#123 – Douglas Brush (Part 1): Guess Who’s Back, Dougie’s Back
Cyber Security Interviews | March 06, 2023 | 27:37 | 25.29 MB

After a hiatus, the Cyber Security Interviews podcast is back!

A lot has happened in my life over the past 18 months. I have endured death, despair, divorce, and car theft, to name a few traumatic events that made me take a break from several endeavors.

However, it has allowed me to reprioritize many things to understand where I am now and where I want to go.

This is the first of several episodes where Daniel Ayala interviews me. In this first part, we will cover mental resiliency, the importance of taking time off, how to be your best, and so much more!

[00:00:09] I'm Douglas Brush and you're listening to Cyber Security Interviews. Cyber Security Interviews is the weekly podcast dedicated to digging into the minds of the influencers, thought leaders and individuals who shape the cybersecurity industry. I discover what motivates them,

[00:00:26] explore their journey in cybersecurity and discuss where they think the industry is going. The show lets listeners learn from the expert stories and hear their opinions on what works and doesn't in cybersecurity. Welcome to Cyber Security Interviews. It's back. After

[00:00:50] a long hiatus and a lot going on in my life, I am bringing back the podcast. In order to do so, I brought my good friend and colleague and data privacy and cybersecurity person of interest,

[00:01:01] Dan Ayala, to interview me. So over the next few episodes, we'll discuss where I've been in the past 18 months, what I'm doing now and where I think this industry is going and why I

[00:01:13] plan to leave it within the next seven years. First episode, we'll be looking back at the last 18 months with a lot of trauma I've had to face and how I've had to build for mental resiliency.

[00:01:24] So please plug in, listen and buckle up as Dan and I dig into the last 18 months. Hi and welcome to Cyber Security Interviews. No, your ears aren't deceiving you. The voice you're hearing is not Douglas Brush. I'm Dan Ayala and we're doing a special series

[00:01:40] of episodes of Cyber Security Interviews in which I get to turn the tables and get to put Doug Brush in the interviewee's seat. Doug, welcome to Cyber Security Interviews. I know the founder

[00:01:50] of this show is very excited to have you here. He's a talented individual. I thank him for all his contributions to the community and I totally support all of his endeavors and fully

[00:02:02] support all the stupid things he says and does that gets him into trouble. It's not his fault. I understand you've recently nominated the founder of this podcast for a Nobel Peace Prize.

[00:02:12] There was a couple categories. I figured I'd spread it out for the Nobel Prizes. There's physics and I mean, it was really everything because I think I color so much. Excellent. Very cool. Well,

[00:02:24] we're back here on your podcast and the question I think that everybody is interested in is it's been a while. You took a year off the podcast. What's been happening in that time

[00:02:34] and what's bringing you back now? Yeah, I bought a boat and I sailed west to find the new world and open up spikes. No, wait, that wasn't me. That was in the 1500s in a prior life. Now,

[00:02:49] unfortunately in the last year, this will be today is exactly a week and a year away from when my mother passed away. And in that time, since then I lost another kind of so good mother from

[00:03:08] a kind of the extended family. Dolly Singh who was with me since I was two years old, she was taking care of me in New York City where my parents started their communications consulting PR consulting business DJ Brush Associates at this time they were writing books and

[00:03:25] presenting all over the world on corporate communications. You know, they had this forethought forethought to think that you know maybe someday you know there's going to be different methods for content creation both internally and externally for communicating with employees and customers

[00:03:41] and each other and there might be new ways to deliver this information whether it be from satellite internal TVs. My dad had a crazy idea even in the 80s like these local area

[00:03:52] networks are going to come down and pricing and be more available and ubiquitous to the world and allow people to actually then do things like video and audio over this things to a much

[00:04:03] wider audience. And I just hope one day he can he can actually see that vision unfortunately he passed away and he never got a chance to see that but I mean joking aside it's they're very

[00:04:11] much on the on the forefront of a lot of what we have now and I was really fortunate. But at that time they were starting a business and they had to have

[00:04:20] young Dougie and if you know Doug now just imagine a two year old version in the amount of care and support that's needed. So they had somebody kind of take care of me during the day

[00:04:30] and after school she was this guy and his woman Dolly Singh originally from India and she had left in the 50s during their cultural and revolutionary and political upheavals ended up in Africa moving

[00:04:41] to South America and the Caribbean with other things and other other folks from that area. And she's up here taking care of me suddenly finds out her family her father or father or husband passed away just dropped out of a heart attack in his 50s

[00:04:58] and he was taking care of the boys three boys and a girl and some of the other you know cousins and brothers and sisters in that family so she has to fly down and then takes them

[00:05:09] back and they basically live with us for you know some time while she was getting all the funeral stuff and then she came to the United States and we helped them get started Gavin Singh the eldest

[00:05:19] was really the one that got me started with it he was the one that in the early 90s sat me down showed me Novell networking operating system and I know you might be one of the handful of people

[00:05:29] that still remember what that is. Bindery till the very end. You know because it's nothing better than when you're trying to get two computers to fight with and you have IPX, SPX, NetBEUI and

[00:05:40] IP addressing to all collide with each other and then try to host name resolution and all of that. Why just in quit in the 90s at that point because as I was fighting with my DNS

[00:05:49] settings today I'm thinking I've been doing this for far too long but no he Gavin taught me a lot of this and after my mother passed away there were kind of extended family that were still supporting me. Unfortunately two months later Dolly finally had been fighting pancreatic cancer

[00:06:08] for years much to the surprise of her doctor to how she was so resilient and getting through it she passed away then two months after that Gavin dropped out of a heart attack so I lost

[00:06:20] three of the elders in my tribe and really people that I looked up as role models in both business and life were gone and during that time I was also going through divorce and

[00:06:32] you know people say well you know was it contentious all divorces are contentious there's no fun divorce nobody's like hey now this was really can we do that again um so it was it was really

[00:06:43] challenging time and when you have a young kid who's 12 going on 30 and she's very much like me and a wise ass and too smart for her own good a lot of this was challenging and so as I was

[00:06:53] going through a lot of that it was just it was just really focusing on family and life and trying to get through the day-to-day and then even at the same time I was working a full-time

[00:07:02] job with a company and doing well with that traveling quite a bit and also on the side and nights and weekends doing some some work with um what I'm going into now is this special

[00:07:14] master and court-appointed neutral work that had come up and I've been kind of doing on the side for over a decade um that really took some full time so long story short it's been kind of

[00:07:23] a crazy crazy couple months years you know 18 months of just trauma and then even you know add in all the pandemic stuff it's been uh it's been a lot so I've really been focused on dealing

[00:07:35] with that stuff but finally at a point again where I can I can get back and doing things I love and community support podcasting and getting back out there well it's great to have you back and

[00:07:45] I know the community is excited to get to uh to get to get another season of uh cyber security interviews underway uh you know the array of people you bring on is uh is a wonderful

[00:07:55] wonderful subsection of the uh of the community and information security is about secure is about community so glad to have you back um so all that said you know one of the one of the

[00:08:07] themes I just heard through your through your last year was one that really dealt a lot with with mental recovery with self-health with taking care of Doug um this is you know obviously it was a

[00:08:23] it was a there was a lot of tumult that showed up in the in that last year but there's also a lot of tumult that shows up in in our careers and later we'll talk about you know some of

[00:08:35] your current state in you know what you're working on and some of the things that lead up to that but right now I just like to talk a little bit about you know how mental health plays

[00:08:44] into um general wellness how it plays into your decision to walk to walk away from things for a little while and when you knew you were ready and how you knew you were ready to come back

[00:08:56] yeah I mean that's it's it's a great kind of story arc of that because you know there there's things that are out there such as uh these kind if you go to stress.org

[00:09:08] it has the uh Holmes-Rahe stress inventory scale and it really kind of sets some markers of hey you know what's happened in the last year what are these these stress things and when you really look at it

[00:09:20] some of them are quite normal in the sense like you're going to have stress you're going to have low levels of trauma things are going to be disruptive um what you try to avoid are a lot

[00:09:31] of acute incidents on top of each other because as they stack up inevitably um you you suffer some mental health physical health breakdowns and so once you get to the the scoring points so it's like 150 points or less you have a relatively low amount of

life change and low susceptibility to stress induced health breakdown as you get to 150 to 300 points about a 50% chance of health breakdown in the next two years if you continue at that level 300 points or more it's an 80% chance of a health breakdown in the next two years

[00:10:05] based on some of the statistical predictions and models on this so it's really this idea of forecasting where you are and where these things occur on a timeline and as you kind of plot them along when

[00:10:15] they come too closely really spike your your stress levels and that creates a whole parasympathetic and sympathetic reactions affects your mental and physical health I was probably close to 800 when I took some of these I mean like off the charts at the points where it's just been insane

[00:10:33] when I add up all these things um in this case overachieving is not a good thing yeah and that's like you know it's like getting getting high scores on that whereas yeah nobody patted me on the back and gave me a you know gold star for that and

[00:10:48] but you know at that same time you survive and there becomes a certain point where you need to move on from surviving and start living because you had to start processing some of

[00:10:57] this trauma and that really became the focus of you know okay I'll give me get through this I'm going to maintain a level to the extent I can of resiliency through this in the moment

[00:11:09] plan for resiliency in the future and you know incidentally enough on that and I'll come and say the word resiliency I've been a big focus of what I've been saying in cyber security is

[00:11:18] look the proverbial shit's gonna hit the fan um in your organization and planning for it in ways that you adapt and overcome is a much better mindset for your governance and risk management

[00:11:33] planning than it is to oh my god we had something bad happen and we all freak out you know and so that's really become a parallel to what I try to do in life is understanding these things are

[00:11:42] going to happen they're going to continue to happen and it's not the end of the world as those as much as it feels it in the moment um but you have to keep going through now on the

[00:11:51] other side of that you know as you go through this it adds up I mean the step that stress that bag it's just 300 to 600 or 900 points they had to be processed somewhere and I really became a point

[00:12:02] about middle of last summer as all these things were really accumulating I had some work stresses that that I was becoming frustrated with and I was probably acting out on those within the corporate culture in ways because they just became the easiest punching bags because

[00:12:18] you're close to them on a day-to-day basis um and I really felt I was in an unhealthy space even though it wasn't so overt but I didn't want to get to that point where I was going to hit rock

[00:12:29] bottom and stuff so I started kind of planning for that and saying you know I'm gonna as as the end of the year comes around November seems like an arbitrary date and all but that's a good

[00:12:38] downtime and that's really where I kind of targeted I was going to take off November or December and I would say I went into that thinking okay great I'll give myself two months

[00:12:47] and I think I overly analyze this plan of I'll be back on my feet I'll know what I'm going to do in 60 days and I really think that 60 days took me time to slow down and start feeling things I really

[00:12:59] realized I was not ready I was not ready to kind of re-enter society so to speak and it's really taken some extra time to really get to that point so then I can look forward and I

[00:13:10] probably allowed myself another month or so and continue to to see what I'm going to do and enter things kind of slowly and organize things because my cycle to date has been very much

[00:13:20] put out the fires move on get the high off of that and I have this very upward trajectory coming out of the bottom and I've talked about this in my mental health talks from 2017 it's hit a really bad

[00:13:32] bad spot then too and then you know within six months I was in China I was working with DJI I was doing all this incident response I was in the New York Times like all these things

[00:13:42] built up and I was just like okay cool I'm fine but I really wasn't I didn't process these things so it's allowing myself enough time to really get into the feelings of all these traumatic events that

[00:13:52] have happened and work through them and not just say hey I'm fine you know it's okay not to be okay at times and give yourself that space to heal because in the end of the day I have a family

[00:14:02] I have folks within this community have a lot of people that whether I like it or not because that's not my choice necessarily depend on me in ways that I need to be the best version of myself

[00:14:14] and what does that look like and that to me is health and it's my mental health my physical health and really getting things in a place where I take care of myself so I can take care of others and so

[00:14:24] there's this weird selfishness that has to go along with it where you have to really say I'm going to put myself first in a non conditional kind of way where it's not like you know I

[00:14:33] want something out of it it's in the sense that I'm going to do this because I know it's better for other people and that's really been kind of a driving force and with that I've been able

[00:14:41] to get a lot of things under control and in a much better balance and quite frankly know that things are going to happen and you know right now as we record this there's a severe economic downturn

[00:14:51] in the tech industry and unfortunately these are things I started preparing for a year ago like I knew these things were going to happen I predict I think we talked to you about a number of

[00:14:58] times at the way that the market was set up and where I think the industry is going that I was like all right this is a perfect time to step back so I really was more deliberate

[00:15:05] about making sure I had time step back process get ready for the next wave of whatever things are going to happen good and bad but to really be in a much more prepared state without being

[00:15:16] burnt out about it. Well there's no better time to leave your job than just ahead of an economic downturn so I want to go into something that you were talking about there and relay a question

[00:15:30] you and I had talked early on about the power and importance of you know of staring at trees of taking the time to just stare it and look at the world around you we live in a world at

[00:15:39] least here in the United States where if you're not working there's the perception that if you're not working actively working hard overworking that you are failing how did you and how can people give themselves the grace allow themselves the grace to take that necessary recovery time

[00:15:57] rather than just jumping from crisis to crisis or from high to high work high that is and let themselves actually get back to a recovery I guess the subtext of this is how do we even let ourselves

[00:16:10] take you know more than just a Friday off as a vacation day and get to a model where we you know take two three weeks off and actually decompress and recover. Yeah I mean again I grew up in

[00:16:22] that culture probably similar you know like I said with my parents you know I had my mother was the CEO and president of DJ Brush Associates so she had to push hard and strong I mean south side of Chicago

[00:16:34] Pollock who's 6'3", blonde beautiful intimidating I mean she just had all but she never used it as a crutch you know she just commanded presence but I know she had to work really hard to get

[00:16:46] through a lot of things you know coming from you know a second generation immigrant Polish family that she really had to prove herself so it was ingrained on me to not take your foot off the

[00:16:56] pedal that was you know you're going to something bad is gonna happen I think my father was in the same way too because he kept himself very busy maybe not productive maybe not effective in certain

[00:17:08] things but they were both very busy and people and we were there was no downtime or rest so I grew up with a culture of that at home and it was certainly reflected in the business cultures

[00:17:15] that we grew up in the 80s and 90s I mean as I entered consulting yeah the expectation was you were going to bill 60 70 hours a week I mean that's just what you do and as I got into corporate America

[00:17:28] even when I came in as a VP and director level my you know my utilization billable targets were still you know 30 40 hours a week which means I had to still go out and do business generation

[00:17:36] I was still working 70 80 hours a week and there was always this expectation that you know coming into the year would get rewarded out of it financially and it was like you know is that

[00:17:45] $1,000 bonus really worth it and I think you know that all is you know there but I think there's a huge shift in change in that part of it is I think I was very fortunate to run my own

[00:17:57] teams and consulting practices even within groups whereas I had new millennials come in that just space they said we're not going to work the weekends or nights but we need the work done go figure it out hire more people not my fucking problem like I'm

[00:18:09] going to deliver to you in the time that I can if you need to fill those those times you know you need to work it out and that really allowed me to refocus the way that I did my business

[00:18:20] planning and product quite frankly a lot of productization of cyber security services so for example things like a $10,000 security assessment so we go into the voting scans policy assessment just this really kind of light touch across all boards to really say okay what's your posture

[00:18:36] and that came out of something that was a very long process and SOWs and we had to make sure we had billable hours on this and we were forecasted screw this let's just do it at a fixed fee

[00:18:47] price well what if we go over I was like well then that's not us to figure out how to do more efficiently we carved out a lot of things and what I found was is by setting the expectations

[00:18:55] and boundaries around it I worked better on it my staff worked better we delivered faster and I've kind of used that ever as a model say okay well we don't have to burn people out

[00:19:02] it's not about the hours it's about the output and as we started getting more results with doing less that's really where came my focus on staffing and growing businesses I think I did a much poorer

[00:19:14] job doing it to myself you know I was very good at encouraging that and seeing that but do as I say not as I do yeah because again it was so much ingrained in my DNA and I had very high

[00:19:24] employee satisfaction very low errors things that had to be done higher customer satisfaction as well as part of this higher retainment of customers higher attainment of talent and like a 70 80 percent add-on of additional work so all the business metrics show if you do this right

[00:19:43] and you staff things right in consultancies you can actually do more with less it's not just about top line revenue I drove better margins and by the byproduct of it was actually

[00:19:52] better top line gross but you know people were happier and I was like okay wow we we were wrong for a long time about how we do consulting and doing lots it is bullshit and that had to stop

[00:20:05] and you know I think it's to me I was able to reflect on this okay it's okay because I would send people home when I can see them burnt out and I was like like yeah we have to get this done I was

[00:20:15] like great but you're gonna work through this from 6 p.m. to 9 10 p.m. on a Friday handed off to me over the weekend I'm gonna spend the entire weekend myself away from my family rewriting this

[00:20:25] because it's garbage so we're just doubling the work put it down we'll get back to it until Monday you know if I have to buy more times with the customer I'll do that that's my job as a manager

[00:20:33] to push back on the customer not push down on my staff and I really just sort of have to do that with myself it's really allowed myself the opportunity okay when am I gonna be my best

[00:20:41] how can I be in best and really with that is downtime and recovery it's not you know running at a full pace humans don't are not we don't run batteries you know we have very

[00:20:51] cyclical I mean since the call is circadian rhythm of you know when you have energy cycles when you have downtime when you need rest and really following that you get more productivity

[00:21:00] in that it's just for me it's it's changing that mindset of oh my god I have to get this done now too I can get this done later because right now the priority is my health so when I address this later

[00:21:11] I'm like best at addressing it so I'm not half-assing it at late at night and it's it's really forcing myself now I say it's like yes I how do you treat it's really hard it's hard

[00:21:20] for me to do that but I have to constantly remind myself look I have been I've proven it with my own numbers I have to listen to my team on dog food and it's hard at times and it's really

[00:21:28] allowing myself the space the time for recovery and just accepting things are going to be okay even in a two-month period of stepping back for things I can come back to the world's not gonna

[00:21:39] end because the other option is I take two months off proactively or six months off because of a health issue right I mean I was at I was at it I was at a point where my blood pressure was

[00:21:51] 170 over one the high 120s and the doctors were like we should just observe you in like a Truman show that had the fact that you're you're not having a stroke or a heart attack in front

[00:22:04] of us is amazing like they were like baffled that I was like not having a major health crisis if you think about that like a stroke or 46 years old you know for me to do that that's

[00:22:15] still even as the younger ages it's gonna be covered but that's just a horrible situation that was a wake-up call to that I need to get this under control since then I've got it

[00:22:23] way down and it's been much more encouraging but yeah it's like either you know take some time now or you're gonna be forced to take the time later yeah yeah I uh I'll relay one one of my favorite

[00:22:36] stories in this the moment that I got it as many 20 some years ago almost 20 years ago now and I worked for a for a Dutch bank and uh I was lamenting uh taking time away when I was on a trip

[00:22:49] over in the Netherlands and one of my colleagues based there looked at me and said Dan you're not that important you're not that important you're not that important and this is one of the things

[00:22:59] I loved about working for a Dutch company was you always knew where you stood there was this level of transparency and honesty and communications uh that that I you just don't find

[00:23:11] in many other places in the world but Dan you're not that important the company was here long before you it'll be here long after you surely you don't think that your two weeks away will

[00:23:23] make the place fall apart and it was just that eye-opening moment and from then on you know found ways to just make sure that I took time for me well and I think a lot of it too is when

[00:23:38] you're in cybersecurity even if you're doing the proactive and preventative work there's a tremendous amount of pressure on it you know you get to the IR litigation response space which like I keep

[00:23:49] going back to but you know for the most part um even when I go in and do CISO services I was talking to a client that I'm bringing on the other day and he's a CTI said well look when you talk to

[00:24:01] the CEO next heads up he's going to think the sky's falling he doesn't understand cybersecurity and he just he thinks it's this kind of dark scary thing and that we're doing it all wrong and when

[00:24:12] you come in and give your report and I'm just doing a basic NIST CSF assessment that it's going to be bad and we're much worse shaped I go the amount of times I hear that like hundreds of

[00:24:22] times I'm particularly this is the preventative side I was like it's never that bad you know often when I go in it's like no actually you have a lot of good things going on and I think it's that framing

[00:24:32] it's very easy to forget all the good things you focus on these bad things and freak out um and you know then on the flip side with the IR stuff and litigation response same thing

[00:24:41] it's oh my god oh my god react react react I think our jobs are to be level headed cool calm and collected and not so emotionally responsive it's that stoicism of look I'm going to feel the

[00:24:54] emotions I'm just not going to act on them logic must prevail facts must prevail I have to make decisions based on what's in front of me now for the best in the future as well and that level of

[00:25:04] cool calmness uh is often missing in our industry you know both on really all sides everybody's like oh my god we have to get this done I mean the amount of times when I was at Splunk it was

[00:25:16] I would talk to you know the CISO and say okay what's what's going on now and it would be this I'm exhausted because I'm you know we went from 10 years ago where nobody knew what the function of

[00:25:27] a CISO was I still don't think most people do but you know it was just kind of this amorphous thing to where you know it's almost too much attention now where oh my god did you see this in the

[00:25:37] New York Times what are we doing about this doesn't affect our business well I need a report on my desk tomorrow because I got to bring in front of the board and the CISO's are like I'm just

[00:25:46] exhausted from this we're so reactionary even on like building a program I'm like now this is why nothing gets done I'm constantly responding it's like it's again it's great that the the board

[00:25:57] and the executives care now but now it's like that's a whole new level of incident response you got to stop drop and roll because somebody read something in the New York Times and a whole level of mental health care in the roles to keep that balanced

[00:26:12] let's well and that's the thing is I was going to say just on that is again if you look at the enough talk to them some of the surveys of CISO's you know most of them are overworked

[00:26:20] underappreciated feel that there's going to be a breach most of the CEOs don't feel there's going to be a breach however they think if there was a major security incident they lose

[00:26:27] their job most of them don't take off two weeks a year most of them haven't had a two week break and you know I would say most like 70 80% of them haven't had a two week break most have never had

[00:26:37] a month you know they just don't take the time and we wonder why these folks are burning out and and we still have these security incidents because we don't have strategy it's jumping from one

[00:26:46] hyper reactive situation to another that's not healthy for people it's not healthy for business and you're burning people out thank you for joining us for the first part of the return of the Cyber Security Interviews podcast I hope you enjoyed it so stay tuned for next

[00:27:02] week's episode as we dig in a little deeper about my history and how I got into the industry thanks so much for listening thank you so much for joining us today on Cyber Security Interviews

[00:27:12] I hope that you enjoyed this interview as much as I did please go to cybersecurityinterviews.com where you can find every episode including show notes and links for each guest there you can

[00:27:24] also find social media links and just sign up for new episode notifications thanks we'll talk soon