This is the 4th part of the podcast's return after a brief hiatus.
Daniel Ayala continues his interview of me. In this fourth part, we will discuss my first forensic litigation case, the importance of data governance, the myth of cyber, why I am tired of cybersecurity conferences, and so much more!
[00:00:09] I'm Douglas Brush and you're listening to Cyber Security Interviews. Cyber Security Interviews is the weekly podcast dedicated to digging into the minds of the influencers, thought leaders and individuals who shape the cybersecurity industry. I discover what motivates them, explore their journey in cybersecurity and discuss where
[00:00:29] they think the industry is going. The show lets listeners learn from the experts' stories and hear their opinions on what works and doesn't in cybersecurity. Welcome to Cyber Security Interviews.
[00:00:49] It's back. After a long hiatus and a lot going on in my life, I am bringing back the podcast. In order to do so, I brought my good friend and colleague and data privacy and cybersecurity person of interest Dan Ayala to interview me.
[00:01:04] So over the next few episodes, we'll discuss where I've been in the past 18 months, what I'm doing now and where I think this industry is going and why I plan to leave it within the next seven years.
[00:01:15] Speaking of other fields, you also started over the past number of years playing in some adjacent fields to information security like privacy and legal. Why those? Because I always have. You know, you go back to when did I know?
[00:01:32] I mean, to me, it was supporting this stuff even when I was doing more of the IT focused services in the early 2000s. My hardship was around 2008. I sat there and watched.
[00:01:46] It was, I say funny, but as Ralph Wiggum from The Simpsons says, it's funny, but it's not ha ha funny. Quote that way too much. But it was, you know, I had fought with external and internal auditors of Merrill
[00:02:02] Lynch about the set of event products and services I was offering. I basically would drop into, you know, behind enemy lines. So to speak, but I would go into conference spaces in New York City all over the world
[00:02:15] and set up secure networks so people can work and so we can support the transmission of content for investment banking and all these things. And they were, why can't our internal IT people lose? Why can't it was really actually as the subcontractor and that the internet
[00:02:30] to go, no, we have each five. Like we do help this where we're not doing this or long term project. And what Doug does is you know, like, well, we, we want to examine the costs.
[00:02:39] So it goes to this 18 month, you know, audit and it was September of 2008. They said, you know what? Well, nobody else can do this. You provide such incredible value. You're the green light going forward. And five days later they were gone.
[00:02:55] I mean, literally I sat there watching the ticker on CNBC that Monday morning it was, you know, Merrill Lynch is done. You know, my livelihood was gone. I was like, all right, again, one of those moments where I had to kind of step
[00:03:10] back and I was going to get married in a couple of weeks. We got married, came back from the honeymoon. I was like, what am I going to do next? Very fortunate again, to be at the right place at the right time.
[00:03:21] A gentleman, Rob Sanderson, who is an amazing audio forensics guy, used to support his network doing all the AV. If you remember Avid, what an absolute gyceunotting because I know you know how fun it was that if you accidentally updated it, you had to blow out everything.
[00:03:36] And all your plugins would stop working. Yes. Shaking my face, kids today do not understand like the delicacy of early LANs and updating and all this stuff. So it's just such a great job with his video networks when he was doing corporate video stuff.
[00:03:53] He's got an AV forensic said, look, I got a case that I'm working on. Something's not right about it. I think it's on the computer side. I have the video, but I need you to come in and look at the video time stamping make sure it's right.
[00:04:07] And I was like, OK, I think it's an investigation for this big litigation in the federal courts. I'm like, all right, cool. I'm kind of like exploring what I want to do now. And I really wanted to get back into cybersecurity at this one
[00:04:19] because this is that was where I was going from about 2005 on. I was like, screw it, I'm going to be a hacker when I grow up. And, you know, that's really what where I was going to go.
[00:04:27] And so he calls me up out of the blue. And I just forensic investigation and computer find out that the time stamps on the video were off because the BIOS had never been synced or updated because of the way these quartz crystals time slipped.
[00:04:41] It was off and everybody just assumed again, you know, this well, the computer said so that the time stamps are right. And 16 experts on either side were like, well, we're basing all our reports on this time stamp information. I was like, yes, completely wrong.
[00:04:56] I got deposed on the matter. And it ended up, I ended up not getting deposed in trial, but it was really like this fun experience and it brought me back to that hacker roots of pulling things apart, question things.
[00:05:06] And that's when I launched the digital forensic group in New York City in 2008. And this is the rest of history. And it's really kind of set this trajectory where everything I've approached is a problem that I'm trying to solve. And again, whether it's a litigation, whether it's a
[00:05:26] privacy problem, whether it's a data breach, whether it's whatever it is, some proverbial shit hits the fan. And people need to know what happened, what data is involved, who potentially had access to it. What's going on? Give us some visibility because that's a box over there
[00:05:44] with a hard drive and memory and is connected to this. I don't understand what I need to do is tell a story about what's going on. And for me, that's where again, coming from corporate communications experts, I'm so incredibly lucky.
[00:05:56] I knew it's like, OK, I got to tell a story with the technology, but not necessarily about technology, but with it. And so I was able to really kind of get into this mindset early on is I didn't care if it was litigation.
[00:06:06] I didn't care what the problem was that was impacting the business. I wanted to solve it. And so I've been able to kind of be, as Alex Wood constantly calls me, Alex Wood from Colorado Security, and now it up like he constantly calls me a polymath.
[00:06:21] He loves that word. He's not going to cringe when he hears this because he loves the word polymath so polymath, Alex. He loves polymath as much as you here love being called the Doug show. So I'll share we can also look at Robert going on AI.
[00:06:38] But anyway, so, you know, but he, you know, we were given to have this kind of ability to learn about things and be kind of disciplined in a lot of areas because when I sat there and I was talking to my girlfriend,
[00:06:49] it's like the amount of achievements I've had in data breach, privacy, CISO work, litigation as a special match. Like most people look at do one of those and I've been able and to me it wasn't.
[00:07:03] I'd like to think on social, but I think it was more on the mindset that what are we trying to do? What's the community? What's the story? And I've been doing this all for so long and consultancies. You know, if you look at the first last 20 years was
[00:07:15] always siloed. Well, we don't want to step on somebody else's toes that's running that division, name a big consultancy, because that's their revenue. So that's going to be discovery over there. Data breach is going to be over here. We're going to do privacy over here.
[00:07:28] I'm like the business doesn't give a shit what you call it. It's data. It has risk. It needs to be protected. And when bad things happen, we need to explain why it happened. Or when people come knocking at the door from a government regulatory,
[00:07:41] do we have what we have? And that's the thing is the longer you take to respond to something, whether it's a government inquiry, a litigation, a data breach, the worst things are going to be. And so for me, it's I don't care what it is.
[00:07:54] I just want to I want to help companies and individuals and organizations get through their worst day of their life when I've seen a thousand of them. It's going to be a really bad day for them.
[00:08:05] I want to help them get through it so they can get back to their wife and kids. I mean, that's for family or whoever, you know, it's just I to me, that's the mindset. I don't look at it as these are completely different disciplines. They're all the same.
[00:08:17] Yeah. And I think that within organizations, though, you mentioned about the consulting world and consulting world is obviously revenue driven separations, but inside the organization, inside the organization itself, there are those same striations or have been between legal and IT and information security and compliance.
[00:08:35] But I've seen it. You know, I spend most of my day with my general counsel as a as someone who owns security and privacy and compliance. My general counsel and I spend endless amounts of time together, which I've found to be a really great relationship.
[00:08:51] But I'm curious, I guess, are you seeing these things all merging organizationally, even if people finally starting to let themselves admit that they're coming together organizationally or should be? Absolutely. And I think it's been happening a long time.
[00:09:09] And again, it's where I've been saying the emperor has no clothes for so long is that this has been happening. And I don't define it that way. And then when I got into organizations, particularly doing the CISO work,
[00:09:21] I mean, those are all the folks I would talk to. And I was like, what's your problem? You're facing. And then I would kind of do this meta analysis. Like, you know, you guys are all saying the same issues
[00:09:28] or seeing the same issues have the same concerns, same. But you're just defining it differently or maybe you have the context of your language different. But okay, then that's just a translation problem. But I think it's also the.
[00:09:45] I would say traditionally, it's been very easy to leave cybersecurity as an IT function. And, you know, the CISOs that I know are, you know, chief information security officers, but that's a small C. They're not at the same parity levels as CFO or CEO or CEO.
[00:10:01] So it's been this abdicated role because nobody else wants to touch it. And somebody who's grown up as an IT person is shot out. Now, through us to do in this business function with no support or training, it's kind of sucks.
[00:10:12] And I think it's starting to change because where I hope it's going is that this is all coming down to governance, data governance and overall governance of the organization. That is a board level function. That's a C-suite function. Most in a Google list, you know,
[00:10:30] people don't like LinkedIn fight people about this. Cause I was like, look at your traditional way that an organization set up with your wireframe of a C-suite. The CFO owns organizational risk finance department shared with the GC. Why the fuck are we putting cybersecurity under an IT function?
[00:10:50] It is a business enabler. It helps people do their jobs. It is not a risk management function, nor should it be. Many of the components that we look at have technology functions, but it's people, process and technology. We have to understand how the dollar comes in
[00:11:03] from the first time a customer has an impression of that brand all the way to the balance sheet. We have to protect and mitigate the risks around that financial transactions as they occur because there's a lot of changing hands. And organizations have to understand that
[00:11:17] that you got to put these pieces together. I mean, it's not these disparate functions. It's a part of a process and you have to secure the process. And we're seeing where the process has short points, single points of failures and just parts where everything's going off the rails.
[00:11:33] There just hasn't been any kind of transparency or accountability. There's been none. Who gets fired in the big breaches you read about? CISOs, CIOs, maybe the CTO. Not the CEO. Maybe sometimes now there's been some fines, but until the top level executives are held accountable,
[00:11:51] that's not going to change. But it is starting to change. We're seeing new SEC guidelines. I think when you're looking at the state levels of some of these privacy guidelines, we're certainly seeing it with the GDPR enforcement. They're not saying these are IT or cyber problems.
[00:12:06] They're saying these are privacy functions that's happening because of governance problems that's owned by the top levels of the organization. There's going to be more of a push to that. And then when people's jobs, assets, you know,
[00:12:17] wallets around the line, all of a sudden they're going to start listening more. They're going to listen more, but it's still going back to what I was saying before as we need to start talking in better terms too.
[00:12:26] This is this is a defining moment for the industry to stop our bullshit, stop thinking that, you know, this is again, like I said, we talk in dollars and cents, not just bits and bytes. If we really have the kind of opportunity where we can work with
[00:12:38] them and not against them and not be adversarial, like stop everybody from each other under the bus. It's not a zero sum game. We're in this together. How do we enable the business? How do we protect these people at the top level
[00:12:49] with things they don't understand about this organizational data governance and help them understand that? Hey, look, you know, there's risk around this data, but there's also value in how do you value this data? And what are you doing on this business function? I think that's our opportunity now.
[00:13:03] And cybersecurity is I look at it is dead. It should be dead just the way it's been. I think it's going to evolve and change. And we're going to get into a much different era than we've ever seen because of the way that the governance is coming in.
[00:13:15] And quite frankly, the market changes. There's too many small players doing the same things. I don't need another 30 IAM solutions or two-factor out there. There's too many of them. There's too many of these cybersecurity function-ish things that exist
[00:13:29] that are just creating more confusion and friction than allowing users to do their job. So there's going to be a massive consolidation of that on the products and services side. And cybersecurity, as we know, it's going to have to go through
[00:13:40] an evolutionary shift like we've never seen before in the next years. Level set the listener, Doug. What's the difference between cybersecurity and information security? For me, it's the amount of clicks I get for cybersecurity. I get way more than information. You know, they can certainly be interchangeable.
[00:14:04] You know, and I'm personally trying to get away from those terms and thinking of things in data protection and data governance. The end of the day. And again, there's a lot of people that are clutch their pearls
[00:14:17] I can hear in the future that the monocles popping out of so many cybersecurity thought leaders and experts. Now, I'm using the air quotes eyes that, you know, there's going to be more breaches. There's going to be more security incidents. Shit is going to happen. Get over it.
[00:14:34] Stop thinking we're going to stop these things. We're not. It's resiliency. It's how you adapt and overcome. But in part of that is nobody in rare access to make an absolute statement. That's not true. But it's very rarely do you see finds in breach notification over infrastructure breach,
[00:14:51] meaning somebody pops a system and you can say with relative certainty that no data is inappropriately accessed. I want to see the words "inappropriately accessed." You are taking you forgot your security is very important to us. You forgot your security is very important to us.
[00:15:06] Well, I was just saying we've identified a security. It's a very environment. They security in your privacy is very important to us. We determined through our forensic investigation that none of your data is taken or improperly accessed. What was it? Highly skilled, highly skilled and intricate attack.
[00:15:26] Well, blah, blah, blah, however. We were going to sign you up for one year. But which attackers, by the way, they love that because attackers are all man. I only have one year. Oh, well, I'm not going to wait till the 13th month of the visas.
[00:15:41] Oh, anyway, that's a whole nother rant. But no, it's ideas like it's the data. It's the data. Stupid. You need to protect the data. You need to understand when you say the crown jewels, it's the I think too much in the lens of it is it's the data.
[00:15:58] What data do you have? How it's being used? Who's accessing it and how it's being dispensable? What's the data life cycle? Governance starts there, build around it. That's really where this is going. It's going to be less cybersecurity, less information security, more data governance.
[00:16:12] Because that's where it should be. Stop breaking it up. Let's start there. What do you have? What's risky? What's toxic? Some of that toxic stuff is probably, you know, the secret sauce. But I guarantee you there's 80% of it that's out there.
[00:16:25] That's on data spoil and areas that you don't need or you're not using marketing databases that will get popped and that you're going to have to sit there and end up doing breaching. Why do you have that? And so I think, you know, understanding where your weaknesses
[00:16:40] are from financial reputation legal risk. And where those vulnerabilities lie to the balance sheet because you have data that has real value. Yeah, data storage is cheap. But what's the risk? And people just aren't doing those assessments. They're sharing whatever.
[00:16:54] And that's where the industry is going to be at. I'd argue that no offense to the name of this here very podcast that the term cyber relegates the tech relegates the work being done to the technology propeller head
[00:17:06] zone which is exactly the thing we're trying to get out of cyber indicates technology and IT and things related to the tech and security that boy it's a much bigger topic. And look, I say I know it gets attention.
[00:17:22] I think people should but I hope more people like us. Now that we got your attention, let me tell you what this is clickbait. I probably own information security. I just bought two more domains. It's too easy. Stop before you buy again.
[00:17:46] Hi, my name is Dan Ayala and I own far too many domains. I was just looking at yesterday because I bought again two more. I thought that was a really funny cool idea when I had two Manhattan. That's only nine bucks.
[00:18:00] So we knew there's I have at least a dozen. I just keep it. But I did actually just buy new one for some of the community stuff. Actually feel that's good. I actually set up the website and the name and bought with Azure and DNS.
[00:18:19] At least I'm using this one. Long story short is yeah, no, I know I bring attention to that word while hating it at the same time. So recently you made a declaration to me to the world about your departure from the world. I'm done with this.
[00:18:40] I'm leaving the field. What went first of all, I guess start with how a little bit how how that came to be and when did you start thinking that and what drove the thinking toward I'm done with this space.
[00:18:54] I think because I've come as this to me, I was always an outsider. This goes back to why I even started the podcast, right? It's that my imposter syndrome. I don't belong here. I didn't have formal training in this. It was actually funny, you know, doing digital forensics
[00:19:13] in New York City, speaking at all three of the colleges that had graduate programs for cybersecurity. I they would say, Hey, would you want to teach us? Sure. They go, wait a minute. You don't have a degree. I was like, no.
[00:19:30] So but you're you want me to teach the material that I've developed and stuff like you're referencing it in your classes like stuff I've done. Yeah, but you don't have it. And as you know, coming from academia, that's the death now. So I was like, yeah.
[00:19:44] So I was like, this is stupid. Okay. So again, this goes in the whole notes. Why the industry changes that mentality by the time people came out of three year programs, our skills were not developed. And most of the stuff that is wrong.
[00:20:00] But to be fair, at the time that we came into the field, there was no training. There was no information security degree in 1992. But there also wasn't information security vendors. You know, look. It would you Cisco a routing switch and firewall company or is it a cybersecurity company?
[00:20:22] No, that depends on who you ask. A lot of friends at Union 40 James. I live in I live in a town that's all well Cisco security on. But yeah, shout out to Duo. No, but it's it's yeah, no, it's.
[00:20:40] It became very funny for me or a very interesting for me as I saw these companies that I grew up doing network infrastructure stuff. So I'm shopping at a bar say talking about security. So am I in security now because I was doing I'm a network engineer.
[00:20:54] Is that does it like do I just call? Oh, I'm cyber cyber done. Cool. Can I go to RSA now and I suffer watching these things happen. I'm like, cool. Okay. It's cool. Yeah. Hacker things and then I kind of have these like for the
[00:21:06] cool hacker camps, you know, the DEF CONs and stuff like this is cool. Go to the big shows. I'm like, yeah. Okay. I can see the balance of this and that was 2000, 2010. 10 years later, we're still doing the same shit. We're still going to these either big vendor conferences
[00:21:23] where they roll out all this bullshit. I think I really had that moment at RSA in, so, 2014, 15 where John Lithgow is on stage and he had everybody, it was like a prop comic, like he might as well have been Gallagher or freaking Carrot Top. All right.
[00:21:41] Now everybody reach under your chairs and get your flashing lights and let's all do this together. I'm like, I gotta get out of this industry. I was like, I'm fucking done. Like I can't do this. This is so stupid.
[00:21:51] I was like, we are such self congratulatory to do these things over and over again because it's fun to go to these conferences on the vendor side. Well, cool. Do the hacker conferences. Cool. I go to those. Lot of this stuff's cool. What business promises.
[00:22:03] So how dare you talk about business man? Fuck the man. This is capital. I'm not like, no, I get that, but somebody's got to pay us for this research and do it. Like I'll do a research. I'll build a business where I'll hire a bunch of hackers
[00:22:15] and we can do like 20, 30 percent of time. No way, man. You're not cool enough anyway. And by the way, you are cooled up because you're a white male, but we keep all everybody else out. And we're going to talk shit about anybody that's not us.
[00:22:28] We're so open and we're not. So I was like, yeah, this sucks too. So I just over the last 10 years, I've just seen the same problems repeat themselves over again from both camps on the vendor side on four people. Things are not changing.
[00:22:41] And when I look at the Verizon data breach reports, when I've done all the data breaches that I've done, people said, why you must do some really cool shit? I was like, maybe one or two of them and we're talking
[00:22:48] about what the rest of them are: open RDP ports with easy to guess passwords and no two-factor authentication, business email compromises, Office 365 where a general user had admin rights, ransomware where yeah, both of those things occurred and somebody got a foothold over, you know, an SMBv1 vulnerability
[00:23:04] that were discovered, what, 20 years ago? Like it's the same goddamn thing over and over again and because it's Groundhog Day, I'm just done. Like I can't do this anymore. And it's not that I'm done. It's like I'm not going to continue to do this.
[00:23:16] So I'm going to move on. That's all I'm leaving cybersecurity behind. Y'all can come join with me with search song in the business problems and grow up and get out of our headspace of being too cool for the room.
[00:23:27] And oh, we're just going to go to Black Hat and RSA because that's where the parties are. That's again, like look at the numbers that are impacting the businesses. That has not changed year after year. It is still phishing, business email compromise.
[00:23:40] There's all the same things are happening over and over that are impacting the bottom lines of these organizations. Now where people are going to be feeling at the top levels, they're not going to tolerate this. Neither should we.
[00:23:51] It's time to grow up and move on and get out of this. Cybersecurity's cool kids, we're in our teenage years. It's time we've got to get up and out there. We've got to join the business. And we've been asking for that for years.
[00:24:02] It's finally an opportunity to do it. So I'm done. I'm leaving cybersecurity. I'm going to the business side. You're all welcome to join. And we're going to support the business and we're going to do things around risk mitigation about informed decisions about the information,
[00:24:14] the data and how it moves through the organization. And we're just going to make better business analysis decisions based on this information because we're putting a whole new level of risk around it. That's not that it's new. It's just never been asked of before,
[00:24:27] but we finally have this opportunity. So that's what I'm going to do. I'm not going to continue to do the same thing over and over again. I just can't. I'm just hearing The Who in my head. We're not going to take it.
[00:24:38] Thank you so much for joining us today on Cybersecurity Interviews. I hope that you enjoyed this interview as much as I did. Please go to cybersecurityinterviews.com where you can find every episode, including show notes and links for each guest. There you can also find social media links
[00:24:55] and to sign up for new episode notifications. Thanks. We'll talk soon.