WEBVTT 1 00:00:00.080 --> 00:00:04.160 Welcome everyone, ready to dive deep into protective security. We're 2 00:00:04.160 --> 00:00:07.799 talking taking military grade defense strategies and applying them to 3 00:00:07.879 --> 00:00:10.320 your digital life, your business, everything. 4 00:00:10.400 --> 00:00:12.880 It's a hot topic for sure, especially now with everyone 5 00:00:12.960 --> 00:00:14.560 so connected online big time. 6 00:00:15.359 --> 00:00:18.000 You know, I'm curious, what do people get wrong about 7 00:00:18.079 --> 00:00:21.199 protective security? Like, what are the biggest misconceptions you run. 8 00:00:21.039 --> 00:00:23.800 Into a lot of folks think, oh, it's just cybersecurity, right, 9 00:00:24.039 --> 00:00:26.800 firewalls and anti virus, that's it. But it's way bigger. 10 00:00:26.879 --> 00:00:29.600 Got to protect all your valuable stuff, digital, physical, the 11 00:00:29.640 --> 00:00:30.440 whole nine yards. 12 00:00:30.440 --> 00:00:32.560 It makes sense, not just reacting to stuff. Got to 13 00:00:32.600 --> 00:00:36.560 be ahead of the game. So how does this book 14 00:00:36.600 --> 00:00:40.159 we're looking at today, how does it approach protective security? 15 00:00:40.439 --> 00:00:41.840 We'll call it PS for short. 16 00:00:42.079 --> 00:00:45.399 This book, it's all about a holistic approach, blend physical 17 00:00:45.439 --> 00:00:48.679 and digital security. You gotta work together, can't separate. 18 00:00:48.320 --> 00:00:50.000 Them, gotcha, I gotta be seamless. 19 00:00:50.159 --> 00:00:54.640 The author uses this great analogy. Think of a military base. Okay, 20 00:00:54.679 --> 00:00:58.520 I'm a listening, layers of defense, right, fences, checkpoints, patrols, 21 00:00:58.560 --> 00:01:01.079 the whole shebang. It makes you think, how do we 22 00:01:01.159 --> 00:01:03.079 fortify our businesses the same way? 23 00:01:03.399 --> 00:01:05.719 I like that layers of defense. But where do you 24 00:01:05.799 --> 00:01:06.359 even begin? 25 00:01:06.719 --> 00:01:07.760 Start with the crown jewels? 26 00:01:07.799 --> 00:01:08.000 Yeah? 27 00:01:08.079 --> 00:01:11.159 Right, What are your most critical assets? What can your 28 00:01:11.159 --> 00:01:13.280 business absolutely not function without? 29 00:01:13.400 --> 00:01:15.519 For sure? For some it's their brick and mortar store, 30 00:01:15.560 --> 00:01:17.920 others it's their website, their platform. 31 00:01:18.120 --> 00:01:20.079 Exactly protect that core that's step one. 32 00:01:20.239 --> 00:01:22.640 So we figure out what needs protecting. 33 00:01:23.239 --> 00:01:28.200 Then what then you build outward layers of protection around 34 00:01:28.359 --> 00:01:31.480 those core assets. That's where the author's military background really 35 00:01:31.480 --> 00:01:32.120 shines through. 36 00:01:32.319 --> 00:01:35.359 Okay, interesting, Earlier you said PS isn't just reacting, got 37 00:01:35.400 --> 00:01:38.040 to be proactive. How do we get into that mindset? 38 00:01:38.079 --> 00:01:39.000 What does the book say? 39 00:01:39.319 --> 00:01:42.879 He talks about having a military mindset draws from his 40 00:01:43.000 --> 00:01:47.560 experience managing security for high risk military flights. And these 41 00:01:47.560 --> 00:01:52.040 weren't your average trips. We're talking high ranking officials, nighttime flights, 42 00:01:52.400 --> 00:01:53.680 lots of tension. 43 00:01:53.560 --> 00:01:56.159 High stakes. I bet the planning was intense. How to 44 00:01:56.239 --> 00:01:59.159 have everything covered? How does that apply to us regular 45 00:01:59.200 --> 00:02:00.400 folk running businessinesses? 46 00:02:00.760 --> 00:02:03.280 Think about it, whether it's a new product launch or 47 00:02:03.319 --> 00:02:08.400 you're handling sensitive customer data. Curveballs happen, right, unexpected stuff. 48 00:02:09.280 --> 00:02:12.240 This PS approach, it's like having a plan for the 49 00:02:12.240 --> 00:02:16.000 what ifs, minimizing the damage those surprises can do. 50 00:02:16.199 --> 00:02:17.919 That makes a lot of sense being ready for anything. 51 00:02:18.000 --> 00:02:21.879 So planning mindset, that's huge. You got it now. This 52 00:02:21.919 --> 00:02:25.360 book also mentions compliance. Lots of people think if I'm 53 00:02:25.400 --> 00:02:27.360 meeting the standards, I'm golden right yeh. 54 00:02:27.400 --> 00:02:30.199 That's where they get tripped up. Compliance that's just the 55 00:02:30.240 --> 00:02:32.199 bare minimum, the starting line, not to finish. 56 00:02:32.400 --> 00:02:32.800 Interesting. 57 00:02:32.919 --> 00:02:34.879 There's a story in the book author had to turn 58 00:02:34.919 --> 00:02:39.319 this RAF base into a civilian compliance facility for a 59 00:02:39.360 --> 00:02:41.879 big event, even with his military background. It was a 60 00:02:41.919 --> 00:02:42.680 whole other beast. 61 00:02:42.840 --> 00:02:45.840 Makes you think God adapt to different rules, different situations. 62 00:02:45.879 --> 00:02:48.960 But how do we go beyond just checking boxes? How 63 00:02:48.960 --> 00:02:50.680 do we build real resilience? 64 00:02:50.719 --> 00:02:53.319 Like you were saying, got to be constantly checking your systems, 65 00:02:53.360 --> 00:02:56.599 your processes, looking for weak spots. Always got to be 66 00:02:56.680 --> 00:02:59.800 adapting to new threats. Compliance tells you what to do, 67 00:03:00.199 --> 00:03:03.560 but real ps it's about understanding why and making your 68 00:03:03.560 --> 00:03:05.199 defenses stronger every. 69 00:03:05.039 --> 00:03:08.080 Day, always going to be one step ahead. So any 70 00:03:08.120 --> 00:03:11.479 practical tips stuff listeners can do right now to get 71 00:03:11.520 --> 00:03:12.599 on that proactive path. 72 00:03:13.039 --> 00:03:17.479 First off, ditch the basic checklist mentality. Ask yourself, am 73 00:03:17.520 --> 00:03:20.759 I really building security into everything I do? Then think 74 00:03:20.800 --> 00:03:23.400 like the bad guys, what's vulnerable in my organization? What 75 00:03:23.439 --> 00:03:24.319 are they going to come after? 76 00:03:24.400 --> 00:03:27.560 That's a great exercise. And speaking of vulnerabilities, the book 77 00:03:27.560 --> 00:03:29.759 talks a lot about the human firewall. Why is that 78 00:03:29.800 --> 00:03:30.400 so important? 79 00:03:30.680 --> 00:03:34.479 Technology is great, but human error that's often the weakest link. 80 00:03:34.840 --> 00:03:38.280 There's this crazy story in the book, a counterintelligence operation 81 00:03:38.360 --> 00:03:41.280 almost blew up all because of one wrong word. 82 00:03:41.439 --> 00:03:44.400 Whoa Okay, I'm hooked. Tell me more about this operation, 83 00:03:44.639 --> 00:03:46.360 what went wrong? What can we learn from it? 84 00:03:46.639 --> 00:03:50.000 Undercover agents, fake identities, high stakes mission, the whole bit. 85 00:03:50.080 --> 00:03:53.159 Everything's going perfect, and so boom, one agent slips up, 86 00:03:53.439 --> 00:03:55.360 uses a word that blows their cover, almost cause an 87 00:03:55.400 --> 00:03:56.360 international incident. 88 00:03:56.439 --> 00:04:00.280 Wow, even spies, one word can make or break them exactly. 89 00:04:00.879 --> 00:04:05.639 That's why training, communication, understanding how people think, it's all crucial, 90 00:04:05.840 --> 00:04:10.120 a human firewall. It's about creating a culture where everyone's 91 00:04:10.159 --> 00:04:12.840 trained to spot those red flags, no matter how small 92 00:04:12.879 --> 00:04:13.319 they seem. 93 00:04:13.439 --> 00:04:15.000 Everyone's got to be on their toes part of the 94 00:04:15.000 --> 00:04:15.840 security team. 95 00:04:15.879 --> 00:04:19.879 You got it. That takes clear communication, training and knowing 96 00:04:19.920 --> 00:04:22.040 how people tick the whole package. 97 00:04:22.120 --> 00:04:27.399 Thinking about that operation, maybe having codewords, specific protocols could 98 00:04:27.439 --> 00:04:29.120 have prevented that whole mess. 99 00:04:29.040 --> 00:04:32.199 You're right on the money. Having set responses for those 100 00:04:32.240 --> 00:04:34.720 tense situations. It takes the pressure off thinking on. 101 00:04:34.639 --> 00:04:38.920 Your feet exactly. Systems and procedures, not just individual judgment. 102 00:04:39.120 --> 00:04:39.839 Gotta have both. 103 00:04:40.680 --> 00:04:44.639 Speaking of systems, the author talks about resilience like a 104 00:04:44.800 --> 00:04:47.839 shipbuild for storms. Your business it needs to wather those 105 00:04:47.879 --> 00:04:50.399 cyber attacks and disruptions come out stronger. 106 00:04:50.720 --> 00:04:53.439 So it's not just preventing bad stuff, it's about bouncing 107 00:04:53.480 --> 00:04:56.000 back when it does happen. What are the building blocks 108 00:04:56.000 --> 00:04:57.519 of resilience? What does the book say? 109 00:04:57.839 --> 00:05:02.319 Three key things? Active planning what if scenarios. You got 110 00:05:02.360 --> 00:05:06.560 to have those plans ready. Then solid incident response, knowing 111 00:05:06.600 --> 00:05:09.519 what to do when the alarm bells ring. And lastly, 112 00:05:09.920 --> 00:05:14.079 strong communication. Everyone knows who to contact, what to do 113 00:05:14.160 --> 00:05:15.279 when things hit the fan. 114 00:05:15.319 --> 00:05:17.560 Like a fire drill, but for the digital world, you 115 00:05:17.639 --> 00:05:17.959 got it. 116 00:05:18.160 --> 00:05:20.000 You wouldn't wait for a fire to figure out your 117 00:05:20.120 --> 00:05:20.800 escape route. 118 00:05:20.920 --> 00:05:22.480 Now I got to hear about this story with the 119 00:05:22.519 --> 00:05:26.360 author's military dog. Sounds like a lesson in adaptability thinking 120 00:05:26.480 --> 00:05:28.839 fast under pressure security exercise. 121 00:05:28.920 --> 00:05:31.360 Right, author and his dog. They're supposed to catch a 122 00:05:31.399 --> 00:05:35.319 bad guy, but then the dog gets distracted by a 123 00:05:35.399 --> 00:05:38.800 totally unrelated scent through the whole plan off. 124 00:05:38.839 --> 00:05:39.959 Oh no, what did he do? 125 00:05:40.120 --> 00:05:43.600 Had to improvise and fast he readjusted, came up with 126 00:05:43.639 --> 00:05:46.439 a new strategy on the fly, finished the exercise. Despite 127 00:05:46.480 --> 00:05:47.240 the curve ball. 128 00:05:47.120 --> 00:05:49.519 Shows you resilience isn't just about tech. Got to have 129 00:05:49.560 --> 00:05:52.560 the right mindset, be prepared for anything, and a well 130 00:05:52.600 --> 00:05:54.279 trained dog probably doesn't hurt either. 131 00:05:54.399 --> 00:05:58.920 Absolutely, It's about adaptability, being resourceful, and thinking on your feet. 132 00:05:59.079 --> 00:06:00.800 This has been a great one look at the core 133 00:06:00.879 --> 00:06:05.079 principles of protective security. But let's get practical. What are 134 00:06:05.120 --> 00:06:08.879 some concrete steps people can take to actually implement these principles. 135 00:06:09.040 --> 00:06:11.279 We'll dig into those strategies in the next part of 136 00:06:11.279 --> 00:06:11.920 our deep dive. 137 00:06:12.040 --> 00:06:15.000 Okay, so let's get into the nitty gritty, some real 138 00:06:15.160 --> 00:06:18.000 tactics you can use to amp up your protective security game. 139 00:06:18.240 --> 00:06:21.800 Love it. Let's get practical. We've talked a mindset, the 140 00:06:21.879 --> 00:06:23.959 human firewall, thinking like an attacker. 141 00:06:24.240 --> 00:06:27.879 Now what the book talks about safeguarding your sensitive info. 142 00:06:28.079 --> 00:06:31.480 Got to use different security classifications like the military does 143 00:06:31.519 --> 00:06:34.319 confidential secret, you know that kind of thing. You've got 144 00:06:34.360 --> 00:06:36.839 to categorize your data based on how sensitive it is 145 00:06:37.240 --> 00:06:39.040 and protect it accordingly makes sense. 146 00:06:39.120 --> 00:06:41.399 Not all data is created equal. Some stuff needs way 147 00:06:41.480 --> 00:06:42.600 more protection than others. 148 00:06:42.720 --> 00:06:45.519 You got it, like customer financial data. That's got to 149 00:06:45.560 --> 00:06:49.399 be Fort Knox level security, multiple layers of protection, encryption, 150 00:06:50.079 --> 00:06:51.759 access controls, the works. 151 00:06:52.360 --> 00:06:55.040 So how do we decide which level is right for what? 152 00:06:55.360 --> 00:06:58.160 Any guidelines frameworks we can follow. 153 00:06:58.040 --> 00:07:00.160 A lot of organizations, they use a risk base to 154 00:07:00.199 --> 00:07:03.120 approach what's the worst that could happen if this data 155 00:07:03.160 --> 00:07:07.839 gets out? Financial damage, legal trouble, reputation hit. The bigger 156 00:07:07.839 --> 00:07:10.199 the potential impact, the stronger the security. 157 00:07:10.600 --> 00:07:13.879 So play out the worst case scenario that helps us prioritize. 158 00:07:13.959 --> 00:07:17.240 Right, And it's not just digital stuff, physical documents. Prototypes 159 00:07:17.480 --> 00:07:20.040 got to secure those two. The book talks about using 160 00:07:20.439 --> 00:07:25.399 persistent storage containers basically really good safes, lock cabinets, even 161 00:07:25.439 --> 00:07:27.800 dedicated rooms with controlled access. 162 00:07:27.560 --> 00:07:29.920 Like a real life vault for your top secret stuff. 163 00:07:30.079 --> 00:07:33.639 Exactly right. Now, let's talk encryption. It's a must have 164 00:07:33.800 --> 00:07:36.879 for protecting data, whether it's moving around or just sitting there. 165 00:07:37.439 --> 00:07:39.600 Think of it like putting your confidential info in a 166 00:07:39.639 --> 00:07:42.680 coded message. Only the right people of the key. 167 00:07:42.839 --> 00:07:45.480 So scrambled up, so even if someone gets it, it's 168 00:07:45.720 --> 00:07:47.480 gibberish without the key, right. 169 00:07:47.519 --> 00:07:50.120 There's different types of encryption, some more complex than others. 170 00:07:50.560 --> 00:07:52.600 The key is got to choose the right level of 171 00:07:52.639 --> 00:07:55.120 security depends on how sensitive the info is. 172 00:07:55.319 --> 00:07:58.839 So my grocery list probably doesn't need the same encryption 173 00:07:59.040 --> 00:08:01.480 as say, government secrets exactly. 174 00:08:01.800 --> 00:08:05.199 For everyday stuff, AES encryption that's pretty solid used all 175 00:08:05.199 --> 00:08:08.279 over the place. For super sensitive data, you might need 176 00:08:08.319 --> 00:08:11.959 something even stronger like RSA. That's the big leagues used 177 00:08:12.000 --> 00:08:13.800 for online transactions and stuff. 178 00:08:14.000 --> 00:08:17.160 Starting to see how all these different methods they add 179 00:08:17.240 --> 00:08:20.680 up to those layers of defense in the digital world. 180 00:08:20.560 --> 00:08:22.680 It's all about making it as hard as possible for 181 00:08:22.720 --> 00:08:25.240 the bad guys to get their hands on your data. Now, 182 00:08:25.279 --> 00:08:28.759 another important piece of the puzzle is information processing. Got 183 00:08:28.759 --> 00:08:32.399 to understand how information moves around in your organization. That's 184 00:08:32.440 --> 00:08:33.879 where you find vulnerabilities. 185 00:08:34.039 --> 00:08:36.320 Not just about protecting the data itself. Got to know 186 00:08:36.360 --> 00:08:37.200 its whole journey. 187 00:08:37.279 --> 00:08:39.600 You got it, where's the data stored, how's it transmitted? 188 00:08:39.720 --> 00:08:42.559 Who can see it? Map out those processes and boom, 189 00:08:42.600 --> 00:08:44.759 you'll find the weak spots that need extra protection. 190 00:08:45.279 --> 00:08:49.120 Like making a blueprint of your information and then fortifying 191 00:08:49.120 --> 00:08:50.519 it against attack. 192 00:08:50.399 --> 00:08:53.320 Exactly Think of it like a supply chain. Every step 193 00:08:53.799 --> 00:08:56.559 from creating the data to storing it to sending it, 194 00:08:56.559 --> 00:08:57.759 it's a potential weak point. 195 00:08:57.799 --> 00:09:01.000 That mapping exercise that's got to be super helpful. Really 196 00:09:01.080 --> 00:09:03.559 helps visualize the flow and see where you need to 197 00:09:03.639 --> 00:09:04.480 tighten things up. 198 00:09:04.759 --> 00:09:07.480 Absolutely. Now let's talk about staying ahead of the curve. 199 00:09:07.600 --> 00:09:10.120 Got to keep up with those emerging threats. The book 200 00:09:10.120 --> 00:09:14.360 talks about vulnerability and impact management, things like vulnerability scanning 201 00:09:14.399 --> 00:09:15.559 and penetration testing. 202 00:09:15.679 --> 00:09:18.840 Okay, those sound intense, What do those even involve? 203 00:09:19.000 --> 00:09:21.679 Vulnerability scanning, think of it like a health check for 204 00:09:21.759 --> 00:09:24.799 your systems, finding those weaknesses before the bad guys. 205 00:09:24.840 --> 00:09:24.879 Do. 206 00:09:25.840 --> 00:09:28.720 Lots of tools out there, some free, some of you 207 00:09:28.759 --> 00:09:31.000 got to pay for, depends on your needs. 208 00:09:31.200 --> 00:09:35.720 So basically scanning for non issues, patching them up before 209 00:09:35.759 --> 00:09:36.360 they become a. 210 00:09:36.320 --> 00:09:39.799 Problem, right, and then penetration testing that takes it a 211 00:09:39.840 --> 00:09:43.519 step further. You're simulating real attacks seeing if your defense 212 00:09:43.600 --> 00:09:44.080 is hold up. 213 00:09:44.200 --> 00:09:46.840 So you're hiring good hackers to try and break in 214 00:09:47.039 --> 00:09:48.480 expose those weak points. 215 00:09:48.600 --> 00:09:50.600 That's the idea. You can do it in house or 216 00:09:50.720 --> 00:09:54.279 hire a specialized firm. The goal is find the holes 217 00:09:54.279 --> 00:09:55.720 and fix them before the bad guys do. 218 00:09:55.919 --> 00:09:58.480 It's like a controlled experiment. See where you're vulnerable and 219 00:09:58.519 --> 00:09:59.720 shore things up exactly. 220 00:10:00.360 --> 00:10:02.879 The author also says, got to have a clear incident 221 00:10:02.919 --> 00:10:05.759 response plan just in case something does slip through. 222 00:10:05.960 --> 00:10:08.720 That's a good point. Even with the best security, stuff happens. 223 00:10:08.759 --> 00:10:11.600 So what goes into a good incident response plan? 224 00:10:11.759 --> 00:10:15.080 It's like your cybertag fire drill. What steps do you 225 00:10:15.120 --> 00:10:17.799 take if there's a breach? Who do you call? How 226 00:10:17.799 --> 00:10:20.240 do you contain the damage? How do you recover fast? 227 00:10:20.600 --> 00:10:23.360 So you're not just panicking? You have a playbook minimize 228 00:10:23.360 --> 00:10:24.440 the impact. 229 00:10:24.159 --> 00:10:27.200 Exactly, a well rehearsed plan that can be the difference 230 00:10:27.200 --> 00:10:29.679 between a minor hiccup and a total disaster. 231 00:10:30.039 --> 00:10:33.000 I'm guessing this plan should cover everything from figuring out 232 00:10:33.000 --> 00:10:36.639 what happened, to communicating with everyone involved to actually getting 233 00:10:36.639 --> 00:10:37.519 things back on track. 234 00:10:37.600 --> 00:10:40.000 You got it, and just like those fire drills, got 235 00:10:40.000 --> 00:10:42.639 to test it regularly, keep it updated. The threats are 236 00:10:42.679 --> 00:10:45.000 always changing. Your plan needs to keep up. 237 00:10:45.080 --> 00:10:49.879 So we've talked data, physical security, encryption, how information moves around, 238 00:10:50.480 --> 00:10:53.559 and having a plan for when things go wrong. What 239 00:10:53.720 --> 00:10:54.480 else can people do? 240 00:10:54.639 --> 00:10:58.320 Let's go back to that human firewall idea. The book's 241 00:10:58.320 --> 00:11:00.080 got a lot of good advice on how to make 242 00:11:00.120 --> 00:11:00.840 that's stronger. 243 00:11:01.120 --> 00:11:05.559 We talked about training awareness, making it everyone's responsibility, but 244 00:11:05.720 --> 00:11:08.840 how do we actually d owe that Empower people to 245 00:11:08.879 --> 00:11:10.240 be proactive. 246 00:11:10.000 --> 00:11:13.480 Make security training fun, Get rid of those boring lectures. 247 00:11:14.120 --> 00:11:17.840 Use real stories like that counterintelligence op. Show people what 248 00:11:17.919 --> 00:11:19.440 can happen if things go wrong. 249 00:11:19.559 --> 00:11:22.519 People remember stories, they connect with them. It makes it real. 250 00:11:22.879 --> 00:11:26.080 You got it. In communication, it's got to be clear 251 00:11:26.399 --> 00:11:30.320 simple security policies. They shouldn't be written in some secret code. 252 00:11:30.440 --> 00:11:33.240 Securitious everyone's job, not just for the IT folks. 253 00:11:33.360 --> 00:11:37.279 Right. The author also talks about strict access restrictions. That's 254 00:11:37.279 --> 00:11:39.919 another part of the human firewall. It's all about controlling 255 00:11:39.960 --> 00:11:41.120 who can see what it's like. 256 00:11:41.159 --> 00:11:44.960 Different clearance levels, top secret stuff only certain people can get. 257 00:11:44.840 --> 00:11:48.279 In exactly you want the least privileged principle. People only 258 00:11:48.320 --> 00:11:51.919 access what they need for their job, nothing more. There's 259 00:11:51.960 --> 00:11:53.960 this story the author had to stand up to a 260 00:11:54.039 --> 00:11:57.879 high ranking officer who is trying to bypass security. Shows 261 00:11:57.919 --> 00:12:01.600 you rules or rules, everyone follows them, no exceptions. 262 00:12:01.080 --> 00:12:03.759 Even small exceptions can open big security holes. 263 00:12:03.919 --> 00:12:07.759 Consistency is key absolutely to make sure everyone's following those 264 00:12:07.759 --> 00:12:10.360 access rules, Going to monitor those logs, see who's doing what, 265 00:12:10.840 --> 00:12:13.120 Like a security camera for your data. 266 00:12:12.679 --> 00:12:16.399 Looking for anything suspicious, anything out at the ordinary. What 267 00:12:16.440 --> 00:12:18.360 are some red flags people should watch out for? 268 00:12:19.039 --> 00:12:22.440 Someone failing to log in, over and over, accessing data 269 00:12:22.480 --> 00:12:25.559 at weird hours, trying to see stuff they shouldn't. Those 270 00:12:25.559 --> 00:12:27.320 are all signs something might be up. 271 00:12:27.559 --> 00:12:31.480 Like being a detective spotting those little clues that something's fishy. 272 00:12:31.679 --> 00:12:34.360 You got it. The faster you catch those potential threats, 273 00:12:34.399 --> 00:12:34.759 the better. 274 00:12:35.080 --> 00:12:39.039 Okay, so we covered building that human firewall. Now what 275 00:12:39.120 --> 00:12:42.679 about resilience. We talked about planning, having a response planned, 276 00:12:43.000 --> 00:12:44.639 but what else can we do to make sure we 277 00:12:44.759 --> 00:12:46.840 bounce back from those unexpected events? 278 00:12:47.120 --> 00:12:49.799 Got to test those resilience plans, see if they actually work. 279 00:12:50.399 --> 00:12:54.559 Simulate different scenarios cyber attacks, natural disasters, even internal stuff 280 00:12:54.600 --> 00:12:57.799 like data leaks. Put your systems and your people to. 281 00:12:57.799 --> 00:13:00.799 The test, like a fire drill, but all kinds of 282 00:13:00.840 --> 00:13:01.960 crises exactly. 283 00:13:02.440 --> 00:13:04.440 It helps you find the weak points in your plans, 284 00:13:04.879 --> 00:13:07.559 make them better and builds confidence that you can handle 285 00:13:07.559 --> 00:13:08.440 whatever comes your way. 286 00:13:08.679 --> 00:13:11.679 And learning from past incidents, your own and others. That's 287 00:13:11.720 --> 00:13:12.159 got to be. 288 00:13:12.320 --> 00:13:17.039 Huge, huge, every incident, big or small, it's a chance 289 00:13:17.080 --> 00:13:21.799 to learn and improve. The author, he's all about continuous improvement. 290 00:13:22.120 --> 00:13:24.519 Mistakes aren't failures, they're lessons. 291 00:13:24.879 --> 00:13:28.000 Turn those O crap moments into learning experiences. 292 00:13:28.120 --> 00:13:31.519 Exactly. Now, let's talk about your supply chain. You know, 293 00:13:31.600 --> 00:13:34.120 those third party vendors you work with. The book talks 294 00:13:34.120 --> 00:13:36.440 about attacks targeting them being a growing threat. 295 00:13:36.720 --> 00:13:38.879 Makes sense. It's easier to go after the week link 296 00:13:39.039 --> 00:13:40.759 sneak in the back door, so to speak. 297 00:13:40.840 --> 00:13:43.399 Exactly, you got to check those vendor security, make sure 298 00:13:43.399 --> 00:13:45.879 they're up to your standards. Just because they're a big 299 00:13:45.960 --> 00:13:47.440 name doesn't mean they're Fort Knox. 300 00:13:47.799 --> 00:13:50.360 That security mindset, I got to extend it beyond your 301 00:13:50.360 --> 00:13:52.840 own walls out to everyone you work with. So how 302 00:13:52.840 --> 00:13:55.320 do we do that? Check their security? What should we 303 00:13:55.360 --> 00:13:55.960 be looking for? 304 00:13:56.440 --> 00:13:59.320 The book recommends a risk based approach. Focus on the 305 00:13:59.360 --> 00:14:02.279 vendors handling your most sensitive stuff, the ones critical to 306 00:14:02.320 --> 00:14:06.279 your operations. Ask them about their policies, their incident response, 307 00:14:06.360 --> 00:14:10.039 their training programs. Don't be shy about asking tough questions. 308 00:14:10.159 --> 00:14:12.840 It's about doing your homework, being as picky about their 309 00:14:12.879 --> 00:14:14.679 security as you are about your own. 310 00:14:15.080 --> 00:14:17.480 Absolutely, don't just take their word for it. Ask for 311 00:14:17.639 --> 00:14:21.720 proof documentation, certifications, audits. 312 00:14:21.480 --> 00:14:23.840 And once you've picked your vendors, how do you make 313 00:14:23.879 --> 00:14:26.200 sure they keep up those standards. 314 00:14:26.360 --> 00:14:29.559 That's where contracts come in. Spell out those security requirements, 315 00:14:29.759 --> 00:14:33.679 data encryption, access controls, the whole nine yards. Make it 316 00:14:33.799 --> 00:14:37.080 legally binding. They're accountable for protecting your. 317 00:14:37.000 --> 00:14:39.360 Data, not just trusting them. Got to have it in writing, 318 00:14:39.399 --> 00:14:40.000 hold them to it. 319 00:14:40.240 --> 00:14:43.399 You got it, and don't just forget about it. Monitor them, 320 00:14:43.759 --> 00:14:47.559 check those security audits, see if they're getting any vulnerability notices, 321 00:14:47.840 --> 00:14:50.919 do regular assessments, make sure they're doing what they promised 322 00:14:51.159 --> 00:14:53.720 and keeping up the latest best practices. 323 00:14:53.679 --> 00:14:56.759 Like having a security checkpoint for your supply chain. Everyone 324 00:14:56.799 --> 00:14:58.919 coming in got to meet the standards exactly. 325 00:14:59.120 --> 00:15:01.639 Now we've talked a lot about doing all this security stuff, 326 00:15:02.039 --> 00:15:05.360 but how do we convince the people holding the purse strings, 327 00:15:05.360 --> 00:15:07.000 the ones you've got to sign off on the budget. 328 00:15:07.519 --> 00:15:08.960 How do we show them it's worth it? 329 00:15:09.039 --> 00:15:12.919 That's the million dollar question. Security often gets seen as 330 00:15:12.960 --> 00:15:15.679 a money pit, not something that makes money. How do 331 00:15:15.720 --> 00:15:16.279 we change that. 332 00:15:16.600 --> 00:15:19.679 Got to show them the ROI, the return on investment, 333 00:15:20.120 --> 00:15:22.879 make a business case for security, show them it's not 334 00:15:23.039 --> 00:15:23.639 just a cost. 335 00:15:23.960 --> 00:15:26.480 But how do you measure that you're trying to prevent 336 00:15:26.600 --> 00:15:28.600 something from happening. It's hard to quantify. 337 00:15:28.759 --> 00:15:32.000 Flip the script. Instead of the cost of security, talk 338 00:15:32.039 --> 00:15:34.879 about the cost of not having it. What if you 339 00:15:34.879 --> 00:15:37.759 get hit with a major data breach. What's he going 340 00:15:37.799 --> 00:15:40.360 to do to your revenue, your reputation, your customers. 341 00:15:40.559 --> 00:15:43.480 Put a dollar amount on those potential losses. Show them 342 00:15:43.519 --> 00:15:45.879 that's the price of doing nothing exactly. 343 00:15:46.399 --> 00:15:49.120 You can also highlight the positives good security. It can 344 00:15:49.159 --> 00:15:52.919 lower your insurance costs, help you meet those regulations, even 345 00:15:52.960 --> 00:15:55.720 attract customers who care about data privacy. 346 00:15:55.799 --> 00:15:57.840 Those are all benefits that hit the bottom line. They 347 00:15:57.840 --> 00:15:58.159 get that. 348 00:15:58.320 --> 00:16:01.759 The author also says, use mech track how well your 349 00:16:01.799 --> 00:16:05.600 security is working. How many vulnerabilities did you find and fix? 350 00:16:05.919 --> 00:16:08.519 How fast did you respond to that incident? How much 351 00:16:08.559 --> 00:16:09.799 did that breach cost you? 352 00:16:09.840 --> 00:16:12.519 Show them the data, prove that the money's making a difference. 353 00:16:13.240 --> 00:16:15.720 Now, before we go on, got to talk about this 354 00:16:15.960 --> 00:16:19.799 key principle from the book, The Holistic Approach to Protective Security. 355 00:16:20.039 --> 00:16:22.360 We touched on it before, but what does it really mean. 356 00:16:22.960 --> 00:16:26.080 It's about looking at security from all angles, not just 357 00:16:26.120 --> 00:16:31.440 the tech stuff, physical security, creating that security culture, managing 358 00:16:31.559 --> 00:16:35.639 risks across the whole organization, even thinking about employee well being, 359 00:16:35.840 --> 00:16:37.960 mental health, It all ties. 360 00:16:37.720 --> 00:16:41.159 In security is not just an IT problem. It's everyone's problem. 361 00:16:41.399 --> 00:16:43.159 God have that big picture view. 362 00:16:43.159 --> 00:16:46.399 Exactly, and it's never finished. It's a journey. Got to 363 00:16:46.519 --> 00:16:50.080 keep improving, keep evaluating, keep adapting to the new threats. 364 00:16:50.320 --> 00:16:52.000 Got to stay ahead of the curve. The bad guys 365 00:16:52.000 --> 00:16:53.039 aren't standing still. 366 00:16:53.159 --> 00:16:56.440 The author actually suggests using this acordym bridges as a 367 00:16:56.480 --> 00:16:58.360 framework for your security strategy. 368 00:16:58.480 --> 00:17:00.759 Bridges, Okay, that's interesting. Break it down for me. 369 00:17:00.879 --> 00:17:06.319 It stands for business, Risk, Identify, detect, govern, evaluate, and survive. 370 00:17:06.799 --> 00:17:09.839 Each one's a step in building that comprehensive security program. 371 00:17:09.960 --> 00:17:12.319 Like a roadmap for security. Make sure you cover all 372 00:17:12.319 --> 00:17:13.680 the bases exactly. 373 00:17:14.000 --> 00:17:17.920 Business means your security's got align with your business goals. Risk, 374 00:17:18.480 --> 00:17:22.599 Understand those threats, identify, find those weaknesses, detect, know when 375 00:17:22.599 --> 00:17:27.119 something's happening. Govern, have those policies and procedures in place. Evaluate, 376 00:17:27.200 --> 00:17:31.240 Test everything, make sure it's working, and survive. That's all 377 00:17:31.240 --> 00:17:33.880 about resilience, making sure your business keeps running. 378 00:17:34.400 --> 00:17:37.279 Love how this breaks it down makes it less overwhelming. 379 00:17:37.400 --> 00:17:39.319 It's a great guide for your strategy. Keeps you on 380 00:17:39.400 --> 00:17:40.839 track for that holistic approach. 381 00:17:41.119 --> 00:17:43.720 We've talked a lot about the practical stuff, the frameworks, 382 00:17:44.160 --> 00:17:46.559 but what about leadership. What role do they play in 383 00:17:46.640 --> 00:17:48.319 building that security culture. 384 00:17:49.079 --> 00:17:52.559 The book's really clear strong leadership, it's essential for a 385 00:17:52.599 --> 00:17:56.640 security conscious culture. Leaders They set the tone, They provide 386 00:17:56.640 --> 00:17:58.559 the resources they got to make it clear to everyone's 387 00:17:58.559 --> 00:18:02.319 security matters. Story the author had to convince this high 388 00:18:02.400 --> 00:18:05.279 ranking military officer to invest in a new security system. 389 00:18:05.680 --> 00:18:06.960 The officer wasn't buying it. 390 00:18:06.960 --> 00:18:09.799 It sounds like a classic case of needing to prove 391 00:18:09.880 --> 00:18:12.799 the value speak their language. How did he do it? 392 00:18:12.960 --> 00:18:18.079 He stopped talking tech jargon, focused on the consequences. What 393 00:18:18.200 --> 00:18:20.240 if we get hacked? What's it going to cost us? 394 00:18:20.519 --> 00:18:23.559 He made a clear case the new system, it's going 395 00:18:23.599 --> 00:18:26.519 to reduce risks, protect our assets, help us succeed. 396 00:18:26.640 --> 00:18:30.279 Shows you communication is key insecurity, just like everything else. 397 00:18:30.359 --> 00:18:33.920 You got it, and when the leaders prioritize security, everyone 398 00:18:33.920 --> 00:18:37.400 else gets the message it matters. He creates this environment 399 00:18:37.440 --> 00:18:39.960 where everyone feels like they're part of the solution. 400 00:18:40.359 --> 00:18:44.240 We've covered so much the human firewall, supply chain, incident response. 401 00:18:44.400 --> 00:18:46.960 It's been a lot, but what are the big takeaways 402 00:18:46.960 --> 00:18:49.119 that things people should keep in mind as they start 403 00:18:49.160 --> 00:18:51.559 their own protective security journey. 404 00:18:51.640 --> 00:18:54.079 Yeah, we've covered a ton, from those critical assets to 405 00:18:54.599 --> 00:18:58.079 building that human firewall, even securing the supply chain. It's 406 00:18:58.119 --> 00:18:58.880 a lot to take in. 407 00:18:59.000 --> 00:19:01.359 It's been a wild ride for sure, you know, going 408 00:19:01.400 --> 00:19:02.920 through all this it makes me think back to the 409 00:19:03.079 --> 00:19:06.599 early Internet days. Simpler times, right, totally back then, a 410 00:19:06.640 --> 00:19:08.680 password that was all you needed to worry about. 411 00:19:08.960 --> 00:19:12.720 Crazy how much things have changed. Cybersecurity used to be 412 00:19:12.799 --> 00:19:16.200 about protecting your own computer from those viruses. Now it's 413 00:19:16.279 --> 00:19:21.599 whole networks, data centers, even critical infrastructure, and the attackers 414 00:19:21.759 --> 00:19:23.359 they've gotten a lot more sophisticated. 415 00:19:23.480 --> 00:19:26.839 It's like a whole different ballgame now, way higher stakes. 416 00:19:26.880 --> 00:19:31.039 Absolutely one good cyber attack and businesses are crippled, services 417 00:19:31.079 --> 00:19:33.920 shut down, could even be national security issues. 418 00:19:34.039 --> 00:19:36.079 Kind of scary when you think about it, makes all 419 00:19:36.079 --> 00:19:39.000 this protective security stuff feel even more important, doesn't it. 420 00:19:39.079 --> 00:19:41.359 No doubt, we can't just bury our heads in the 421 00:19:41.359 --> 00:19:44.480 sand and hope for the best. But the good news 422 00:19:44.559 --> 00:19:48.319 is this book. It gives us some real tools to 423 00:19:48.400 --> 00:19:48.960 fight back. 424 00:19:49.160 --> 00:19:51.799 I'm definitely feeling more prepared after going through all this. 425 00:19:51.920 --> 00:19:55.079 It's not about being paranoid. It's about taking control, protecting 426 00:19:55.119 --> 00:19:55.839 what matters. 427 00:19:55.920 --> 00:19:58.680 That's the spirit, and for me, the biggest takeaway is 428 00:19:58.720 --> 00:20:02.480 that proactive whole approach. You're not just waiting for something 429 00:20:02.519 --> 00:20:05.640 bad to happen. You're out there anticipating threats, building up 430 00:20:05.640 --> 00:20:08.039 your defenses, making security part of your. 431 00:20:07.880 --> 00:20:11.200 Culture, switching from defense to offense, being the aggressor. 432 00:20:11.359 --> 00:20:13.359 It's exactly got to be vigilant, know what the bad 433 00:20:13.359 --> 00:20:16.519 guys are up to, and always be improving your security game. 434 00:20:16.759 --> 00:20:20.039 So if you had to pick just one strategy from 435 00:20:20.039 --> 00:20:22.599 all this, what would it be. What's the most impactful 436 00:20:22.599 --> 00:20:23.759 thing people can do right now? 437 00:20:24.559 --> 00:20:28.519 Hmm, tough question, but I'd say invest in security awareness 438 00:20:28.519 --> 00:20:32.000 training for every single employee. We've said it before, human 439 00:20:32.000 --> 00:20:35.200 air that's the weak spot. If everyone knows how to 440 00:20:35.200 --> 00:20:39.599 spot those red flags, report suspicious stuff, that's a powerful defense, 441 00:20:39.920 --> 00:20:41.519 stronger than any tech you can buy. 442 00:20:41.640 --> 00:20:44.200 Makes sense, build up that human firewall. Everyone's part of 443 00:20:44.200 --> 00:20:45.240 the security team. 444 00:20:45.160 --> 00:20:47.480 Right and it's not a one time thing. Got to 445 00:20:47.559 --> 00:20:49.440 keep the training going, keep people up to date on 446 00:20:49.480 --> 00:20:51.839 the latest threats, the new tricks the bad guys are. 447 00:20:51.759 --> 00:20:55.400 Using, so regular refreshers, maybe some simulations even make it fun, 448 00:20:55.440 --> 00:20:56.799 a little competition. 449 00:20:56.839 --> 00:20:58.839 Love it. The more you can make security part of 450 00:20:58.880 --> 00:21:00.400 everyday life at work, the better. 451 00:21:00.599 --> 00:21:02.559 And like the book says, it's not just checking a 452 00:21:02.599 --> 00:21:05.799 box and forgetting about it. It's a never ending journey. 453 00:21:06.119 --> 00:21:08.640 You got it. Security is not a finish line. It's 454 00:21:08.680 --> 00:21:12.359 a constant process. Got to keep learning, adapting, evolving. 455 00:21:12.640 --> 00:21:15.200 So what's next For our listeners who are ready to 456 00:21:15.200 --> 00:21:17.160 take action? Where do they start? 457 00:21:17.480 --> 00:21:21.400 Remember that Bridge's framework that's a great roadmap, breaks the 458 00:21:21.480 --> 00:21:23.960 whole process down into manageable steps. 459 00:21:24.359 --> 00:21:31.000 Right business, risk, identify, detect, govern evaluate, survive. 460 00:21:31.519 --> 00:21:35.279 Start by looking in the mirror. How's your security right now? 461 00:21:35.400 --> 00:21:38.519 What are you good at? What needs work? Then focus 462 00:21:38.519 --> 00:21:40.079 on the biggest risks you're facing. 463 00:21:40.240 --> 00:21:43.039 Don't try to boil the ocean. Start small, make those 464 00:21:43.039 --> 00:21:44.119 improvements over time. 465 00:21:44.200 --> 00:21:46.559 And remember it's not just about tech, it's the people, 466 00:21:46.640 --> 00:21:50.519 the processes, the whole culture. Create an environment where everyone 467 00:21:50.519 --> 00:21:53.039 feels like they're part of the security team. They're empowered 468 00:21:53.079 --> 00:21:54.519 to contribute awesome advice. 469 00:21:54.599 --> 00:21:56.279 Any final thoughts for our listeners before we. 470 00:21:56.279 --> 00:21:59.839 Wrap up, Stay curious, stay alert, and never stop learning. 471 00:22:00.200 --> 00:22:02.160 The bad guys are always coming up with new stuff, 472 00:22:02.160 --> 00:22:02.640 so you got. 473 00:22:02.519 --> 00:22:04.079 To stay ahead of them and don't be afraid to 474 00:22:04.079 --> 00:22:07.799 ask for help. There's tons of resources out there, consultants, organizations, 475 00:22:07.880 --> 00:22:10.599 even the government. They can help you out. 476 00:22:10.160 --> 00:22:13.079 This deep dive into protective security. It's been a blast 477 00:22:13.480 --> 00:22:15.759 what we've talked about today. It's just the tip of 478 00:22:15.799 --> 00:22:19.240 the iceberg. Take what you've learned, explore those areas that 479 00:22:19.319 --> 00:22:22.759 really hit home, and start building that strong security strategy. 480 00:22:22.799 --> 00:22:25.200 Couldn't have said it better myself. Thanks for joining us 481 00:22:25.279 --> 00:22:26.960 on this deep dive. We hope you got a lot 482 00:22:26.960 --> 00:22:27.400 out of it. 483 00:22:27.400 --> 00:22:28.240 It's been my pleasure. 484 00:22:28.319 --> 00:22:32.400 And to everyone listening, stay safe out there, stay secure, 485 00:22:32.720 --> 00:22:36.039 and stay ahead of the game in this crazy digital world.