September 9, 2024

Episode 1 with Aaron Wurthmann: Intro to 909Cyber

In our first ever episode of the Cyber909 Podcast, Den and Aaron introduce 909Cyber, our new consultancy firm. We talk about the cyber industry and share some ideas and guidance, with some fun stories and jokes woven in.

Transcript

Narrator:

Welcome to Cyber909, your source for wit and wisdom in cybersecurity and beyond. On this podcast, your host, veteran chief security officer and cyber aficionado Den Jones taps his vast network to bring you guests, stories, opinions, predictions, and analysis you won't get anywhere else. Join us for Cyber909, episode one with friend of the show, Aaron Wurthmann.

Den:

So let's start today's session with some tunes. Yeah, just one moment. So everybody, welcome. Hey, this is Cyber909, our first ever podcast, and I'm your host, Den Jones. You may recall me from such amazing podcasts as Get It Started, Get It Done with Banyan Security. After their acquisition with SonicWall, we decided we'd start our own company doing cyber security consultancy and a few other gems. One of the gems, though, is this sister company, or podcast. So we're going to keep doing the podcast. The podcast is going to be a little different this year. We're going to do some cyber stuff, a lot of leadership stuff, a lot of other interesting things in your life. So don't be surprised if you get some other goodies along the journey of the Cyber909 Podcast. So our first guest for episode number one is one of my partners in crime. Mr. Wurthmann, why don't you introduce yourself?

Aaron:

Aaron Wurthmann, 25 years in IT and security. I had the pleasure of being on one of the previous podcasts, and Den was foolish enough to invite me back. Imagine that.

Den:

So not only invite you back to the podcast, but as we introduced the company, which is 909Cyber, actually the sponsors of today's episode. Why don't you explain your role in 909Cyber and a little bit about your background in the industry.

Aaron:

Sure. So I'm an advisory CISO at 909Cyber. I think I'm going to slip up on that name as the Cyber909 podcast goes on.

Den:

Yeah, probably. I think it might actually. Now, just so you guys all know, we're not only podcasting, but we're playing some tunes. Yeah. And this is vinyl, just so everyone knows. Vinyl is this stuff. It's a little different. Sorry, Mr. Wurthmann. So advisory CISO. So you've been a CIO, a CISO. So why don't you explain some of the companies that you've worked for before.

Aaron:

Sure. So I've worked for companies in seed stage. I've worked for Fortune 50, I've worked for retail, I've worked for software, I've worked for SaaS. I had the pleasure of working with you at Adobe.

Den:

Was that pleasure?

Aaron:

It was a pleasure for me.

Den:

You sure? Okay. For you? It was a pleasure. It wasn't for me actually. With you. With you. Oh, with me, okay. Yeah, it wasn't a pleasure at all. It wasn't a pleasure. No, it wasn't. No. That's why we're doing happy hour, so that we can dull our senses from the pleasure that that was or was not. So anyway, we do digress a little. So outside of the podcast, we've just started this company called 909Cyber. Now, we were just explaining to a friend of ours earlier that we're not very good at coming up with names. So if you can imagine, I used to name servers, as I was a server admin about 30 years ago, and I could never come up with a name for the server. That was before you had thousands of them and naming standards. I could build a server quicker than I could come up with a name for the server. So the company name: A, the domain was available. B, all the social medias were available. And C, apparently no one gives a shit about 909. So other than Roland,

Aaron:

Well, I think we need to get this out of the way right now.

Den:

Yeah,

Aaron:

It is not an area code. Everybody asks me that.

Den:

I think it is an area code somewhere. Well,

Aaron:

I'm sure it's

Den:

Okay, fine.

Aaron:

It's an area code somewhere, but that's not where the name comes from. Where does the name come from, then?

Den:

So there's a drum machine that I used to own called the TR-909, not to be mistaken with the TR-808 or the TB-303, which are other Roland gear. But the first record I ever released, the whole backbone of the tune was the TR-909 drum machine. Not to be confused with the nine nine, because apparently the accent kind of screws up the 909 thing. So yeah, we didn't get that domain, but whatever. So yeah, it was a drum machine. Oh, and the first vinyl was up there on the wall, 1994.

Aaron:

Maybe the audience doesn't know about you. Why is it important that it's 909? Roland 909, and what's the music background?

Den:

So, techno trance from 1994 was the first record we released. I think back in those days, you were tagging buildings, actually,

Aaron:

94

Den:

Or something.

Aaron:

'94. I was doing both. I was tagging buildings, throwing raves.

Den:

So one of the cool things, when you're choosing people to work with, it's a really good thing to choose people with ethics, morals, but just some level of craziness that matches your craziness. And for us, we're both music guys. We love music, DJing, the vinyl and stuff. So that's a big thing for us. The music scene, the music culture, that's always been huge. And the funny thing is, in tech, so many people we know in tech are also music technologists or into music in some way. So it's really a big theme throughout our career. A lot of the people I've met in the valley, while they're technology people, they're big music people. So it's a big thing. Peace, love, unity, respect. I think PLUR is a big one.

Aaron:

We

Den:

Busted out the PLUR from the rave scene. Some of us may have tattoos that are music related, some of us may not. No tats. I dunno what you've got. No

Aaron:

Tats, no visible tats. I think you probably... no visible ones, no visible tats. Mind your business.

Den:

So your ass is Mickey Mouse or something. I think that's

Aaron:

No mind your business.

Den:

You sure? That's for... Absolutely. Hey, we'll have the adult version of the podcast. That was a different name, but we'll do that later. Cyber909 After Hours. Yeah, yeah, yeah. We'll do the after hours one. And by the way, in the studio we also have Jerry, who's part of the team, 909's recruitment division. So Jerry, you may hear him laugh in the background. He has also got a refreshment. I think it's just lemon water though. We're not sure. So yeah, 909Cyber, we said this, so there's three divisions of it. We've got consultancy, we've got virtual CISO, and we've also got recruitment. So let's talk a little bit about each of those. Jerry's over here. So we're going to get to his shit at the end. Actually, maybe we'll let him pop his head in, but we don't want to scare you. So the consultancy stuff, we're really focused on... what, anything?

Aaron:

No, I mean I think as we've talked to clients in the last, I want to say we've been talking to clients for, I want to say almost two months now, just to feel out the market, understand what people are looking for. And what we've heard is that there's a need for practitioners like ourselves, people that understand the greater strategy, people that have put hands on the keyboard in the past, to advise early stage companies, pre-IPO companies on their security strategy.

Den:

And one thing I think is one gripe. Can we do one gripe? I got one gripe and I want to hear your gripe. So my first gripe is people who are new to the leadership role of a security organization, they go do their SANS course, they come back and they're like, we need to do the SANS top 10. And then they start spinning up programs covering all these things. They start buying tools. And then before long, 18 months later, maybe the lifetime of a CISO, about 18 months, two years, they bloody leave because they didn't get any results or they spent too much money. And the CEO of the company is sitting there with 50 million tools and they got five employees that look after these tools. I think in the tools assessment, if you do one, generally you'll find you've probably got about two tools per employee. They're not very well deployed. So the biggest gripe I got is stop spending money on shit. And for us, our ethos is, regardless of the engagement that we're going to do, we're going to also actively look to see where tools and technology have been deployed, or processes have been deployed, that aren't to the benefit of your company. So they're maybe expensive, but they're not reducing the risk, or they're not having the perceived value, or someone convinced you that that risk is a big risk. But the reality is it's probably not. That's one of my gripes. I got a lot of gripes, but that's one to start.

Do you have a better gripe?

Aaron:

Yeah, I think it's sort of related. I would say it's risk level. The company has a risk tolerance. The company has a risk level that it wants to meet, or that it thinks it should meet, in order to function as a company. And sometimes security practitioners don't align with that. And so they buy too many tools, to have a callback to your tools, or the security practitioner or the risk practitioner will argue with the business on that. And that's just a bad place to be. Both of these parties need to come to a mutual agreement on the risk tolerance, on the risk acceptance level. And that needs to be part of a conversation. And both parties need to feel like they collaboratively came to an agreement. And

Den:

I think that's it. So security organizations really need to be a business partner. Partner is the word, a business partner rather than a thou shalt. And I think the reality is a lot of technology people, IT and security, they grow up with that ego of saying, I know better than you. And yeah, I've been in engineering companies like Adobe where the engineers think we are lower than the people that serve in the cafe. So the reality is, it depends where you are, which company; your ego could be trodden on or you're the king. Well, oftentimes

Aaron:

You come up with that God complex because you had sysadmin or you had root before you became a cybersecurity practitioner or whatever. So you feel like, I have all this ability, thou shalt do as I say. But the reality is that you have to find the balance there.

Den:

Someone with the ability to put keyloggers on lots of devices and read other people's emails.

Aaron:

I mean, sometimes you got to do what you got to do to protect the business.

Den:

Yeah,

Aaron:

Yeah,

Den:

That's what he said. So I look at it, I mean, look, there's a couple of things by security professionals or practitioners. I almost see our role now as walking into organizations and actively looking for ways to make them more profitable while reducing the risk. And I don't see it as security needs to be in the way of stuff. I also don't think startups or everybody wants a program, all that shit. For me it just blows my mind. It's like, you don't need to follow every framework.

There's a lot of frameworks that have been released over the years and people will be like, what framework do you follow? And I'm like, I follow the business strategy. And from business strategy, you come up with your technology, people, process strategy so that we can help the business be successful. And I think most CEOs, most VCs, most founders, they actually are more busy trying to make profit and build a product. And until the product actually is very valuable, then in their mind they have nothing to secure. Now, I didn't come up with that. You were there when someone told us that.

Aaron:

I was. And there'll be a blog posting on it on that exact conversation soon.

Den:

Yeah, I will look forward to the blog posting. So other than that, we've got the consultancy stuff and our ethos is very clear. Our goal is to reduce costs, reduce friction, and reduce your tolerance for spending a shit lot of money, I think, on security. So there's risk, there's friction, there's money; reduce those things. Now on the other side of the business, virtual CISO, we actually started off thinking, hey, we're going to attack the virtual CISO market. The thing is, you spend a lot of time talking about the differences between a fractional and the virtual and the real CISO. So why don't you share just a few thoughts on what's the difference and why would maybe people want to call us to get involved there?

Aaron:

Yeah, I think the funniest thing we heard during all this, because we've talked to a lot of different people, and some of those people are marketing people, as you expect when you start a new company and you want to understand the terms that are being used. And one of the things that we learned, I learned this, I think you learned this too, is the difference between virtual and fractional CISO is the SEO. That's the difference.

Den:

Probably. Yeah.

Aaron:

Yeah. According to the marketing folks that we spoke with,

Den:

That

Aaron:

Is

Den:

The difference. The SEO,

Aaron:

Did you know that, Jerry? That's the difference.

Den:

That's the difference. So the SEO, I dunno if you know what SEO is actually. Do you know? I didn't know. I didn't know. So SEO is the search. When people search for stuff, it's the search results. So what search is more common than another search?

Aaron:

Search engine optimization.

Den:

Okay, see, this is why he's here. That's why he's here. You and I have no idea. Don't worry about it. We're just here for the drink. He's here for the intelligence. So this is the wit and the wisdom. Just to say, by the way, Steve Watson, on my old team, he came up with that term, so I will always use it because I respected that guy and his jokes were as funny as mine. So sales update, something like that. Yeah, something like that. So I did have, one of my friends in Europe, he threw a whole article on LinkedIn and I've still not read it, but I got a sneaky feeling that a fractional CISO is one individual and they split their time across many companies. I think a virtual CISO is more likely a group of people, possibly. And they split their time across many companies. So I don't know. I've also seen people who said, we don't give a shit.

Aaron:

That is what I heard. It's a marketing thing. That is what we have heard from our clients.

Den:

What we did notice though in our conversations was, you talk about virtual or fractional or CISO, the terms don't matter. You spend more time explaining what the term is before you get to the point of, hey, we can help solve your problems. I mean, at the end of the day, what we were saying is, look, we're executive leaders, we know problems. We've seen them, we've got the T-shirts, we can help. And that was never shining through. And the website, like the 909Cyber website last week, was more confusing. By the way, this is going to launch about 909. So I'm saying last week as in the week we're taping it. So this week you go to the website, it's very confusing. It's not very clear on the problems we solve. So as we get into next week, it's going to be a bit clearer. But the reality is, for the consultancy, for the virtual CISO stuff, it's all about us delivering products

at that quality that I think people expect from accredited stars like us and our team. So if we say so ourselves. If we say so ourselves, yeah, yeah, we do. We do. We didn't last at Adobe for all these years for no good reason, and there quality mattered. So ultimately we are not billing by the hour, we're billing by the result. One thing for me, when I was leading teams, I'd bring in consultants and I'd be getting these hourly bills, and the reality was, I just want the result. Tell me how much for the result, at what quality. And then we're good. So now recruitment, because Jerry's sitting there holding his tongue. He's very enthusiastic. Taking notes. He's taking notes. Holy shit. So Jerry's on board, executive from Adobe, executive from Zoom. I don't know if you want to poke your hand in or not. I mean, oh, there's Jerry.

There's Jerry. There we go. So yeah, he's here, really is here. So Jerry's partnered with 909Cyber. He has his own firm, but we're going to partner together. And I think the difference that we are able to offer in our partnership is the ability to turn around and say, look, when you want to engage with our recruitment firm, we're going to be in a position where we are working with our practitioners so that as the recruitment team engages with clients, if they need us to help build a job description, if they need us to reach into our network, remember we've got a network of thousands of CISOs and thousands of practitioners. So we know people that are looking for work who have a job. You might not know that, but we know that. And we know people who are good versus the ones who can bullshit their way into a job. We know

Aaron:

People with high say-do ratios and people with low say-do ratios.

Den:

Yeah, yeah. Now say-do, so that could be a new term for someone.

Aaron:

So

Den:

I'll say it but not do it, or say it and do it. I mean, you want those things to be... even in Scotland we'd say walk the walk and talk the talk.

A lot of people talk the talk and they're full of shit. I look in the mirror sometimes, I got that, but I also deliver results sometimes. Actually I don't do shit. People that work with me deliver results. That's why he's here. So the reality is, we've all encountered those people. And actually, famously in Adobe, our CIO years ago, with an HR executive, suggested that I should not trip up candidates in an interview, because I famously, long before you joined Adobe, Jerry, famously tripped up a candidate and said, you're lying, to the candidate. Wow. Yeah, I did. This was about 2003, but I was really well known for being someone that's like, I can read people. So I was really pretty well known for like, yeah, you're lying. I dunno if you mean to lie, but you... They complained to HR after the interview, and needless to say, HR and the CIO had a conversation with me that went along the lines of, you shouldn't say that. And I said, okay. But then I followed up with, I also don't need to interview people in other teams in IT if you don't want me to.

It wasn't my team. I was doing someone else a favor, and I have to do that? I read my job description. It doesn't say that. Oh my, did you really? Yeah, yeah. Didn't give a shit. I didn't give a fuck. I mean literally it was like, hey, do you want me to interview or not? And I think the reality is, now, by the way, just so you guys know, I'm way more politically correct now. That was the year 2004, Jerry. This is 20 years later. This is a refined Mr. Jones. Could you imagine the 20 years ago me? I would stroll in with flip flops and soccer shorts and a soccer T-shirt. And I'd be like, what's going on? My ego was bigger than this ego, trust me. And this one's pretty big. So yeah, literally I didn't give a shit. I was just like, you're lying and you're wasting my time. That was it, done here. Wow. You don't want to hear my vendor management stories. They're worse.

A lot better now though, but way bad then. So anyway, the recruitment thing, I'll probably not be involved, but I think the reality for us is we have the ability to not only have practitioners engage as part of the recruitment cycle, but we can also work with the clients on building the right job description, what really matters. And then the other stuff is we reach into our network. We have got thousands of people in our network that reach out to us on a regular basis, and we'll build a database of candidates, of people who are not looking but are looking. So you get a lot of them. I've had a lot of them call me in the last two months. You know who you are. Well,

Aaron:

And I think the important thing there too is that when we engage with a client, we're not going anywhere. We're there for the long haul. So let's say we engage with somebody seed stage and we start their program with them, and then they progress to A, and maybe they need to start thinking about their SOC 2, and they progress to B, and they maybe need to start thinking about their ISO 27001, and then their C. And maybe then they're thinking about bringing on their actual staff. Maybe then they're thinking about the CISO, or maybe they're thinking about a security manager or something like that. We can help with that process. We're there with you throughout your maturity stages. We're there with you. We're not going anywhere.

Den:

And at most startups as well. So just focused on that demographic for a minute. Most startups, they need people the minute they get funding. They need people now, they got the funding. Actually, every company I've ever been in and worked with, the minute the budget's approved, all the spending starts, and then they get towards the end of the quarter and they're like, oh, slow down. Don't spend too much. So I think the big thing for us is we recognize that a client that calls us, they've just had their funding round, they've got a sense of urgency, they want it now. And the good thing about that is actually we have so many people in our contact list that we know everyone from interns to CISOs. It's

Aaron:

True. And we have

Den:

That are either looking for work or they're in a great job, but we know them personally. So they might be tempted to bail.

Aaron:

I'm glad you said that. We absolutely know students. We know students that are looking, so interns or students that are just starting their careers, and then folks that maybe want to come on part-time, or folks that want to get out of their current job.

Den:

And CISOs who are sick and tired of being CISO and actually maybe just want to be advisors. So we got the mix, we got the blend. So I know, I don't even know, because from here I can't see what the time says, but I'm sure we've been talking for a little bit. Let's cover a couple of things as we wrap up. So recently there was a breach, a data broker got breached, just one breach. Well, there's been a few, but let's pick on the one where all the people in America got their social security number stolen and a bunch of other data. So if you were going to give advice, let's say this is just for the American audience, I know that we're probably the third best podcast and who gives a shit, Bill, but for the American people out there where this matters, what advice would you have for them and what can they do to protect themselves?

Aaron:

So as somebody whose data has been breached a few times, you have to sort of start with those credit companies, the three:

Den:

Experian, Equifax, and TransUnion.

Aaron:

Yep. Start there. Go freeze your credit reports. I'm a big fan of doing that on a regular basis. Subscribe to some app or service free, preferably, I'm not going to shout out any names, but subscribe to some app.

Den:

Not until they sponsor the podcast.

Aaron:

That's true. Call me, call us, call us. We'll shout out names if you call us. And track credit inquiries into your credit reports, that's important. And then on top of that, let's see what else you got. You got freeze. You got track. You can also go to, there's some government websites for identity breaches and you can follow the steps there. Maybe we'll drop a link.

Den:

Yeah, we can do that.

Aaron:

We'll drop the link to that.

Den:

We've got the Have I Been Pwned website. Have

Aaron:

I Been Pwned. You absolutely have to do that.

Den:

That's a fun

Aaron:

One. Everybody has to do that.

Den:

Now we are also about to release a little booklet on personal security. So we're about 12 pages in on that one. I think it's going to be about 20 pages by the time we're done. We'll have that released in the next couple of weeks, I hope.

Aaron:

We cover all of that there. When he says pages, it's because we're going step by step. It's not because it's like, go do this and then 1, 2, 3, 4, 5, 6, 7, 8. It's not a hundred things to do. It's just because we are being thorough. We want to make sure that

Den:

We cover certain topics, from password managers to freezing your credit. One thing there is, how do you know? How can you spot someone's trying to scam you, spot a scammer. So what do you do there? And it's targeted towards the normal person that doesn't do this shit for a living.

So like my mom or Jerry? Yeah, my mom or Jerry or some of our salespeople might be able to read this and ideally understand it. Because I think the reality is enterprises do security training a lot, and a lot of it is for compliance; they have to do it. But the thing about compliance is they're not prescriptive on what has to be in the training. They'll call out some stuff, but the reality is, I learned at DEF CON about 10 years ago from some woman social engineer in the Social Engineering Village, which is my favorite village there. She said, train your employees on how to look after themselves, their family and their friends. They will take that back to work. So at Banyan, when we were doing security training, our onboarding training was actually about your personal stuff. The annual training was the other nonsense that we could track with HR, but it was pretty scaled back.

Aaron:

Yeah, since you told me that story, I have

Den:

Gone to the village.

Aaron:

That's true. But also I've adopted that as well.

Den:

Yeah, it's good. I mean, it's really good. Now we're going to leave you guys with one thing, the unicorns behind us. We know there's bloody unicorns. We know there's a unicorn in the logo. What we want you guys to do is tell us in the chat thing somewhere here. Oh no wait, it's there. I know. Whatever. They put that shit in by the time they record this. Tell us in chat why the unicorn might be in the logo. Thank you very much. Everybody have a great week. 909 day is round the corner. Hopefully that's the day that this drops. And thank you very much, guys. We'd love your feedback. This is the first ever. We got the next one recorded next week. We're not going to blow the surprise on who the guest is, but it's going to be a fun one. And he actually swears a shit lot more than me. Impossible. Thanks, guys. Peace out.

Narrator:

Thanks for listening to Cyber909. Subscribe wherever you get your podcasts. And don't miss an episode of your source for wit and wisdom in cybersecurity.
