Time
56 minutes
Difficulty
Advanced
CEU/CPE
1

Video Transcription

00:03
Hello and welcome to 12 Competencies of the Effective CISO. So, competency: technology. Very excited to have Ed here again for eight session
00:13
In particular, this session is on technology. So one of the awesome things that we're doing now is looking at IT security enablement across the enterprise.
00:25
Uh, and so one of the things that we'd love for the people in this call to actually help us with is filling out a survey on security enablement. Really, this is enabling security across your entire technology organization rather than just with the security departments. And security is for
00:43
your entire company rather than just
00:45
your security department
00:46
So if you could do that, that'd be fantastic. And you should see that very, very soon. Um, Ed, take it away.
00:53
Well, thanks, Leif. Um, let's see. Today's lecture
00:58
is kind of directly related to a question that a lot of you get asked
01:03
and probably something that you ask yourself frequently and that is,
01:07
does a cybersecurity executive, and in particular a CISO,
01:12
have to be a techie?
01:15
Um,
01:17
I bet that'd be something that would get a bunch of you pretty, you know, pretty into a debate. Maybe over pizza, over lunch or something
01:25
of that. There's some of you would say Absolutely some would say no. Like there's a very famous statement people make that
01:32
security is not a technical issue, it's a business issue. You hear that frequently. So, probably, people would argue that,
01:40
and there's probably everything in between.
01:42
What I believe is that of the 12 competencies, it is definitely one of them.
01:49
So whether you are a quote unquote techie or not, um,
01:53
does not change the fact that you are going to have to have some technical
01:57
interest and skills
02:00
if you don't. If you just loathe technology,
02:04
then you're in the wrong business again. You don't have to be, you know, a PhD in physics to do this.
02:12
But you cannot loathe technology. It has to be something that you enjoy.
02:17
And I would also say that it may not necessarily be something
02:23
that just sort of comes innately to you. It's something that could be savored and learned. For me,
02:29
Um, it was the opposite, you know. Management was something I loathed early in my career,
02:36
and then later on I came to appreciate it. I went to Columbia Business School and I learned,
02:40
Wow, there's really something interesting here. I found something actually foundational and academically interesting and then practically and said so I learned it.
02:50
So if you're sitting listening to this and you grew up in Accounting group or you have a business background,
02:57
you'd say, Gosh, um,
02:59
I'm not really a technologist. And by the way, if you are, you probably find yourself consistently apologizing for that. Stop that, by the way. Do not apologize and say,
03:08
"By the way, I'm not technical." Don't say that. Get technical.
03:14
That would make more sense. You don't have to be a PhD in physics, and this next hour I'm gonna make a lot of suggestions around some ways that you can get to the point where you could be perfectly comfortable with technologists.
03:29
I'm even talking in a low level with them. So So let's get to it. So are
03:34
yeah, well, we start with the first statement here, make sure we're all on the same page, but
03:38
CISOs must be able to develop and maintain insights into technology status and trends. Obviously, our emphasis is IT, software and networking because that's what cybersecurity is about.
03:49
But just the insight. You don't have to really be somebody like you said, who spent, you know eight years in school
03:57
studying engineering. But you need to be able to maintain and share your insights, and they should be based on something meaningful. It shouldn't just be
04:09
thin.
04:10
So the first thing I would like you to resolve is that you are not
04:15
going to start any discussion or any meeting by saying "I am not technical, comma," because that's a negative point. And it's something that for the most part is irrational. And by the way, it's been my experience that when people say "I'm not technical," they follow that with a perfectly capable
04:32
observation on technology that sometimes is more
04:35
insightful than anything I ever heard from, you know, the deepest techie.
04:40
A lot of techies can't even communicate, so being technical
04:44
doesn't mean you can communicate. So let's agree that we can develop it now.
04:50
An example of doing this properly, an example of
04:54
kind of being able to make technology something that
05:00
others can understand again. The point here
05:02
is not that you can
05:04
build technology. Notice I didn't say effective CISOs must be able to build IT, software and networking, but rather develop and maintain insights.
05:15
So that means you're reading
05:16
and learning. Okay? I mean, you have to read, you have to learn, and then you can share
05:24
and yes, you'll get about a bunch of it were consumed. But the best example is this guy a picture of you and this guy, Carlo Rovelli. If you've never experienced a Rovelli book or a lecture,
05:36
then you've got a nice thing coming. This is my personal favorite one. It's called Seven Brief Lessons on Physics
05:43
and ironically, it's on my nightstand right now because I re read it every year. I think it is such a beautiful piece of work.
05:49
Um, this guy knows how to make complex topics
05:55
just absolutely delicious. They're so easy to understand. He savors the technical issues. This is what you have to be able to do. Maybe not as well as this guy. But you have to be that representative in the organization
06:14
who has insight into technology. Here's an example of a Rovelli kind of argument.
06:19
He wants to explain how we've viewed the world, the universe. And he draws this picture and says for a long time, this is what we thought the universe was, and you can think it's cybersecurity. There's some very simple views of computing that we had in the early days:
06:36
a PC connected to another PC or, uh, PCs and servers on a network, or some real simple sort of thing.
06:46
And he says, we pretty soon figured out
06:49
that the world really looks like this, that you got people standing upside down on this block called Earth with sky around us.
06:58
That was quite jarring, but it was also exciting. It was a new view of the world. In computing,
07:05
we would show, I don't know, the thing on the left is a perimeter,
07:09
and the thing on the right is cloud. I don't I'm just saying that you could explain short how you go from one view to another in a simple manner. You don't have to be a physicist or an astronomer to get these two pictures. Then, he says. So we looked around, looked in the sky, something was spherical. We thought, What's probably that?
07:28
You know, it's probably
07:30
the sky is a bunch of round stuff
07:33
and they seem to be moving.
07:36
And that's more or less what we think the world looks like. And that was viewed as very modern and beautiful. And then I guess Copernicus said, Well, wait a minute,
07:45
you know, it's actually this, you know. It's the sun and the earth moving. Look how different this view is from this one, right? Earth with sky, and now Earth is revolving around the sun with a bunch of other. So what? How interesting that is. This is architectural evolution in computing. This is Astra, the
08:05
astronomy
08:07
and sort of a universal understanding evolving. And they're similar.
08:11
And then, of course,
08:11
we realized that this big blob,
08:15
our universe, is actually just one little piece of some other big things, some mesh of of existence that
08:22
that we know to be true. And furthermore, that whole mess is just one little splotch on something even bigger.
08:31
Cool is that,
08:33
And then Einstein comes along and says, You know what? It's not really gravity that makes these things move. It's that that blob is warped. That's what makes things move. When you see things rotating around, it's because the ether that we assumed was emptiness is actually
08:50
something very full and rich. That was Einstein's
08:54
main contribution in general relativity, and that, you know, things move on this. And then this is what we look like. And guess what? The whole *** thing is expanding, like we started as a little one of these, and it's getting bigger and bigger. Look at how cool that is. You went from this
09:11
to that.
09:13
I just took you through the history of the universe in about two minutes.
09:16
That's what you have to be able to do as a CISO, but for computing.
09:20
And look, you can develop this skill. You don't have to be a deep technologist. You can develop it.
09:30
And notice I'm not talking about cybersecurity now. I'm talking about technology: cloud, mobility, operating systems. Really, we're talking about this stuff. This guy helped us all understand. This is Fred Brooks.
09:45
Um, if you've not read this book Good. Good Lord, where have you been? Um,
09:52
but this is arguably one of the greatest computer science books ever written.
09:58
Fred Brooks was
09:58
a manager
10:01
at IBM, and look at him. He's smiling. Talk about delighting in technology, just smiling, and greatest guy.
10:09
Um, and he wrote this fun book, The Mythical Man-Month, essentially saying
10:15
all the stuff that we do when we're building software where we assume it's engineering. And you can
10:20
talk about man-months, you could say lines of code are a good measure of productivity of a programmer or progress on a project.
10:31
And he lampooned the whole thing. I'm guessing there's probably some younger participants in our session here
10:39
who may not have ever heard of Fred Brooks. Please go download the book. It's old, you know, it's probably a good 40 years old,
10:46
but you should read it anyway. By the way, in computing, for whatever reason, we think that old stuff is bad, and I think I've told you this a few times. It's not. There's a lot of junk, like an old WordPerfect manual is something you can probably toss.
11:01
But there have been some wonderful pieces that have been written over the years, and for whatever reason, we don't tend to teach them in computer science departments. I know him. I met three universities. I know that people tend to
11:13
push this stuff aside.
11:16
My son's taking a course at NYU
11:18
in the computer science department where I actually teach, and taking a course on forensics. And I was so delighted that one of the readings he's being forced to do, it's a very modern course in forensics,
11:30
I think that the professor is making him read Cliff Stoll's book,
11:33
which I thought was just fantastic. It's such a fun book, The Cuckoo's Egg, right? Such a
11:39
delightful romp through catching a German hacker
11:43
based on evidence from a three cent accounting error. Really fun. But Fred Brooks is an example of somebody who's able to explain
11:52
to people
11:54
the technology of software and and how there's so many. Like the word myth. Being in the cover is so fun because he's essentially saying, Look, there's a lot of nonsense
12:05
that really needs to be dispelled. And hence, you know, Fred Brooks, you know, was able to, uh,
12:13
communicate some pretty important and interesting. So look, I'm emphasizing reading here because it's doubtful that any of you,
12:22
you know, if you're interested in becoming a cybersecurity executive and you're a working practitioner managing a team right now, it's doubtful that you're spending a lot of time writing code. Maybe some of you are, but I bet you're not.
12:35
So what that means is you're gonna have to learn by reading. Um,
12:39
and and I'm just gonna share with you like a question here. What do you What do you read?
12:45
Um,
12:45
this is one for you to answer. I'm gonna show you
12:48
five things I read, but you should. This is an exercise for you. What do you read? You know what I don't mean On the, uh
12:54
ah, popular sort of thing. Like, I devour The Economist every week. It's my favorite thing to read.
13:01
Um, when it comes in, my wife knows to very gently set my copy down on my desk in my office
13:09
because I don't even like the pages to be bent. I think it is such a spectacular. It has nothing to do with technology.
13:13
That's what I read because I run a company.
13:16
But what do you read on the technical side? Think about that door. Do you? And I hope it's not some subreddit.
13:24
Um,
13:24
you know, I have a team of millennials at TAG Cyber. You know, they give these factoids that they pick up in some subreddit on UNIX, and I go, uh, it seems like
13:37
Trivial Pursuit for cyber. But whatever was the reading something. But here's the first thing I read.
13:43
I read Wired magazine. I don't know about you guys. Uh, I like it.
13:46
Um,
13:48
I devoured from start to finish. It's a good, you know, train ride to New York. You by the time you Philadelphia from New York, you're through it.
13:56
Um, we're on an airplane, stuff this in my bag and usually try and get through it every month.
14:03
Think it's good. It gives me an an insight into what
14:07
the sort of the young, hip tech community is thinking in areas that have largely nothing to do with cybersecurity. But you'd be amazed how many times I'm in front of a board
14:20
and someone will ask me about, you know,
14:22
autonomous vehicles, assuming I'm gonna comment just on the cyber piece. But I was just reading the Elon Musk interview and I dropped something in about that.
14:31
Well, they're excited because I'm, you know, this techie
14:35
and I provide a little tidbit about Elon Musk and they can repeat it. Shoot, I just read it in Wired. I know Elon Musk?
14:45
I wish I did. But I don't.
14:46
So did you read it? So this is one thing I read. Here's another thing I go through. I really do enjoy Scientific American.
14:54
You know, those book things on biology? I don't understand. I took bio and chemistry as a physics major undergrad, but
15:01
I understand most of it, but I read it. And when people make anthropomorphic
15:05
kind of connections to computing, anthropomorphic means you assign human qualities to a,
15:13
um,
15:15
an inanimate object, which is actually kind of an irresponsible thing to do. In my mind, I don't
15:20
think computers think, but no less
15:26
is going on there some lectures that I give
15:28
that come from Scientific American articles where someone has explained
15:33
cryptography, for example. Like Peter Denning wrote a beautiful article many years ago in Scientific American
15:39
explaining how public key cryptography works, and whenever I'm in front of a nontechnical audience, it's still the way I explain it, because I read it in the book.
15:50
In this journal, um,
15:52
you could read it too, and, you know, nothing secret there. Buy this on any newsstand.
15:58
I also read the MIT Technology Review. Not sure why. It's just there. Once in a while, there's good articles.
16:04
Well, I mean, MIT does a nice job with this journal. There's a few other academic things that I'll read, but I tend to bang through this thing. By the way, I'm giving you my examples here. I'm not saying you should read these, but you should do this exercise. What do you read? What do you got? What do you go through every week or month?
16:22
I mean, you can't be a technologist by just having a degree in electrical engineering 27 years ago. That doesn't make you a technologist. What makes you a technologist is your enjoyment of it and willingness to learn. So these are things I read. Also, there's some domain-specific stuff you might like. Maybe you're
16:41
into manufacturing. Or maybe you're into, um,
16:44
CPUs. Or maybe you're a radio hobbyist or whatever. This is one I like: aviation, space technologies. Fun, very expensive journal.
16:53
Um, you know not not something you can easily by sort of subscriber.
17:00
I get a lot of them that my friends give me. But you know, you find stuff like this. And then finally, there's a lot of text books that I carry around. Like if you'd be the type of person who read this kind of book
17:11
Um, great. I just am. I mean, that's not unusual for me to have a
17:17
big, fat textbook on something that nothing You do it, you need to have your list, whatever it is, and it can't be empty. If you're not reading anything technical on a regular basis,
17:30
Oh, then you know, I don't know how you keep up. I have no clue
17:33
how you would possibly
17:36
keep up. If you're not reading stuff on a regular basis,
17:41
you don't, then, as far as I'm concerned, not technical. Maybe at work you get some briefings. Better than nothing.
17:48
But I think you do have to read, and you have to take the time to do it. And I don't mean read
17:52
power points or go through materials at work. That's the icing on the cake. You have to read outside of work.
17:59
Fair enough
18:00
again. Your call. You make your list. This is my list.
18:03
Now, this is reflective. If you're looking at this, you probably think this is reflective of my personality type. And you better believe it is,
18:11
um, you know, this is something. Here's the Myers-Briggs thing that I'll bet
18:17
a lot of you have been subjected to. I know I have been
18:23
every time I've ever been promoted in my career or even in academia.
18:27
People like to make you take this thing, and you're an INFP or you're an ESFJ or you're whatever. And you know something? The Myers-Briggs story is fascinating. Katherine Briggs
18:42
lived a long time 100 years ago. Um did born
18:47
and
18:48
her daughter,
18:51
um, Isabel
18:52
had this fiance that Katherine Briggs thought was like a really
18:57
a real weirdo.
19:00
So she started doing personality investigation
19:04
to better understand her creepy son-in-law.
19:07
How is the mother in law from hell, right?
19:11
Katherine Briggs, no background in psychology, nothing,
19:17
um, starts coming up with these personality that she came up with four. Like she said,
19:22
there's four personality types. Original thought was there's
19:26
thoughtful people, there are spontaneous people,
19:30
there are executive types, and then there are really social. So these four types were her original conception of
19:38
personality types. And then she read some of the,
19:42
um,
19:44
research in
19:47
psychology that was happening at the time. And then she managed to get her daughter interested. You know, Isabel married this guy, Myers. Myers is the freaking son-in-law,
19:57
you know, that Katherine Briggs was, you know, creeping out on, um, so at least he gets his name in the front end of it. So when you see Myers-Briggs, you should think
20:07
creepy son-in-law, mother-in-law from hell. And they come up with a personality type index in a manner that had nothing to do with any foundational work. None of them were trained in psychology or anything like that.
20:22
But over time, people kind of liked it, and they organized it into this thing. There's a whole foundation now that does this work.
20:29
Um, Isabel Myers died literally 40 years ago. Mother had died much earlier.
20:34
So this is something that was a nonprofit foundation does this. But the idea is to figure a personality type. And I started looking at this, and I do a lot of coaching. I coach CISOs. That's one part of the thing we do over at TAG Cyber.
20:49
You know, where we'll work on a one-on-one basis over a year or two with the CISO. It amazes me, by the way, that more CISOs don't have a coach. You wouldn't be a quarterback in the NFL without a coach. I,
21:03
I had one when I was working, you know, I had somebody would come sit with me every week and we'd chat. And it was
21:08
a 10 out of 10
21:11
in terms of assistance, because I had a confidant who would keep me out of trouble,
21:15
You keep me from doing something really stupid and in many cases driving me to do something better,
21:22
but at any rate, part part of the coaching. I was thinking about me about making everybody do this.
21:27
But it was just stupid, like
21:30
I don't know. You make them take it and they find out they're an INTP, say: you're an original thinker.
21:37
What does that mean for cyber? I don't know. Or you're an ESTJ?
21:41
Now you like to run the show? Okay. Well, who doesn't? So it's like I didn't know what to do.
21:52
So I have a couple of friends.
21:55
One guy who runs an MSSP,
21:56
um, in New Jersey and the other
22:00
work for a headhunter. And we got together. We skipped, get together at a local diner in New Jersey and just plop down, get coffee and chicken soup and
22:08
spread out paper on the table and talk.
22:11
And we came up with something like, we came up with a skills tendency model
22:18
where we're trying to think, All right, the Myers-Briggs is kind of dopey for cyber. What are the relevant
22:25
tendencies. Personality tendencies
22:29
for cybersecurity. Now I'm not talking about what you do, because you may have some boss that's naggy and forces you to be great at compliance. But you hate it. I mean what you love, what your tendency is.
22:41
My tendency was not to management. But I learned to do better at that. And my tendency is so not compliance. I'm a rule breaker. That's my tendency. I grew up, I never saw a rule I didn't want to lampoon or break. That is my personality tendency,
23:00
and yet I managed the compliance
23:03
program for the fifth or sixth largest company in America.
23:06
So you can. You don't have to have a tendency to still be successful. By the way, the way you succeed where you don't have a tendency is to surround yourself with people who complement your weaknesses or not interest. My tendency: technology. So we drew this triangle, we thought,
23:23
technology management, where management is also business,
23:29
you know, But but you're not gonna have a personality tendency toward a business thing. I know you need business skills to succeed, So I'm not really talking about whether that one of the things you need to succeed I'm talking about your personality tendency. The thing your mother and your biological mother and father gave to you
23:48
on that may have been nurtured through, you know, through your
23:52
years as a child into adulthood. You know, whatever it is that frames your personality,
23:57
there's there's all these different factors. I tend to believe that
24:02
you know, your mom and dad, whatever they passed you genetically has a lot of influence, right? Of course. And we're usually very proud for that. You hope your parents are not total losers. But if they're wonderful people, then generally you're proud to inherit
24:17
some of this tendency. So
24:18
we said, All right,
24:21
there's a tendency toward tech, a tendency toward sort of management, supervising, a tendency toward reviewing, and we tried to characterize them in a rubric.
24:29
So this this discussion around technology, this question of,
24:33
you know, are we in some sense with technology?
24:37
Um is, um,
24:41
I
24:42
just click on this every now and then. I click on the chat here to see if anybody's asking any any questions here Looks like just some discussion, but
24:51
so so the, um,
24:52
the technology tendency. Here's what I think it is.
24:56
And, by the way, the plumber who fixes the pipes in my home
25:00
is a techie.
25:02
But I don't think he's ever had a computer,
25:03
so I just want to savor that for a moment.
25:07
Technology tendency does not mean that you sit in front of a computer every day.
25:11
It means that inherently, you're somebody who dives into a complex challenge. You fearlessly dive into complexity,
25:19
and you're not satisfied just knowing what something does. You must know how it does it and how it could be improved and what the mechanism is. You're that person. Or you suspect that you can accomplish most tasks, frankly, better on your own.
25:37
If you are that person,
25:41
then you have a technology tendency. I want to tell you a cool story.
25:44
I used to do a lot of work at the U.S. State Department.
25:48
Old 18 2 days.
25:48
Um
25:51
and I heard about this guy, madam, Um, but I'd heard about him, wanted to meet him. He was doing cyber security over there,
25:56
and I finally got to meet the guy. We sat down and talked. And for me, my favorite thing is to learn people's stories. And I said, Dude, what? How'd you How'd you get jobs? Didn't like the nineties, mid to late nineties.
26:10
He was the early, uh, one of the early wasn't see seventies clothes.
26:15
And I said,
26:15
How'd you get into this? Because I have a funny story. Said, I am an electrician, um,
26:22
by training. So I would be in the
26:25
electrical closets
26:26
all over the State Department,
26:29
and I'm fixing stuff
26:32
and he said I'd always be in there, and they'd be these idiots
26:36
with a manual trying to fix the PBX. That's private branch exchange, the old telephony. The State Department had, uh,
26:44
you know, circuit-switched
26:45
telephony. And then that night, so did you. We all did, right?
26:49
So he'd be like, you know, doing his electrical work. And these two guys would be like fussing with the PBX and understand it. And he's listening and at one point can't stand it and says, Hey, guys,
27:02
do you mind if I look at that manual and they go? Yeah.
27:04
So, like, on their lunch break, they leave. He sits with the manual, reads it and fixes the PBX, and the guys come back and he says, Look, here's what the problem was. Look, Chuck 47. See that diagram? See that arrow? See this? That's that. And I just connected these two leads and
27:22
you had some software that just needed to be updated. I updated it while you're out eating. It's done and these guys are like,
27:29
What?
27:30
Like who are you?
27:32
And he's like, I'm the electrician.
27:33
And before long word gets out that this guy can fix PBXs. So what do you think his new job is? Fix PBXs.
27:40
So he's bouncing around the wiring closets with the PBXs. He has the same exact experience
27:48
with the people fumbling around with the routers.
27:52
What you see is that you know, they got a Cisco router manual open. They're having trouble with the thing. There's,
27:57
you know, the rebooting. And he says, Hey, can I read that? And he starts playing with switches and routers and the cabling
28:04
and before you know it, he's the network guy
28:07
and then did, Oh, security. You get the point.
28:11
This guy is a techie. He's a guy who has that tendency.
28:15
He was born with it. And if he'd never been at the U.S. State Department, probably still be doing electrical work
28:22
just like my plumber who is awesome and could fix anything
28:27
but tells me, oh, by the way, I'm not technical.
28:30
And I say, Dude, yes, you are. You know, and I was joke with him. He just didn't grow up in that. My father was a computer scientist. That's why I do what I do. His father, I'm going to guess, is probably a plumber. That's what he does.
28:42
But he's as much a techie as anybody. These are personality tendencies. This is not what you do. This is what you were born, is what God decided I was going to be pre-wired. Again, I don't know where you're pre-wired. It was not a course of religion here, but somebody, somewhere, somehow something
29:02
decided that you have a predisposition.
29:04
We all do.
29:07
And if technical is yours, then it's this again When I'm gonna go real quickly through these two management as you like to coordinate others and compliance is you, like, complex. It also sense of justice if you're that guy,
29:21
Wait a minute. Sense of justice. This is not right. There's no shortcut. You got to go back and fix this, right? You know that that person is more compliant. So let me get let let's take a little sample quiz here. So I'm going to read this,
29:37
and I want you to just listen and you tell me what you would pick. So the question is,
29:41
you were on stage in a company-sponsored charity contest which involves technical or business-related questions.
29:48
Your charity
29:51
benefits if you answer 10 questions correctly.
29:53
So you just answered nine correctly
29:56
and everybody's sitting there waiting for the final question. It's the final 10 questions. You're gonna get it right now. Being honest.
30:03
Which of the following topics do you hope
30:07
is covered in the final question? A, legal and government regulatory stuff.
30:12
B, project management costs, management resource issues stuff. Again, there's something you're doing at work. That's why it's this geeky stuff.
30:21
C, history of compilers, translators and software. D, mobile operating system kernel technology, Linux.
30:29
Or E, finance, business, HR-related stuff. So which of these would be your, you really wanna win?
30:37
Because, you know, I don't know. The $10,000 is going to go to your charity. Maybe your charity is, you know, uh,
30:45
Wounded Warriors, something like that. That's my favorite charity that we want some charity. You really wanna win.
30:52
Which of these five would you pick?
30:55
Now for me,
30:56
I would pray that it's C. I know everything about this: compilers, translation software, because I love that stuff. I read that stuff. I read it for fun.
31:06
D would be my second choice. And the other three, I would pray that they didn't love. Wounded Warriors wouldn't get a penny if something comes up on, you know, legal and government regulatory. I don't know a lot about that. I mean lying. I do. But I don't like it.
31:22
You got the point. You said. I mean, there's another example. Here's Ah, um
31:26
management. The question is: the desktop security team sends out a notice to all employees
31:33
that they need to be careful about what they click on in email,
31:37
and, let's say, you know, wherever you work. Let's say you work in some other part of the security team and you read the thing and see the email notice is very badly worded.
31:47
Can barely understand it is grammatical and spelling errors.
31:51
Yeah, right. You should be careful about what you click on, but, jeez, that's the note. So which would you do? A, send an email to the desktop security team of the list of the mistakes.
32:00
B, just delete the email. Forget about it, it's not your problem. You're busy. You got other things to worry about.
32:06
C, contact the desktop security manager, explain the errors you found.
32:10
D, forward the bad note to your manager expressing your annoyance.
32:15
And then E, make a mental note to be more careful by clicking on the now they. After all, they sent you the thing, so you should
32:22
take the contact
32:23
Techies do E, my friends.
32:27
like technologists. Look at this. And don't worry so much about the grammar in the note.
32:31
But think about the substance of the message.
32:35
Managers do other stuff like managers, you know
32:38
are going to do something like C or A. Techies sometimes do B. But not always, you know. But techies will tend to focus on E. If that's your personality type. That's been my empirical observation. I'll get into where I got the data for all of this, by the way, in a minute.
32:57
But you get the point. I'll do one last one, we'll do a compliance one. So your project was audited recently. You believe your low score was unfair,
33:06
and also troubling, because the low scores go to the CEO. You never really had a low score before. But the truth is,
33:12
you know, for a fact the CEO barely reads the darn things. Nobody's ever been fired for it.
33:17
You know, your boss is kind of yeah, whatever.
33:21
So which would you know?
33:22
A: You demand a meeting with the auditors to express your outrage on the low score. Unfair.
33:28
B: You say that's not worth fighting. The CEO isn't paying attention to that thing.
33:32
C: You document your concerns to the auditor, copying management.
33:37
D: You send the CEO an advance note explaining that the audit was unfair. Whoa.
33:43
And then E: You brainstorm solutions for response after the audit is published.
33:49
Again, techies tend toward E,
33:52
maybe a little bit of B, but a technical person generally is around content. It's like, not gonna worry about whether it was unfair or troubling, or what the CEO thinks.
34:02
An audit came out. It had findings. We need to deal with the findings.
34:08
That's why you do an audit. You don't do an audit because you're worried about what people say about you.
34:15
Managers may be a little different concept here, right? Managers know darn well that sometimes these findings are nonsense, and then a manager might do A or, ah, or even D. You get the point.
34:29
Now, what I did, and Leif and I, the folks at Cybrary, have been kind of brainstorming the idea of maybe bringing this thing, you know, to this community. Drop us a line. Tell us what you think. But we do have a tool where you get a whole bunch of questions like this, and then we kind of score you on tech, management and compliance. I've been doing it for free.
34:49
It was made... well, I coded the tool into a wizard.
34:52
Um, and then we would invite people to come and score. And the enticement was, would you be willing to go over your answers with us? And we did it with a bunch of companies. I actually had about 20 different companies that I engaged with
35:07
where we had the team do this. And then I ran a session. I charged them a few thousand bucks or something for my time, but we're thinking in cyber this might be something that would be a fun kind of complement to what we're doing here. Just drop us a line, let us know what you think. It's less about the tool, though, but more, I want you
35:27
in your own mind to think. Where do you kind of sit here in this
35:30
in the spectrum.
35:32
So that is the technology kind of personality type. Now I think something that needs to be acknowledged here
35:39
is that in what we do, I've said the word technology, technology, technology. And when you're talking technology of, say, rocket ships or bridge building or so on, then it really is; the technology underpinnings are scientific. There is a science
35:57
with a set of laws and so on. But in computing, we don't have such a thing. And this guy
36:04
Go
36:05
Arguably is the most consequential computer scientist who's ever lived, Donald Knuth.
36:10
And if you don't have his volumes, then you really should.
36:15
I think they're probably the most purchased and displayed volumes in the world,
36:20
but very poorly read. Like, not too many people sit and read Knuth's Seminumerical Algorithms. It's all coded in old 1960s-style
36:30
programming.
36:31
Um, I should say seventies, but it still looks sixties style to me,
36:36
and I'll confess I haven't read the books cover to cover. I used them in grad school to just look stuff up,
36:43
but
36:45
Knuth made the point that he thought what we all do is an art.
36:49
Then you go home part.
36:52
So
36:53
is it
36:54
technology, or is it Art
36:58
Yeah, I know the underlying tech. I get it. You know, if you're talking about cloud and networks and IP and
37:07
then, yeah, I mean, all right, where we were talking about
37:09
tech. That's what we would conventionally reference in a normal business discourse
37:15
as a tech conversation. Two people debating whether,
37:19
um, Azure or AWS
37:22
provide better inherent security controls, or sitting chatting about that, that is considered a technical or tech conversation.
37:30
Would it be reasonable to say, though, that the work that they're doing
37:35
is actually an art?
37:37
And then it's not tech, it's art. Let's think about that a minute.
37:42
for science
37:44
is really
37:45
it's built on a bunch of laws, right? That's what science is: the ability
37:52
to make a statement about
37:54
the universe.
37:57
Or about computing, or about cybersecurity, or about something. Make a statement,
38:02
and that statement becomes a claim
38:05
and you try and make it general.
38:07
And you said, I believe
38:08
that networks become more valuable
38:13
as they become bigger. More nodes make a network more valuable. Metcalfe said that, right? We call that Metcalfe's law,
38:23
so we would say
38:27
so a network with three nodes has value V,
38:30
but then a network with 30 nodes has value V prime greater than V, right? A network of two fax machines is good for Alice and Bob, the owners of the two fax machines.
38:45
But a network of 100 fax machines is way more valuable. Because I fax, the more people I can send this stuff to. Or if you're a marketer,
38:53
do you want to be part of a network that has 100 customers, or a network that has
38:59
1,000,000,000 potential customers? Which is more valuable?
39:00
You'd make the claim that Metcalfe was right, he said. My goodness, Metcalfe, of course, is right.
39:06
Metcalfe's law. Law, not Metcalfe's presumption or Metcalfe's observation.
39:12
Metcalfe's Law
39:15
Now, in science, what we do
39:16
is when
39:19
a law's proposed,
39:21
We like to run experiments to see if it's right.
39:24
That's what we do.
39:27
So if we're computer scientists,
39:30
if we're doing computing here,
39:31
you know, we're all talking about cybersecurity. Cybersecurity is an unusually difficult branch or specialization in computing. Don't let anybody tell you otherwise. I understand that the protection of a business, the kinds of things the CISO must do,
39:49
include a lot of business issues. I told you a minute ago: management, compliance, tech. They're all important,
39:54
but the science piece of it is computer science.
39:58
So we like to run experiments. So if all the experiments we can come up with
40:04
confirm the law, then we believe that law's correct. Einstein's general theory of relativity is considered a law
40:13
because we haven't come up with anything yet that contradicts it.
40:16
Newtonian physics
40:19
arguably is wrong, because Einstein showed that something was not right there. Now, for the most part, it's right.
40:27
It makes some adjustments in the way we interpret. We still teach Newtonian physics to youngsters,
40:31
so don't invalidate it in that sense. But what about computing about Metcalfe's law?
40:36
Um,
40:37
do we think that's a law? Can any of you think of an example where making a network bigger makes it worse? Let's say the two of you, any one of you and I are sitting having a cappuccino at the Starbucks.
40:50
We're sitting there chatting. We're on our computers.
40:52
Some were stabbed doing our work. We're sitting on the Starbucks WiFi,
40:58
and somebody walks in with an unpatched old Windows machine that is filled with malware,
41:06
and they snap into the
41:07
Starbucks WiFi right next to us. They're adjacent to us. I can look on my PC at the WiFi
41:15
participants, and I see that person just added to the network.
41:19
So the network is now bigger.
41:21
We've got a network that used to have n people on it, n people sipping their coffees,
41:27
including you and me.
41:29
And now we have a node that has been added that's clearly buggy, miserable. And now it's an n plus one network.
41:37
question.
41:37
The network's bigger, right? But is it better?
41:42
No.
41:43
Course not.
41:44
I want that guy on the network. Don't let him on. The network was better when it was smaller.
41:51
So what does that say to Metcalfe's law?
41:53
Invalidates, drawn
41:57
Like, that's not a law, because laws are always true. So there's a case where it's not true. Hence it's *** to say
42:07
that if I have a network, any network and I make it bigger, it's better like not
42:14
Well, however, as long as it's not a node that's infected.
42:20
Maybe that's a new law. Maybe that's Amoroso's law,
42:23
and thinking that, uh, you know, uh, I say networks are are
42:30
that become bigger are better as long as the entrant, the new entrant,
42:35
is an okay guy, something like that
42:38
because that better,
42:39
I don't know, maybe have some tool
42:43
that can manage the network. It can manage n nodes.
42:46
And then a perfectly good new entrant is added to the network, so now it's n plus one nodes. But my management tool can only handle n. And I just broke the management of the network by making it bigger. So a good guy joining the network just made the network worse because the management tool missed the mark.
43:04
So now have I broken Amoroso's law? You get the point. That is what scientists do.
43:09
That's what technology. It's the technology perceived. If it's built on top of science,
43:15
it's not built on top of science. But I know what it is built on top of. And that's why Donald Knuth called this The Art of Computer Programming. It's for that reason.
43:24
so when we write software,
43:28
it's technical stuff.
43:30
But is it art, or is it a science? Edsger Dijkstra would say it's a science because you can derive software using mathematics.
43:39
Donald Knuth says it's an art because really there's no underlying laws. There's no scientific basis for any of this.
43:46
It's just art. Or in some sense, it's like, um,
43:50
a great novel being constructed very similar
43:53
to a great piece of software being constructed. Is that not interesting?
44:00
This, my friends,
44:01
is what technologists enjoy talking about. If you are a techie,
44:06
then you're enjoying today's lecture. If you're not and you're off doing your email and you're saying, Hey, heads off today, this wasn't so good.
44:13
You're probably not a technologist, right? Because this is what we celebrate is what we love.
44:17
And the patron saint of all this is that guy, Leonardo da Vinci. And I just finished that book. If you haven't read Isaacson's biography of da Vinci, man, are you missing out. I think I referenced this book earlier in our lectures. It's so good that I think it just has to be reprised here.
44:37
Um,
44:38
This is da Vinci's design
44:42
of a tank.
44:44
How cool is that?
44:45
They found it in, You know, those those papers? I think Bill Gates bought them right is it goes way too. But I think I think Gates did,
44:52
um, one, some billionaire got them. I'm thinking Gates
44:55
bought all the da Vinci sketches that he did in his life, or a bunch of them.
45:00
How I think that's spectacular. Like I look at that and I go, huh?
45:06
He's designing a tank. Like, this thing here in the front opens up and a gun pops out. Presumably another, like a cannonball that's coming, is gonna
45:16
roll off this thing. It's not easy to hit this. You need a direct hit on this little edge. So you're minimizing the surface
45:24
that would really see damage. And somebody actually built this thing years later. This is a modern
45:30
build of da Vinci's
45:34
beautiful design
45:37
of tank. Um, so, you know, I'm just saying that
45:44
you want to be a security executive. Part of you has to delight in this. You don't have to wallow in writing code and being a total, total geek,
45:54
and your tendency may be somewhere else.
45:58
But you're going to have to find it in yourself
46:01
to be interested in technology, to proceed in this business and to get to that top CISO job.
46:08
and it's worth it. I saw my friend
46:12
Matt from
46:14
he's, ah, in the headhunter's business. Um,
46:17
saw him give a talk last week at an Advanta man,
46:22
and he said that packages for CISOs are now approaching $2.6 million a year, and that seems right to me in the Northeast. In other parts of the country, less.
46:32
But you could make a 1,000,000 bucks a year as a CISO. Good reason to want to listen to this and proceed. Make some money
46:40
doing this. You're gonna have to be interested in this stuff because your CEO and everybody around you is gonna expect that the CISO
46:46
has some tech interest and tech background. We should savor this book him and by all means, read the da Vinci book. It is just a beautiful piece of work by
46:57
one of the greatest biographers. I'm sure you recognize Isaacson's name because he wrote the Steve Jobs
47:02
biography. He also wrote a biography of Einstein, both of which I read. Both of them are just spectacular.
47:09
Now, no guests this week, but I think an interesting case study nevertheless.
47:15
I find this one fascinating and I want to take a little extra time
47:21
taking you through the points in this case study in case you haven't read it.
47:25
But here's kind of what's going on, and I want you to put yourself in the shoes
47:30
of in this case, you know Emily, our hero. She's talking about her brother,
47:37
Um, and her brother is a guy who works for a consulting firm.
47:45
His name is Jim
47:46
and
47:49
it's one of the big consulting, you know, firms that he's working with. So I'll let you narrow down which of the four you think this would be.
47:59
At any rate,
48:00
They get a big gig
48:02
with a company
48:05
that does shipping.
48:07
That's the business they're in. They ship,
48:09
and you'll know that in shipping you ship containers. That's how that business works. I live in the Northeast,
48:16
so I know how that is
48:19
fundamentally changed the New York City waterfront. As I'm speaking to you right now,
48:23
I'm on Fulton Street
48:25
in lower Manhattan. By the way, we had a good view of the parade yesterday. Looked out my window, waved to the U.S. soccer team. There, I'm on Fulton Street, and a few blocks that way
48:36
is the old Fulton market and the old Fulton fish area, where shipping
48:42
was one of the things that would
48:44
support our fish eating habits for 150 years in this country.
48:50
Well, containerization changed everything. You know, the container sort of
48:55
modularized and standardized the way shipping works,
49:00
and it's all automated. A lot of it happens not here, but up in Elizabeth, New Jersey. The shipping containers come in, a crane grabs the shipping container, drops it on a truck, and it goes. No longshoremen anymore. Just a lot of tech, a lot of cyber, a lot of automation, a lot of robots.
49:21
I have a cousin
49:22
who works for one of the largest shipping organizations in the world, and he sits in an office at a computer, kind of helping to control all the shipping. What a change from those old longshoremen, you know, who used to curse and spit, lift things, big muscles. Tough dudes, go out drinking afterwards. That career is gone.
49:40
Um, so at any rate, Jim is here consulting with the shipping business,
49:47
and they sit down and they start talking. And Jim has one of the partners
49:52
is basically his supervisor
49:54
there with him at this event. We're doing a technical architectural review,
50:01
so the meeting starts. Now I'll read directly: meeting starts, and pretty soon the application developers are talking about cloud infrastructure and how software is distributed and virtualized and protected. And they really start getting into virtual containers and how the containers are protected.
50:17
But as you'd expect, it was a disaster.
50:22
You know this partner, Jim's boss, omitted my I made it a she
50:27
It could have been a he. Her ignorance of what a virtual container was basically was a 10 on the embarrassment scale. She was going on and on about how my brother's firm had the technical know-how to make sure their big physical shipping containers,
50:40
you know, were protected, and it just was horrible.
50:44
So at break, the client pulls Jim aside and says, Listen, if you don't bring this partner, your boss, in line, you're gonna lose our business. This is embarrassing. She doesn't know what she's talking about. You better go fix this.
51:00
So he walks over to the partner, his boss, and asks if they have a moment together. I want to read this also: and once they were off to the side, the partner just began into a tirade.
51:10
She said that my brother Jim
51:13
was just sitting there like an idiot, saying nothing about protecting physical containers. She explained that she was going to write him up
51:21
and recommend that he be taken off this account for his technical ignorance.
51:24
So after a couple of minutes, my brother noticed the customer motioning to him: let's get back to work. Are you getting her in line?
51:30
She takes another jab, saying that maybe he was not a good fit for the firm.
51:37
So my brother thought for a moment comma and leaned forward toward the partner comma and said,
51:45
So that's the case.
51:46
And the question for you guys is, what do you think? Have you ever been in a situation like that? I have. I've been in situations where a non-technical person is making an absolute fool of himself or herself,
52:00
and you're not quite sure what to do, especially if it's somebody who is
52:04
your senior at the firm.
52:06
Um, so some questions, you know,
52:08
main one here: what would he do? What should you do? Like, there's a few options.
52:15
Option A is that he
52:17
just gets technical real fast and says, Listen,
52:21
um, you outrank me, but let's talk tech here for a minute.
52:25
Container, in the context of this discussion is a virtual construct in an operating system.
52:31
It is not a big,
52:35
you know, physical enclosure shaped like, like a rectangle that goes onto a truck. That's not what they're talking about.
52:44
And whether you want to fire me or not,
52:45
you're getting it wrong and you're embarrassing the firm. He says that, probably fired.
52:51
Um,
52:52
or do you just say, OK, sorry. You know? Hey, you take the lead here,
52:57
case. Maybe he's fired as well because she thinks he ought to be speaking up.
53:00
Chances are they get back over there
53:04
and they would lose the business because, you know, she was being a total idiot. It's a tough situation,
53:10
and and really, one of the morals here is
53:14
you don't want to work in a firm where the principals don't have a technical background if you're doing technical work. It's something to look for. One of the reasons I went to work at Bell Labs right out of grad school is that all the executives basically wrote the textbooks I used in grad school, so I thought,
53:30
heck, if those guys and gals,
53:34
um,
53:35
can can are this creative attack then the problem is probably a pretty good place to work, and I was right.
53:40
So maybe that's part of it. I don't know. But as we always do, I hope you take these case studies back to work,
53:45
um, and and go over them with your, uh, with your team.
53:51
So let's summarize. I think we can
53:53
finish a couple of minutes early here
53:57
when asked as we started.
54:00
Does the CISO need to be technical?
54:02
I think the answer is, a CISO, among other things, needs to include technology as a basic competency. I hope you'll agree with that sentence.
54:13
And what that means is
54:15
if you're the type of person who says, he said, we need to be technical is a business problem. Stop saying that. That's not right.
54:22
It is reasonable to say a CISO needs to understand business. And that was one of our competencies here.
54:30
But the CISO also needs to understand and celebrate and enjoy technology. We agreed that you cannot loathe
54:37
technology. If you do,
54:38
you're in the wrong business.
54:39
And then finally, the stuff you read and absorb
54:44
is amongst the most important ways that you keep up with technology. It's not enough to just get it at work.
54:50
you're going to have to do it separately. It's gonna require homework. It's going to require regular routine of reading things
54:57
that complement, you know, whatever it is you are picking up at work. Let's just face it. That's something that
55:02
you're not gonna get paid for. But you'll get paid for 10 times over
55:07
in other ways. Other non-financial ways, but through enjoyment and through potentially, um, you know, advancement at work.
55:15
So let's see. I'm gonna dig in here in the chat, see if there's anything in here, but, but, a couple words about the assessment. Leif and I will,
55:22
We'll go in here and I've been talking about how we somehow figure out how to make the
55:29
the tool available to this community.
55:30
I will figure something. At least maybe what we do is, with this group taking this course, maybe find a way to just stand it up for them. We'll figure something out. But if we decide to do a course next year or something,
55:43
we'll make sure you all know. So if there's anything else in here,
55:47
uh, looks like no other real big questions. A lot of discussion, right? Myers Briggs glad you guys don't know about that.
55:54
I think I've taken it five times. I don't even know what I am, by the way. I've forgotten. And I think I was different each time I took it, so.
56:02
All right. Very good. Well, listen, I hope you guys have a wonderful rest of the day. Leif, thanks for setting everything up today. And we will see you guys next week. Everybody have a wonderful day.

CISO Competency - Technology

This is the eighth course in Ed Amoroso's Twelve Competencies of the Effective CISO, which focuses on the CISO Competency in Technology. The CISO must consistently produce deep insights into the current status and trends associated with information technology, especially in relation to security.

Instructed By

Ed Amoroso
CEO, CSO, CISO of TAG Cyber
Instructor