geophysicists. Did I get that right? Yeah, Okay, we'll

779
00:40:21,559 --> 00:40:27,800
cut this out. And you know, to me, industrial cybersecurity

780
00:40:27,800 --> 00:40:34,000
is increasingly becoming part of the engineering profession. I would

781
00:40:34,039 --> 00:40:39,719
dearly love to see, you know, these professions embrace cybersecurity

782
00:40:39,840 --> 00:40:44,760
and you know, established professional standards for practitioners for you know,

783
00:40:44,920 --> 00:40:49,280
what is considered acceptable practice, so that there is sort

784
00:40:49,320 --> 00:40:54,800
of a minimum bar. So tell me you're working with

785
00:40:54,840 --> 00:40:57,119
these folks, what what is it that you're doing. How's

786
00:40:57,119 --> 00:40:57,519
that going?

787
00:40:58,280 --> 00:41:02,440
Speaker 1: Yeah. So I've been thinking about this for

788
00:41:02,440 --> 00:41:05,199
probably the last twenty-some years, and it always bothered

789
00:41:05,239 --> 00:41:08,800
me that, you know, the security director, the CISO,

790
00:41:08,880 --> 00:41:11,559
et cetera in an organization, if they did get a

791
00:41:11,639 --> 00:41:13,920
chance to come to a board meeting or to be

792
00:41:13,960 --> 00:41:16,400
invited to talk to executives, you got a forty-five

793
00:41:16,400 --> 00:41:18,360
minute time slot. Most times it was less. You had

794
00:41:18,360 --> 00:41:20,320
a chance to drink the really good coffee and then

795
00:41:20,360 --> 00:41:22,199
you were asked to leave the room and that was

796
00:41:22,199 --> 00:41:25,760
your time. Where your peers who were running other departments

797
00:41:25,800 --> 00:41:29,239
across the organization in legal, finance, HR, etc. They stayed

798
00:41:29,239 --> 00:41:31,199
the entire weekend to help map out the strategy for

799
00:41:31,239 --> 00:41:34,320
an organization. Yet we weren't invited to that party, and

800
00:41:34,360 --> 00:41:36,239
that kind of annoyed me for the last twenty-some years.

801
00:41:36,800 --> 00:41:39,519
So I took it upon myself to begin a journey,

802
00:41:39,719 --> 00:41:41,559
and I brought some folks along with me. There's about

803
00:41:41,599 --> 00:41:43,639
fifteen of us now that are working on the concept

804
00:41:43,639 --> 00:41:47,119
of designing and developing the profession of security, focusing on

805
00:41:47,159 --> 00:41:50,280
Canada first and then working through the Commonwealth model to

806
00:41:50,280 --> 00:41:53,960
all those countries that followed the Commonwealth parliamentary system. And

807
00:41:54,039 --> 00:41:56,039
it made sense to me. I couldn't do much work

808
00:41:56,079 --> 00:41:58,719
when I was the President of ASIS in twenty twenty three.

809
00:41:59,119 --> 00:42:01,360
I didn't want to have any perceived conflict of interest

810
00:42:01,440 --> 00:42:03,360
or anything that I was doing. But what we looked

811
00:42:03,400 --> 00:42:06,280
at from this concept of designing the profession of security,

812
00:42:06,639 --> 00:42:10,840
it's an opportunity for those who call this our profession

813
00:42:11,239 --> 00:42:13,800
and want to be recognized as such, to borrow some

814
00:42:13,840 --> 00:42:15,920
of the great work that CIPS has done and that

815
00:42:15,960 --> 00:42:18,599
APEGA has done here in Alberta, CIPS across the country,

816
00:42:18,840 --> 00:42:21,360
to recognize the path that they took, how they were

817
00:42:21,800 --> 00:42:25,400
recognized and established, how they developed their charters, etc. So

818
00:42:25,440 --> 00:42:28,199
we've had an opportunity to chat with some folks from CIPS,

819
00:42:28,199 --> 00:42:30,199
but also to look at the work that they've done.

820
00:42:30,360 --> 00:42:32,679
And I've had a chance to review APEGA and

821
00:42:32,800 --> 00:42:35,920
it made sense to me. So now spin forward to

822
00:42:36,199 --> 00:42:38,360
twenty twenty five, we have a group of individuals who

823
00:42:38,360 --> 00:42:41,199
are focused on designing and developing what we consider to

824
00:42:41,239 --> 00:42:44,800
be a model that will provide a professional designation for

825
00:42:44,960 --> 00:42:48,840
security professionals in Canada. It's an opportunity to demonstrate your

826
00:42:48,920 --> 00:42:52,880
expertise and your body of knowledge. It's an opportunity to

827
00:42:52,880 --> 00:42:55,880
take all of the designations that you've received from groups

828
00:42:55,920 --> 00:42:59,880
like ISC2, ISACA, ASIS, etc. Use them as

829
00:43:00,119 --> 00:43:03,079
stepping stones to the next level where you're accepted as

830
00:43:03,079 --> 00:43:07,039
a professional designation, so that a security designation, whatever we

831
00:43:07,079 --> 00:43:09,960
can land on for the post-nominals, would be recognized the

832
00:43:09,960 --> 00:43:13,360
same as an engineer or as a doctor or as

833
00:43:13,440 --> 00:43:17,039
potentially a lawyer. It gives us the validation of our

834
00:43:17,159 --> 00:43:20,199
work that we do. It gives us the recognition of

835
00:43:20,239 --> 00:43:22,840
the value that security brings to an organization, and it

836
00:43:22,920 --> 00:43:27,679
ties together OT, it, cyber, physical, all of the different

837
00:43:27,760 --> 00:43:30,639
parts that make up security, and it's a chance for us

838
00:43:30,679 --> 00:43:33,320
to come under one umbrella. So the way I describe

839
00:43:33,360 --> 00:43:35,480
it is that you know, for years I said I

840
00:43:35,559 --> 00:43:37,679
ran a department, it just happens to be security. Now

841
00:43:37,719 --> 00:43:40,119
we can say I'm a security professional and my expertise

842
00:43:40,199 --> 00:43:44,039
is in OT security, or in forensics, or in investigations

843
00:43:44,199 --> 00:43:47,840
or in crime prevention through environmental design. It gives us

844
00:43:47,880 --> 00:43:51,360
an umbrella designation for security and a chance to specialize.

845
00:43:51,360 --> 00:43:54,039
So a good friend of mine is a surgeon. He

846
00:43:54,119 --> 00:43:56,639
started off as a doctor and now he's a thoracic surgeon.

847
00:43:56,679 --> 00:43:59,480
So whenever he introduces himself, it's that, you know, he's

848
00:43:59,519 --> 00:44:02,719
a doctor, my specialty's thoracic surgery, and now he's Chief

849
00:44:02,719 --> 00:44:06,119
of thoracic Surgery at Vancouver General Hospital. Super great guy.

850
00:44:06,159 --> 00:44:08,280
But the path he took was become a doctor, demonstrate

851
00:44:08,320 --> 00:44:12,039
your expertise, spend more time to create your specialty, focus

852
00:44:12,079 --> 00:44:14,760
on that, be recognized for that, and now that's his designation.

853
00:44:15,280 --> 00:44:17,440
I want to do the same here in Canada for security.

854
00:44:17,880 --> 00:44:20,880
The reason why is, look, you and I both know this, Andrew,

855
00:44:20,880 --> 00:44:22,440
and we've seen this. If I go do a risk

856
00:44:22,480 --> 00:44:25,360
assessment for a client or internally, and if I do

857
00:44:25,400 --> 00:44:27,079
a bad job, I just go to the next client.

858
00:44:28,280 --> 00:44:30,679
But if we have a doctor or a lawyer who

859
00:44:31,039 --> 00:44:34,559
mishandles a file or mishandles an operation, or is liable

860
00:44:34,559 --> 00:44:37,320
for their actions, they're held accountable to it. We are not.

861
00:44:38,159 --> 00:44:39,480
What I want to be able to do is put

862
00:44:39,519 --> 00:44:42,679
in the standards that demonstrate the level of our expertise,

863
00:44:43,079 --> 00:44:45,880
that we're held accountable for our actions, that we maintain

864
00:44:46,119 --> 00:44:49,320
our credentials throughout our career, that we're able to give

865
00:44:49,360 --> 00:44:52,199
back to the profession of security, and that if something

866
00:44:52,239 --> 00:44:55,199
does happen, we're actually accountable for the work that we do.

867
00:44:55,519 --> 00:44:58,039
And I think that's important. Right here in our new

868
00:44:58,039 --> 00:45:01,199
house, an engineer stamped our plans, he's accountable for the

869
00:45:01,239 --> 00:45:04,079
work he did. Why can't we have the same for security.

870
00:45:04,119 --> 00:45:07,440
I think we need to because then that provides executives

871
00:45:07,480 --> 00:45:09,840
a greater understanding of how important the work is that we

872
00:45:09,920 --> 00:45:12,920
do every day to secure your organization so that you

873
00:45:12,960 --> 00:45:16,119
can achieve your goals and objectives. That's what I've been

874
00:45:16,440 --> 00:45:18,000
doing on the side of my desk for the past

875
00:45:18,000 --> 00:45:20,039
twenty years. I finally got some breathing room to do

876
00:45:20,079 --> 00:45:23,039
it now with Tailcraft giving me the space to do it.

877
00:45:23,400 --> 00:45:25,960
So I'm looking forward to trying to roll this thing

878
00:45:25,960 --> 00:45:27,400
out between now and the end of the year, at

879
00:45:27,480 --> 00:45:29,400
least the structure of it, and then engage more

880
00:45:29,400 --> 00:45:31,679
people to get their comments and their perceptions so that

881
00:45:31,960 --> 00:45:34,199
we're trying to reflect and represent as many folks as

882
00:45:34,239 --> 00:45:35,800
we can across the security profession.

883
00:45:36,599 --> 00:45:38,800
Speaker 3: Well, Tim, this has been tremendous. Again, I look forward

884
00:45:38,800 --> 00:45:41,239
to your book. Hopefully you find some time to work

885
00:45:41,280 --> 00:45:43,280
on it. Before we let you go, can I ask

886
00:45:43,320 --> 00:45:45,440
you to sum up for us what

887
00:45:45,440 --> 00:45:48,079
should we take away from the discussion we've had in

888
00:45:48,119 --> 00:45:51,440
the episode here and use it going forward.

889
00:45:52,840 --> 00:45:54,800
Speaker 1: Thank you for that. I appreciate it, and yeah, fingers crossed.

890
00:45:54,840 --> 00:45:56,639
I can get working on the book over the summertime,

891
00:45:57,039 --> 00:46:00,360
that's my goal. But for this particular episode, I think

892
00:46:00,400 --> 00:46:03,639
a couple of things. One, as security professionals, it's not

893
00:46:03,840 --> 00:46:06,239
our job to accept the risk. It's our job to

894
00:46:06,320 --> 00:46:09,280
identify it, provide a mitigation strategy, and present it back

895
00:46:09,280 --> 00:46:12,280
to executives. So that's that's one of the things that

896
00:46:12,320 --> 00:46:14,519
I want to keep stressing for everybody. Our role is

897
00:46:14,559 --> 00:46:17,440
to be an advisor to the organization. It's not to

898
00:46:17,519 --> 00:46:20,880
accept the risk on behalf of the organization. Second is,

899
00:46:21,320 --> 00:46:24,400
we all have a story to tell. We all understand

900
00:46:24,559 --> 00:46:27,039
the value and the power of a story. We all

901
00:46:27,079 --> 00:46:29,880
see how important it is when we tell a story

902
00:46:29,920 --> 00:46:32,239
to our executives, to our leaders, to our teams, and

903
00:46:32,280 --> 00:46:35,320
to others. You need to focus on those skill sets

904
00:46:35,320 --> 00:46:37,519
of how to tell a story, particularly in the role

905
00:46:37,559 --> 00:46:40,800
of security, because not everyone understands the value that we bring.

906
00:46:41,559 --> 00:46:43,559
And the last point for me is

907
00:46:43,559 --> 00:46:47,039
that you need to continue to look for mentors, for instructors,

908
00:46:47,079 --> 00:46:49,800
for trainers who can offer you these skill sets and

909
00:46:49,840 --> 00:46:51,559
who can provide this type of training for you so

910
00:46:51,599 --> 00:46:54,440
that you can continue to build your career. We can't

911
00:46:54,519 --> 00:46:56,800
do this alone. You need to make sure that you

912
00:46:56,880 --> 00:46:58,719
have an opportunity to reach out to folks that can

913
00:46:58,760 --> 00:47:01,159
help you, whether it's looking at your security program and

914
00:47:01,199 --> 00:47:03,559
trying to build it on a risk based approach, or

915
00:47:03,599 --> 00:47:06,119
teaching people the value of telling a story and then

916
00:47:06,159 --> 00:47:09,320
applying those skills the next presentation you give to executives.

917
00:47:09,719 --> 00:47:12,719
If folks remember those things, that'd be terrific. So for

918
00:47:12,760 --> 00:47:15,800
those folks listening to the podcast today, if those points

919
00:47:15,880 --> 00:47:18,760
resonate with you, and if you're looking for opportunities to

920
00:47:18,840 --> 00:47:20,760
learn more about telling a story, of how to be

921
00:47:20,800 --> 00:47:23,280
effective doing that, how to look at your program from

922
00:47:23,280 --> 00:47:25,639
a risk based approach, and how to find mentors that

923
00:47:25,679 --> 00:47:27,599
can help you in your career path, reach out to

924
00:47:27,639 --> 00:47:31,360
Tailcraft Security. This is what we do. It's our opportunity

925
00:47:31,400 --> 00:47:34,960
to give back to the profession of security, to help organizations

926
00:47:35,000 --> 00:47:38,079
build their security programs and to grow the skill sets

927
00:47:38,119 --> 00:47:42,079
of people who want to learn more about telling a story,

928
00:47:42,280 --> 00:47:45,079
becoming a better security leader, or understanding the concepts of

929
00:47:45,119 --> 00:47:47,519
a risk based approach to security. That's what we're here

930
00:47:47,519 --> 00:47:49,920
at Tailcraft for, to help, to give back and

931
00:47:49,960 --> 00:47:50,320
to grow.

932
00:47:53,960 --> 00:47:56,440
Speaker 2: Andrew that seems to have done it with your interview

933
00:47:56,480 --> 00:47:58,960
with Tim. Do you have any final word you would

934
00:47:59,000 --> 00:48:00,000
like to see us out with today?

935
00:48:00,960 --> 00:48:05,880
Speaker 3: Yeah, I mean, I think this is a really important topic.

936
00:48:06,480 --> 00:48:10,039
I see way too many security teams saying this is

937
00:48:10,119 --> 00:48:12,559
my budget, this is all I have budget to do.

938
00:48:12,679 --> 00:48:16,239
I do not have budget to solve that problem. Therefore,

939
00:48:16,360 --> 00:48:20,559
I will accept the risk of that problem. And you know,

940
00:48:20,719 --> 00:48:23,840
especially for new projects, for risks that you know we've

941
00:48:23,840 --> 00:48:32,280
never considered before, that is often the wrong decision. You know,

942
00:48:32,519 --> 00:48:35,199
when we have new kinds of decisions to make, we

943
00:48:35,280 --> 00:48:39,559
need to escalate those decisions to the people who assign budget.

944
00:48:39,599 --> 00:48:42,360
We need to tell those people stories so they understand

945
00:48:42,360 --> 00:48:45,039
the risk. We have to get the right information, the

946
00:48:45,119 --> 00:48:48,199
right stories, to the right people so they can make

947
00:48:48,239 --> 00:48:51,800
the right decisions. Saying I have no budget, therefore I'm

948
00:48:51,840 --> 00:48:56,159
going to accept the risk, many times is the wrong

949
00:48:56,280 --> 00:48:58,480
decision for the business. And we cannot afford to be

950
00:48:58,519 --> 00:49:01,960
making those wrong decisions time and again. You know, as

951
00:49:02,000 --> 00:49:07,239
the threat environment becomes more dangerous, as consequences of you know,

952
00:49:07,320 --> 00:49:11,159
industrial cyber attacks increase, we need to be making the

953
00:49:11,239 --> 00:49:15,599
right decisions. And you know this seems an essential component

954
00:49:15,760 --> 00:49:17,360
of making the right decisions.

955
00:49:17,840 --> 00:49:20,840
Speaker 2: Well, thanks to Tim McCreight for that. And Andrew, as always,

956
00:49:20,880 --> 00:49:22,000
thank you for speaking with me.

957
00:49:22,440 --> 00:49:23,559
Speaker 3: It's always a pleasure. Thank you.

958
00:49:24,440 --> 00:49:28,480
Speaker 2: This has been the Industrial Security Podcast from Waterfall. Thanks

959
00:49:28,480 --> 00:49:30,280
to everyone out there listening.

