0:00

Welcome to another episode of Breaking

0:02

into Cybersecurity Leadership, where

0:04

we talk to cybersecurity leaders about

0:07

developing our next generation. Today

0:09

we have David will be sharing his

0:12

experience of getting into cybersecurity

0:14

leadership and sharing his

0:17

tips and tricks for you. Before

0:19

we get started call for everyone.

0:22

If you're seeing this, share this with

0:24

others. 'cause we do need

0:26

a diverse set of leaders

0:29

as well as a diverse set of individual

0:32

contributors within the cybersecurity environment

0:35

so that we could tackle the complex problems

0:37

of today and tomorrow. David

0:41

tell us a little bit about your background and

0:43

what got you into cybersecurity. I.

0:46

All right. My joining to cybersecurity is

0:48

a very interesting one. Having started my

0:50

career in core technology

0:53

telecommunications, Pure

0:55

signaling, uh, long

0:58

distance communication stuff, antennas

1:00

and all of those things. That

1:02

was the beginning after my first degree

1:05

in electronics, computer engineering, telecoms

1:07

was my passion and my love at

1:09

the time. So went round, did external

1:11

line plans switching some

1:14

routing. So basic stuff

1:16

for was C-N-E-C-C-M-P certified. Worked

1:19

with a few organizations in network administration

1:23

and all of those early stuff. And

1:25

somewhere at the fourth to

1:27

the fifth year in my career I began to

1:29

notice a couple of things. There was

1:32

a lot of prestige and respect around

1:35

security. That was the days

1:37

of the Cisco CCDP certification,

1:40

design, security, professional Security

1:43

Pro CCSP, security professional. There

1:45

was a lot of respect and

1:48

prestige along those lines and

1:50

just. And excited anytime the CCSP

1:53

guys came in, they came in only once

1:55

in a while and they collected fat monies

1:58

that the c the CCMP

2:01

guys weren't collecting. anD

2:03

I was like, what is going on here? These guys and

2:05

their routers are very expensive. tHe

2:08

switches are very expensive and they don't they

2:11

don't particularly do too much. They're just there. Not

2:14

much was but they got paid very highly. And

2:16

so that was also about the time

2:18

when the telecoms revolution

2:21

in my country started where we moved from

2:23

the pt PSTN network

2:25

to the core select technology. I

2:28

had the benefit and the advantage of being

2:30

part of that transition

2:33

and having understanding about external.

2:35

And also at the transmission

2:37

centers the long distance trans transmission

2:40

centers. I got interested in

2:42

security after an incident as

2:45

a young engineer where heads

2:47

began to roll. There was a

2:49

breach in the switch, uh,

2:52

the billing platform of the night

2:55

tale. Tel is communications

2:57

limited. There was a breach in

2:59

billing, and that breach

3:01

was very significant. So

3:04

my the entire, everyone caught

3:07

cold. Everyone was very troubled and

3:09

that started, they had to implement some security

3:12

features. In the switch. And that began

3:14

my foray and my interests beyond

3:17

traditional signaling, beyond

3:19

common channel signaling

3:22

seven systems and the common

3:24

things we do both in switching and routing. That's

3:26

apart from the traditional

3:29

network on the telco network

3:32

side. So I read up a few of

3:34

the chapters in the security professional

3:37

book and. Sensitized. Then

3:40

we had as a network administrator, one

3:42

of the clients I worked for, we

3:44

had a security breach where

3:46

someone's password was breached.

3:49

As a network, as a young network administrator,

3:52

the amount of pressure that came

3:54

with it, the user issues, the stress

3:58

and how much management hit energy

4:00

on further securing. Those

4:03

networks and those issues

4:05

and then it was amazing for

4:07

the first time. It was an rare moment for

4:09

me for the first time when I saw how

4:11

much potentially we could lose. In

4:14

that case, we didn't lose much, but how

4:16

much we could potentially lose was

4:19

a very big issue for me. It was, I

4:21

kept turning and tossing on my bed, what

4:23

if the wrong, because that's a very small

4:25

person who had. Access

4:28

to very sensitive systems.

4:31

He was the person who authorized everything

4:33

when payment is in and it's gonna go in

4:35

hundreds of millions, he was one to go to.

4:37

So I was like, wait a minute guys, what

4:40

if something happens to this

4:42

man? And his password is compromised,

4:45

is beaten up, and his password

4:47

is compromised, and we have to,

4:49

pay heavily for it. That began my

4:52

strong journey and

4:54

my strong desire to ensure

4:56

that I master cybersecurity. So I began

4:59

to, get interested, do conferences,

5:02

read more around it. And that started the journey

5:04

for me. And of course, I also,

5:06

I made a good transition into program

5:08

management, where now implement

5:10

projects and for whatever reason, Cybersecurity

5:13

projects started getting thrust at me strengthening

5:16

infrastructure, toughening

5:18

up infrastructure, improving identity,

5:21

uh, systems and all

5:24

of that. And then along the line, I

5:26

stumbled also into card transactions

5:29

and the import of those and the amount

5:31

of fraud that happens, or the

5:33

amount of fraud that industry up because,

5:36

geometric rise in the transaction

5:39

rates on the planet. thE

5:41

internet has become the place. You

5:44

have it online. You seldom buy. I use my phone,

5:46

the NF NFC here right now to,

5:48

to all the way from taxis. To

5:51

eating at the restaurant, to

5:53

ordering something on Amazon. Everything is

5:55

up ally but then at

5:57

this time it was still starting. aNd

6:00

so all of that energy and as I

6:02

observed the future trends and the challenges

6:04

around cards, I got more interested in

6:07

cybersecurity and I've been on this journey in

6:09

total for about. To decades kids

6:12

been there, done that. I've worked within

6:14

the ERP domain,

6:16

rolled out ERPs, rolled

6:18

out infrastructure on the technology

6:21

technical side, been here, done

6:23

that and it's been a very, pretty amazing

6:25

experience. Loads of

6:27

lessons lose of very difficult

6:29

moments, uh, where

6:31

you had to answer questions of conscience. And

6:34

think about the future, when the

6:36

future has not happened. How do you prepare

6:38

for a future? You can't see, you can't crystallize,

6:40

you don't understand the risks, uh,

6:42

because of the limitation

6:45

of where you are. So this is a major challenge.

6:47

I've also seen in my journey over

6:49

the years. How do you prepare for volume

6:52

of transactions that suddenly balloon

6:54

up

6:55

Yeah. Thinking about the future is definitely

6:57

important. What, as you think about your

6:59

journey why did you decide to pivot to

7:01

become a cybersecurity leader versus

7:04

staying an individual contributor?

7:06

I decided on the leadership route

7:08

be because anyway, leadership was thrust at

7:11

me. In my role as a project manager,

7:13

I have been forced to, whether

7:16

I like it or not, I have to take leadership,

7:19

from a communication standpoint,,

7:22

I had to be comfortable, for example, with

7:24

addressing the elephant in the room having

7:27

difficult conversations that nobody was willing

7:29

to have. Collaborating with difficult stakeholders

7:31

because the success of and

7:34

the failure of the project rests on

7:36

me. Generally typically I'm in charge of

7:38

scheduling and ensuring that things

7:40

happen as at when due.

7:42

When you are in those kind of roles, you

7:45

are like the proverb proverbial

7:48

dancer who cannot look

7:50

at the noise of the markets. You got a job

7:53

and everyone depends on you as a driver

7:56

to take them from point A to point B.

7:59

Now that requires a lot of

8:01

leadership, a lot of excellence,

8:04

a lot of dedication and passion

8:07

beyond being an individual. And

8:09

anyway, I enjoy their attention. It's

8:11

not very easy being a leader must confess to

8:13

you because then you

8:16

are much more aware of your own weaknesses.

8:19

And your fullness are heightened. And

8:22

indeed, your personal,

8:25

uh, private failing moments can

8:27

be easily amplified and

8:29

you can cause damage at a bigger level. Now, awareness

8:32

of those kind of things make it very sobering

8:35

and make it difficult for one to gloss

8:37

over. But all in all, I'm grateful

8:39

for the opportunity first to

8:41

serve. And to keep serving in

8:44

leadership position because, anyway, I

8:46

always, when I talk online, I find myself in

8:49

conversations all of a sudden taking the lead,

8:51

not because I want to demonstrate superior thoughts

8:54

or I want to show myself off,

8:57

but it's coming more from a heart of service. A hat

8:59

of help, a hat of a responsibility

9:02

that things could be better, and that

9:04

is the driving force. Although over the

9:06

years, that has been misunderstood

9:09

and people think you want to show off. People think you have

9:12

a desire to make others look stupid. But no,

9:14

it's just that you just want

9:17

things to be better. Than they

9:19

were and you think we can all benefit from

9:22

a better system and with no hidden agenda.

9:24

This is what thrust me into

9:26

the leadership positions. I found myself

9:29

either in the project room or in

9:31

the technology field or even in third leadership, that

9:33

I championed a lot. I.

9:34

So A, as you look

9:37

to grow your leadership skills, what

9:40

in your view are the critical

9:43

skills needed for a cybersecurity

9:45

leader? I.

9:46

That's a very deep question right there,

9:48

iT's multidimensional. Chris that's

9:51

very deep. Let me say this. fIrst

9:54

of all, you must want it. You

9:56

must want it, and that is

9:58

not a skill you gather in any textbook

10:01

or a skill in any material. It's

10:03

pure personal desire when

10:05

your PDI Personal Desire

10:07

index or indicator, which is

10:10

a measure of your cautions,

10:13

which is a measure of PDQ, personal

10:15

desire. ENT when

10:17

it's below a certain number that

10:20

is beyond the equilibrium of

10:23

the industry and where you are in your

10:25

life. Don't take the leadership position. When

10:27

your internal willingness versus

10:30

the industry equilibrium and the

10:32

strength of events in the environment

10:35

is at a higher level of turbulence than you can

10:37

allow, for example, as one of the factors

10:39

we are measuring within your life

10:42

at that time. Don't take that position when

10:44

you, where your desire is higher than

10:47

that equilibrium point and

10:50

the higher. To lead. This is

10:52

genuine desire, not ambition,

10:54

because there's a difference between ambition

10:58

and assistance. I call

11:00

it assistance. The willingness to be

11:03

good and to help the willingness that everybody

11:05

trusts me to stand at this door and

11:08

the willingness to serve rather than I

11:10

want to be the most for

11:12

the purposes of advertisement

11:15

and size, ego and all of those kind of

11:17

things, and somewhere in the future of

11:19

your leadership. That metal will be

11:21

tested. You will either be converted.

11:24

A more humble leader or more authentic leader,

11:27

or you will grow much more narcissistic

11:30

or something, and eventually your

11:32

time will pass without you having

11:35

left any legacy or you

11:37

will learn the lesson. Or nature happens to

11:39

you, whatever happens, X. But I

11:41

think that personal desire is the place to start from. It's

11:44

even a calibrator of how far, how

11:46

well you would do. So I don't sidetrack the conversation.

11:48

So the rule is the hire your

11:51

personal desire to lead, especially from

11:54

the positive psychologist standpoint. The

11:57

higher it is than that equilibrium

11:59

point for the industry and the environment you are in

12:01

at large, the more your chances of

12:03

success as a leader. That's the first one.

12:05

Can I stop you there? Because it's, that's something

12:07

that I have not heard about. For those

12:09

that are looking to learn

12:11

more about this, where

12:14

did. Where's this where

12:16

did you find this from? Or where did

12:18

you learn this so that they could dig into this

12:20

themselves.

12:21

I do a lot of personal introspection and

12:24

I try to find my answers. I don't find my,

12:26

not pull, of course, I've

12:29

read a lot of things, but it's rooted in

12:31

the materials of self-awareness to be

12:33

aware of your desires. Self-belief,

12:36

first of all, self-awareness, self-belief,

12:39

self-esteem, self-acceptance and

12:42

self-promoting, and yet being

12:44

selfless.

12:45

Makes sense. Makes sense. Yeah. I'm

12:47

a big supporter of the north of having

12:49

your North Pole as well, to help

12:51

yeah, exactly. So having my north pull and

12:54

then not following the tide on

12:56

the outside, but having my north pull

12:58

on the inside was the

13:00

way I arrived at this particular solution.

13:03

That my personal desire indicator

13:06

based on all of this foundations of

13:08

my self understanding and awareness of

13:10

where I am. Must be beyond a

13:13

certain threshold of the entropy

13:15

or chaos of the environment. How

13:17

difficult is the leadership role? How

13:19

difficult is it to be a leader in that time?

13:22

What are the challenges the organization or

13:24

the context is facing? Who

13:26

are the players there? Would

13:28

they be willing to give me a chance to succeed

13:31

or fail? Is it context favorable?

13:34

If you're gonna be a leader in a place where you don't understand

13:36

the language, maybe you should not take up the

13:38

role. Maybe you should not just to be a leader there, you

13:40

don't even understand the language that you can't

13:42

even converse and you cannot even engineer.

13:44

Meaning beyond communication. Communication

13:47

is one thing, but meaning is

13:49

when David is

13:51

able to put the exact signal in

13:53

his mind, increase his mind, and

13:56

Chris's response. In such

13:59

a manner that David knows

14:01

that what he was originally intended to

14:03

pass across has been understood. This

14:05

is basic communication engineering.

14:08

So if you don't, if you're battling language

14:10

for example, then maybe you should

14:12

humbly not take the organization

14:15

or that leadership role up. So

14:17

those are the entropy factors. The questions

14:19

the threshold points. For example, another

14:22

one for example, is if you don't understand the culture.

14:24

Or you cannot fit it to the culture. Culture

14:27

will always eat strategy for

14:30

lunch and dinner and breakfast.

14:32

Culture will always destroy

14:35

the strongest of our good

14:38

lofty idea. So as a leader, as a

14:40

cyber leader, if you don't have

14:42

the cultural intelligence to lead

14:45

in that environment, maybe you

14:47

should pursue that. But there are complement skillset,

14:49

like cultural adaptability. If

14:51

you are culturally adaptable, you know

14:53

you are strong on the agility leg,

14:56

which is another, that being agile or understanding

14:58

agile frameworks helps you to do when you're a cyber leader.

15:01

So it's not a doom and gloom thing. If

15:03

you notice that there's a gap between where

15:05

your personal desire index

15:08

is. And where the level of

15:10

the threshold level is, then

15:12

you can bridge the gap and yet you

15:14

can lead. So it's not, but it's to be aware that's

15:16

a gap between your personal desire is

15:19

and some of the person's desires, mislead them your

15:21

desire. You may not be ready, you

15:23

may not be competent. So desire is empty

15:26

if it does not pass through. Personal desire

15:28

is empty if it does not pass through

15:30

the very lens of self discovery.

15:33

Self-awareness, self-acceptance,

15:36

then self-esteem. And then before you

15:38

now go to self-promoting in

15:41

all of these, yet being selfless.

15:44

So that you're not full of yourself, but you

15:46

want to serve and really solve a

15:48

problem. And if we were

15:50

to choose between Chris and I

15:52

will vote for Chris if Chris is a better

15:54

candidate than I am to help

15:56

us through the bridge. Chris knows how to swim.

15:59

I don't know how to swim. So

16:01

this organization is at the point within their

16:04

corporate lifecycle where they

16:06

are rolling out a lot of new products. And

16:08

Chris has had experience in products

16:11

rollout and Chris understand

16:13

the cybersecurity challenges and

16:15

the risks that happen in that particular

16:17

sector. Why do I want to

16:19

rob the organization? I. Of

16:22

his expertise because I want to earn

16:24

a few dollars, or I want to be the known

16:27

guy or want to be the one who is leading

16:29

the team. That's one thing ago. On

16:31

the day, something critical will happen then

16:34

to a paid that. I don't know how to navigate that. Ben,

16:36

Chris is the better driver there. Why don't I give

16:38

him the leadership? You've been in podcasting

16:40

for a while and, there's audience

16:42

intelligence, for example, that you have around

16:44

the cyber regime and cyber world. Why

16:47

don't, I want Chris to lead the

16:49

conversation because everyone has

16:52

what they're useful for, even in

16:54

cyber leadership. Everyone has a use.

16:56

Every leader has the moment

16:58

and defined occasion of your use.

17:01

There's your ah, in leadership and

17:04

do not stay longer than those hours.

17:06

That's also a sub to council there.

17:08

Your tenure may be two years. You

17:10

may be a very strong risk manager, or

17:13

you are a strong infrastructure deployment

17:15

leader. Because you have project management

17:18

and agile understanding, like me, and

17:20

you could actually be a strong people leader

17:22

because the team needs more confidence as

17:25

they need someone who is a CISO or

17:27

a cyber lead that understands

17:29

that level of energy and intelligence, if

17:31

you get what I mean. So at the end

17:33

of the day, wisdom is

17:36

to select your location. A

17:38

moment of brilliance and know your own

17:40

leadership, DNA, and leave

17:42

that ethos and not be driven by external opportunity.

17:45

Again, that cushions personal

17:47

desire that is intelligent, so we

17:50

can call it intelligent personal desire

17:52

that's willing to be personally developed to

17:54

meet the threshold and need of the occasion,

17:56

and the willingness to leave when the

17:59

time is due, not necessarily when the vision is

18:01

loudest, when the time

18:03

is due for that occasion.

18:05

So it, it sounds like if I'm,

18:07

if I could paraphrase, understanding.

18:10

Your leadership abilities and your

18:12

readiness to be a leader is

18:14

one of those core critical skills in

18:17

your perspective. Are there any other critical

18:19

skills.

18:20

yes, there is what is called kudo or situational

18:22

intelligence or awareness. The ability to

18:24

understand situations quickly and

18:27

the ability to take decisions quickly,

18:29

that will help you need

18:31

it. In cyber security leadership,

18:34

you cannot afford not

18:37

to have it, but how do

18:39

you get The problem with experience is

18:41

that you gain good experience from bad

18:44

experiences,

18:45

There's cheap experience and there's expensive

18:47

experiences.

18:48

Thank you. I like that. That's true thank

18:50

you. Thank you So every

18:53

time someone listens to Chris Fullon

18:55

a podcast, that's good experience. You

18:58

listen to David or you subscribe to any of

19:00

the seminars that do in cyber leadership

19:02

or any, or anything that you do, or we

19:05

organize something together and someone listens.

19:07

Good experience. You don't

19:09

want to wait until crisis happens.

19:12

For example, I've seen cyber leaders who don't

19:14

know their, they're excellent panicker. I've

19:17

met CISOs who are panicker. That

19:19

is their profile. Their panic profile

19:21

is on the roof. They panic and

19:23

then they panic, and they pile

19:25

budgets at panic. So the full panela

19:28

and then they get before the executive team and

19:31

their leadership communication skills.

19:33

And futuristic skills begin

19:35

to be torn to pieces, only because the

19:38

excellent people, when there is no tension,

19:41

they can take their decisions. But

19:43

because they are good panicker or

19:45

warriors, they hip budgets

19:48

and they hip reinforce steel. They

19:51

toughen up, architectural toughen

19:53

up infrastructure, toughen up, and

19:55

management is asking. But there's been no incidents

19:58

in the past five years. Why do I need

20:00

another server or another thing this year?

20:02

And the guy goes that's because I'm good. I'm doing my

20:04

job. They're like, so that means we don't need it And

20:07

it won't be in that frame of mind, if

20:09

not for his personal panic. But again,

20:11

some amount of panic is good for a CSO

20:13

because in the school of cyber warfare,

20:16

as in real time warfare, only

20:18

the paranoid survive so

20:20

some amount of paranoia is needed. Paranoia

20:23

is needed in cybersecurity, but

20:25

at the same time, it's also

20:27

very difficult for

20:29

you to be extra paranoid when you are leading people

20:32

and not use panic to drive the

20:34

bus of the road. So panic profiling,

20:37

for example. You must understand

20:39

your panic profile from

20:42

situation awareness perspective in

20:44

a situation what's going on. What

20:46

are the main things? What's most profitable

20:48

action? Which level of panic

20:50

am I supposed to switch on? Medium, low,

20:53

or high? How do you apportion

20:55

or identify the necessary

20:57

efforts or response to

20:59

an incident in a personal profile? So all

21:01

of those internal readiness work must

21:05

be there. Then I say that leaders

21:07

must have the full grill

21:09

things, the fall. Of leadership,

21:12

mentor, coach, facilitator,

21:15

trainer, mentor, coach.

21:17

Not necessarily in that order, if you want me

21:20

to order it. Coach, mentor, fac.

21:22

Sorry, coach, facilitator, mentor,

21:25

trainer, coach, facilitator,

21:28

mentor trainer. Training is the last

21:30

one, but many leaders try to do training first.

21:33

Yeah, that makes sense. Some of

21:35

the other skills that I've found over the years

21:37

to be really critical,

21:39

and maybe I'll ask you to rate yourself

21:42

from a, a scale of one to five

21:45

is delegation. How. Would

21:47

you describe delegation and rate

21:49

yourself one to five?

21:51

On delegation, I'll probably rate myself four.

21:54

That's because I've done some wrong delegations. I'm

21:56

like, how did I make that mistake? But I read

21:58

myself four on delegation, um,

22:01

because I'm blessed with a real ability

22:03

to see people. And watch

22:06

and observe without any

22:08

bias until I understand what's going on.

22:10

I've learned that over the years. I

22:12

watch people carefully and I'm very

22:15

non-judging in the beginning to

22:17

ensure that I understand what's really going on, and

22:19

I'm also sufficiently friendly. I try

22:21

to be friendly to walk

22:23

across the beach, to understand, even if

22:25

I see an external behavioral pattern

22:28

calibrated by. What is behind it? And

22:31

is this something that can be brought up in a

22:33

direct conversation or something? We're

22:35

gonna use indirect conversations to deal with.

22:37

So on delegation, I have about four of

22:39

five in total because I still

22:42

have some hit and misses. That's part my method. Number

22:44

one with delegation is that there are tasks

22:47

to delegate and there are things you cannot delegate.

22:49

The wisdom to know what to delegate, I

22:51

wanna delegate is very important for

22:53

a cyber leader. Number two.

22:55

And yeah. Next. Collaboration.

22:58

How would you rate yourself in collaboration

23:01

on a scale of one to five and why?

23:03

Collaboration. I read myself again, four

23:06

because I've done some bad collaborations in

23:08

the past, and I am a

23:11

collaboratively shy person

23:14

now. Because I've had some bad

23:16

experiences, so I do more rigorous

23:18

interviewing the and

23:21

Trustingly. I do collaboration, intelligence

23:24

coaching. So there are people who come to me and say, I wanna collaborate

23:26

with this guy. What do you think? Because

23:28

I have some intuitive coaching practice I do by

23:30

the side and I'll just do an analysis, say,

23:32

what do you want? Do you want a person to

23:34

person profiling or you want a business to

23:37

business, whether your business and that business can collaborate.

23:39

And in most of the cases, nine out

23:42

of 10 times, I get it correct. That's for others,

23:44

but for me, I'm slower because

23:47

I would watch, ask questions,

23:50

understand intent, but the key

23:52

is to contract in the beginning. That's

23:55

my summary of it. Contract

23:57

what the transmission will be like. I.

24:00

Contract. What the trans, what? What is? What

24:03

is going to be the recipient's expectation?

24:05

What is the sender's expectation? What

24:08

will be the handshake in the middle? Design the

24:10

contracting of the collaborative efforts.

24:13

Put parameters at it. Let it be well

24:15

defined when issues happen, they're not covered

24:18

within the framework you've set up. Go

24:20

back again and look at the framework. This works all the

24:22

time. I've seen it work all the time. All

24:25

the time. It works.

24:26

Okay. And for communication,

24:29

how would you rate yourself on

24:31

a scale of one to five for communication

24:33

and why?

24:34

I give myself four, 4.5

24:36

over five, and that's because I

24:39

don't wanna be proud. I have seen a lot of, I,

24:41

I understand communication at the

24:43

human engineering human fiber

24:45

level. I know I have

24:47

developed, I've, because I want to

24:49

help people communicate better, and I've

24:51

seen cybersecurity leaders stumble

24:53

on communication a lot, technical leaders generally

24:56

over the years being, having

24:58

the blessing of being in many boardrooms, even

25:00

as a young engineer, just sitting down to observe

25:02

and the power of erasing one word and putting another

25:04

word. The power of raising a sentence, the power

25:07

of changing the body language. For

25:09

example, I dunno whether you know that technical

25:11

people communicate lower value

25:13

without them knowing just by body language

25:15

and presence. The average chief marketing

25:17

officer will always end higher than the CTU

25:20

and the CISO and every, and they're all on the same

25:22

level. What typically happens is that. Technical

25:25

leaders are communicating without knowing they're

25:27

even communicating body language conversations.

25:30

Watch when the CMO wants to talk or

25:32

a chief product officer, someone that's in the csuite

25:35

on the commercial side of the business. There's

25:38

some, there is some order, there is some practice.

25:41

aNd because I have worked in

25:43

the marketing regime. I've worked in the

25:45

core marketing comms group, the

25:48

largest one in West Africa by the way. I

25:50

saw what goes into those things. Technical

25:53

people are sought wire and technicality,

25:55

concerned that they don't know

25:58

that we should practice communication. That

26:00

we should literally practice

26:02

go before the mirror. If you go, if it's a real

26:04

big presentation to a board, it's a budget

26:07

presentation. Go nitty gritty. Ask

26:09

for feedback present within your team first,

26:11

before you go for the bigger one where you're gonna defend them. But

26:13

many Cs or CTOs or

26:15

CEOs, we just put together a slide the

26:18

morning of the presentation, they just

26:20

serve, move some things around, and then

26:22

they go there and present. Typically

26:24

there's a response. So for communication,

26:26

I read myself 4.5 over five and I also communicate

26:29

better. And lastly I have

26:31

some answer. Like I told you what is

26:33

in my mind and vice versa must

26:35

come into your mind. And we must get

26:38

feedback that we got what the

26:40

other party was saying. That is

26:42

when communication has happened. And I understand

26:44

the nuances and communication

26:47

is the biggest to adjust behavior.

26:49

And how would you describe the

26:51

skill of influence and why is it so

26:53

important in cybersecurity?

26:55

Influence is very important influence.

26:57

In fact, one of the things I'm researching

26:59

now because crime as a service.

27:01

Has become big and crime

27:04

as a service will become big. Second reason

27:06

why I'm studying this, the signs of influence

27:08

and psychology of influence in cybersecurity is

27:11

that criminal gangs are, have moved into

27:13

advanced persistent nature. They

27:16

morphed and now there's the nature

27:18

of advanced persistent rates, and we say that organizations

27:20

that there are two kind of organizations, those

27:22

that have not been hacked, and those that will be hacked eventually.

27:25

The other factor why influence is important

27:27

is that we are having more

27:29

energy. And more order

27:32

on the side of the criminals and law enforcement

27:34

is trailing behind and litigation is

27:36

also trailing behind as a global trend.

27:38

So we need to begin to learn

27:41

adversarial influence strategies so

27:43

that we can go beyond just influencing

27:46

our teams to influencing the

27:48

criminal behavior. We should go to the point where

27:50

we will be able to do prescriptive

27:53

analytics. That will almost

27:56

help us to know where the crime will come from because

27:59

the tools that are gonna be available to criminals

28:02

from, I mean that's been available since year

28:04

2020, COVID-19

28:07

date, and that will begin. There are people that commit

28:09

a thousand dollars a month. They

28:11

work and then you commit a thousand dollars a

28:13

month. And they can, and 10 of them can come together

28:16

into hacking and exploring breaches,

28:18

and they're willing to commit that kind

28:20

of money for five years. Trust me,

28:22

if they keep at it and hire professionals

28:25

and they're not go into crime as a service, they'll

28:28

begin to succeed. So how do we begin from a

28:31

security standpoint to influence criminal

28:33

behavior? What are the technologies that

28:36

we. Help us to lead them in

28:38

a certain direction. And that's

28:40

so that's an area that's a niche area. Adversarial

28:43

influence management, where we are

28:45

able to use influence tactics so that we will

28:47

be able to cage crime, for example, the

28:49

concept of the corporate cul-de-sac, where

28:51

you actually create vulnerabilities within your system.

28:54

wIndows is not to be doing that right

28:56

now. I think Azure has started and

28:58

Amazon, but you create, you,

29:00

you create spaces in the cloud where they, where

29:02

some data will be thrown at the guys so that they can

29:04

come at it, and then we use that to isolate

29:07

that place and use it like a lab to study

29:09

the intrusion. And what they're trying to do and

29:12

cage all the influence. Influence will

29:14

be in the future, very important for cybersecurity

29:16

leadership because it's a useful

29:19

adversarial tool. It'll

29:21

be a useful counter intelligence

29:23

tool. And another one is when you

29:26

are beginning to have anti forensics. wHen

29:29

criminals starts from understanding for forensics.

29:31

They understand cyber forensics, so

29:34

they start designing the crime

29:36

with the view to be OB,

29:39

oblivious or transparent so

29:41

that they're like water or you can't even plant.

29:43

So that our forensics process and tools can't

29:46

even capture their existence. So

29:48

we need to go influence. Because

29:51

now and then they go anti because, okay.

29:53

So we discovered that they're anti forensic. Okay.

29:57

Okay. Okay. Yep. Can I go on. So

29:59

we discovered that they're anti forensic, so

30:02

we do new tools. So it

30:04

is anti when you catch, when

30:06

you find a new way, the criminal fights another way. So

30:08

when you're going anti forensic, we

30:11

may begin to think about influence engineering. Where

30:13

we begin to engineer tools and techniques specifically

30:16

deliberately to begin to influence

30:18

the behavior of the nature of the

30:20

crime and how the criminal gangs

30:22

are ring themselves because of

30:25

anti forensic. The other thing is we would need

30:27

influence to inspire teams to do higher.

30:29

We need to challenge. The

30:31

blue teams or the internal security teams

30:34

and the red teams. In this case, were everybody

30:36

working with us to do more because

30:38

for every single cyber security professional

30:41

there about three or four criminals who

30:44

are ready to, do an

30:46

undo. So we have to develop

30:49

influence strategies to break

30:51

the human limit of our teams. And

30:53

make them superheroes and, create

30:56

bigger solutions that will keep

30:58

all of us safer. Because our infrastructures

31:01

are going to be exposed in the coming days. We're

31:03

getting connected in connected cities. We're

31:05

seeing water systems, and sewage systems with

31:08

just a single line of code being

31:10

breached together, where a whole community

31:12

found their sewage going into their water. Plan

31:14

that was processed because somebody got

31:16

into a computer system and opened a

31:19

gateway. So we need to find a way

31:21

of influencing our teams to become

31:24

far more cyber resilient

31:27

and go anti-fragile, which

31:29

is the upper limit of human response

31:32

to incidents.

31:33

Okay. Another topic that

31:35

I like to bring up. Is the

31:37

concept of networking, but not

31:39

networking like we, we started our

31:42

conversation with in telecom, but

31:44

networking with people. Why

31:46

is that such a critical skill for cybersecurity

31:48

leaders?

31:49

Yeah, because at which criminals

31:51

are going, again, they're networking.

31:55

There are websites now, not

31:57

even in the dark web, openly where Windows

31:59

vulnerabilities are described and discussed.

32:01

If we don't have find ways of

32:03

positive networking, the cyber criminals

32:07

will always network because if

32:09

they make a single hit hits, it's a

32:11

big deal for everybody. They understand

32:13

the idea of bounty sharing. And

32:16

it's a primitive way where criminals

32:18

want to rob one village, and by the way, we

32:20

are now a global village. tHe

32:22

village is strong if they're

32:24

attacking at individual times of the

32:26

day. But if they come at once, then

32:28

the village army is overwhelmed. Now

32:31

criminals are trying to engineer that kind of, there are

32:34

hotbeds, some of them, to

32:36

the point that countries are now involved. Are

32:38

sponsoring state sponsored cyber

32:41

criminal activity, state sponsored terrorism. Now,

32:45

we cannot just afford not to network.

32:47

In fact, regulatory organizations

32:50

both in the United States and the United Kingdom

32:52

and most of Europe. Are now

32:54

going cyber networking as a

32:57

regulatory demand. For example, share information,

32:59

the obligation to share. If something happens

33:02

to your network, please share because

33:04

you're connected to everybody one way or the other. Just

33:06

a memory stick in your laptop

33:09

can bring down a whole

33:11

nation's financial system. It can bring

33:13

down a old nation's electrical system. Please

33:16

don't keep quiet. And those are found. So

33:18

it's it's water. It's the way water

33:20

is to human life or

33:23

the way food is to existence. As cybersecurity

33:26

professionals, we must network criminals

33:28

are networking and the power of aggregation is

33:30

beginning to play out. We have no choice.

33:33

Chris, we have to network. It'll

33:35

be an anima to be a hacker. You

33:37

don't have a hacking group or a hacking community

33:39

where you organize private hackathons and

33:42

you have hacking weekend hangouts.

33:45

You cannot be a GRC consultant and

33:47

not belong to a. GLC group that

33:50

does Friday evening bear out,

33:52

or Friday evening, uh,

33:54

sushi or dinner. We must

33:56

network and grow

33:59

in communities beyond the

34:01

ordinary. Of course the only challenge is

34:03

that communities a domic side on trust.

34:06

But the bigger problem is that trust is

34:08

not a very easy commodity to combat. Cyber

34:11

professionals are naturally

34:13

skeptical and paranoid as.

34:15

Yes. Yes. That is true. That

34:17

is true. A as we wrap up our

34:19

podcast any final advice that

34:21

you would give to future cybersecurity leaders?

34:24

David, I.

34:25

Yeah, the future is green. Groom

34:27

your leadership without demand.

34:30

Go for supply before. The demand for

34:32

it will come. Meaning. Supply

34:35

yourself with knowledge. Expose your mind.

34:38

Join networks, learn and

34:40

prepare. Your day will come. We are

34:42

in combat zone. In cybersecurity

34:45

today, there is the

34:47

traditional. Council I would give was

34:49

the response of King David. My possession

34:51

is Christianity king David as

34:54

a young boy of about 18. His

34:56

father sent him that as the story goes

34:58

to go to the battlefront to check

35:00

his brothers up and give them some provisions and

35:03

some food and write

35:05

their his eldest brother Iab,

35:08

who was A much more stronger soldier.

35:11

And he was already known as

35:13

a war veteran, looked at him. He

35:16

said, I know your heart. Who did you leave the ship with?

35:18

How come you are outside here and trying

35:20

to, look at the war you want to show off?

35:23

And David said to him, is there not a

35:25

course? Many is are not a reason. Seeing

35:28

that these uncircumcised listings

35:30

are defiling the armies of

35:32

Israel. Forgive my reference to the Bible, but

35:35

that is a state we are in. In cybersecurity, there

35:38

is a course, C-A-U-S-E.

35:41

There is a course and your

35:43

day will come. Every bit of knowledge

35:46

and capacity you grow as a professional will

35:49

eventually pay off the day of,

35:51

pay off. You won't be ready. If

35:53

you did not go to the gym every day on

35:55

the day of payoff, when your specific type

35:57

of cyber leadership, your specific

36:00

capacity will be

36:02

required. If you are not in the gym two

36:04

hours a day, three hours a day,

36:06

you won't be fit for battle, but your day

36:09

will come. Don't despair. If you're

36:11

looking for a job, you're looking for a cybersecurity

36:13

role and engage Chris

36:15

as a coach. Subscribe to Chris's

36:18

coaching program. Engage him.

36:20

Give it 12 months, 24 months. Let

36:23

him guide you, for example, as a cyber coach, or

36:25

anyone around you, or whoever you

36:28

think, but engage your

36:30

muscles in advance because

36:32

the day of glory will

36:34

still come. Forgive me if I look

36:36

motivational or I sounded like a.

36:39

Well, David, thank you very much for joining

36:41

us. Really appreciate it. And

36:43

again, a reminder for those that

36:45

are listening, share with others. 'cause David

36:48

said we need a variety of people. We

36:50

need a variety of different skills and

36:53

everyone has their skills that

36:55

they can rely on. And we, we need

36:57

all sorts of different leadership. David,

36:59

thank you very much.

37:00

Thanks a lot, Chris. I

37:02

appreciate thanks for having me and thanks for

37:04

the great work you're doing in preparing leaders

37:07

in the cyber realms. We need more of

37:09

you and thank you so much for that.