Security Unfiltered

Embracing the Suck, Lessons From #NASA In #Cybersecurity

Joe South Episode 174

In this engaging conversation, Robert Vescio shares his unique journey from horticulture to cybersecurity, emphasizing the importance of economics in understanding cyber risk. The discussion highlights the value of learning from mistakes, the need for transparency in cyber risk management, and the cultural challenges within the cybersecurity field. Vescio advocates for a compassionate approach to cybersecurity, encouraging professionals to embrace failure as a learning opportunity. He also introduces X Analytics, a platform designed to simplify cyber risk management and provide organizations with a clear understanding of their cyber risk condition.

Chapters

00:00 Navigating the Conference Landscape
02:53 From Horticulture to Cybersecurity: A Unique Journey
06:09 The Importance of Economics in Cybersecurity
09:00 Learning Through Mistakes: A Personal Journey
12:05 The Culture of Mistakes in Cybersecurity
14:54 The Need for Transparency in Cyber Risk
18:06 The Role of Boldness in Career Growth
21:14 Embracing Failure: Lessons from NASA
24:00 Understanding Cyber Risk Management
26:58 The Impact of Cyber Incidents on Businesses
30:01 The Importance of Compassion in Cybersecurity
33:13 X Analytics: Simplifying Cyber Risk Management


Speaker 1:

How's it going, Robert? It's great to get you on the podcast. We've been working towards getting this thing scheduled for quite some time now. At this point, I'm really excited for our conversation.

Speaker 2:

Same same.

Speaker 1:

Sorry, it's taken a few attempts to get here, but glad we finally made it people to do like hour long calls like this during the summer because, like all of our conferences kick off you know April, May time frame and they go all summer long, especially if you start doing like B-Sides conferences and everything else right, like that's all the time.

Speaker 2:

It's uh do you enjoy the conference?

Speaker 1:

thing, you know DEF CON, right, I don't like all the vendor stuff. All the vendor stuff. You're just getting sold all day long and it's really frustrating. So I'd rather go to like DEF CON or a B-Sides conference. You know something that's way less vendory. Substance. You're looking for the substance, right? Yeah. Yeah, I'm not looking to be sold something. You know I went to RSA a couple of years ago and I hope I never go back.

Speaker 2:

Yeah, I haven't been to an RSA conference since, uh, the last one was before COVID happened and uh, honestly I gotta say I don't miss it at all.

Speaker 1:

Yeah, I went to the one. I think it was like the one in 2021, right when they came back from COVID or whatever, and it was like a super spreader event. Like you know, I only walked the vendor floor maybe two times and I was done. Like one day I did half of the room and then the next day I did the other half of the room, and it was just, it was just pointless for me to be there.

Speaker 2:

Honestly, yeah, I've always found the best times at RSA are when you get people to meet you at places outside of the Moscone Center. You know you can get into me, like a cool coffee shop or one of the hotel lounges. I just always felt that that was where the real action happened at RSA.

Speaker 1:

Yeah, yeah, that's what I would prefer, honestly, right, like, if I'm going to make the trip out to California, I already don't like going there. Right, like, might as well, like, show me around a little bit, you know, take me to a restaurant or something. I don't want to meet you at the conference room, you know. Right, right, because I think it provides a lot of value for people to hear everyone's background and say, maybe I have a similar background, right, and if he did it, maybe I can do it too, right, so what does that look like for you? Yeah?

Speaker 2:

So you know, my background in the cyber is a strange one. I started off as a horticulturalist out of all things right which is plants, if you're not familiar and when I graduated I started working for an environmental company that was doing a lot of irrigation systems in Southern California, San Diego mainly and they were in the process of moving all the irrigation systems from analog to digital. So, of course, being one of the fresh guys out of college, they were like hey, can we send you to some computer classes to learn how to make these swaps on our behalf? And so I just kind of fell into technology. You know, a lot of my training in college was in the field of science, obviously, but there was a lot of design aspects, which, surprisingly, has led into where I'm at today. Right, so from those initial technology classes that I was jumping into in the mid-90s to where we are today, I have found that I continue to pull back on things that I learned in college, like in the School of Agriculture.

Speaker 2:

I went to Virginia Tech. Horticulture is in the School of Agriculture. You have to spend a lot of time in economics classes, because small business finance economics is a big part of agriculture and you have to understand how that works. So a lot of the economic principles I've applied into the job that I have now and what we do at X Analytics. So it's actually worked out in a really sort of strange way. You could never sort of predict this path, but even the way like viruses propagate isn't too dissimilar. How plants propagate right the way that viruses work in the plant system isn't uncommon. How viruses work in the computer systems. So there's all these strange correlations that I have found from where I started to where I'm at today that you know again, you can never sort of plan a path like this, but I have found to take advantage of every little bit of knowledge that I have and combine it in a unique way that really sort of created the career that I have in front of me.

Speaker 1:

That's really fascinating. You know I've done over 200 episodes and horticulture is not one of those backgrounds that I've gotten. You know I've had opera singers on. I've had, you know, cyber warfare mercenaries on. Musicians, probably, right, yeah, yeah, it's really interesting. You know, you said that when you were in school, right, studying horticulture, you had to study economics as well. Is that because maybe the industry in horticulture or agriculture overall is more small business focused? Right, like, you're not going to go work for. You know a really large company, right, like here in technology, you can go work for Apple or Google. You know a household name worldwide, right, but maybe in that industry it's more common to go the small business route. Is that like what it is, or is there another reason behind it? I think that's part of it.

Speaker 2:

You know, Virginia Tech is one of the few land-grant universities in the country. That's where I went to school. Virginia Tech and Virginia Tech's really built on the foundation of many of the founding fathers of our country, and something that I think a lot of people don't understand about the founding fathers is that many of them were part of this Enlightenment philosophy. Even Catherine the Great of Russia, right, she was in this Enlightenment philosophy, which was to intersect science, technology, math and the arts together and Virginia Tech.

Speaker 2:

In order to graduate, at least at the time that I graduated, they wanted to make sure that you were well-rounded by the time you completed your four-year degree, and so that well-roundedness include that you had to be part of the arts, you had to be part of science, you had to be part of technology, you had to be part of mathematics and obviously for me in my field, some of the mathematics led directly into economic classes micro and macroeconomics, but I think on the big picture too, if you also think about agriculture agriculture, especially you live in Chicago, right?

Speaker 2:

Agriculture has been something that's been traded on the Chicago stock exchange for a long time, and so I just think there's a direct association between how agriculture works and how the stock market works. And obviously you're right, a lot of at least historically, a lot of the farms, a lot of the horticulture businesses, the nurseries, were small businesses. Today that's changed a lot. Right, they're part of mega corporations, but back in that time, absolutely, they were part of small businesses. So, having that foundation in finance, having that foundation, understanding how to balance the books in an organization, pay your liabilities, but then also weaving it all into the bigger picture of macro and microeconomics which is something that was part of the philosophy of Virginia Tech at the time I hope it's still there. I have a strange feeling it's probably not there anymore, but I hope it's still there.

Speaker 1:

Yeah, I really feel like everyone should take some economics classes. You know either in high school or you know in college, right like, because that that information is so much more valuable than like learning.

Speaker 1:

You know how to write a paper in English class, like I mean honestly it really is, and that's coming from someone that's getting their PhD right. Like you can learn the things of like how to write a paper properly through a couple, a couple drafts you know you have a patient professor. It's like, oh okay, you need to structure it like this, you need to use this terminology or whatever it might be right. Like you can learn those things really on the fly. But economics, I find myself, you know, I grew up in a in a poor family, right, I mean, we didn't realize that we were poor, but, you know, looking back on it was like, wow, we were, we were pretty poor and so, like, money wasn't money wasn't discussed. Of like how it works right, how it can work for you and against you, of how you know these things all, all, all matter Right, and like that.

Speaker 1:

That was the most challenging part for me when I became an adult. I had to, then, you know, learn that right and teach that to myself, and that took me. It took me a couple of years actually to to actually, you know, learn it how you're supposed to, like, actually know it Like, oh no, this is what a bad loan looks like. You know, my very first. I look back at my first, my first car that I bought Right. I should have I never. Should have leased it. I should have financed it Right. Should put more money down on it Right. Should have accepted the insane interest rate that I got because it was my first ever car loan and whatnot. All of those things. I had no clue that they were Right.

Speaker 2:

But I do feel like you have to learn through those mistakes, and sure you could learn some of that academically, but sometimes I think the best opportunity for learning is the mistakes that we've made. And clearly you've made those mistakes so you probably wouldn't approach a car loan in the same way. You know what I mean, because it stuck are learned in real life, especially in the field that we're both in is that you can read about something, you can learn about something through a lecture, but until you actually experience it firsthand, I don't think it really sticks you know what.

Speaker 2:

I mean Like it doesn't really resonate in how you make decisions moving forward.

Speaker 1:

Yeah, especially for me.

Speaker 1:

you know how I learn is by doing right, and if I don't, understand that something is is wrong, or you know, like it shouldn't be a certain way, right, I don't, I don't realize it until until I do it. You know, like I think about even like my current, like like my sports car that I have, right, again, it was a bad situation and I learned, oh, I can't go into it. You know, excited, right, like I have to be a better salesman. When I'm excited about the car, I'm like a closet car guy, you know, and so, like I just like started getting into cars and the guy showed me, you know, the right, like he knew exactly what he was doing. Obviously he does it for a living, and so it's like I got to learn this lesson again, or I got to learn it a different way, you know, but the same same thing in technology, and there's, there's so many people out there that are afraid to mess up, you know, and like I talk about it on my podcast a lot right, when I was fresh out of college, I mean I very embarrassingly like destroyed a bank's database of our products.

Speaker 1:

Right, just very inadvertently, very innocently, you know, ran the wrong command, had too high of privileges and permissions that I should have had, right, and I went and destroyed their database and I'm sitting here like man. I just started this job, I'm about to get fired, like this is terrible, you know? Yeah, but the VP gave me the opportunity to learn through that mistake. He's like well, you know, I hired you because I knew that you would make mistakes, and when you did make them, I knew that you would solve them. Right, what a great boss, though, right? Right, not many people are going to give you that opportunity, and that's probably why people are so worried about making mistakes now. Right, because they don't want to get fired, but you have to make the mistakes to really learn it.

Speaker 2:

This is. This is one of the things that I find fascinating and and for some colleagues, that you and I have that overlap I have these discussions with them and and, uh, I always struggle, especially for somebody that's new at a CSO they don't want to share their findings directly with their boss or bosses, and, whether that's the CEO or corporate directors or whoever it happens to be, there's this hesitance like well, I know, that's my cyber risk condition, but I really don't want to share it. And I find that to be the strangest thing. It'd be like a CFO saying well, we know what our tax rate is, but I'm not going to share it because there's going to be an adverse reaction to it. You know, the CFO is just going to share it, right. Or if the sales numbers came in poorly for the quarter, the CFO is just going to share that revenue went down right Because sales numbers came in poorly.

Speaker 2:

It is what it is, and I find it so odd in the world of cyber that there's this hesitation to share the reality of the circumstance. And I think it gets to what you're saying, where people don't feel like they can make mistakes. By the way, I don't think the cyber risk condition is a mistake of the CSO. But there's this natural sort of like feeling can't share that because it's a reflection of who I am, or I can't make a mistake because it's a reflection of who I am and I think that in itself is a huge mistake in our overall industry.

Speaker 1:

Yeah, yeah, it's, it's an unfortunate consequence of I feel like punishing too harshly, right? You know? I remember when I was working for a credit bureau and they had the culture on the security team was, you know, if you cause an outage, you're done by the end of the day, right? There was people that caused outages, you know, in the middle of the night during a change window, sure, and they were let go by the morning. Wow, what about? Like?

Speaker 2:

somebody running a vulnerability scan, which is a requirement that could cause an outage. Same.

Speaker 1:

Do not let it go down. You know, and that was just the culture, and that was a terrible culture because there was a lot of pressure with it, right. And one day, you know our solution we had just recently upgraded it and our solution created an outage. That was was quick, it was quickly contained, but the damage was very significant. It took us, you know, a week or so to to actually recover from the damage. That it did Nothing technically went down, but you know, it was in a state where, you know, you're resetting 10,000 service accounts and you're resetting, you know, 40,000 other accounts, right, and all that sort of stuff.

Speaker 1:

And you know, my intern was the one that made the mistake. It wasn't even a mistake, it was a business as usual test. The product literally had a break in it that we didn't know about. You know, she did the job that she was supposed to do, she did everything that she was supposed to do and it caused this issue, right, and she was nervous about reporting it because she immediately thought, okay, this is my last day here, I'm not even out of college, this is my last day here, I'm screwed. This is off to a terrible start for my career and my boss, or my boss's boss actually. He tasked me with doing an on-the-spot, like forensic analysis of what happened who did what? Because his boss was going to say did you fire whoever did it right?

Speaker 2:

so that was the first.

Speaker 1:

Yeah, that was the first question he was going to get, and so he tasked me with that and I showed the proof that it was her and he started walking away and I had to stop him mid like, literally mid stride to you know, firing her, and say, hey, this wasn't her fault. Like this is what happened the product, you know, broke the product. Let us down, right, this vendor, let us down. It wasn't her fault, she did everything that she normally does. I mean she did it two days ago, right before the upgrade. And but, like, it brings me back because that that culture, that mentality, like really carries forward in a significant way.

Speaker 1:

I remember, when fast forwarding a bit, every time I find like a glaring vulnerability or a glaring hole in an environment, I now don't really care, right, right, like, if, right, if I, well, I don't care in terms of like telling people about it because I'll, I'll find the issue. And then, like, my CSO will ask me, you know the question well, what did you find? I was like well, do you want the full detail? You want like a, you know, a cherry-picked version of it? Right, and you know he'll, he'll ask for, like the whole truth and whatnot, and I'll be like, okay, I, I found all of this. You know, I found this stuff that we've been, you know, hiding under the rug, or I found these dead bodies over here, like we need to figure this out. You know, make that sort of thing but, and that's just my mentality, right. But I know other people that went through that same incident that I went through, and now they're in a situation where they constantly feel under pressure to not mess up.

Speaker 2:

Yeah, you know it's a strange thing because I, in the story that you gave, always think does that hold true for other departments in the business? But at the same time, there are mistakes made in marketing, there are mistakes made in sales, there's mistakes made in product development and product execution, there's mistakes made in how the CFO and the accounting team does their job. And ultimately, it's always to get to the truth, right, it's always to learn from past mistakes and it's always to try to figure out how do we solve our problems and get better.

Speaker 2:

And the reality is that a business is always a series of problems that need to be solved, right, nothing's perfect in business, all considering the world's changing around you, right, at the same time. And so, you know, I just get this sense that IT and cyber is in this unique position inside of corporations today, where the other departments just kind of operate differently, almost organically, in a way where they can adapt and maneuver and make mistakes and overcome mistakes. I find it very strange, and so I don't know if it's self-inflicted, you know, as it's a culture thing, or if it's a real thing. And sometimes I think it's self-inflicted, right, it's the culture inside those departments that continue just to perpetuate that, and I'm not so sure that it's that same feeling sits with the CEO, or sits with the corporate directors of the business, who are risk takers by default, right.

Speaker 1:

Yeah, I, you know, I think it is. It's a bit twofold. I think it is the culture within security and the mentality that we're all taught, right. I mean like you're taught. You're taught this not even in school, you're taught it from peers. Right On this side of security, you have to be right every single time, 100 percent of the time, and that one time that you're not right it could lead to the entire company being breached and us being out of a job.

Speaker 1:

Right, like, having that mentality means that you're having a no-fail mentality, right, and then I kind of go back to, like NASA's mentality of no-fail Right, and what that means for them is, no, we're going to fail. We're going to fail in controlled ways, right, we're going to fail in as many controlled ways as we possibly can. We're going to think of literally every single thing that can go wrong and we're going to try and prepare for it. And then having you know the coding in a way where I think it's like it's like fault tolerant or error tolerant coding I mean, it's probably a different term, right, I'm not a developer so I don't know it offhand, but it's this type of coding that, even when errors happen in the code, the critical systems are still running because they're all segmented out and they're so well protected from each other that there's no you know there's no stopping the engine before you want to stop it. Right, there's no stopping the navigation before you reach your destination or whatnot.

Speaker 1:

And those things, those things all matter. Right, and they're applicable in our world too. Right, because you have to. You have to approach security from the mentality of if this endpoint were to be breached. Well, what's the blast radius of that right? Are we giving up everything because someone clicked on an email, or are we giving up 1%?

Speaker 2:

Yeah, you know, Joe, to dig into that. Take NASA, right. I mean, obviously, if you go to the race to the moon, right, no, red moon, right, John F Kennedy, they made a lot of mistakes. They couldn't get rockets to launch. Unfortunately, astronauts lost their lives in that process through testing, right, but it was, you know. And then we almost lost Apollo 13 on its mission to the moon. Thankfully they got them back, but there was a lot of mistakes that were made in the race to the moon. But they learned a lot through those mistakes, right.

Speaker 2:

And now you're right, we're in this age of NASA, especially like from the two shuttle explosions right in the 80s, and I think the last one was in the 90s, where they became really risk adverse. But then, all of a sudden, all the successes and progress and NASA stopped as a result of being risk adverse, Right, Like it had to take a company like SpaceX, Elon Musk, to sort of fuel them and perpetuate them into the future, which even SpaceX was on the verge of disaster because they couldn't get their rockets to work Right. And so feel that all great things happen through failure. You have to be willing to fail and you know there's all sorts of concepts in engineering like fail fast, right, so that you learn from it. But you know to dig into cyber. I find this interesting because, Joe, I'm not sure if you're familiar with what we do, but we help organizations understand their cyber risk condition but then, ultimately, we help give them options so that they can decide what to do with that condition. We basically simplify cyber risk management for them.

Speaker 2:

But what I really wanted to get into was that I'm analyzing tons and tons of data on a regular basis related to losses inside of cyber. And you know the losses really aren't that bad. Sure, nobody wants a loss to happen, right, they don't want a data breach situation or a ransomware situation. But if you really look at the full volume of all things that have happened, it's really not that bad, right. I mean, take the biggest IT outage in the history of IT, which was CrowdStrike this past summer. No outage has ever been as systemic as that outage. And you know, in the Fortune 1000, just over a quarter percent of the Fortune 1000 were directly impacted by that outage. Of course, you know we hear about Delta, right? They lost half a billion dollars from that outage, but in the big scheme of things, companies continue to go on, right. I mean, think about it Like out of the Fortune 1000, did any of those 250 or so go out of business because of the CrowdStrike outage? No, they've continued, right, Even CrowdStrike in themselves, themselves who caused the outage. Their stock took a hit, but clearly CrowdStrike's on full recovery mode right now. They'll probably shake this off Two years. We'll be like, oh, whatever happened with that CrowdStrike outage and we'll be laughing about it, right? Yeah, the largest fines inflicted on data breaches go to Meta, right? Facebook. One of those fines alone was $5 billion. Sure, some companies would be crushed by a $5 billion fine, but Meta continued on, right.

Speaker 2:

The only real damage that I see is happening to small and medium businesses. Right, when they not the large corporations, but when small and medium businesses have too many events cyber being part of those events that take place together in a short period of time, do they tend to be in a situation where they can't recover? Obviously, is it where you live Lincoln College, Lincoln University right After COVID and then the ransomware incident, they just had to shut their doors. Right, that was a university that was open for, I think, more than 100 years and they had to close their doors right.

Speaker 2:

So you do see those circumstances, but generally it's compounded situations. It's not just the cyber event all by itself. The reason I bring this up is you can fail in cyber Most organizations can fail in cyber, have an incident, deal with the consequences of it. It's not ideal, right? Sometimes it's bad for shareholders, but you can deal with the consequences of it and continue to move on. It's not detrimental, it's not catastrophic to the business and I think if more people realize that, then maybe this culture that you and I are talking about would start to correct itself.

Speaker 1:

Yeah, that is, that's really fascinating, because that culture is very different in, like you said, in other parts of the business. Right, right, I mean for you to be the CEO of really any company. You're, you're, you got like a few screws loose, you know, like talk about sure, about pressure, talk about stress and risk, you know, yeah, um, and those guys are typically like very, very big risk takers in some ways, you know, and they have to be right, that's the only way a business will survive, because that's how they got there play it safe, you'll just eventually evaporate as a business yeah, that's how they got there, you

Speaker 1:

know, that's the only way, like, and with you know, Elon Musk, right like, I mean, he has bet everything that he has owned several times over. You know he's. He's not even worried to do it anymore, you know right, which is. It's a lesson that everyone can really learn from.

Speaker 2:

I think yeah you know, do you watch Bill Maher at all on HBO? Not very much. You know, I like to tune in, not every week, but every now and again. You know, have a glass of wine on Friday night, tune in just to see what's happening, see what his guests are saying. But he does repeat something quite often on the show where, when people on a show are risk takers, they're taking a chance, they're being bold, regardless of everybody hates their opinion or not. He always celebrates their boldness and he always says that he believes that for the people that are bold and make bold decisions, it will always work out in the end for them. And and I think there's truth to that statement, you know, like I really do, I think that you know, in general, if you're bold and determined, you continue to have that motivation to move forward, it will work out for you. It's not, it's the people who give up, it's the people that are afraid of making decisions. That indecision that I think generally leads to dire consequences.

Speaker 1:

Yeah, yeah, that is, that's very true. You know, and like when, whenever, you know, whenever people are making like a career change, right, or they're trying to, just for for sake of this, this podcast, you know they're trying to get into cybersecurity from something else. I mean, that takes a level of boldness to think I don't know anything about this area and I'm going to get into it. You know, like that, that, that really that takes some guts and you're doing it, Joe, right? You're doing it.

Speaker 2:

You know you started this and now you're doing it and you've done, would you say the other day, like more than 200 episodes already, right? So that's the boldness, right? That's what I'm talking about.

Speaker 1:

Yeah, Well, you know, I also look at it. I remember when I was deciding to do the podcast or not, right, I was looking at it from the angle of, well, what happens if I'm like 60 or 70 years old? And I look back, well, I regret not doing it and I thought that I would. You know, because I like connecting with people. You know me and you like we'll, we'll be talking, you know, fairly regularly, right, Like once a year, like we'll talk and see how each other is doing. Now, without this platform, that wouldn't be possible at all in any way, shape and form, right, Like I would be nervous to even just reach out to you. But now I don't care who I'm reaching out to, I'll reach out to them, you know, Right right.

Speaker 1:

Which, yeah, I totally would regret it. And I have a personal rule too, where if that answer is yes, I will regret it, then I absolutely must do it and there is nothing that can stop. Same thing with when I was trying to get into security. I thought I could be successful at it. Right, I didn't know how successful I would be at it, but I knew that if I didn't try I would regret it. And so then, like by default, I literally had to give it everything that I had, and I couldn't stop until I gave everything, and I was. I was just about to stop too, Like I gave it everything that I had and I was just about to stop.

Speaker 2:

And then I go and I get two offers in the same day, like, okay, there's something here, that's the boldness, right, that's what, that's the reward. It just it, just it's kind of like magic, right. It just it works out. It happens. You know, I feel like too, like when you're right at the bottom is when sometimes, the best things happen. Right, like right when you're ready to lose everything or you're ready to give up, but you just have that little bit of perseverance. I feel like that's always where, like, those amazing things happen, is at that bottom.

Speaker 1:

It's at that bottom. Yeah, yeah, it's. It's interesting how I have found that when I go to you know new levels. It's like a new level of anxiety too. Right, like you know, my, my wife and I, we we built our first house. Right, this is our first house. I'm in it right now, our first house. We built it, which is no small.

Speaker 2:

That's a hard thing to do, by the way.

Speaker 1:

Yeah, it's no small feat. I don't think that we really realized that, right, we were trying to buy but buying didn't really make sense because the market was so inflated at the time, right, you're going to spend $700,000 for literally the house that I have right now, and then you're going to be spending another $250,000, fixing it up, making it livable and whatnot. It just didn't make any sense. And when we finally moved in here, we obviously reached a new level together, you know, with, with getting the house and whatnot.

Speaker 1:

But then I had like a new level of anxiety, right, like something I that like crippled me for like a week. You know, it was just like I'm so nervous I don't know if I can make this, make this payment. You know, what did I do here? Like I'm, I'm a failure just going through all of this stuff and I had a. I had to stop myself. I think I actually had a friend that like stopped me and was like, hey, you know, like you're fine, it's going to be okay, it's new, it's different, but you're going to get used to it. And now you know it's totally different. Like I'm not even, I'm not even worried about it. I'm more frustrated that my mailbox is crooked as hell that I put in than anything else.

Speaker 2:

Right, but you've relaxed into it. Yeah, yeah, yeah.

Speaker 1:

It's going to be uncomfortable in the beginning, you know, but as you get used to it, as you get used to that level, um, you know it gets easier. I think that's something that people forget about, or they miss often.

Speaker 2:

Yeah, it's almost like you have to accept, right, your own reality and just contend with it for whatever it is. Joe, I have a special needs daughter. She's gonna be 20 on Sunday, by the way, well, and uh, you know she's one of those kids that, um, after she was, the doctors are like telling you she's probably not going to make it, right, and we heard that throughout her childhood. Of course, the doctors were wrong, but she's with me all the time. I take care of her. She's with me all the time and I get these people who come up to me and they're like, oh, you know, God bless you or you're such an amazing dad.

Speaker 2:

I don't even think about it that way. I think about it as that's my reality and I accepted it very early on. I didn't fight with it, I wasn't angry about it and, of course, like back when Olivia was younger, people would ask like are you angry? Do you wish that you knew so you could have aborted the child? And I'm like, no, like I'm, I'm happy, like this was a gift in my life, and so I think perspective the point I'm trying to get to is I think perspective allows us to really operate in a way that is normal and anxiety free and allows us to really find the joy and the beauty in the things that we're doing, like.

Speaker 2:

I personally love cyber risk, right. I enjoy the space that we're in. I love being a father to Olivia. I have two other children too, and I love being a father to them. It's all different, every one of those circumstances is different, but I just accept them for what they are and love them, and it allows me to just operate with a certain amount of peace and anxiety-free attitude. That could be totally different if I was full of anxiety, right? Like, if I was angry and anxiety, then I'm not good to them, I'm not good at my job, I'm not good to anybody, but interestingly, there's a lot of people, I think, that focus more on the negative than the positive, and part of it maybe, is a little Buddha-like, but you just sort of have to, I think, let go of the suffering, right? Like just let go of it, right of.

Speaker 1:

oh you know, do you wish that you would have known that unknown or whatever might have been right?

Speaker 1:

Yeah, it's like you know people are or they're, they're coming at it from. I don't know about that unknown in my life. I don't know how that's going to change me. I don't know how that's going to impact everything else around me. You know and yeah it's that's a really incredibly tough situation. You know, like, like you, you mentioned that. You know doctors were telling you that. You know she wasn't going to last very long and whatnot. And you know, I think back when, when, when my first kid I only have one kid right now, but when my first kid was born, she had a pneumothorax right and one of the doctors one of the doctors I really didn't like. I didn't trust her.

Speaker 2:

I had, I had some, didn't like either of them. Makes you feel better?

Speaker 1:

Yeah, I really did not like her and I met her for maybe 20 minutes, right, and that was the last time I ever saw her or spoke to her. And I mean, like literally, you know, I just tore into this person because they were, you know, they were treating my kid almost like a, like an experiment, right, and I'm sitting here. I'm like you guys. You guys literally don't understand who you're dealing with. Like I can reverse engineer this thing on the fly. You can't like, you literally can't tell me that you don't know when she's going to run out of morphine, for instance. Right, right, there should be no shortage of morphine in this room, like I and I literally said, from this day forward, I expect her to be a bag of morphine until she's discharged sitting there and if she needs it, she gets it immediately. Yeah.

Speaker 2:

You don't want to see your daughter in pain, right?

Speaker 1:

Right, yeah, she's what alive for three days and she's in, you know, excruciating pain. And I told you know I guess there was a benefit to what I went through younger, right, because my sister, my sister, went through renal failure, right, and I ended up donating my kidney to her. She's fine today, she's living a great life and whatnot. Totally fine, but seeing how, seeing how my mom had to navigate right this world, as we're not a wealthy family, we're a poor family, right, my dad actually, in fact, a few months beforehand, lost his job, you know, and so that was an extraordinarily stressful time. But my mom learned, and I learned in return is that, in that situation, the social worker and the nurse actually have the most power. In that situation, right, if you want a doctor removed, if you want a team removed, or if you want them transferred to another unit, or whatever it is those two people, they're tasked with making it happen, no matter what. And so you know, in this situation, right, when that doctor was basically trying to use my kid as an experiment, you know, when it's a relatively minor issue that she was going through, right, it was a pneumothorax, a little hole in the lung she had. You know, she was a little bit early, right, so they just had to wait for it to heal. You know it wasn't like anything crazy, but for a new parent that's extraordinarily stressful. Scary, yeah, super scary. That was by far the most scared I've ever been in my life, by a long shot.

Speaker 1:

But going through everything that I went through, I just went to the nurse and I said I don't want that doctor ever seeing my kid again. If she's in this room, she's seeing other kids, she's not allowed to cross this threshold of the room and she's not allowed to have any input. And they literally said well, what if she's the only one? I'm like you better call in someone else. Like I don't, I don't care, she is not allowed to touch my kid, she's not allowed to treat my kid, and I was very clear with them. I was like I want only these three nurses to be on her nursing team, right? So we know the nurse during the day, we know the nurse in the afternoon, we know the nurse at night. And that doctor is not allowed.

Speaker 1:

And it was done right, everything that I requested was done. But if I went and started a fight with that doctor. Now they're going to have problems with me. You know, and I can't even remember how I got down this path right, but it's that unknown that you kind of have to dive into and embrace. That's when you actually make the real progress. That's when you actually make the real change in your life and everyone else's life.

Speaker 2:

I agree with that. If you were to think back on that Joe, that particular doctor, do you think part of it was attitude like yeah 100.

Speaker 1:

Yeah, because she was the only one that was just like openly smiling at me as she was saying what she was going to do. You know, like there was like no empathy, right, and I'm sitting here, I understand you may have a positive personality, right, but there is six other doctors that see my kid every single day and none of them approach me in that manner. Right, like when my sister was sick and she had dozens of doctors, none of them approached us that way. Right, it was very serious, concise, to the point, very exact about what was going on. There was no questions about what was going on and what was going to happen. There was none, right, and it was. It was totally her, her, her attitude. Because as soon as, as soon as she approached me from that way, I was like, oh yeah, she ain't, she is not ready to handle my kid because she's not ready to handle me, because I am not. I'm not going to be all like jolly with you, like no, get out of the room, let the adults.

Speaker 1:

Let the adults handle it, you know.

Speaker 2:

Yeah, yeah, you know, you know it's interesting.

Speaker 2:

And to tie it back to to cyber, you know, I think this is a this is part two of like the mistake that a lot of the vendor and the consulting community makes.

Speaker 2:

They want to talk at the CSO or they want to talk at the security people.

Speaker 2:

And I see some people that are out there that are big voices and you know they're always like CISOs should get fired for this, or or they say, like you know, they just need to get in line and adapt and you know, and I don't think any of that's useful, I think it's all like that doctor you're referring to, right, it's just like that sort of like, and they're just alienating the community, and I think we are in a place where there needs to be more compassion, right, we're in a place where there needs to be more of like I'm relating to you your job sucks, right, like it sucks, it's hard and you know, mainly you're responsible for a problem that you partially own, right, lots of other people own the problem and maybe you know, like, if people learn from your example and approach others in the field with that sort of grace and empathy, then I think we would see incredible changes and maybe some of that frustration and that anxiety that's prominent in our community would start to go away a little bit.

Speaker 2:

You know, it's just everybody being a little bit nicer with each other and relating to each other, and yeah, I'd love to see that personally yeah, you know it's.

Speaker 1:

It's fascinating when you approach in security, when you approach things from the like customer obsessed mentality. Yeah, right, you're, you're not looking to get through whatever the end user is talking about so that you can prescribe them a solution. Right, you're not like being solution oriented in that way, but you're more focused on actually hearing them out. Right, ask people. When I'm about to ask something of someone, right, I ask them. Well, why don't you tell me why it is this way? Right, because I'm probably missing something here. You know, why was it like this 20 years ago or whatever? It is right.

Speaker 1:

And learning what the decisions were, why they made it, the evolution of a system or you know a domain and the environment and whatnot, right, coming at it from that perspective also opens up the recipient of what you're going to say. Right, like the recommendations, because there was many times when there's been many times where people will be very attached to a system or you know a part of the network that's critical. Right, because they feel like, hey, I really contributed to the success of the IT team here at this company and it's going to, you know, be like this forever. Right, well, when you're meeting them in the middle there and saying, hey, you know, you created a great system, you created a great environment, like it's top of the line for sure.

Speaker 1:

You know, 10 years ago it was top of the line. Right, now, with different you know, advents of like zero trust and whatnot, we should restructure it just a little bit, make it even better. Right, it's really great. We're just making it a little bit better and and it fits our future endeavors, right, that's how you approach it. But if you approach it from the perspective of, oh, you're wrong, this is an antiquated technology, you've already lost them.

Speaker 1:

You've already lost them. You're going to entrench them and they're never going to.

Speaker 2:

You want to hear a great story. Over the weekend I was having an issue with one of my websites. It's hosted on the Wix platform and it was a weird issue I couldn't figure out, like what was going on. Normally I can sort of figure those things out and fix them on my own. And so I reached out to the support channel, and the support channel is normally a phone-based channel. You can get a human on the phone, but on the weekends it's through messaging, right? It's a messaging platform and this woman over on the support team at Wix she picks up and she starts interfacing with them. She's like by the way, thank you so much for helping me on a Saturday morning.

Speaker 2:

And then we just started this nice dialogue back and forth with each other and it got to a point where she said you know, bob, normally I have to elevate this to somebody higher up than me, but I really want to help you and I think I know how to help you with your problem and I'm not going to elevate it. But let's try something. And so she gave me this thing to try. She walked me through it step by step. We got through it. It actually fixed the problem right, but normally that would have been escalated to somebody else. I would have had to wait for somebody else to contact me later in the day. But I think that politeness, that polite exchange between the two of us, a little bit of gratitude. She was probably like you know what, I'm going to help this guy and she did and it was great.

Speaker 2:

My experience with Wix support was outstanding and I just feel like those little things matter to your point. You know what I mean. Those little pleasantries matter. We're all humans at the end of the day. We all want to be thanked for the work that we're doing. We all want to feel good about what we're doing. One of the reasons I love horticulture is because it has a lot of instant gratification. You plant a bunch of plants in a field. You get to see what you just did. Right, it looks great, the field's been tilled, you can go back and see the perfectly straight lines. So I love instant gratification. But I think most of us really in general want instant gratification and the things that we do um and add in some pleasantries and I think all of a sudden you got this success thing happening. Yeah.

Speaker 1:

Yeah, absolutely. Well, you know, Robert, you know I apologize, we didn't really dive into X Analytics, but why don't you, why don't you tell my audience, you know, a little bit like an overview of like what you guys do, what you specialize in, yeah sure, and how you help other companies?

Speaker 2:

Yeah, by the way, Joe, this has been a fun conversation, so thank you for having me on today. I really appreciate it. Yeah, absolutely. You know, just just summary wise, with X Analytics, I'll tell you like where, where the idea came from and where we are today.

Speaker 2:

So years ago I was in a board meeting for a large bank. I was assisting the CISO in the board meeting and and for the stuff that we prepared, you know, we did a great job preparing the materials, but it was not received well in the board and it wasn't because they were upset about the information. They just didn't know what we were talking about, right? Like clearly, they had no idea what we were talking about, and so I left that board meeting. I said, you know, there has to be a better way, there has to be a way to communicate cyber in a way that people can understand and a way that they can make sound decisions from. And so about a year later, I left that job that I had at the time and joined up with some partners at X Analytics and we created the concept of X Analytics and the idea was could we build something that simplifies cyber risk management and could we build something that allows people, whether they're novices in cyber or not, to understand what the risk condition looks like and then where they can make decisions with ease. Right, that was the concept, and so we achieved that concept. We built what we wanted to build. We continue to iterate it, iterate on that idea as time goes on and we continue to advance our capabilities. But fundamentally, that's what X Analytics is.

Speaker 2:

X Analytics is a cloud-based platform that helps folks simplify cyber risk management, and the way that we do that is we have a really simple structure to help them build a profile for their business. That profile gets married with back-end data, which is historical loss data, historical threat data, historical probability data, and it serves up a really easy-to-understand concept of their cyber risk condition and they can see if they're a NIST CSF organization, they can see what the world looks like in NIST CSF. If they're CIS CSC, the critical security controls, they can see what the world looks like under that context. But then we take it further and we weave in the elements of governance. We weave in the elements of optimized transfer, optimized mitigation, so that, ultimately, organizations can see that the decisions that they're making are leading to an improved outcome in their overall cybersecurity posture and the goal there is to give the CISOs a pat on the back, right.

Speaker 2:

The CISOs are doing all these wonderful things. From the very beginning. They can see those wonderful things by looking at the difference between inherent risk and residual risk and the current set that they're in. But then as time goes on, they continue to show those trend lines and how those trend lines are improving based on the wonderful projects that they're implementing within their organization. So it's really to serve up not only an honest perspective of their business but also to make sure that the CSO is getting the compliments for the hard work that he and she are doing for the business that they work.

Speaker 1:

Wow, yeah, it's really. It's interesting. It's like providing context right when, where, where wouldn't normally be in a very tangible way.

Speaker 2:

Yeah, and it's, and it's represented in a financial lens. Oh, and that's not the only way you can look at, like how much of NIST have I achieved? What is my NIST tier achievement? Between one and four. So it serves up other sorts of metrics that they can draw that perspective.

Speaker 2:

But the perspective that we do put forward is a financial one, right? So they can say my cyber risk problem is equivalent to 1% of revenue. Now, is that a big deal? Maybe, maybe not right, that's unique to every company. But it allows them to take that understanding and also compare it to other operational risks inside the business.

Speaker 2:

So, you know, in this past year, if you're comparing your cyber condition and it's 1% of revenue, but inflation is 7% of revenue, well, you're probably going to focus more on inflationary problems, right?

Speaker 2:

Going back to the economic stuff that we were talking about, if you're dealing with a company that has a lot of shoplifting and if shoplifting is 5% of revenue, well then that's going to be more important to the business to address shoplifting than the cyber problem. On the other hand, if cyber is the thing that is most significant it's 2%, 3%, 4% of revenue then it allows you to compare that with the other operational risks, to have a very honest conversation with the leadership, to say you know what, maybe we need to invest more in cyber. It's our number two or number one problem in our company. How would you guys like us to proceed? Right, and that's just a very open and honest conversation. So that's the goal. Right Is to really sort of simplify it, put it in a language and a context that everybody in the business can understand, compare it to other things that are happening in the business and then ultimately make the right types of decisions.

Speaker 1:

Yeah, it makes a lot of sense. It's definitely an area that's needed, for sure, in the industry. Well, you know, Robert, I really enjoyed our conversation, but before I let you go, how about you tell my audience you know where they can find you if they wanted to connect, and then where they can find your company if they wanted to learn more?

Speaker 2:

Sure, I mean, you can easily find me on LinkedIn, Robert Vescio. There might be more than one. There's a doctor out of Los Angeles that also has a Robert Vescio name, and there's also an author of children's books. So there's three of us out there that I know of, but, Robert Vescio, you'll see me because I'll have the cybersecurity tag associated with my LinkedIn, and then our web address is xanalytics.com. It's x-analytics.com, so we're really easy to find. Joe, this has been an absolutely wonderful conversation. Thank you so much for having me on today.

Speaker 1:

Yeah, absolutely, I really enjoyed it. I'll definitely have to have you back on you know in the future. Absolutely, I look forward to it. Thank you, Joe, Awesome. Well, thanks everyone. I hope you enjoyed this episode.
