Navigating the Evolution of IT and Cybersecurity: From VAX Pioneers to Zero Trust Visionaries
Released Tuesday, 16th January 2024

Episode Transcript


0:53 How's it going, Andy and Hellmuth? It's really good to finally have you guys on the podcast. I'm really excited for our conversation today.

1:01 Same here.

1:01 Excellent, good seeing you.

1:04 Yeah, it's that time of the year where you debate about taking time off of work, or if the work is going to be so light that there's no point in taking any time off, and so I'm in that conundrum right now with my day job.

1:21 It's a weird wind down this year because the stock market keeps going up, so I think it's keeping people glued to the screen a bit, isn't it?

1:27 Right. Yeah, it's an interesting time. I'm waiting for it to all come back down. Honestly, it's a little alarming that it's going up right now. I feel like it should be going the other way, but whatever.

1:36 I think "enjoy it while you can" is probably the adage, isn't it? Right?

1:40 Right, yeah, I got a couple of friends that are definitely enjoying it. Right now we have a group chat and it's always fun to see what they're saying about it.

1:49 Absolutely.

1:50 What are your expectations for 2024?

1:52 Yeah, I think 2024 is going to be an interesting year. I think it'll be a year of reinvention and emergence of new skills and new demand and whatnot. But before we dive into all of that, how about we start with your guys' background? How did you get into IT? How did you get into security? What made you want to go down that path? And the reason why I start everyone off with this question is because I have a section of my audience that is trying to get into security. They're trying to get into IT, they're trying to make that jump, and I've always found that hearing someone else's story, and maybe you relating to that story, makes it easier, opens up that possibility in your mind to say, hey, I could do this too. So, Hellmuth, why don't we start with you?

2:42 So actually I didn't start off in IT. I started more running different businesses, a large conglomerate at Siemens, where I was responsible for different regional businesses, and then businesses managed from outside of headquarters, namely mostly from the US. Siemens started to explore the future of their industrial business, going more and more into software and data analytics. We acquired a software company headquartered in Plano, Texas, a former EDS offspring, and that brought me closer and closer to the IT world, but really coming from the software angle, and the idea was to bring the physical and the virtual world together. And so I had then different responsibilities in the industrial sector in Siemens, and my last role in Siemens before I retired after almost 30 years was their global CIO. So coming more from a business angle into the IT world, and the idea here was to make sure that IT and business are really closely interconnected and creating value, one together with the other. Most of the businesses in the industrial world today, even though they come very much from a physical world, are now enhanced by data analytics and enhanced by software, and bring then these two worlds together. That was the task at Siemens, and this was also the task of bringing IT and the business closer together, and in this context, you can imagine, cybersecurity plays an absolutely key role. Cybersecurity on the IT side, but as much and as important on the OT side. And that brought me closer and closer to the cybersecurity world which we will be discussing today.

4:29 Yeah, it's an interesting time in history when the worlds started to kind of merge together, I feel, and, you know, it opened up the world of possibilities, of, oh, I can control that pacemaker and I'll control it in a way to where no one knows that I ever did it, right. I'll erase all the logs, I'll erase everything that was on it and whatnot, and so it opens up a really big world for IT and everything, an interesting space where, you know, I think it's even described pretty well in the Zero Day book by Kim Zetter. You know, she talks about how, you know, these generals and these colonels watched as this generator just blew itself apart because someone with a computer, you know, from a mile away decided to hack it and put some malware on it that made it operate at speeds that it shouldn't have been operating at. So, Andy, how about your journey? What was that like?

5:29 Well, I started off with a typical scientific degree in chemical physics and did some programming on the BBC Micro when I was at college, but not much, but I know BASIC pretty well. So from there I went to work in pharmaceutical research and actually built a molecular graphics modeling system, which was a ton of fun. They taught me how to program and I learned in Fortran IV, with variables that weren't even declared and stuff like that. So within a couple of years I discovered that assembler was quite interesting and that understanding how computers worked was pretty interesting as well, and I spent 10 years just writing code. I kept being asked to take management positions but didn't want to, and in the end I became a contractor for six years, when I worked at Marconi's and BT and built a whole bunch of different things as well outside of my day job, just so that I could continue programming. So by the time I went back into the corporate workforce in 1994, when I joined Paribas, I had a lot of programming experience, and during my time at BT we'd also run the ARPANET-JANET project, which was the first connectivity across the Internet in the days when Gopher and FTP were probably the only mechanisms you had for collaboration and sharing. So it was a very interesting time. Obviously the rise of Mosaic and Netscape and so on happened in that period as well. Then eventually the Microsoft all-out rush to go to the Internet, which was also quite fun to watch. I had 20 years in financial services in various different jobs, always technical at one level or another. So CTO roles, for example, had security report to me two or three times over that period of time as well. So pretty honestly, going back to the ARPANET-JANET connection, I think from that point on security was born. As soon as you could address everything from the network, then protection became like one of the most important things. In the beginning, as you probably remember, there was no real commerce or payments, but as soon as that stuff started to emerge then people started to worry about fraud and so on. So I feel like I kind of grew up in the environment where security started, and many of my friends who've been CISOs on Wall Street all came out of Bell Labs in the US, and the same is true in the UK. Many of them came out of multiple labs, actually, into the CISO roles in UK companies too. So I feel like I've been at this for 30 years or so, actually, and for the last 10 or so have been investing in companies, have been on the board of Zscaler, watched Zscaler grow from nothing really to something pretty substantial, and also watched Zero Trust grow as a way of thinking, a philosophy, if you like, for defense, which I think any football coach would understand, strategy around defense and attack being very important. I think that's now true in the enterprise as well.

8:19 Yeah, it's really interesting. So it sounds like you were at the start of the internet and you were in the space, I guess, learning as everyone else was. What was that time like? Because learning back then is a lot different from learning right now. You know, if I want to learn a topic, I'll go on YouTube, right, I can hear lectures from MIT, Harvard, you know, whatever it is, right, but that's all on the internet, right? I'm basing all of my learning of a new topic on the internet. You're at the forefront of the internet. So what was learning about what this thing was? What was that like?

8:58 Well, I mean there's a lot of reading, to be honest. So I mean I read, I think, every VAX manual, every PDP manual, front to back basically, and while I was programming assembler, I mean you need all the help you can get. I also discovered early on that microfiche was really useful because you could actually read how the systems programmers were writing code, and I followed people like Bill Lang, who designed BLISS, and so I would basically look at the code they'd written in a new release of the operating system to learn the tricks and techniques from them. Obviously, being surrounded by great people really helps. The person who sat next to me at ICI was a guy called John Farringdon. He taught me what symbolic debuggers were, and before then I was just, you know, using print and stuff like that, and you take these kind of massive increases in performance just by meeting people, and, to be honest, that's something that I've continued to this day. If you want to know a subject, go to a subject matter expert and find out what their points of view are, what they think is interesting. And so I remember one particular incident at Paribas where DEC actually brought in a guy called Scott Davis, and I'm like, are you the Scott Davis that wrote DECnet? And he's like, yes, I am that Scott Davis, and who's the man, who's the TCP/IP consultant into Paribas? And I'm like, dude, I mean, you're my hero. And so I think you've got to kind of think about every protocol in terms of how it could be breached. And often people forget about those legacy protocols, by the way, and that actually is a mistake. But largely they're gone, but not totally. I mean we still see mainframes in probably most of the Fortune 500. And where there are mainframes you'll find SNA not far away. So just a quick in-touch-with-the-past comment there.

10:41 But, Joe, actually let me add to this. I think some things have changed, some things have not changed. So number one is you get a lot of basic knowledge going on the internet, watching YouTube, using ChatGPT. It gets you all into the area, but to really develop deep thinking and new reflections, what has not changed is talking, go and see, number one. And the second part is what Andy just described: be with people that are really in the subject matter. And I remember, Andy, we spoke a lot virtually together, but it was so different when we met the first time, and I tell you, being two hours with Andy, you learn a lot, much more than you can learn in several days on YouTube. So I don't think this is really replaceable. I think, you know, then you might get a certain basic knowledge, but if you really want to get deep into any subject, the best thing for developing your critical thinking in this domain is being with people that are experienced and willing to share.

11:43 Yeah, it's really interesting. You know, do you think that that also translates into work-from-home culture, that we kind of got, it became more prevalent with COVID, right, where more and more companies are working from home and now employees don't really want to go back to the office because they're not finding the value in it. Right, and I think from my perspective, right, my stance on it is I'm very pro work from home, but there could be absolutely something that you're losing with not going to the office, and for me it's difficult to try and put a value to that, right. So then it's harder, at least for me right now, to, like, put a value to that, to say, like, okay, should I go in, should I stay at home? You know, all these sorts of things, right? What's your opinion on that?

12:31 Yeah, Joe, I think you know that I teach at a business school, and it was very interesting, of course, when COVID hit. We had to go virtual from one day to the other. Then there was a wave of everybody wants to be back. Now what turns out is we get more and more into a hybrid situation where a lot of the material is actually prepared, for example, in videos. You get to this basic knowledge. Once in a while, a lecture can be perfectly done virtual. It works very well, but only in the combination with being back in the classroom, especially in group work, being in a group where students work with other students in a live setting, and then going again for a while virtual. That works, but I think it's really critical, this direct personal interaction. So I'm neither one nor the other. I think the hybrid is really the most effective way of working together now and going forward. Andy, what do you think?

13:26 I think randomized hybrid is the worst possible outcome. So when people go to work when they feel like it, that never works. The companies that seem to be doing this successfully are saying let's go into the office Tuesday and Thursday, and they actually specifically look out for social moments, teaching moments, you know, water cooler moments and so on. So my point on it is that there is no substitute for John Farringdon teaching Andy Brown. There isn't, but, you know, there isn't. I mean, I would never have advanced as quickly without his help. Right, and he was, you know, he's a genius. He actually worked at ICI, invented Diquat, and then he did a computer aptitude test with Burroughs and he got 100%. So Burroughs recruited him. So suddenly he came back when he was older. He's an absolutely brilliant guy, and so I don't really think there is a substitute for that. But I do think that once you've built relationships with people, you can work very effectively with them remotely because you know them. But if you don't spend the time at the beginning to build the relationship capital that you need, I think it's hard to approach people with a problem that you don't know well. So I think that's the point I would make. I think familiarity is very helpful in relationship management, and being prepared to not know the answer and ask somebody for help is a sign of strength in every organization that I've ever run.

14:47 So yeah, I think that there is a lot of benefit going to a hybrid model, especially for the people starting out, right. I couldn't imagine trying to get into this field, right? So, you know, I got my bachelor's in criminal justice, right, nothing computer related. I didn't code before and I still don't code today, right, like thankfully, right, somehow I have missed that skill curve, and I couldn't imagine how difficult it would have been getting into the field without having that face-to-face interaction with my leads, with my, you know, engineers, and saying, like, hey, what is this thing, you know? And they actually pull it up on their screen, show me, talk me through it, guide me doing it, doing it myself. You know, those sorts of things are really, they're irreplaceable. You know, a screen share doesn't do it justice because, you know, with a screen share, once it's over, to me it would be rude to start it back up again and, you know, ask more in-depth questions, right, it kind of puts that barrier, and I consider myself not to be very, I guess, extroverted or whatnot. I mean, people would probably contend with me running a podcast if I'm actually extroverted or not. But you know, once the conversation is over, you know, most people are not going to fire it back up, start diving into it again. Right? It's a complex social situation, I feel.

16:21 I'd agree with you. I mean, I think the one thing that's probably good is that you can ask multiple people the same question and actually essentially crowdsource the answer, which can be very helpful. And if you look at how Slack is often used on tech channels, that's often the way it's being used. So I think, pros and cons. Personally, I think I would rather have not read the microfiche; my glasses may not be so thick right now if I hadn't. So, you know, they're definitely better off today and it's much easier to come up the learning curve faster. However, you have to be intellectually curious and sometimes you have to look under the cover, because often I think cloud programmers haven't gone deep inside to really understand how the computer works to allow them to optimize their code, and many people would say you don't need to do that. But I've seen code written by people that do do that and they're usually extraordinarily thoughtful about how they write code. So I like a combination of the two.

17:16 It's interesting, you know, it sounds like, I mean, this was one question that's taken 20 minutes, right, it sounds like the winding path through your career is the best route to, you know, security, right, overall. I think we would all probably agree on that, which is not what the younger generation wants to hear. Right, I've done mentorship sessions, right, with people that are fresh out of college or maybe they're just about to finish up college, and they're asking me what's the best way to get into security. You know, and I take them down this, you know, kind of winding path, right, as being one option, and they're like, well, if I do this boot camp over here, you know, it's eight weeks or 16 weeks, whatever it is, and I'm in. So, yeah, you might be in, but you're not going to have the level of experience that the industry is expecting of you. You know, you're not going to have the skill sets that everyone else is expecting you to have. You know, for instance, right, if I went to work at Siemens and they deal in nothing but IoT devices pretty much, you know, the hardest devices to secure on any network, that's what they deal with, that's their bread and butter, right. If I, as an experienced engineer, if I go in as an analyst, I'm going to be in over my head most likely, I feel, you know, because it's a section of security and IT that I've never touched before. Is that also what you guys recommend to people getting started in security? To have that winding road, to not worry, you know, about maybe not having that direct path?

18:59 I'm not sure. I think what you just described is exactly what's necessary, is curiosity. I mean going, even if it's just an eight-week or 16-week workshop. I mean, if you expect then you know everything, that's probably a pretty unrealistic expectation. But if you're willing to keep on learning, that's probably the best. It's the best road to get into it, and it's always a mix between getting a foundation, a theoretical foundation, understanding the topic, similar to what Andy said before. You know, at some point in time, if you're in IT, it's probably best you have coded at some point in time. You don't have to do everything, but going deep for a certain period of time and understanding the dynamics helps you enormously afterwards in putting the applications into context. And I think that's true, what you just described, also on cybersecurity. You just have to go deep for a certain period to get the foundations, and then it's all about practical applications. It's about understanding what is it actually really used for? Where does it create value? So, not staying in the theory, but creating a theoretical base and starting from there in certain directions, understanding where's the application, where are the risks, but also, and most importantly first, where are the opportunities and where's the value created. We started a little bit off on kind of the negative side, all about, you know, it needs to be protected. Well, the first question is why do you want to protect it? So where do you create the value that actually creates business value? And you just described the IoT world. I think there's an enormous opportunity for using the data that are collected, be it on a factory floor, and one of the Siemens factories, a factory in Amberg, Bavaria, is several times the factory of the year in Europe and now from the World Economic Forum. Why? Because they have a lot of people that have deep domain knowledge in their segment, and then they bring this together with IT knowledge and then all the cybersecurity knowledge, and I think that's a combination which is really the winning one. Coming back to your question, winding road or not: creating a good foundation, building on it, and then being exposed to the real applications that create value for clients, and then thinking about how do you secure it to make it consistently successful. I think that's really always a good approach, and then you probably want to go back into learning mode again.

21:28 Yeah, I mean, I think there's kind of two things that I would just pick up on there. The first one is that this generation of workers has to be lifetime learners, and AI is going to change the jobs that are useful. They're going to change the pay rates for jobs as AIs get more and more clever and able to orchestrate. So whatever you're doing right now, in five years' time it could actually be valueless. So you have to stay ahead of that and you have to keep thinking about what's going to get commoditized next. If it's a skill that I currently have, that's good because you can build from it, but the question is, where's the puck going? I think. So reskilling and relearning and learning new things is super important. The second thing is that you can't restrict yourself to a single industry. Many people in financial services work in financial services their entire career. Many of the best CISOs I know came from telecom into financial services and then went on to do a whole bunch of other things after that. The way I looked at programming when I was 21 is that programming itself is a completely transferable skill into any industry. I used it to learn how to model protein binding sites, how to automate refineries, and how to automate an entire telecom company that used to be a public utility, which is not easy, by the way. So, in financial services, same thing, but again, each business, Paribas, very different from Merrill, very different from Credit Suisse, very different from UBS. And now, in the last 10 years, working on everything from how do you optimize wine growing to how do you build security companies. So, to me, the transferability of the skill gives you the opportunity to learn many different industries. IoT is obviously an up-and-coming one and a good one to learn, but that's about where the puck is moving. The puck's moving to IoT. That's a good skill to learn. As a security professional, you can start to push your career in that direction fairly easily. So the winding road is often, I think, dictated by future market trends, but your intellectual curiosity and your ability to keep reading is what helps you identify what those trends are. So that's the way I would say it.

23:35 Yeah, I guess it's not fully accurate for me to say that I've never coded or anything like that. I'd say I've probably learned Python like five times over. The issue is that I don't use it regularly, so I forget things that I learned six, seven months ago, and now it's like I have to go relearn strings or functions or whatever it might be. But I do fully agree with what you're saying. Coding is one of those basic foundational principles where you take that learning and then everything else starts to kind of make sense and it fits into its place. I just haven't thought of it like that in such a long time, because now I just do it so innately, deconstructing a problem or deconstructing a system to see how it works, when I'm picturing it in my head, right, of what that is, you know, in Python or what that is in code, and I'm doing that without even thinking about it. But in the beginning, when you're learning these things, it's like an epiphany. It's like, oh my God, that's how the network stack works, that's how this server works, that's how it communicates to something else, all those sorts of things. It just becomes an epiphany.

24:45 I think many theoretical things, Joe, also. You only actually get them when you see a practical application of them. String theory, graph theory, I mean, you know, graph theory, yeah, okay, kind of get it, no, it's okay, but as soon as you see the power of building a graph, you're like, wow, this is really cool. So I totally think what you're saying is 100% right.

25:06

Yeah , it's fascinating , right . Like

25:09

you talk about being a lifetime learner

25:11

. I mean , it's never ending . I guess that's what

25:13

drew me to security personally , right

25:16

is being able to be a lifetime

25:18

learner , because for a long time I

25:20

was in the mentality that IT was

25:22

like the most boring thing , because I had only seen

25:25

help desk and I only did that

25:27

one thing and I'm like man , this would be miserable

25:29

If I have to spend my entire

25:32

career in help desk . I didn't even

25:34

think that there was another side of IT or

25:36

anything like that . It's that always learning

25:38

part that drew me in

25:40

is because once I figured out like , oh

25:42

wait , like I can literally dive

25:45

deep into hacking cars

25:47

Right , just hacking cars , and

25:50

I'll spend an entire career there . Or

25:52

hacking factories , hacking IoT

25:54

, all these different things it's

25:56

really fascinating . So I

25:58

do have a question , though so you guys have

26:00

your PhDs . A

26:03

German doctorate Well that's

26:05

like what Three American

26:08

PhDs right there , no , no , no , no , no . I

26:10

can't say that 100% is .

26:13

Not at all . Some people would say

26:15

it's proper American PhD .

26:17

So yeah , well , those people don't know

26:19

the German education system . So

26:24

I was studying German in college

26:26

in my undergrad , and

26:29

part of it was spending six weeks in Germany

26:31

, and I couldn't tell you the

26:33

amount of times that I was impressed

26:35

with just the intellectual

26:38

knowledge that Germans and other

26:40

Europeans had compared to

26:42

my own knowledge , Joey , you

26:44

just made a lot of Germans very happy because

26:46

the latest PISA study was actually not

26:48

that positive about German education

26:51

.

26:51

I question that study . Okay

26:53

, but coming

26:56

back to the point I think

26:58

I just want to , this is

27:00

lifelong learning aspect , because

27:02

, as you know , Andy and I

27:04

we just sat down and wrote actually

27:06

a book for board members and

27:08

good board members are actually lifelong

27:10

learners and they know that I don't know

27:12

. So part of being a board

27:15

member is asking a lot of questions , ideally

27:18

good leading questions and sometimes

27:20

completely open questions , but really

27:22

the willingness always to keep on learning , to

27:25

keep on understanding what's the

27:27

opportunity in the business , but also

27:29

what are the risks in the business . And

27:32

this is why Andy and I sat down and

27:34

wrote this book about seven steps for

27:36

cybersecurity for board members , because

27:38

they are lifelong learners and want to have deep understanding

27:41

on many subject matters and

27:43

one of them is actually cybersecurity .

27:45

That makes a lot of sense

27:47

for board members to be lifelong learners . I

27:51

find that as you

27:53

become more experienced , as you

27:55

get higher level roles and whatnot , it's

27:57

more important not for you to

28:00

know everything , but for you to surround

28:02

yourself with the right people that are experts in those

28:04

other areas . So

28:07

you could say , hey , can you handle this question for me ? Can

28:10

you drill them in this way , because

28:13

I don't know this side of it like you do ? And

28:15

, Andy , do you find that true

28:18

with Zscaler right from the

28:20

beginning to the end right now , because

28:23

you're a board member of Red Zscaler ? Zscaler

28:25

is a fantastic product . By the way , I've

28:28

used them personally , and

28:31

I mean for a web

28:33

proxy solution to say that I enjoyed it . That's not

28:35

something that you hear every day , that's

28:38

true .

28:41

Look , I think board members generally need to be

28:43

people with lots of experience , and my experience

28:45

is that you get the most experience on the

28:47

winding road , which

28:50

is what leads you to the level of curiosity that Helmuth just described . But

28:52

I think your point was going a little deeper than

28:54

that and I just want to touch on that for a minute . When

28:56

you're building an organization that's growing quickly

28:58

, what you have to do is hire people smarter than

29:00

you in every role underneath you . If

29:02

you want to be carried on the shoulders of

29:04

giants and it takes a lot of confidence to do that and

29:09

for many CISOs who are being

29:11

promoted early in their career

29:13

into the lead role

29:15

because of the lack of qualified resources

29:18

and because they're ready but

29:20

they're ready in an environment where people

29:22

are fishing upstream to

29:26

try and get people to take these jobs the danger is that you're

29:28

not ready . You're not mature enough yet to know that you

29:30

need to hire people smarter than you to

29:33

work for you in every single role reporting

29:35

to you . And this is how you actually are able to first

29:37

of all , make sure

29:39

you've got a great succession plan

29:41

in your organization and , second of all , make the next step , which

29:43

many companies you're

29:46

moving from CISO maybe to chief risk officer and

29:49

promoting somebody from within . The

29:51

promotion from within parts in the industry is not

29:53

happening often enough , in my opinion . Right now , there

29:55

are so many searches out at any given point in time

29:57

for CISOs . I'm aware

29:59

of about 10 right now as an example . I think not only

30:01

do you need that from board members to the point that you made

30:04

, you need people

30:06

with enough experience , but oftentimes board members

30:08

who've been in the role for a long time maybe

30:12

haven't had to deal with the level of cybersecurity

30:14

threat that exists today , and

30:16

those are the people that we were at the board with . Right

30:19

, I mean , it's written for everybody , but most of all , it's

30:22

written for people who want to come up to speed with . Okay

30:24

, how do I get my head around this ? How

30:27

do I think about the right questions to ask and

30:31

how do I make sure that we are hiring people really smart , one down

30:33

and two down from the CISO to

30:38

make sure that every defensive angle that we can

30:40

pursue has been pursued ? Yeah , it's a fascinating

30:42

world , right .

30:44

Because I guess for me right , I'm not a

30:46

person who's not a person . I'm not at that level

30:49

yet , and so it's always interesting to

30:51

hear how that world operates . And

30:53

as I become more experienced

30:55

in my own career , I

30:57

start seeing things from a different

30:59

perspective . I start seeing things kind of from

31:02

the top down , being able to

31:04

rationalize different decisions

31:06

that are made within businesses and with

31:09

organizations and whatnot . Is there any

31:11

value to jumping

31:13

ahead . Like , let's say

31:16

, for instance , you go from

31:18

being an individual contributor to a manager

31:20

faster than what you probably should have been . Is there

31:22

any value in biting off more

31:24

than you can chew and

31:27

trying to work through it ? Or

31:29

are there critical skills for you to have that will make

31:31

you successful , like what you

31:33

mentioned of being

31:36

able to hire people that are smarter than

31:38

you in every role beneath you ?

31:40

I think the first step is to recognize

31:42

what you know and what you don't know . And

31:46

we all have a certain profile and background and

31:48

have some depths in some areas and maybe

31:50

are not that strong in other areas , and

31:53

that's hard sometimes . You know a really

31:56

realistic view on yourself and then you take

31:58

the next step and you try to

32:00

find exactly those people and

32:03

put around you that don't look like you , that exactly have

32:05

those skills that you are missing . So

32:09

it's always in every company , in every

32:12

organization . It's not CSOR

32:14

, not only the IT organization or cybersecurity . I

32:17

think in any organization the only

32:19

one who wins is a team . It's never one individual

32:21

. There might be one person

32:23

who is a CEO , but still

32:26

who wins is a team and

32:28

a good CEO . She

32:30

is able to bring the right people together and

32:34

covering those areas where he

32:36

or she is maybe a little weaker and strengthens

32:39

and makes a team really a strong team . I

32:41

think that's number one , and number two is exactly

32:43

what Andy said . Then you look for

32:45

the best people that are much smarter than you are , especially

32:48

in the areas which you don't cover that

32:50

well , and that takes a certain

32:52

level of maturity . That's

32:55

not just knowing a subject matter . Now

32:57

you have to have the maturity to accept that

33:00

you actually work with people that report to you , that

33:02

know their subject matter much better than you do , and

33:06

this is the only way , I think , to

33:08

really advance strong people strongly and

33:10

get ready , as Andy described , potentially

33:12

even for a next level .

33:15

I mean , there's a bit of science on this , Joe , to some

33:17

. McKinsey has a fantastic report on this

33:19

that talks about skill distance , which

33:21

is the distance of the role you're going

33:24

into versus the one that you're in . Basically

33:26

, one of my mentors always said to me

33:28

if you're a sixty percent sure that you can

33:30

do the role , take the job , but

33:32

if you're fifty five percent sure , do not take

33:34

the job . Right , because the

33:37

thing is you have to have enough competence , which

33:39

comes from the experience of your current role

33:41

, that you can transfer into

33:43

the new role while you learn the new skills . So

33:45

you're both teaching and learning at the same time

33:48

when you take the kind of step that you just talked about

33:50

before . You know , and my

33:52

one of the favorite , my favorite quote

33:54

of all time is from Julius Caesar

33:56

, and the quote is experience is the teacher

33:59

of all things , and and and

34:01

the older I've become , the more

34:03

I realized how true that is . How

34:05

you attain the experience is very important

34:08

, right ? So people who take more career

34:10

risk earlier , but not too much career

34:12

. This sixty , forty things like very important

34:15

. You take too much and you don't do well

34:17

, you lose confidence and actually go backwards

34:19

. So so the people that take

34:21

more risk earlier , other people who do well

34:23

later . Not surprising , but it is . It

34:25

is a fact from the , from the McKinsey analysis

34:28

, that that that that is true , and

34:30

the thing that they do more of is acquire

34:32

new skills more frequently and

34:34

more often and faster . That's what that's

34:36

what that's what they do well . So

34:38

. So I think many CEOs that

34:40

I've worked for , and what with , have

34:42

that skill . They've been able to basically acquire

34:45

skills quickly and acquire knowledge quickly

34:47

in roles . But I think the theoretical

34:50

learner is different than the person with

34:52

experience . And this is a point Helmuth made

34:54

earlier , and that's what Caesar knew about war

34:56

. He knew that the people with

34:58

the most experience on the battlefield knew

35:00

all the tricks that the enemy was going to

35:02

deploy . So I think I think that

35:05

is super important and that's what you're trying to get . As

35:07

a thirty something or forty something

35:09

, you're trying to become as experienced

35:11

as possible to allow you to deal with anything

35:14

that life throws at you and in a security

35:16

role , anything that life throws that you could be

35:18

the survivor of your business . So it's it's kind

35:20

of a . It's super important

35:22

to understand that , I think .

35:23

I have a corollary to this and I fully agree

35:26

with Andy on the sixty , forty and

35:28

I think as bad as if it's a ninety

35:30

, nine one . So if , if you're

35:32

a hundred percent sure you will do great in

35:34

this job , then you're standing . So

35:37

you have to feed your growth mindset

35:40

by continuously challenging

35:42

yourself . Just don't over stretch to extreme

35:44

. Then you fall into the trap that Andy

35:46

described . But if you do the other

35:48

extreme , it's not helpful either , because

35:51

you're not advancing anymore . You're not . You're not growing

35:53

mentally , you're not growing this experience . So

35:56

my recommendation to the listeners that are

35:58

at this stage where they considering a

36:00

next step , always try to find

36:02

something where you have a strong base

36:04

is sixty percent , but where you

36:06

also see it . Maybe it's just thirty

36:08

five percent , but you see that there's a material

36:11

increase in challenge , in

36:13

responsibility and then , out

36:15

of this , also in professional personal growth .

36:18

Yeah , it's very true , and I find myself

36:21

even going down that rabbit

36:23

hole right now with debating of if I should

36:25

get my PhD or not . You know

36:27

I don't want to get my PhD just to have a PhD

36:30

. I feel like there's no value in that

36:32

. You know , I want to get a PhD . I want to get a PhD

36:34

to stretch myself , to

36:36

really push myself to learn a topic

36:38

in depth that builds on

36:40

my previous experience . But I'm

36:43

also not sure of the value that

36:45

it holds in the marketplace , necessarily

36:47

, but obviously if I go into education it holds

36:50

a lot of value . And so I'm weighing

36:52

all of this out right , because I'm

36:54

always looking for the newest

36:56

ways to push myself in learning

36:58

a new topic and kind of redefining

37:00

my skill set right . I've

37:03

done it a couple times now in my career and it's been

37:05

beneficial every single time that

37:07

I've done it . You know , I went from being

37:09

just an IT help desk to , you

37:12

know , doing a specialist with this little

37:14

security kind of flavor to it

37:16

, to being dedicated security engineer

37:18

for organizations , to going into cloud security

37:21

. That graduation is

37:23

, you know , different skill sets all along

37:25

the way . For sure it's an interesting

37:28

balance , I think . What advice

37:30

would you give to someone debating

37:32

about getting a PhD or

37:34

taking another level of education

37:37

.

37:37

I think you know it's , it's less title

37:40

. If it's , if it's a PhD or whatever

37:42

it is , that is actually secondary

37:44

. I think number one is the process . But

37:47

if it's only the process , without

37:49

a product at the end , there's

37:51

a high risk to stop somewhere at seventy

37:54

five percent . The advantage

37:56

of an and it's again it can be a PhD

37:58

or something else on a level where

38:00

you have to , you know , where you have to let

38:02

do the very tough last five

38:05

percent to . You have to really

38:07

fully complete it , and I think there's

38:09

there's something in there in this process

38:11

until the final end . And

38:13

there it doesn't matter exactly which type of

38:16

final end is in there . But

38:18

I think what you describe before , this process

38:20

, is critical , because going through

38:22

the process and going through the process was

38:24

all the hurdles you have to jump over

38:26

. I think that's that's really strengthens

38:29

your knowledge base and also

38:31

your confidence that you can actually

38:33

master these challenges .

38:36

Yeah , I actually have struggled with that

38:38

same thing in my twenties , Joe , honestly

38:41

, and I ended up

38:43

managing a student who

38:45

I see I was sponsoring for their PhD

38:47

, who was on my undergrad course in

38:49

London at Oxford . And so

38:52

because my boss my boss left to have a baby

38:54

and I was left in charge of the student , who

38:56

was one of my friends from college , and

38:58

every every two weeks I go to Oxford

39:00

and I'd meet with Graham Richards , who

39:03

was her professor , and he would

39:05

try to recruit me to do a PhD , and

39:07

I was very tempted to do it , to be frank

39:10

, and I think the thing is that

39:12

that the role I had at ICI

39:14

was actually in the research organization

39:16

, doing research science , so I

39:19

kind of felt like I was already doing

39:21

what I would see . One

39:24

of the reasons why I chose not to become

39:26

a manager early in my career is that

39:28

I wanted to be really deeper programming . I

39:30

did not want to be broad , which is what management

39:32

gives you . Later on

39:34

, coming back to it was better . Being older

39:36

, by the way , too , in my opinion , for me , that

39:39

was better , I think , if you have

39:41

the desire to go really deep

39:43

on a topic , particularly if you want to start a business

39:45

on something and you're really curious to

39:47

go explore a topic , then

39:50

going really deep can be great . While

39:53

I was mentoring this

39:55

other student , they were actually building

39:58

a competitive product to the one we built at ICI

40:00

. It was called ChemGraph . So I

40:02

was able to see both sides of it both

40:04

the student who tried to turn that into a business

40:07

when he left college and was very successful

40:09

actually in the end , and the way

40:11

the academics felt about that , which was not

40:13

great actually , and then just

40:15

doing a commercial product . We had so

40:17

much resource , I mean it was just so much easier

40:20

for us to be successful . So

40:23

I think you can sometimes take your

40:25

pet project and build a startup instead

40:27

of doing a PhD , as long as you're confident

40:29

that you have enough knowledge to actually

40:31

go after it . There's a lot of work

40:33

, by the way , around depth in

40:36

startups , particularly in security . Because

40:38

there are so many startups , the

40:40

space now is getting so thin

40:42

in terms of what you need to be good at

40:44

to build a company that's valuable . That

40:46

could be another way to satisfy or scratch that

40:48

itch , I guess . But I

40:51

know exactly what that feels like and I used

40:53

to talk to my dad about it all the time , like

40:56

I should do that on art , and he's like well , I said , it looks

40:58

like you're doing really well at work , so why

41:00

would you do it ? But on the other hand , he of course wanted me to get

41:03

a PhD from Oxford and he used to push

41:05

me very hard to do it but ended up not

41:07

doing it and not regretting it actually . So it

41:09

just depends on kind of where you land

41:11

, I think , in the end .

41:12

Yeah , it makes a lot of sense . So , Andy

41:15

, in the beginning of our conversation

41:18

you talked about how you were with Zscaler

41:20

from the very beginning .

41:22

Not from the very beginning , but early on 2013

41:24

.

41:25

That's still pretty early on . As

41:27

someone from the outside , I've always found it interesting

41:29

as to how Zscaler

41:31

went from being obviously

41:34

the best web proxy to kind

41:36

of even developing this area that we

41:38

now call Zero Trust . What

41:42

was that like ? Because to

41:44

me as an engineer , once

41:47

I understood it as oh , this is least

41:49

privilege for your entire network . Once

41:51

I understood it as that , it made a lot more sense

41:54

to me and it kind of opened the door . But what

41:56

was that shift like internally at Zscaler , making

41:59

that shift from okay

42:02

, we're a web proxy solution

42:04

company to we're a Zero

42:06

Trust ?

42:08

leader essentially so many

42:10

of the engineers at Zscaler

42:12

came from NetScaler , and NetScaler

42:15

was a very , very performant

42:17

the founding engineers I'm talking about and

42:19

NetScaler was an extremely performant

42:21

reverse proxy solution . So

42:24

one of the things they focused on was getting packets

42:26

from the left hand side , or the north , to the south

42:28

side of the ZEN boxes very

42:30

, very fast less than a millisecond

42:32

, and

42:35

with a web proxy , that's extremely

42:37

important . So there are many benefits of

42:39

putting the proxy in the cloud . The

42:41

management of PAC files I mean the whole policy

42:44

management massive benefit . But

42:47

this idea of what could you do to the packets

42:49

while they were traversing the edge of the network

42:51

became super

42:53

important for the business . But you

42:56

have to do it without impacting the performance

42:58

. So what you can run in

43:00

line between the north

43:02

side and the south side of the interface still

43:05

has to be faster than 10 milliseconds . It really

43:07

wants to be more like two or three milliseconds

43:10

or less , and so the

43:12

challenge always was how much

43:14

functionality , how many algorithms

43:16

can you run on those packets

43:18

while they're passing through the box to

43:20

enable you to put things like DLP

43:22

in line and all these other capabilities

43:25

that we now deliver ? And so , to

43:28

me , the thing that amazed me

43:30

the most was the original design

43:32

of the engineers . You know Zscaler stands for zenith

43:35

of scalability , as you probably know , and

43:37

it's the scalability of both

43:39

. The architecture , which is , you

43:42

can add as many pods as

43:44

you need worldwide to deal with the traffic

43:46

that you have . Most people have never

43:48

heard of Terabit networks , but we run them

43:50

, and so the bottom line is

43:52

that not only do you have to have boxes

43:54

that are very fast , but you have to deal with a lot of scale

43:57

on the bandwidth side as well . I

43:59

haven't seen this recently , but they used to in every

44:01

board meeting show us , you know , Zscaler

44:03

versus Google , Facebook , TikTok

44:06

and YouTube in all the major cities in

44:08

the world , and I start watching when we hit

44:10

number three , basically . So I

44:12

don't know what the numbers are now , to be honest , I haven't looked

44:14

them for ages , but that scale that we're

44:16

running in the enterprise , there's no one

44:18

else in that scale . I mean there are people who have

44:20

consumer businesses at that scale , but

44:23

not not . So the scale itself

44:25

. I remember being in a meeting with Google when Google were on

44:27

the board , where we exceeded Google's

44:29

throughput and I was literally blown away

44:31

. I mean it was amazing , you

44:34

know , I think you have

44:36

to . You have to lead with performance

44:38

. You have to think about then the SLA

44:40

, that's open , which is about two milliseconds

44:42

, and then you think about well , what else can

44:45

we do in that two milliseconds to

44:47

add all of the functionality that we've

44:49

added today ? And , by the way , mostly we're

44:51

less than one millisecond today because what's happened in

44:53

the meantime is Moore's Law has continued

44:55

. Networking interfaces have become

44:57

more performant . You can buy more capacity

44:59

from fiber companies , so you know there's

45:02

an all , all boats rise in that ocean

45:04

kind of model there as well . That's

45:06

helped us along the way . But running

45:09

a network at that scale is I

45:11

mean , I worked in telecom , I know

45:13

what that is like , right and so and

45:15

I ran networks , by the way , in financial services

45:17

too . So the scale itself

45:20

still is is unbelievable

45:22

. It's kind of like the scale of some

45:25

things that SpaceX are doing , for example , just

45:27

in terms of how much of a reach it is

45:29

to be able to do that . So

45:31

I still find that amazing today . But that's

45:34

basically the , architecturally speaking

45:36

, that's kind of how that works , if that makes sense

45:38

.

45:39

And Joe , maybe from a customer perspective

45:41

. No , we at Siemens we are customers

45:43

of Zscaler and we started

45:45

really with a point solution with the so

45:47

called Zscaler Internet Access , connecting

45:50

directly to software as a service

45:53

provider like Salesforce , and then Microsoft

45:55

when we introduced 360

45:57

. And what was really interesting , traditionally

46:00

we had always this triangle

46:02

between cost , usability and security

46:05

and usually the discussion was always

46:07

well , let's spend a little more than we get a little

46:09

bit more security , but then usability

46:11

went down because it became more complicated . So

46:14

somehow the triangle was always unbalanced

46:16

and for us it was the first time

46:19

when we introduced zero trust and Zscaler

46:21

that in all three dimensions we had

46:23

improved . We had actually higher security

46:26

, we had higher usability and

46:28

we had less communications costs . So

46:30

it was a very interesting game changer for

46:32

us that what we thought

46:34

were trade offs were not trade offs anymore

46:37

and we could drive all three dimensions

46:39

in the right direction .

46:40

Yeah , it's a really fascinating area and I feel

46:43

like we could have a whole other episode just talking

46:45

about Zscaler and the capabilities and

46:47

the future of it . Right , but we're coming

46:49

to the end of our time here , but before I

46:52

let you guys go , let's talk quickly

46:55

about the book that you guys put together

46:57

. What's the book title ? And I'm

46:59

wondering is there a common

47:01

language when dealing with the boardroom

47:03

that you have found to be

47:06

very efficient ? Right , and I asked this as someone

47:08

that is graduating in their

47:10

career . Right , I'm learning

47:13

how to structure different conversations

47:15

with different parties within the company

47:18

, so what's your opinion on that ?

47:19

So let me start with the easy part . What's the title

47:22

? It's Cyber Security Seven Steps

47:24

for Board Directors , but then it has a subtitle

47:26

and it's called the

47:28

Guide to Effective Cyber Risk Oversight

47:31

from Board Members for Board

47:33

Members . So number one is , the

47:35

idea was , as Andy and I described

47:38

before , that we make a very

47:40

practical description

47:42

. That's really helpful for board members , that

47:44

where many of them do not have

47:46

very detailed knowledge of cybersecurity

47:49

, but a lot of curiosity and

47:51

, naturally , a responsibility

47:53

, a fiduciary responsibility for

47:55

the companies they represent on the board . And

47:58

so the book is full of

48:00

specific examples you know what's

48:03

happening in the cybersecurity environment

48:05

, and it also translates technical

48:07

terms into real life terms . And

48:10

I think they're coming back to your other

48:12

question . How is it helpful

48:14

? Actually not for board members , but

48:16

for , for example , CISOs that communicate

48:19

regularly with the board . And

48:21

I would say just number one , as

48:23

when you walk into the boardroom as

48:25

a CISO , you can assume

48:27

that everybody in the room is prepared

48:30

. You can assume that everybody in the room

48:32

has a very strong interest to make

48:34

the company even more successful , and cybersecurity

48:37

is one part of it , but you also

48:39

have to assume that not everybody in the room

48:41

has the same technical depth as

48:44

you as a CISO have . So

48:46

make sure you have enough time

48:48

to translate what you want

48:50

to achieve , on what you're working on , into

48:53

a relatively normal business language

48:55

and how it relates directly

48:57

to the business that the board has

48:59

its fiduciary responsibility for . And

49:02

I think there the book is helpful in both directions

49:04

it's helpful for board members , but it's

49:06

also helpful for the IT professionals

49:08

that regularly have a dialogue with

49:11

the board .

49:12

Maybe I'll pick up on a few other points . The

49:14

first one I'd pick up on is often

49:17

members of the executive team in companies

49:19

are also not cyber

49:21

aware or not as cyber aware

49:23

, and we're certainly seeing collective responsibility

49:26

emerge as a theme around both

49:28

the lawsuits against Uber

49:30

and SolarWinds and , more deeply

49:32

now with the SEC changes that

49:34

require material disclosure

49:37

after four days . So everybody

49:39

on the on the executive committee of a company

49:41

now needs to really be on the same page with

49:43

filing an 8-K after an event like

49:46

that has occurred . So I think there

49:48

are now not just knowledge

49:51

requirements of board members to Helmuth's point

49:53

but there are also transactional

49:56

decisions that the board are going to participate

49:58

in , where board members are required

50:00

to be well enough informed

50:02

to make a decision on what materiality is

50:05

. The second thing there , I think , is that

50:07

not acting too soon is

50:09

super important . We've seen with the Clorox incidents

50:11

that when you react too

50:14

early you often have to retract or

50:16

react again , basically

50:18

when you find out more

50:20

things later on . And there have been a number of breaches

50:23

and exfiltrations recently where the

50:25

initial extent of the exfiltration has

50:27

been found to be much

50:29

, much greater than was originally

50:32

disclosed . So I think that's another

50:34

area that we've put into the book

50:36

, which is about kind of the process that you

50:38

put around the assessment of

50:40

materiality as well

50:43

, but mostly that the book

50:45

is . The book is really organized around

50:47

process and what process

50:49

you should run , both to

50:51

get people up the learning curve to

50:54

what they need to know , to

50:56

have a common language that they

50:58

can actually converse with the CISO in

51:00

. Often CISOs are very technical and

51:03

converting the way a technologist

51:05

speaks to the way a business risk needs

51:07

to be encapsulated is a trick

51:10

, and I think you know you can't expect CISOs

51:12

to learn overnight , particularly given the conversation

51:14

we had earlier about how often they are

51:17

kind of quite young when they're put into that role

51:19

. They can't overnight understand

51:21

what the business risk is . So I think the executive

51:23

team needs to work with them and that's also

51:25

something that we cover in the book

51:27

as well . And then the use

51:29

of public framework , so like the NIST assessment

51:32

framework and so on , to get a really tight

51:34

view on what

51:37

would an outside party say

51:39

if they were doing an assessment of your company

51:41

and actually having someone like EY , KPMG

51:44

or PwC run an assessment

51:46

like that . So you know where you stand and

51:48

you know what you need to improve . So

51:50

I think all of those things are important

51:53

. I mean , the whole risk surface area

51:55

is a topic that we touch on a fair amount

51:57

in the book as well . It's just understanding

51:59

what that is and where your current

52:01

weaknesses and strengths are as well , super

52:04

important . But I think that if you

52:06

ask it at a macro level , I think that's probably about

52:09

the scale of it .

52:10

Sounds really interesting . I'll definitely have to pick

52:13

up that book at some point . Well

52:15

, guys , unfortunately

52:17

we're at the top of the hour and I know that we

52:19

already went over , so I

52:21

really appreciate you hanging on Before I let you

52:24

go . How about you tell my audience where they

52:26

could find you if they wanted to

52:28

learn more and reach out ?

52:29

Sure , I'm very easy to find on

52:31

LinkedIn . By all means , reach out

52:33

with questions on the book on LinkedIn and

52:36

obviously you can channel those through Zscaler as well

52:38

.

52:38

Yeah , same thing . LinkedIn is the

52:40

easiest and if you

52:42

can make available the link to download

52:45

the book if they're interested , it's

52:47

publicly available , so easy , accessible

52:49

, and if there are any specific

52:52

questions , LinkedIn is always a good

52:54

way to connect .

52:55

Awesome . Well , all the links will be in the description

52:57

of the episode and I really appreciate you guys

52:59

coming on . Thanks everyone . I

53:01

hope you enjoyed this episode .
