0:00
and hello everybody you're very welcome to a new episode of Redefining CyberSecurity here on
0:05
ITSPmagazine I'm Sean Martin your host and if you listen to the show you know I get to talk to
0:12
all kinds of cool people about cool topics and never a dull moment in cyber of course and to me it
0:19
always seems it boils down to telling a story whether you're telling a story to your team as a
0:25
CISO trying to inspire them and empower them and to enable them or you're telling the story
0:30
upwards as a SOC analyst to the CISO or the CISO up to executive leadership team it's about
0:38
telling that story with and without numbers with and without data with and without pictures but
0:44
in a way that connects and hopefully the idea that I believe is to drive some action right
0:50
any budget change how you look for you threat hunts change how we build products and deliver
0:57
services to our customers always about taking action and as the show is inspired to do by me
1:04
hopefully is done in a way that the business does it safely and protects the revenue and market
1:09
growth that it generates so with all that said I'm thrilled to have good friend Josh Mason on how
1:15
are you Josh you Sean I'm doing great it's good to see you my friend yeah and it was a nice
1:23
treat to connect in New York City at BSides oh yeah yeah it was it was a good good event we spent
1:31
quite a bit of time hanging out together and meeting people and chatting with people and and
1:36
Huxley Barbee puts on a good event there for sure oh yeah agreed thanks
1:41
for letting me basically take it your whole day and that's one you didn't you didn't take my
1:48
whole day we enjoyed the day together and yeah it was fun cruising around saying hi to folks and
1:53
and here I'm what was going on and I was the the inspiration to have a chat and connected to
1:59
storytelling yeah one of the other things we got to talk about is speaking security with a
2:04
business accent I kind of like how you spend that there we we talk about language
2:10
of security to the business or language business language and security and trying to make
2:14
that connection but I like the accent because it it's the same thing it's just connecting and yeah I
2:22
don't know I want to get your perspective I can have some ideas but before we get into it though Josh
2:27
maybe a few words about what you've been up to and what you're working on these days yeah so right
2:33
now my day job is leading federal sales at act where we sell pen testing and I'm on the federal
2:42
sales team so to the federal government pen testing at scale supplementing in-house penetration
2:50
teams but I'm always busy doing a lot of other things it looks like you have pointed out I run
2:58
a nonprofit new village where it's I call it the tutorial version of DEF CON or the on-ramp of
3:06
DEF CON and we had our first year this past August and that went swimmingly and had a meeting
3:13
last night we're already prepping for the submission which we won't be submitting until February but
3:21
we already have our ideas put together of what we want to do for this next year and yeah
3:28
but I've got an Air Force pilot and several for a background and grabbed an MBA along
3:35
the way and then finally got into cyber and so I I look at things and think about things a lot
3:40
different than a lot of other folks that I work with what I've learned yep yep which is
3:47
which is really cool and I mean you're you're a busy guy I know you're you're at a lot of
3:52
conferences you have a lot of conversations with folks and you give back tremendously to the
3:58
community which I'm sure people appreciate who are the beneficiaries of the work you do
4:04
yeah so all the good stuff you do for for the the community tell me tell me Josh what
4:12
you have a book that's that you put together kind of tell us what that's about and kind of the
4:17
catalyst for why you decided to write the book yeah I was giving some talks this past spring
4:25
and kind of things that I've learned from translating my what I've learned in from being a pilot
4:36
to some takeaways that I think a lot of cyber security folks can can utilize upwards communication
4:43
things along those lines and I I've recently identified that I'm autistic and for me a manual
4:52
that tells me how to do things is quite helpful and so in working with other people a book like
5:00
Dale Carnegie's How to Win Friends and Influence People and then books like The Phoenix Project
5:06
and The Goal which show how do we tie in the work that we're doing in one department with The Phoenix
5:13
Project in IT and then cyber security how do we tie that into what marketing and finance and operations
5:21
are doing ends up creating a everyone hates the word synergy because it's not the 90s anymore but it
5:28
does it creates this holistic everyone's trying to meet the mission mindset and that's what I'm
5:37
used to from the Air Force didn't matter where you went on base if you knew it was a a base where
5:45
you've got planes that fly in the end everyone knows that they're part of that mission of moving
5:52
things or you know planes getting off the ground even if they're a guard at the gate they've got
5:59
a thing to do but part of their job is getting things off the ground so I had been giving talks
6:06
along those lines of if you want to have your penetration test results your your report have some
6:14
impact knowing that I was going to a conference with a bunch of penetration testers I decided to
6:20
Dale Carnegie principle speaking in terms of the other person's interest pen testers speak of
6:26
pen testing if you want your results to be useful and be taken and utilized rather than having the
6:33
same results year after year after year can we frame things in our executive summary so that
6:40
they make sense about the business because the vulnerabilities themselves and how you write those
6:46
up I'm sure they're going to be useful for the engineer who will work on them and they'll be
6:52
technically sound so that if they get to a DevOps person they'll be able to fix it however
6:58
are they going to get prioritized are they going to get budgeted are those things going to matter
7:03
and how we write the report can help the team who is paying for and receives that report and
7:12
if they can then take that and pass it along so that it becomes effective on its own we as there
7:20
you know the pen tester can be part of that process and using that framing for the overall idea
7:29
for those talks kind of was the catalyst because at the end of the talk I presented a lot of these books
7:35
a lot of these ideas a lot of the concepts of how do we frame things and put them in those terms
7:41
and they said well this is great I've got some good notes but what else do I do and that
7:49
kicked my brain into gear and I went I guess I need to write the book and so I went home and I did
7:57
that I just just like that well I have the notes which is yeah what I guess that it's an
8:07
interesting good good point and that you have the knowledge right it's not just going and digging
8:13
up a bunch of stuff and pulling it together you have you have the knowledge and the experience and
8:18
and have had these conversations on these presentations I'm sure speaking with folks after you
8:23
present they validate some of your thinking they they probably share some of their own stories
8:28
which connects you to their business to confirm that what you're saying actually can translate and
8:35
fit into an organization's program so tell me so you when you're giving the example of pen testers
8:44
and pen testing and and that is the book it's not specific to pen tests right no so so who's it
8:53
for kind of give me the structure of what's in there and what people can find yeah I really liked
9:01
the way The Goal and The Phoenix Project and The Unicorn Project were written in that they share
9:07
principles without being boring they are not textbooks they're fiction they're literature there's
9:15
a story and a plot and a character and I went I that is not my strength but I do have my undergrad
9:25
in humanities and it's 2025 so with a you know $20 a month editor to help me out with this dialogue
9:36
stinks please help me make it better page by page by page actually made a pretty decent story
9:43
of a CISO at a company who realizes that their team is ineffective in communicating with one
9:50
another is ineffective with communicating upwards and outwards and shares principles with both the
9:59
team with colleagues with the board and then eventually outward as ironically I don't want to give
10:06
up the plot as as their career grows and they face new challenges taking it beyond their organization
10:14
realizing that they get to grow as a leader as well so multiple learning points there if you've
10:21
read Dale Carnegie a lot of the points and you've put those things into practice a lot of it is going
10:28
to look very familiar if you've studied for an MBA a lot of the things are going to look very familiar
10:35
but the context for it might seem obvious and yet everyone that I've spoken to that's in a
10:45
leadership position that I've presented it to they go wow this I want to make my organization look
10:52
like this and that's one of those things that really makes me smile to hear I love that and without
11:01
giving away too much are there attributes or actions or other elements of security operations
11:13
programs say that you highlight changes so don't I don't want to give away the secrets but are there
11:21
yeah there are things that that you helped say yeah to your point if you if you write your
11:27
documents this way or if you build your your program this way if you hold your meetings this I
11:32
don't know how I'm making stuff up here but what are some of the things that you highlight
11:37
those areas for your potential improvement there's a little bit of tactical level presenting
11:46
some tactical ideas for options but nothing is you should do it this way it's we could do it this
11:56
way this way this way this way and we should choose it based off of what are we trying to achieve
12:02
as an organization both as our security organization but the security organization isn't an
12:11
end in itself sorry throw on some philosophy because that's my minor from undergrad
12:20
that's you Jay I know yeah so I was a safety officer as my first additional duty as a co-pilot
12:29
once they were cool you can land the plane you can take off the plane you can do all the things
12:33
that you're supposed to do as a co-pilot and now you need a job to do in the office because everyone's
12:39
got to have a job job to do when they're not flying which actually makes up 90% of your week so
12:45
I went to a safety school and I studied aircraft crashes mishaps it was a bit of crying a lot of
12:51
listening to black box tapes and seeing recreations of the crashes and knowing actually some of the
13:00
people involved and then going out to sites and seeing how an investigation would occur and knowing
13:07
how to manage a the whole process from a soup to nuts and then going back and being in charge
13:13
of a safety program for our unit and anything from a guy riding his motorcycle home from work one
13:20
day takes a curve wide and shatters his ankle and has a ground mishap that I have to file
13:29
because that counts under safety to bird strikes which happened way too often usually with no
13:36
issue but there's always the eagle over Arizona that goes into an engine and now we have to
13:43
it was a mess then he got to somehow get a new engine to some random airfield in Arizona and you
13:50
don't think that that's going to be a big issue but birds and engines is not a good thing
13:54
planes can end up in the Hudson and so with that while your mindset is on the worst case scenarios
14:03
that's not what you focus on all the time you do the work so that then everyone can focus on the
14:09
mission so it was never oh hey don't forget don't don't hit any birds instead it was we all know
14:17
that there is bird migration season and birds fly often at dusk and dawn and at these altitudes and
14:26
there's a lot of mission mitigation to take into effect and if you fly close to other
14:35
planes you fly close to the ground where you fly faster or slower in bad weather all these things
14:42
are less safe sometimes you have to accept safety for the mission or risk for the mission but
14:49
you're aware of it and then you make the mission happen and in the end flying becomes one of the
14:57
safest things it is the safest form of mass transportation and in the Air Force it is fairly safe
15:04
in the big scheme of things so in that same sense now take that to security
15:12
there is the mindset of don't get breached don't don't let your someone get your passwords don't let
15:18
someone get into the system and oh no we can't possibly have this be the situation we can't
15:26
possibly let this be the rules we couldn't possibly have that software or wait on this patch
15:32
because of the risk it's like well no that's not the case we now please inform us of the risk
15:40
let us know what the risk is let's be aware of the risk and let's not make the risk let's not
15:48
fear action thinking that we're all going to crash and die because otherwise we would never
15:54
do what we do so in that same sense excellent now we know now let's do the mission
16:00
and that's if we can frame things in that mindset and then now understand cool if we're going to
16:08
do this that in the other four of the business okay we want this to be the priority okay then let
16:15
me help if market share if this quarter we are we're coming up on Thanksgiving and Christmas if
16:23
it we're a retailer I'm pretty sure the big focus is going to be making sure that the website stays
16:29
up that shipping goes out that payment information is able to go through if I work in security for
16:37
a company that's a retailer then my focus is going to be on making sure that I provide all those
16:44
things to the organization as number one because I know that's what their focus is and so how can we
16:51
as security in the organization make sure that those are available for the rest of the organization
16:58
and yes we'll also make sure that we don't get breached but where's our biggest risk and what are
17:03
we most concerned about right now yep yeah I mean you know the birds are there he got he got to
17:11
got to be prepared so how in telling your story of analyzing incidents and
17:22
and funny I just use that word I was gonna say crashes but I use incidents because it sounds like
17:27
more than just crashes how because not not everybody who's flying gets to do what you did there
17:35
yeah but you brought back that understanding in a way that helps the team understand what you saw
17:43
and heard and watched and analyzed and and take that to help them not think about it all the time
17:52
but be understand and be ready for what might happen and I'm just trying to think connecting to
18:00
security things I know we spend a lot of time looking at kill chains and building playbooks for
18:05
response and and running pen tests looking for weaknesses where some of the stuff of a bird hits
18:12
here it's gonna do this bird hits there it's gonna do that but do we do a good enough job
18:19
doing the post-mortem of breaches and we don't really share that information much right
18:26
so it's really hard to look look back at and say here you're the most here the 10 most common
18:33
ways companies are getting breached through phishing ransomware or whatever it is and here's how
18:39
they responded and and here's what we can learn from that that's that's our risk that's what we
18:43
have to know and it's live and breathe and feel right it's tricky with aviation obviously the
18:54
FAA got put in charge of all of that and the NTSB National Transportation Safety Board and
19:04
back in before the the biggest crash biggest airline crash in history was in 1977
19:11
to Gujigapa in the Azores two 747s ran into each other on the runway because of
19:17
one couldn't see the other one and air traffic control cleared one while another was still
19:23
on the runway crossing and since then a lot has gone in to stop and it's like that from happening
19:30
again now that was hundreds of you know individuals lives we in security in cyber security we
19:42
have big issues CrowdStrike affected a lot of people SolarWinds affected a lot of people
19:48
I'm thinking back to some of the biggest worms and malware that stretch across the globe affected
19:54
a lot of people however the body count is one of those things that overall governments haven't
20:03
gotten to the point where they've decided okay we need to really strictly have something watching
20:09
over this and managing it there are things in place such as the FBI things along those lines so in the
20:15
end what you end up with is we have some organizations like MITRE Verizon
20:24
Mandiant who collect the incidents that they're tracking the incidents that they manage the
20:30
incidents that they know about and put out trend reports and those are very helpful overall to
20:37
the rest of us and then there's the the blogs and the cyber threat intel that's available
20:46
openly and then paid for and that's also helpful and in the end i think that we do have quite a
20:53
lot of that information that we can work with if someone if an organization is willing to
21:02
open their eyes and look for it it's there so yeah i think we do do a pretty decent job of it
21:08
i would agree that we have we have a lot of data to review and analyze and ingest and
21:17
and take into our program i'm wondering are we are we making the most of that though and then
21:26
yeah i don't know maybe i don't know if it's the the creators of the content and the
21:31
research that i wonder they yes it's there but is there is there enough done to actually
21:39
create a safety team if you will in certain security using that data or is it on their
21:45
shoulders to do what you did and then bring it in to the organization I think it comes down
21:53
a lot to individual responsibility in the organization and i think in the United States at least
22:03
there's going to always be that sense of it is out there and available forcing organizations to
22:14
utilize it I don't think will be taken well I couldn't imagine it being a very
22:22
popular motion i mean even things that are are popular right now aren't popular right now
22:30
you know what i mean facing this past month so it's i would love to see things like that seem
22:39
obvious like that put in place i just i think it is going to continue to come down to the to us
22:46
helping to educate and lead our colleagues to understand and then educate and raise others in
22:55
the industry and in the community to have that mindset and in that way we might be able to make
23:01
that change better than hoping that something happens from above yeah yeah i'm always hopeful that
23:11
that we we find that path to to do more and do better and make that connection i want to
23:18
as we begin to wrap here I saw a post the other day and I commented on it it was not a cybersecurity
23:23
post i don't even think it was a technology post it was a just a general be a good person
23:32
in the business post and it was it was really about
23:35
I'll include a link to it if I dig it up again but basically the author she said
23:43
i spent so much time making sure i was extremely accurate and always right in my
23:53
driving of things with my team that i ultimately alienated my team and those around me so
24:04
I was always right but it didn't matter because I couldn't get anybody to listen to me because
24:10
I was focused on being right and I bring that up because in the description of your book it
24:16
says security professionals are tired of being technically right but strategically ignored
24:22
and I think it comes back to two things right the story what do you are you spilling the
24:30
feeds and speeds and numbers and digits or letters or are you focused on
24:38
telling the story that impacts the business and are you doing it in a way that it isn't
24:44
look how smart I am but in a way that says I'm genuinely concerned with the business so
24:52
you're given the the post that i saw about focusing on being accurate all time and kind of losing
24:58
losing the connection and the relationships how does that relate back to the book and what you're
25:02
trying to say there yeah that's it's very poignant can often because we focus so much on the
25:10
technical lose the forest for the trees and people but that's not the secure thing to do or that
25:19
doesn't fit what the model says or that isn't the best practice and that might be true
25:28
but it also again comes down to that isn't necessarily our decision to make unless it's our company
25:36
unless you're the CEO you're the buck doesn't stop with you and so yeah but there's i recently saw
25:44
a reel a short a TikTok I don't know I probably went across several of them it was in response to
25:50
one if if you're paralyzed by it actually paralyzed in an action by focusing too much on trying
26:01
to make the right choice you're stuck in a fight-or-flight mindset and the follow-on to that
26:10
was and that was from a psychologist or a sociologist and i think too often that's accurate
26:17
for cyber security well what what is the right thing to do it's like well there might not be a
26:22
right thing to do there might just be a best thing to do and the best thing to do is going to be
26:27
based off of what is the mission yep it's funny i was just going to say the right choice may not be
26:34
the best choice and the best choice might not be the right choice and that they can all be true at
26:38
the same time the the fun response to that was we'll reference back to the first iron man movie
26:46
in which Tony Stark he's building out the Mark Two in his mansion in you know in Malibu the
26:55
Mark One he built in the cave so he could escape and you know one flight got him out of there
27:01
you know he survived the cave got away from the captors the Mark Two was able to you know fly
27:09
and he takes it and he it is not finished it is a prototype that he you know can fly
27:18
and his AI system says okay you shouldn't do this cool you flew good job now you should land
27:25
and he goes okay excellent great let's go up into the air and he flies over LA and he goes up to
27:31
58,000 feet or 85,000 something like that he goes up into basically space and he freezes up
27:38
because the suit's not made for it and then he finds out okay the suit is not made for that
27:45
and it ends up being the pivotal piece that sorry if i'm ruining a 20 year old movie for you
27:52
it ends up being the pivotal piece that that's how he wins in the end beating you know the other guy
27:58
is because he ran before he walked he decided i need to do this thing before i sit and figure out
28:06
what it would be all the perfect stuff before i get on the spreadsheet figure out all the specs
28:10
and features build it get to a certain point MVP go fly it try it see what features stink or
28:18
are good and then iterate and sometimes we just need to do that DevOps is happy to do that
28:25
but security we're oh no we can't possibly do that we have to have it all figured out
28:30
well take something from DevOps know that you can have a 2.0 and a 2.1 yeah yeah yeah that's an interesting
28:41
point i didn't i don't know the movie for sorry for those who might judge me for that but anyway
28:46
as you're describing that i'm just thinking if you're if you're entering that space against the foe
28:54
and you figured out that the suits the issue and the and the foe didn't
28:59
and you can survive in that environment and the foe can't that that i don't know if that's the
29:04
story or not but that makes me think about security if you can create an environment where you know
29:09
what it takes to survive in there and the the bad actor doesn't know it and they can't
29:18
maybe maybe that's a maybe that's a strategy i don't know what that means but anyway
29:21
you just think across my mind and i have just the way of saying things that come to my head
29:26
my head anyway so there you go yeah in the in the movie you know he's got this suit
29:33
and he ends up fighting another guy with a very similar suit except the other guy's suit is
29:39
well-engineered for battle and beats him up pretty badly making a lot of mayhem all over LA and
29:46
he finally realizes you know what i'm not gonna win this against one-on-one so he takes off
29:52
and he's in you know the 2.1 version and he's going up and up and up and up and up and up and
29:59
he finally asks so what did you all do to deal with the icing and the other guy says what icing
30:06
and the other guy freezes up and he doesn't and that's how he wins the battle
30:12
there he goes and yeah is there a perfect analog i i don't know but it's we can't let the
30:19
the takeaway should be that inaction for perfection's sake isn't going to get us anywhere
30:26
i love it well josh i mean we can we could take this all kinds of different ways kind of like we did
30:33
we were hanging out in New York at BSides
30:36
just chatting and then shooting the breeze and always good to see you my friend we're going to leave
30:41
it here the book is Speak Security with a Business Accent How to Communicate Cybersecurity Concepts
30:47
Clearly Ease Friction with Stakeholders and Influence Decisions sounds like a good book my friend
30:52
i will say thank you for for sending me my copy i hope to grab that soon when i get back to where
30:58
you sent it and while i have a good read of it i would encourage everybody else to to do the same
31:04
grab a copy sounds like a good team book for teams to read together and and maybe there's
31:10
some activities or workshops teams can do after they read certain parts of this I'll
31:16
include links to the book so people can grab that obviously you're on LinkedIn so people can
31:21
connect with you so thanks again Josh congratulations on the book thanks Sean take
31:26
care and thanks everybody for listening and watching this episode of Redefining CyberSecurity
31:32
here on ITSPmagazine please stay tuned subscribe share with your friends and enemies and if
31:37
we have a story you want to share about how you run your program and how you're seeing some
31:42
benefits let me know love to have you on the show and I'll see everybody on the next one