Rolando Rosas 5:19
and it would seem to me that if you’re looking at the transition from, let’s say, the late 90s to the early 2000s into today, that the technology at hand, to whether it’s nation states or even well healed cyber criminals, is way more advanced. You add the AI component, you add servers that you can virtually connect to around the world and launch an attack the bank robber coming in. Boom, boom. Boom is old, right? You’ve got a whole arsenal available at the fingertips of somebody, whether they’re on a cell phone or using virtual computers to launch these attacks.
James Morrison 6:00
Well, that was kind of the growth of it, right? So if we think about the growth of the internet, unfortunately, also fueled the growth of internet crime, you know, I mean, I can, I’m old enough that I can remember, you know, dial up, right? So we would dial in, and you get lucky if you got 9.6 you know. And that speed somewhat restricted the ability of me to do a lot of malicious activity. I wasn’t going fast enough. But as our as our individual connections got faster, and then the interconnection between servers and between, you know, sites got faster, increased the ability of somebody to actually launch an attack against a company our country, you know, outside of their area. And I think what’s also, we have not reacted fast enough in our tool growth. So if we think about, you know, talking about the 90s, there really wasn’t anything. So one of the last things I did when I worked at Lockheed Martin in 96 and 97 was we were creating a firewall. DMS, what we would now call a fire firewall. DMZ, where you’d have firewall two firewalls back to back, with a area in between. There weren’t many firewall vendors at the time. So in the late 90s, the 2000s that’s everybody was, it was, it was a little bit of endpoint products companies like McAfee and Norton and stuff like that. Few firewalls like, you know, Sidewinder and, you know, Palo Alto. But I think what we’ve seen in the 2010s and especially in the 2020s is this massive growth of technology. And I think that’s the problem I’ve that’s where, why I’m at, where I’m at is that companies don’t always know how to navigate the 4200 4400 vendors that are out there. And so I try to provide a little bit of that assistance to say, hey, at the end of the day, these technologies, this, these five technologies, aren’t any different. It’s just how they’re implemented and how they’re supported.
Rolando Rosas 7:50
You’ve dealt with cyber criminals, or at least going after them or trying to investigate them with AI at your fingertips, and that 4000 plus vendors are out there for our security products, I would imagine their vulnerabilities in all of them at some point, and with AI, you can massively scan do things that a single individual couldn’t do. Now you add two or three or four or five or team of of a cyber criminal ring that’s using AI to look for these vulnerabilities. Talk about the speed of being able to launch an attack on a massive number of products at scale. Well,
James Morrison 8:28
and I think you’re right on it’s about speed. So in the olden days, if I was, when I was as I’m an ethical hacker, was trained as an ethical hacker, I had to actually sort of ping my way through the network a little bit and nibble at the edges of the network to identify things like what operating system is running on this server. You know what ports are open on that server? What’s behind those ports? So this was a very slow, methodical, manual process, but now with AI, especially AI that’s attached to the dark web, and we see things like worm GPT, that product allows me to automate this whole thing. So now what I would do is I’d go into worm GPT, and say, I want you to look at the server that’s at IP address, whatever, and identify every everything you can about that product, including version software that’s running behind it. And I say, go and I allow my AI engine to generate the code and go out there and pull all that information. And then after it does that, which is probably pretty quick, I get, I get now to look at the number of vulnerabilities that already exist on that environment and pick which one I want to exploit.
Rolando Rosas 9:37
So you’re saying something used to take days or weeks or even months to figure out the exploitation could take seconds or minutes with one person. That’s,
James Morrison 9:46
that’s what we’re seeing is, is that the speed, and it actually was upheld last the Verizon data breach report for last year said that the vulnerability exploitation tripled last year. And I think unfortunately, that means that that’s, that’s the path. Going forward is it’s not just about phishing and passwords and that kind of world. It’s increasingly becoming about what vulnerabilities exist in your market or in your environment, and how long does it take you to patch them? Generally, people are it takes them between 60 and 90 days to patch a vulnerability once a patch has been applied. Well, if the criminal is able to exploit that in minutes or hours, is that fast enough? And that’s the question that we have to start asking ourselves
Rolando Rosas 10:27
and with with that happening so fast, I can imagine you can talk about this, how there’s companies small as well as large, they may not even have the right people to be able to keep up with, you know, mind you all you, you know, the laptop requests for trouble, tickets and everything else that you get as an IT person, or you’re managing a small company, and you get, you know, all these daily operational things and the criminals are working in the matter of seconds where we’re working in, you know, days and even weeks.
James Morrison 10:59
Well, this is the this is the problem we have now, right? So it and security should be separate functions in a company, right? And most companies haven’t reached that level of cyber maturity yet. They still want to take the cyber security and put it as part of the IT function. But to your point, what that means is that if I’m a if I have responsibility for monitoring, let’s say my firewall logs. But at the same time, I have to handle the day to day minutia of provisioning laptops, doing password resets, um, you know, setting up, you know, office accounts, whatever I’m security, will always fall to the wayside. If you have to, you have to be very clear about assigning somebody to be in charge of your security, and that’s all they do. And I think that’s where companies, especially because of that kind of lack of of manpower, if I have four IT people, I can’t take one person and make them a night, make them a security person stand alone. But that’s why the growth of things like virtual CISO services and managed security services. I need to have somebody who has the expertise in a particular technology, who can install it, manage it, and then allow me and then alert me if I need to be, you know, be aware of it. But we’re not there yet, especially in the small most small companies aren’t there yet middle, mid sized companies. That’s kind of when I talk to a company. I was like, Do you have a security person? If the answer is no, then that sort of tells me that their maturity is probably lower than they think. The BLS,
Rolando Rosas 12:33
so Bureau of Labor Statistics forecasted as significant to almost 33% job market growth from 2021 to 2031, in terms of what’s needed to keep up with high demand for cybersecurity. And as technology becomes more ingrained, the need is even greater. So what they found that was that 71% of organizations grapple with the impact of cyber security skills shortage. That is an alarmingly high number. That’s almost three quarters.
James Morrison 13:09
I equate it, I equated often to the programming issue we had in the 70s and 80s. So I’m old enough to remember this right when everybody started to really deploy, you know, mainframes and servers, we didn’t have it. There weren’t people out there that knew Jack about, you know, about computers. And so if you could show that you could program, you didn’t have to have a degree. So how did we measure success over time? Well, success over time. There came when we started actually having computer science degrees at our local colleges. And I think if you look now, look how many cyber security programs are being created, and so I work with a local college creating a cyber security program, and we’re trying to get more more students out into this job market. So I It’s a beautifully robust job market, but it is, it is going to be until we get those people trained up. If I was a company, I’d be like, how do I how do I manage my environment today? Well,
Rolando Rosas 14:08
imagine, imagine both the corporate side as well as the personal side. I was thinking about this as we were getting ready. Imagine somebody being easily being able to hack into your ring camera that’s sitting in the front of your house or in the back of the house, and then for the corporate version of that, in hacking into your closed circuit TV. I mean, I live just right here, 20 minutes from DC, and I’ve heard a lot of stories around this happening way more often than people, both for the personal side as well as in the company, somebody being able to do that and launch those attacks from their laptop that that capability was only seen like in movies like enemy of the state, where they’re, you know, you’re hacked into the whole Baltimore grid. And that was NSA doing it, but now that capability is on a laptop.
James Morrison 14:58
Yeah. So I was, I. One of the things I did for the Bureau is I taught some classes overseas. And I was teaching a class in the Balkans, and it was in Croatia. But we had the we had three police officers from the different former Yugoslav republics. So we had Serbians, we had Albanians, we had Kosovo’s, Croatians, Slovakians, Bosnians, and I was talking about a thing called Shodan. And SHODAN is a website out there that looks at all of the video cameras or operational networks that are available, that are that are visible online. And as I was talking about the SHODAN and how you could see, you know, other people’s traffic. One of the one of the guys starts yelling at the guy next to him. And I, I learned later it was Serbian, and he ran out of the room. And it turned out that when he went on Shodan, he looked at, I think it’s Belgrade or Sarajevo, I guess is that their their capital, and all of the traffic cameras for Sarajevo were visible on Shodan. They hadn’t protected them, and this guy was, all of a sudden realized, oh my god, somebody could actually take over, or at least view all of these cameras that they had. They had this installed for personal or, you know, internal security, were now visible. So it happens a lot, unfortunately,
Rolando Rosas 16:19
and that’s and that’s the thing that you know, the things the threats evolve, the ease they’re talking about, the speed of being able to launch these attacks. And it’s not going to end. It’s not going to end. I know, I’ve been in the IT business about 20 some years now, and I don’t see the threats. You know, you’ve got the incidents like the Sony hack that happened in 2014 you have the Verizon report. You have what happened with MGM Resorts and using people as the weakest link, because you’re able to identify people, put together a personalized threat against somebody and an individual or a group within a company, which is not like, you know, you think of it like spy craft, right? I heard Andrew Bustamante from earlier. He said they’d spend nine months trying to craft an asset so that, you know, they can get the story and the juice out of them. But with AI, you can paint a picture of who your target is within a matter of seconds, days, and then go after them.
James Morrison 17:25
Well, that’s so there’s actually a social engineering cycle, and I actually show that cycle in some of my presentations, and this is exactly what they did for MGM Grand. They did some reconnaissance. They found a person who had recently started with MGM Grand. I think that person was an executive. They then used enough they gathered as much information as they could about that person, and then use that to contact the help desk of MGM Grand, and asked for a password reset. And they did the password reset, and they also did it without two factor authentication, so now this person, they never verified the person’s identity. This person was able to log in and eventually be able to escalate their privileges and move laterally in the network and take over certain key assets within that environment. We share too much information. That’s a whole different conversation. But in the United States, just from your email address or from your phone number, I can go on and run a background check on you, and you’d be surprised, the amount of information I can find where you live, how much you paid for the house, who lives with you, your kids, names your pets, names your you know, your your wife, your mom’s maiden, name your neighbors, your neighbors, names all of these things. And then I can even dig a little deeper, I can find criminal record on you. And then what we’ve seen is then criminals will take some of that information and actually attempt to extort information out of you, because it’s an emotional conversation, right? So a friend of mine had been in jail, and they were actually contacted by somebody from local law enforcement, saying they broke the law again. They were thrown back in jail if they didn’t pay X amount of money, what?
Rolando Rosas 19:02
Well, hold up a second that that’s that’s serious business there, because going to jail is not like, you know, a timeout in the corner. And so, so somebody contacted the police department and said, Maybe this guy, or they pretended
James Morrison 19:16
to be the police department. Oh, even worse, yeah, and they had enough information that made it sound relatively authentic, and, and, and so when I talked to this brand, I was like, Okay, well, slow it down anytime you’re you know, I mean, so whether it’s a scam like this, whether it’s an extortion like this, slow things down and do some research and actually reach out and contact The local law enforcement to see if it’s actually them. So we’ve got to become much more skeptical in this world that we live in. And that’s not easy. It’s it’s we, especially when we’re going about our business, I can’t tell you the number of companies that have gotten exploited from job postings. For example, they’ll do a job posting. And then somebody will send in a PDF or a document of their resume, and when they open it, there’s actually something malicious within that document, and everybody was doing their job. It wasn’t but because the criminal understands how to sort of exploit that, there needs to be a conversation internally to a company, how do I make sure that my HR department isn’t going to be the root of my next major infection?
Rolando Rosas 20:28
Wow. So the vectors, it’s interesting, because every company has to hire people right from the smallest, you know, donut shop that’s hiring five people, all the way to a big corporation that’s hiring a bunch of people all over the world, and it used to be that, you know, you would hear this, that business, ah, who? Nobody who cares about my information. I don’t care if it put it out there, but if you’re being threatened to extort it, I’m going to send you. We’re the police. We’re the authorities. We’re going to lock or your kid, right? Imagine to be an executive or manager in a high profile company. It doesn’t take a lot to sift through that information. Say, I think we have some information on your your daughter, your son, your wife, you know, a cousin or something, whatever. And if you don’t pay us whatever the amount is, we’re going after you. Well,
James Morrison 21:19
we saw this with the Ashley Madison breach, right? So when the Ashley Madison breach happened in 2014 2015 something around there, there were a lot of people that were registered on there, and that that hacking group released the entire list of people and their email addresses. And when that email list that came out, every company looked through that list to see if there was their company listed? We did in the government. We were like, did anybody? Was anybody stupid enough to list fbi.gov, but people did list military their email addresses, or we saw some people from other government agencies that had listed it. And so it created, not only a direct embarrassment to the individual, and in some cases, some extortion between them, but it also embarrassed the companies that were involved in it. So an example I ran into not too long right before my last before I left the bureau and executives got their laptops stolen. On their laptop, they had sexually explicit photos of themselves and emails between them and somebody that wasn’t their wife. And so this hacker actually was able to take that information and went to this person that said, I’m going to I’m going to tell your wife if you don’t give me a million dollars, and he paid it. So these criminals are always looking for any tidbit of information about a person to see if they can’t exploit it, and that’s why data security is really the monster that we’re talking about. How do I make sure that my data or the corporate data, isn’t being exploited or isn’t isn’t stolen by a criminal and then used in a way to get money out of my company or out of individual
Rolando Rosas 23:00
paint the picture, because you’ve evoked data security. And as a business owner, I know that this the insurance companies have changed, and they keep changing the terms of service when it comes to cyber security. If you’re a company that says, You know what, James not worried about it. Insurance will take care of it. What do you say to that?
James Morrison 23:24
Well, insurance isn’t going to take care of it. Insurance is going to try to give you your losses back, but they don’t. The reputational damage is still there. So what we’ve seen is like companies that have been like publicly traded companies that are hit by a major breach, their stock price falls between 10 and 20% immediately following that breach. Ouch, this is insurance can’t cover that. Also, when we talk about the individual damage to the people that are being exploited, maybe it’s the theft of personal information, right? So there was actually a plastic surgeon in Beverly Hills that got exploited, and they lost the data of all the all the the stars they had done plastic surgery on. And many of these stars had said they never had plastic surgery. Oh, my insurance helped me with that. Well, it doesn’t. What ends up happening is nobody’s going to go to that plastic surgeon anymore because they didn’t protect the data. So data protection is not just about a financial gain and loss. It’s about reputational but it’s also about kind of being, you know, being due diligence and taking care of people’s data appropriately.
Rolando Rosas 24:39
You know, when I think about plastic surgeons, I think about being in a hospital, and when I think about a hospital, I know that in the last 12 months, there have been multiple incidents at hospitals where their networks were breached or criminals were able to get in. And when you think about hospitals, Hospital street. Are lots of people every day. Some just common, random people, some people that are high profile. I would imagine that hospitals are on notice if they haven’t with what’s happened recently? Well,
James Morrison 25:12
yeah, United Healthcare is the big one, right? And the United Healthcare CEO went before Congress and got grilled. I mean, that was one of the most brutal interviews I’ve ever seen in Congress. And the question that comes up is, well, okay, so the criminal isn’t coming to steal my medical data. There’s not much value in that. But if you look at the data in a hospital and the way the data is stored, it is actually the perfect recipe for me to steal somebody’s identity. I can steal. I got their name, I got their social security number, I have addresses, I may have financial information and and so what we see around a lot of these, these hospital breaches, is an exponential rise, or a significant rise. Maybe it’s not exponential a significant rise in identity theft in the year following those major breach it’s like when we saw Equifax get breached, right? I don’t control my data being given to Equifax, also, I don’t control my data being given necessarily, to a healthcare organization. So it’s very discouraging to a customer of a healthcare organization or a credit agency, for them to get breached, because I don’t, I didn’t do anything wrong. You guys did, and I think that’s why you are you’re going to see healthcare probably HIPAA and high trust, which are the two major healthcare compliance organizations, are going to be adding a lot more cybersecurity required elements over the next probably 12 to 18 months.
Rolando Rosas 26:43
So the next 12 to 18 months, if you’re anybody that’s in the health related industry or even associated with that, I would imagine some of these projects that you’re going to have to implement are going to cost some money. They’re not going to there’s, there’s no like, yeah, we’re just doing this for free. You know, don’t just come out here and do the assessments. And, no, there’s probably consultants and vendors and integration and a whole host of things. If you’re that IT manager, or or, or manager, for that matter, that’s looking at that. And it’s like, all right, James, how do I pitch this idea? Because this is coming down the line, so compliance is obviously a part of it, but that there’s some money, so budget, how do I sell that story? There’s the hard facts, like the compliance piece, but how do we get this so that it is one of those projects at the top of the list that does get funded? What’s the approach that I should have going into that discussion with folks that write the checks?
James Morrison 27:45
Part of this goes back to my conversation about it and security. Security should be a separate budget and a separate line item from our it. What ends up happening is, if I’m an IT person, I go to my finance person and say, I want X, the Chief Financial Officer often says, well, that’s a toy or a tool. It’s not required. So what I tell it folks is, is when you have security requirements, the first thing you got to do is get allies. You’ve got to go to your Chief Compliance Officer. You’ve got to go to the chief financial officer. You need to show the data if, for example, two factor authentication. Two factor authentication is going to become absolutely mandatory for all healthcare organizations, because that’s how United Healthcare got breached. So you’re now going to have to come to the your chief financial officer and say, Listen, this is coming. I don’t have the expertise. That’s the second part of being an IT person is recognizing I don’t have the expertise to install these products and do it well. That means I’m going to have to outsource this and start the preparatory conversation before it becomes mandatory. I think what’s happening is, is that we’re being too reactive in cybersecurity, and so we’re waiting for somebody, either insurance or compliance or an external company, to tell us we have to do this, versus realizing we should be doing it now, in anticipate, anticipation of some of those changing requirements, listening
Rolando Rosas 29:10
to what you’re saying. I’m that manager. I’m going to put myself in that, that seat. I’m the manager. I’m going to try to have that communication but, but let’s just suppose you know, you’ve been in it. You know that it people are not sales people, and you’re telling them, Hey, build allies, paint the story. How can we do that in a constructive way? How should, how should that conversation begin, right? You’re giving me some okay, I’ve got the facts. Here’s the facts. But how should I approach that? You know, because we are all emotional beings here, right? We we all have our own crap that we’re dealing with. Why are you coming to me right now? I’m gonna talk to me after summer, right? I don’t want to deal with that right now, right? I don’t want to talk to you about your needs. I need to do this now. Let’s talk in the fall. What? How did you get. Because that’s the hardest part. Is the Getting Started phase. I
James Morrison 30:03
tell it people, learn the language of risk, learn the language of the board, learn the language of the finance person, right? So if we approach them as an IT person and say, Hey, I’m an IT person, I want new IT tools, all the finance person hears is technical, technical, that’s what and so instead, what we have to start doing is be able to take our technology and our security and mapping it to the success of the company, right? So if you’re in healthcare, if you’re in you know, you know manufacturing, if you’re in whatever, I have to be able to understand that my my technology allows the company to be successful. So if you’re in a healthcare organization, does this actually help the bottom line? Well, yes, it does, because what we see is that there’s actually a study that came out last week that said a company that suffers a significant downtime loses 9% of its profit. I think was the number, but there is a financial loss now directly associated with downtime through ransomware or through data exploits. So we need to do, as an IT person, is learn how to come back and say, This is my risk, right? If I don’t do this, my risk is high, medium, low or critical, right? And if we in, if we don’t do it now, we are going to be forced to do it at some point for for by compliance or by insurance. And so I think that’s the biggest thing we need to do, as it people, is learn a different language, and learn the language that motivates our executive teams to be supportive and be an ally.
Rolando Rosas 31:39
I love that. I love that. You know, when you said that words matter, there’s a guy that I like to follow, and I would throw that anybody out there on social media, Chris Voss, former FBI hostage negotiator, and he’s on LinkedIn. Follow him. Chris Voss, Chris, if you want to come on and talk about it, I invite you to come on. But he talks about, you know, what they learn at the FBI, and that’s, you know, what’s in the brain matters, and using those words and applying those in the business world, that there’s a lot of application there. And so if you don’t know Chris Voss and you haven’t checked that out, even if you’re in it and have nothing to do with sales and negotiation. This is something that’s going to become more of a negotiation based on what you’re talking about, because 12 months from now, either the hammer comes out and saying you got to do it. So why not get ahead of the curve? So a little bit smoother sailing when you get there? Well,
James Morrison 32:36
I even, you know, and even though I wasn’t trained and, you know, as an agent, I was in enough interviews and around enough of those investigations, that I learned a whole lot around that that interviewing idea, the words that arc said sometimes, are just as important as the words that are said. And listening to when the pauses are, when the ums are, when, when somebody becomes uncomfortable in that silence. And so there, there’s a huge element of of even from our sales perspective, when I talk to our sales partners, that that interview, that conversation, can you know, can really be opening as long as you allow the other person to talk and do more listening than speaking. And I think there’s some, there’s something in that when an IT person is speaking to a their chief financial officer, speaking to their board, speaking their CTO and understanding what motivates them, that’s actually something else we train on as personas. What is the persona of a chief financial officer? What is the persona of a Chief Compliance Officer. And once I understand sort of the basic things that are important to that person at that that position, I can then start talking the language that motivates them. It
Rolando Rosas 33:51
sounds a lot like Andrew Bustamante CIA spycraft, the way you just said it, the way you framed it. Because if I’m an IT person or somebody that’s in the technology space, and I want my projects to move forward, I’ve got to understand me, even ideology, motivation, fears, and having spent a little time listening to, you know, Chris Voss, Andrew Bustamante and a few others to come down to that core. You know, what’s pushing the buttons they fear. Do they fear? And then using what you just said, silence is your ally. A lot of times when you’re doing what Chris Voss calls tactical empathy, I’m listening and I’m just quiet and
James Morrison 34:38
comfortable in that silence sometimes, and we say it all the time, the Bureau is, I always, I always laugh about some of those investigations where we had a serial killer in New Mexico that one of our guys was interviewing we were trying to get more information on. He was the best at just sitting there and letting Him talk and letting the silent. It’s not, not leading him on, just letting him open the doors. And I think there’s a lot to be said around that that we don’t do very well. And so I think the soft skills, one of the things I’m trying to teach my kids and my, you know, my cyber security, you know, classes, is the soft skills that the interviewing, the paperwork, you know, the those, those things, and how you communicate with people outside of your IT area. I think what’s happened for so many years is that we in the IT industry, felt like we were isolated, that we were living on a on an island, and so we always just did what we needed to do. Security needs to take us out of that. And we’ve got to start realizing we’ve got to get allies across our corporation and understanding what motivates those people that hold the strings that allow me to move forward.
Rolando Rosas 35:49
I love it. I love it. I want to throw one and just play with you a little bit here. Since you’re the you’re the professor, I’m going to use one, one line that Chris Voss likes to start off with, is it a bad idea if we have a meeting? Is it a bad idea that we get a we do a coffee next week? What would you how would you respond to that question?
James Morrison 36:13
I do that all the time. I’m a one of the big things is trying to get to that next meeting, right? And so is, do you have time, right? Can I get on your calendar for 15 minutes just to talk to you, right? And what, what we’re doing there is, especially if I’ve got people always, we’re always drinking coffee, people are always doing lunch, people are always doing these things. So what you’re trying to do is insert yourself into the flow of their life a little bit, right? And then just walk alongside them for a little while and talk to them, and then, and then, hopefully you’re giving them something memorable. One of the quotes that I’ve been using lately is, and this my old boss said, is, if it’s not memorable, it’s mediocre. Oh, I get companies to work on their sales pitch, but that it’s got to be that three minute sales pitch. Can you say something in three minutes that’s going to grab my attention? Me want to meet with you more, and I think that’s the challenge. And so as an IT person, it’s important to learn that one too. Can you talk when you go talk to your CFO, if you walk in and say, I need to buy something, you might as well just walk back out the door, because everybody that walks in that door wants to buy something. Yeah,
Rolando Rosas 37:25
I’m gonna give you that’s, that’s what’s gonna happen exactly.
James Morrison 37:28
So instead, if you came in and said, Hey, I was reading this report, and it said that 60% this is a made up statistic, but 60% of healthcare organizations will be targeted by a ransomware attack this year. It has me concerned. If you read this, bang now I’ve grabbed somebody and I said, you know, and I’ve done it in a different way. And I think that’s what we need to learn, is a different way to speak, versus the traditional I need, I need, I need, versus we need. Like, that’s the other thing I would encourage us the culture of the company. If I’m seeing the culture of the company is security, then what I want to do is say, we need to consider how prepared are we for a ransomware attack, how prepared are we for data theft? And once I pull other people in and they say, Yeah, I think we need to, we need to figure that out. I’ve opened the door and I’ve opened the door to outsourcing some of my security needs. You know,
Rolando Rosas 38:27
one of the things that we’re being around this town here in DC is that you hear people that are older, can think back to the days where there were both sides, sat down and talked. And I’ve heard over and over and over again from a lot of different people, and just listening to different interviews, that when that happened, a lot more got done when the the time came, and that, you know, things really got to where they are today, where you have two camps, really, and they’re all shooting at each other. There’s very little conversation happening in the back end and the back rooms and lunches and dinners where, where a lot of you know, things got hashed out not in the public eye, and a lot less of that discussion is taking place in Washington. But I would imagine if we were to bring it to the folks that are trying to pitch project. These are the kind of things you have to take an interest in, in the other side, like you’re saying. And, you know, have those discussions, build those allies, build those bridges, so that you can come forward with, you know, Hey, James, would it be a bad idea if Wednesday, if you have some time, we can sit down at lunch. I’ll grab a lunch for you, and I’d love to run some ideas by you. Would that be a bad idea? Right?
James Morrison 39:43
Well, that’s it. I think, I think you’re right. I think we’ve lost the gift of conversation, we’ve lost the gift of compromise, we’ve lost the ability to connect with each other, and so that’s the other thing I would probably encourage companies internal maybe it’s not about getting a security person in. Maybe instead, you create a Security Council. And I’ve seen some companies do this where they’ve said, Okay, I need a IT person, I need a financial person, I need a compliance person. And they’ll form these little ad hoc work groups of 345, people, and they meet quarterly, and they talk about security or compliance in that upcoming era. And then what that does is it gives all of us an idea of how the other people are working and what’s important to them. So it’s not us operating sort of in a vacuum. I think what’s happened in the past is that when we said the only time we went over the CFO was when I needed money. Now it said, What do you need from me? Because there has to be some quid pro quo, and the CFO is going to need something from me at the same time I need from them, so creating some of that synergy, and we’re all working towards the same mission. This is my biggest criticism, as you’re saying, from a political standpoint, the mission we’re trying to do is the success of my company or the success of the government. And if we keep that in focus. If we keep that outcome in focus, then we’re all working, you know, kind of side by side, even though we have different motivation. Uh,
Rolando Rosas 41:08
agreed. I love that. That’s great. That’s a great one to button it up on. But before we button it up, James, I want to do with you a rapid fire. Okay, no right or wrong answer on this one. This is your answer. What would you think would hit your brain when? When I asked you this question so Ori, go ahead and fire up rapid fire for us. Walmart versus Amazon, same,
James Morrison 41:36
just different technologies.
Rolando Rosas 41:37
Okay, your favorite social media platform.
James Morrison 41:42
I don’t really have any LinkedIn I’m on probably the most favorite piece of tech, wow, favorite piece of tech. That’s an interesting one. Firewalls, I guess I find them fascinating. I like that there’s a whole lot of power in those devices. Okay,
Rolando Rosas 41:58
firewalls, we’ll go with that one. Okay, first thing you reach for in the morning,
James Morrison 42:07
my phone. Okay,
Rolando Rosas 42:08
you’re be you’re right on trend with a whole lot of other guests too. All right, here’s one I really like, because that this is where I learned the most game changing book for you.
James Morrison 42:21
Ooh, the latest one was David and Goliath by Malcolm Gladwell. Hey, I love that book. It’s, I find myself quoting it more than anything.
Rolando Rosas 42:31
Alrighty. The last one, easy one for you, a person you admire.
James Morrison 42:38
Oh, wow. Person I admire. I mean, you know, unfortunately, sometimes you don’t realize it until after someone passes. But my stepfather passed away a few years ago, and I realized I probably admired him more than I thought so that that mission, especially after Father’s Day. You know, it’s a you kind of remember, I probably admired the guy more than I gave him credit, right?
Rolando Rosas 42:58
I’m sorry for your loss, but yes, that tends to be the truth. Sometimes, when you, when you don’t have something, you realize it was so important. Yeah, exactly, exactly. So, James, was there any last, last words, anything, words of wisdom that you want to share with with us before we wrap?
James Morrison 43:16
Yeah, my biggest thing to it, folks out there, would be, don’t be afraid to ask for help. I think when I, when I ran the IT departments for the FBI in New Mexico, I was always afraid to to reach out. And I felt like it showed weakness. It’s not weakness in today’s environment. We can’t know it all. So it’s okay to reach out to someone and say, Hey, I don’t understand this. Can you help me? I think, I think that, especially in today’s world of and the other thing is, is, I’d rather talk to people today than try to talk to the internet. Sometimes talk to the AI bot. Well, you know, people do that. They go online and they do searches, but the searches don’t tell you anything about what you’re searching for. And so if you can find people that are in the industry that are giving away, you know, advice for free. Absolutely take them up on it. You know, those kind of resources. Yeah, there’s always a sales pitch. We’re all trying to sell something, but you don’t have to buy anything. That’s where you control that. But if you’re talking to somebody and they’re like, they’re giving you great advice, and don’t be afraid to use
Rolando Rosas 44:17
no no doubt. I love that one. Clap it up. So you’ve been listening to a conversation with James Morrison, former computer scientist at the FBI. Man, I wish we had another hour, because there’s other stuff I wanted to ask, but maybe we’ll save it for the next time around. So thank you, James for coming on today, and if you’ve enjoyed and nerded out on this conversation, I bet you’ll enjoy some other conversations we have on our podcast, like the one we had with Neil Patel. So if you want to know what’s happening with AI and digital marketing and how to get your company turbocharged, that’s probably the best guy to learn from. Neil Patel, go check that out on YouTube or wherever you consume your podcast. And lastly, James is talking about experts helping you out. If you need an expert to help you out, our company, Global Teck, is in that business. If you’re looking for a cyber expert or a team to come in and give you an assessment, we’ll be glad to help you out. Just hit us up on social media, reach out to us, and we’ll be glad to get in touch with you. So today, you’ve been listening to this podcast with James, computer security specialist, thanks for coming on today. I appreciate you, James. Thanks for coming into What The Teck?
James Morrison 45:34
Thank you all for the invite
Rolando Rosas 45:37
and I will see you next time
Recent Comments