Get IT Started Podcast

GISGID EP 25 – Andrew Wilder and Den Jones

Welcome to Get IT Started, Get IT Done, the Banyan Security podcast covering the security industry and beyond. In this episode, our host and Banyan’s chief security officer, Den Jones, speaks with veteran cybersecurity leader, Andrew Wilder. Andrew discusses some key lessons from his early career and his CISO roles with a dose of advice for those just entering the cybersecurity space. We hope you enjoyed Den’s discussion with Andrew Wilder.

Speaker 1 (00:00):
Hello, and welcome to Get IT Started, Get IT Done, the Banyan Security podcast covering the security industry and beyond. In this episode, our host and Banyan’s chief security officer, Den Jones, speaks with veteran cybersecurity leader, Andrew Wilder. Andrew discusses some key lessons from his early career and his CISO roles with a dose of advice for those just entering the cybersecurity space. We hope you enjoyed Den’s discussion with Andrew Wilder.

Den Jones (00:28):
Good afternoon, good evening, good morning, I guess. Wherever you are in the world, welcome to Banyan Security’s lame effort at podcasting. If we don’t sell software, then this is a fallback trick. I’m just glad that our software is decent and we get customers. Yeah, Get IT Started Get IT Done. I’m the host, Den Jones, and every episode, I try and bring in some exciting guests that have good wit and wisdom, knowledge of the industry, and today’s guest is exactly fitting that bill, Andrew Wilder.

Andrew, welcome. Thank you for your time, first of all. Why don’t you introduce yourself?

Andrew Wilder (01:07):
Thanks, Den. Thanks for having me. Thanks to all your listeners. I hope that I can live up to the wit and wisdom. I’ve been in the cyber industry for about 20 years. I started out as a consultant. In fact, if you want me, I’ll take you back a little bit further. I think you and I might have talked about this before. Have you ever seen this television program called The Office?

Den Jones (01:32):
Yes, yes, and I’m sure most of our listeners or viewers probably have as well, right?

Andrew Wilder (01:37):
Yeah. And, just to be clear, there is a British version and an American version, and they’re both great, but my story’s going to take you back to the American version. Imagine a Dunder Mifflin, if you will, but transported to San Diego, which is where I grew up. One of my first jobs out of school was working for a paper company not unlike Dunder Mifflin, and we had all the different departments and stuff. Because it was a small company, I bounced around, I did every department. I worked in finance. I worked in inventory. I did marketing and sales. When we’d get really busy, I’d go out into the warehouse and I’d pick orders and I’d put them on the truck. I knew the whole business from beginning to end, and one day, the owner of the company comes to me and he says, “Hey, Andrew, we’re going to replace our old mainframe systems with Windows servers and Windows workstations,” and I said, “Joe, that sounds like a really good idea.” And he said, “Well, you’re the youngest guy, so you get to do it.”

For the next three months, I did all this data conversion by hand, and one fine day, we go live with this new program, and it is, by far, the most satisfying day in my very young career. Things break, I’m able to fix them. We’re just rolling on the fly, and it was so fun. And I realized after that, I thought, “Maybe I should do this IT thing as a career.” I saved up some money, I saved up some vacation time, and I went to Chicago for two weeks in the winter and I took this Microsoft Boot Camp. And, at the end of those two weeks, I had passed seven different exams and I was a Microsoft Certified Systems Engineer, and everyone else who went to this bootcamp were already IT consultants.

I was just a guy who worked at a paper company in San Diego, but by the end of that thing, then I could put my resume out all over the country and get picked up to do IT consulting. That’s what happened. Got picked up by HP to do a role with Bank of America in Atlanta and did a vulnerability management program for them and big rollout project upgrades and stuff, and then did the same thing for Nestle and also for DHL and got job offers from all three. And then I decided, “Hey, I’m going to go with whoever has the best culture,” so I went with Nestle because I fell in love with their culture. I thought they had a great culture, everybody kind of, “We’re in this together,” sort of thing.

I stayed there for 18 years. Every two to three years, I’d just get more scope, more budget, more team, more responsibility. When I left there in ’21, I was the regional CISO of Americas, Asia, and Europe. Then realized, at Nestle, I was at the top of my game. I didn’t have anywhere else up for me to go, so the next company that called and said, “Do you want to interview to be our CISO?”, I said, “Yes.” That company was Hillenbrand. I was there for about two years, and they’d never had a CISO before, they had one employee in cybersecurity, just rebuilt their whole program from the ground up and really got them moving forward in terms of cyber maturity.

And, right now, besides looking for a new CISO gig, I’m continuing to do my role as an adjunct professor of cybersecurity at Washington University. I teach a course called Data-Driven Defense, which focuses on the CIS 18 controls and then also how to use those incidents and things that have happened to you before to define a better way to focus your finite resources. That’s my background, not in a nutshell, but I tried to add some wit and wisdom in there as well.

Den Jones (05:09):
I was just going to say the number of people I remember in the ’90s and early 2000s that were doing their MCSE, it just seemed like everybody was like, “That’s the accreditation you need to get.” And I was an ex-Novell guy, so I used to turn around and I was like, “I think, in that class, all the teachers just add more memory,” because most of the Microsoft people that I worked with … now, first of all, me being a Novell guy and a Unix guy, I was never impressed with the Microsoft stuff in its early days. And then I was also never impressed with the fact that I would go through my book of knowledge, really, of Novell stuff, really deep in the kernel, and my Microsoft equivalent and the same team that I was in, especially at Adobe, I always remember them just being like, “Oh, add more memory.”

I’m like, “Man, what about tuning? What about tuning the thing so that you’re getting the most out of the memory you got?” And then, years later, at my Adobe gig, I was part of the team that built the first active directory domain globally for Adobe, and that goes back to the year 2000, I guess, somewhere onwards there. It was great in those days, and I think you’ll feel the same, it was great in those days to be, I’d say, in the early stages of really what Microsoft was delivering to the planet and getting to do a lot more greenfield, I felt. In those days, it was like I was doing a greenfield thing, the first email system for the company. That was really exciting.

Now, in the adjunct professor role, I don’t know much about an adjunct professor, so what does the adjunct part mean, and then what’s that role like?

Andrew Wilder (07:06):
Well, it just means that I’m not a full-time professor. I don’t carry a full class load. I’m part of the board there where we focus on the curriculum and what kind of new programs we might want to teach, but it keeps me engaged. It keeps me having the chance to get in front of students from time to time, but it’s not a full-time role. A number of my peers who are CISOs in the same area, they hold an adjunct as well, and that means they go in and teach from time to time, but they also have their full-time role as a CISO.

Den Jones (07:41):
Yeah. No, that’s [inaudible 00:07:43]. I think the exciting part, I’m guessing, you can keep me honest here, is the fact that you’re getting to work with some really emerging talent and you’re getting to see what that next generation of cybersecurity professionals are rolling out. My closest thing is I got interns, and I’ve always been a fan of working with interns and then new college grads. Is it rewarding, I’m guessing?

Andrew Wilder (08:10):
Yeah. I would say there’s maybe two or three aspects to it that I want to talk about. One is there’s the outreach that we do through a number of different groups to high school students and below to really start to plant a seed of interest in cybersecurity as a career. And then, of course, you’re talking about college students, interns, I’ve had interns at all the companies that I’ve worked at, and I absolutely agree with you. I think what they bring to the table is a huge positive influence to the team in terms of energy, excitement. They’re always coming to you and saying, “Hey, I need more stuff to do. I want to work on more things. I want to learn more.” That’s a really positive thing.

And then the other thing that we’re doing at the university is we do some of these executive programs as well, and these are people who are deputy CISOs, vice presidents who want to get into that CISO role, and helping them go through the leadership side, the technical side, some of the things on the business acumen side that could get them ready for that next role. I really like seeing it through that entire life cycle, and that’s really fun for me.

Den Jones (09:18):
That’s brilliant. And what motivated you to get involved in the education system like that?

Andrew Wilder (09:24):
It was really a crazy coincidence. I was meeting with the guy who was the head of our audit committee, and I was asking him to give me some advice from his perspective, and I said, “If you were me, what would you do?” And he said, “I would go to the biggest and best university that’s local to you and say, ‘I want to be part of your program.’” And I had never even considered doing that before. I knew that some of my friends were doing it, but I didn’t think that they would want to have someone like me doing that.

I reached out to the guy and didn’t hear anything, and then there was some email mess-ups or whatever, and I realized that the guy had responded and he wanted to meet with me. And so we met over lunch and he said, “Yeah, I’d love to have you be part of some of our programs, be part of the board,” and I was just blown away. And then I became even more excited about it and happy to do it. I would say, if you’re interested in doing something like this, go reach out to the colleges and universities that are near you and ask them if they’d like to have you be part of their program, because you may be surprised to find out that they do.

Den Jones (10:34):
Yeah, yeah. No, that’s great advice. And it’s funny because, probably a couple of years ago, I got involved with the college I went to in Scotland and really found out I was one of their earliest, I’d probably say earliest, but most successful graduates that they had in their computer program back in the mid-nineties, and they featured me in the local newspaper and stuff like that. But then I got more involved with them on how can I help inspire people to go to the college and get their education and realize that, if you come from a crappy little town called Livingston, Scotland, you have the ability to suddenly get an opportunity to move globally, you get to work for some great companies, and it’s possible, just that side of life.

It’s like you starting off in the paper industry and then, all of a sudden, you’re building a computer and you’re doing a project that’s tech-related because you’re the kid, and then you make a whole career out of it, which it’s those origin stories, I think, that sometimes people, they need for the inspiration to realize that it doesn’t matter where you are or where you come from, you can still do it if you want to put the work in.

Andrew Wilder (11:58):
Yeah. There’s a group that I work with called CyberUp that takes mid-career or people that are switching careers and gives them free cybersecurity training and certification and then places them as apprentices at different companies, and they asked me to go to one of their mentoring events. And so I go and I speak for two hours to all these people who are in the program, and one guy comments afterwards because I mentioned that I would drive the forklift at the paper company, and he said, “Well, that’s what I was doing before. I was a forklift driver just like you, man, and now I’m going to get into cybersecurity.” And so you never have any idea what this one piece of your origin story is going to connect with somebody and inspire them, and, yeah, that was just really powerful. I couldn’t believe that.

Den Jones (12:41):
Yeah. No, that’s brilliant. That’s brilliant. And so, from an advice perspective, so let’s say we’ve got audience that are new, they’re just trying to get into cyber and they’re finishing their college, what piece of advice would you give them that enables them to stand out as they’re trying to get their first job?

Andrew Wilder (13:02):
Two pieces of advice for you if you’re trying to stand out and get your first job, the first one is get hands-on experience any way that you can, if that’s a project that you’re doing at school, if that’s an unpaid internship or a paid internship, whatever you can do to get hands-on … volunteer to help people. People always need help. That’s the first one, and then the second one that I really encourage people who are just starting out in cybersecurity is look outside of just a SOC or a pen tester, because a lot of people, when they’re starting out, “Man, that is the sexy thing. That’s what I want to do. I want to be an ethical hacker. I want to be doing the ransomware cases and incident response.”

Well, that’s great, but if everybody wants to do that, you might really set yourself apart by saying, “Hey, I want to be an intern or I want to be an entry level in disaster recovery or asset management or identity management or GRC,” something that’s not those one or two sexy things. And I think, if people will give those things a chance and learn about those things, they may really be able to set themselves apart and get a much better chance at getting an entry-level role.

Den Jones (14:18):
Yeah, that’s great advice. I think it’s funny because we just hired a new college grad at Banyan, and his career desire is to do that, be red team or purple team, but the reality is, if you join a company like us or another small company, you quite often become asked to do all of the jobs. It’s like you do way more things. And I remember, before I joined Adobe, I was in the same boat. I was everything, infrastructure and operations, desktop, networks, servers … and I joined Adobe, and then it’s like, “Okay, you’re in the directory services team.” Okay, cool, man. Yeah, and it took a while for me actually to work through my management career in order to get other types of roles or build up different disciplines and learning.

And I think that’s the one thing, like you said, when you were picking Nestle and stuff, it’s like it’s important to find, I think, the culture that fits you, but I also think the size of the company does matter when you’re early in your career, because, early on, you’re trying to get a breadth of experiences so that you know about these different areas, and you don’t end up doing, for 20 years, I’m an AD guy [inaudible 00:15:46]. Yeah, people might like that, but I don’t know.

Yeah, let’s talk a little bit about, let me see, so you’re a member of several boards. What do you give people, more executives now, who are thinking about, “I want to get more involved with board level work,” what did you see as the way in for you and what’s your advice for them?

Andrew Wilder (16:13):
Yeah. The best thing to get involved in boards is network. You and I are both heavily connected in the cybersecurity network and the vendor side and all of those different things, expand your network outside of that. Network with CEOs and CFOs and existing board members. That’s a huge thing. Of course, there’s many different organizations that you can join. Some of them are free. NACD is one that’s paid for. They also have a NACD directorship certification. It’s fairly expensive. There’s another one that I really like that I’ve recently done, which is the Digital Directors Network. They have what’s called a QTE or Qualified Technology Expert, and they’re following very closely this SEC rule that’s supposed to happen in October, which will require publicly-traded companies to have cybersecurity experts on their boards. That’s a good one to look at.

There is some debate on whether or not having nonprofit board experience will help you. I’m on the side of the debate that it will help you. I’m on two nonprofit boards. Now I’m also really passionate about their mission and what they’re doing, so for me, that’s helpful as well, but they’re also following the governance, having the committees, all of those different types of things. Once you get into a private company or a public company board, you have some familiarity with it. And we are seeing more companies bring on first-time board directors, more so than in the past, so there’s certainly an opportunity out there.

I would say if it’s something that you’re interested in, there’s all kinds of books, podcasts, whatever you want to get interested. I’ve named a couple of good organizations. Go and check those things out, and then look at nonprofits in your area and see if they’re interested in having new board members join. Find something that you’re passionate about and go and do that. That can help you get in from that perspective.

Den Jones (18:15):
Yeah. No, that’s awesome advice. And then also InfraGard, can you share a little bit about your involvement there?

Andrew Wilder (18:23):
Yeah. InfraGard is one of the two nonprofit boards that I’m on. What InfraGard is, is a conduit between the FBI and civilian enterprise. One of the things that we’re working on right now is we’re creating what’s called our sector chief program. The sector chief program, some InfraGard offices are more advanced than others, but the sector chief program, basically, you’ll have a finance sector chief or a healthcare sector chief for a certain location, and then that person will be the primary conduit between the FBI and that industry in their area.

There’s about 60 InfraGard offices around the country in both the continental and outside the continental US. It’s a great way to get involved. You can join InfraGard. You don’t have to be on the board. I think there’s only about, I think, on our board, there’s probably five or six people. We might expand that a little bit. But you can definitely get involved with InfraGard either way. You can join, go through their certification program. That usually takes some time, but it’s a great way to get good information to partner with your local FBI office. They are always able to give us great information, them and CISA as well, who we partner with, but it’s a really good organization. I encourage everybody to get involved there.

Den Jones (19:45):
Awesome, awesome. Yeah. And, yeah, I’ve got a few friends at the FBI and a few friends at InfraGard, and for me, it’s a great opportunity, I think, for bridging that gap. And the friends at the FBI, they’ll always say that they can’t do this alone. They need the industry as well to help and really get involved and stuff, and I’m a big fan of that, and I’m a big fan of building relationships before you need them. If the first time you meet someone is when shit’s hit the fan and you’re calling them then, I’m like, “That’s not helpful.” It’s never the best time. Yeah, good. I think it’s good for people to check out InfraGard, check out even, on the FBI’s website, how they can get involved, how do they get to know where their local office is, and understand that as well. Both are great things to be proactive about. Yeah.

Andrew Wilder (20:41):
Yeah. And like you said, it’s really a two-way street. We learn from them, but they learn from us as well. We’re telling them what’s happening on the civilian side in the industry, and that’s helpful for them as well.

Den Jones (20:53):
Yeah. No, it’s awesome. And, yeah, I’ve got a good relationship with the San Francisco and the local Bay Area team as well, so I do get good information from them regularly and good communication, and I find that’s helpful for me and my team. That’s brilliant.

Now you’ve built a lot of programs from a cybersecurity perspective. What advice do you have for someone who’s thinking about building or they’re in a position where they have to build a program? What’s your best, I’m going to say couple of minutes of best advice, but I know, really, it takes longer, right?

Andrew Wilder (21:32):
Yeah. I’ll try and do my best wit and wisdom in a couple of minutes. I think the first part there is I would say use your network. You’ve got a lot of friends or peers that have already done this. Go and talk to them, find out what they’ve done, see if they can share with you any roadmaps or plans. What I always do is I want to do a assessment of where we are now. Some people have tools that are constantly assessing their level of cyber maturity, but if you’re just starting from the beginning, you just want to get a snapshot. Now, if you happen to have an audit report or a risk assessment or a pen test or something, or two or three of those things, that can help you to start your baseline, but then you say, “Okay, here’s our baseline and where do we want to get in terms of maturity?”

There’s a number of different maturity models. The most popular is probably the NIST CSF. I’m a big fan of CIS 18 as well. But there’s all kinds of tools that you can use, from very basic to very, very complicated, to assess your baseline. And then you look at where do we want to go? Now the way that I see my role as a CISO and as a cybersecurity expert is to go to the business and say, “Here’s a risk that we have. Here are two or three different ways that we can address this risk. Here’s how much each of those things will cost in terms of time and resources and money,” and then what is it that the business wants to do to try to reduce that risk? And, once you get that understanding of the risk appetite of the business, you can then implement the flavor of that control that the business wants.

And what you’d want to do is prioritize what the key areas are that you want to start with, get those agreements with executive leadership, start working on standing those programs and pillars up, and then, at some point in time, three months, six months, whatever it is, do a reassessment of your baseline and then start to look at what other things do we want to add? What’s our roadmap going to look like? A lot of times, people define three and five-year roadmaps. I think those are great, those are good things to share with your board and with your executives, but always keeping in mind that these things are subject to change. The threat landscape is changing, the things that we’re doing inside the organization that are addressing those threats are changing, and so we’ll be constantly needing to review and adapt those things. I hope that answered your question, Den.

Den Jones (23:57):
No, that’s brilliant, yeah. And it’s funny because I always got pissed off, I guess, or made fun of peers of mine that would come up with strategy slide decks, like five years, and they’d take months to produce these things, and sometimes they bring in one of the big four to help consult and shit and I’d be like, “Oh, my God, you’ve spent half your year coming up with what your strategy is for the next three to five years.” But the technology and the market is moving so fast that all you hear is, six months from now, that roadmap that they set out to meet the strategy is now adjusting because the market has changed, and I’m like, “No shit.” You didn’t realize the game is always changing all the time.

I would always make fun of that because my peers would come up and they’d do this big presentation of, “Oh, here’s the strategy,” and I’m like, “Here’s the strategy that you’re not going to deliver because, six months from now, you’re going to tell us how it’s changed. Is it that strategy or is it one that you’re actually going to deliver some shit?” And then they would never be too pleased with me, I guess. Sometimes I wasn’t making the best friends, but I always like to call bullshit on stuff. And one thing that you mentioned that, with any strategy, is do you know where you want to be, and then how are you going to get there? And I think the other thing you mentioned is really risk tolerance of your business. You see, we’re running businesses, and most businesses are trying to make profit, and their tolerance for spending money that gets in the way of making profit isn’t usually high. Their tolerance of reducing risk is only high if they think the likelihood of that risk is going to impact them in a financial way.

I would add a calculation for people, which is the cost of doing something and the cost of doing nothing is something that you need to be mindful of. If that bad thing occurred and the financial cost to me was a million dollars plus some negative press that I might be able to recover from, but the cost of doing something was $5 million, then I don’t know if any board is going to think that’s a good investment. I did work somewhere in my previous companies where I was talking to some security architects about something that they had recommended, and I asked them, “When you’re coming up with your strategy or your recommendation or your whizzbang magic, do you think of money? Do you think of the cost of implementing the thing and operating it?” And they’re like, “No.”

Den Jones (26:58):
And I’m like, “Holy shit. For me, you’re running a business. It’s like cost is huge when you’re running a business.” Yeah, and risk tolerance, as you mentioned, risk tolerance of the business is huge because, some risks, you want to mitigate it a little bit, and you’ll take the residual risk and you’ll be like, “I’m good enough for that.” And sometimes you’re like, “No, just accept the risk. The risk is negligible and I will eat that if it happens.”

Andrew Wilder (27:29):
Exactly. It took me a number of years in my career to generate the maturity that I didn’t get my heart behind a specific control that we were going to implement, because when you do that, you’re inevitably going to be disappointed when the business says, “No, we want the cheap version,” or, “No, we want the expensive version,” or, “We don’t want to take your advice.” I’m really there to say, “Look, I’m a subject matter expert. I’ll give you my advice. Here’s what I think we should do. Here’s the risk, here’s how to address it, but we’ll implement whatever solution you want,” and then, once you get that mindset, then you don’t get disappointed anymore.

Den Jones (28:08):
Yeah. And, like you, I learned early on was not everyone wants to spend the money that we believe needs to be spent. And, ultimately, our role is to really just explain what the risk is, explain the options, enable a decision to be made, and also enable someone to accept whatever risk is there at the end, because you’ll never get rid of any risk 100%. I think the other thing I learned early on was, when you’re looking at these programs, a new CISO has a tendency to look at the whole thing and realize you’re deficient in 10 areas, or whatever the number of areas is, and then you want to improve them all. And then the problem with a lot of new CISOs is they get caught in the, “Fancy tools will fix my shit,” and then the other thing is trying to bite off all the things at the same time and make no real progress in any one area.

I remember slashing programs and projects when I first took over running enterprise security at Adobe, and I was like, “I know we need to do it at some point, but if we don’t get these areas good enough and strong, then the rest of it’s [inaudible 00:29:30].” And for me, identity and access management, I need to know that we’ve got a strong discipline around that, plus privileged identities and secrets and … because, if those crown jewels get compromised, then all the rest of the stuff didn’t really matter.

Andrew Wilder (29:48):
Yeah. There’s two comments I have about that, Den. First of all, I love what you said about this being pulled in all directions thing, but there’s a slide that I use when I teach, and it says CISO’s Responsibility, and it’s like a mind map, and it’s in such a small font on the slide that there’s no way that you could ever possibly read it. And the point of the slide is to say, “Hey, there’s a million things that can pull you in a million directions of what it is that you’re supposed to do.”

And what I tell my students and what I tell startups when I coach them and what I tell businesses when I work with them is you can only really do one or two things really well, so do that. And then, when you’re done doing those things, then figure out what are the next one or two things that we’re going to do really well. But don’t try and boil the ocean, don’t try and do eight or 10 things at a time, because, like you said, everything’s going to be a halfway done project. Let’s get some real progress, let’s get some quick wins, let’s get some things done, and then we can go on to the next thing.

Den Jones (30:52):
Yeah. And, at Adobe and then Cisco, my teams, I probably had about nine or 10 direct reports that each one was responsible for a specific discipline. One’s directory authentication, one’s privileged identity, and so on and so forth. And I used to always tell those leaders, I’m looking for them to accomplish one big thing, and it could be one big thing a quarter or one big thing every six months, but if you’re going to tell me one big thing in a year, then you’re losing my patience, because I like to see things broken down into business value delivering things. And the result, ideally, is that, every month, one of my teams is delivering something big that the board can see.

And, if we get into a pattern of success like that, and the teams feel like they’re achieving something, and we’re challenging them, I look at it like that, for me, is what the career building is all about. It’s creating the ability for people in your organization to really challenge themselves, but then deliver something that 40,000 or 100,000 people will benefit from. And I absolutely loved when we could do that, and then, at the end of the quarter, you could have a newsletter that you’d send out to your organization, plus peers and those around you, and you’re really bragging about how well the team’s done, and that, for me, was always awesome. Time check, we’re right about 30-odd minutes here. I don’t want to take up too much of your time, but I’ve got a couple of little doozy questions.

Andrew Wilder (32:41):
Doozies, all right.

Den Jones (32:42):
Yeah. When I describe my job to my mom, I like to tell her that I’m an igloo repair man because, in California, those roles are in really high demand. How do you describe your role to people who are not as familiar with that industry?

Andrew Wilder (33:02):
Yeah, that’s a good one, and I know you told me you were going to ask me this question, but I didn’t spend the time to think about how I would answer it. This is really, really off the cuff. I think what I do is I talk to people. I think the best way to get people to understand the challenges of cybersecurity is to talk about their family. You’re a smart guy, Den. You’ve got all the wit and wisdom. If you get a phishing email, you’re probably not going to click on it. You’re probably going to report it. You’re going to do the right thing.

But, if your kids get it, if your spouse gets it, if your parents get it, your aunts and uncles or whatever, they’re probably going to fall for it, or some of them are going to. What I’m trying to do is to protect people from all the dangers that are out there of cyber attacks and phishing and things like that, and stealing your data and doing ransomware attacks. And my job is to help companies to do that same thing, to understand what their cybersecurity risk is and how they can protect themselves against it. And it’s a very simple way of saying a very complicated thing, but I think it’s understandable enough that you can explain it to your mom or whoever else you want to.

Den Jones (34:20):
Yeah. And it’s funny because I would even say, at our level, when you’re an executive in IT or security or any of these things, you’re having sometimes some fairly technical conversations, but you’re having them with an audience that might not really be that technically gifted. Some boards, as an example, they don’t know the depth of cyber. We’ve, over the years, I think, especially in business, you’ve learned to adjust the conversation in a way that people can digest it based on where they’re at and the journey of knowledge. Now you mentioned about cyber attacks and stuff, and it made me think straight away of AI and how scary I think the future of AI is going to be from a cyber attack perspective. Is that something the college system and education you guys are talking about now with students, is that something that you’re particularly worried about or what’s your-

Andrew Wilder (35:27):
Well, it’s definitely something that’s coming up. In fact, I did a keynote on this last month and we were talking about the dangers of it, and the first slide that I showed is, “What’s your number one attack vector?” Well, the audience was able to answer, “It’s phishing.” Well, when you get a phishing email, how do you search for it? How do you eliminate the other ones that have been sent to your organization? Well, you look by the sender, you look by the subject, you look by the attachment, the URL, whatever. Well, what if, by using ChatGPT or some other generative AI, I could individually craft every single phishing email to be totally different, and then you’d have no common criteria with which to search it.

And the same question came up for malware, right? If I’m looking for malware, it’s got a hash value, it’s got a certain signature, it’s got a certain behavior, all of those things. What if, using generative AI, I could create a type of malware that is constantly evolving and changing and so you’re never able to really find it and stop it? And it brought great conversation. I think the other side of that is how are we using it on the positive side, how are we using it to create documentation, to do communications, to empower our SOC to do investigations? I think there’s definitely some positive ways that we can embrace it as well. But it’s an interesting thing that we’ve let out of Pandora’s box now, and how are we going to deal with it both from a positive and a negative aspect?

Den Jones (36:57):
Yeah. Yeah. My team meeting today with our security team, we were talking about this, which is attackers and defenders are still playing the cat-and-mouse game, but it’s just going to get more advanced and more complicated, and the defenders always seem to be behind the eight-ball with the attackers. Hopefully, with AI, we can jump on that now to think of ways that we’re going to be attacked, because I think that’s it. I look at it like these attacks aren’t necessarily that complicated. A phishing campaign just needs to be 1% right and people are clicking links and stuff. And, defenders, all we keep doing is throwing other technology at it, technology and training, technology and training. And some of it works well, and some of it’s just a waste of companies’ monies.

I look at it like this AI thing, the growth of it, is like a hockey stick right now, and sadly, not the little, small gradual part of the stick, the really big, high part where it’s just going crazy. I love some of it. I mean ChatGPT, for me, is fun to play around with and leverage some of it, but I don’t use a lot of it. Adobe released Firefly, which is graphics and photo editing and stuff, and I played around with that because I’m an ex-Adobe person, and that stuff, for me, was just brilliant. My daughter’s graduation pictures were more fascinating when she added a wheel of cheese, Sgt. Pepper’s Lonely Hearts Club Band in the background, and then some alien monster, and then there’s her in the middle with her graduation shit, and it’s just like, “Oh, this is brilliant. That’s the one we’ll frame.”

Yeah, for me it’s like there’s a fun side of it and then there’s a really scary … and I think that describes the evolution of the internet just in general anyway. I think we’re on this other evolution of spike and twists, which will be scary, but fun to watch, I guess.

Andrew, thank you very much for your time. I really appreciate it.

Den Jones (39:22):
I’d love you to have the last, final word and leave our listeners with one bit of advice, one key takeaway, one epiphany that you think everyone would benefit from.

Andrew Wilder (39:34):
Yeah. I get asked this one a lot. I think the one key takeaway, the one epiphany, the one benefit that everyone could walk away with and learn from, this is going to sound strange what I’m going to say, is focus on asset management. One of the courses that I teach is CIS 18. Number one and number two controls in CIS 18 are hardware and software asset management. I like to say that you can’t protect what you don’t know about. If your landscape includes things that you don’t know about and those things are getting compromised, you are not in a good position. Go and do asset management very, very well and you’ll be surprised at how much more visibility you can get and how many more things you can address and reduce. Hope that helps.

Den Jones (40:23):
Awesome. Awesome advice. I do appreciate it. Andrew, thank you very much for your time. It’s a pleasure having you on the show. Hopefully, we can catch up in person sometime soon. We’ll need to chat offline about that one. It’d be great to-

Andrew Wilder (40:37):
Sounds good.

Den Jones (40:38):
… catch up for dinner and drinks. In the meantime, thank you, sir, really appreciate it. And, everybody, I hope you enjoyed the show.

Andrew Wilder (40:46):
Pleasure. Thanks, Den. Cheers.

Speaker 1 (40:51):
Thanks for listening. To learn more about Banyan Security and find future episodes of the podcast, please visit us at Special thanks to Urban Punks for providing the music for this episode. You can find their track, Summer Silk, and all their music at
