How to Communicate Effectively Internally in Business
Josh Copeland joins us to discuss how to create internal business case in business, how to communicate effectively internally in business and what security teams need to know about business. AT & T Security leader and former military professional, Josh discusses career transition and effective internal communication for security in business and how to have effective communication internally for business.
//LETS CONNECT. Can you help us by Subscribing?//
Connect with JOSH COPELAND here: https://www.linkedin.com/in/joshuacopeland/
VIDEO Episode Link: 👩💻 https://youtu.be/9A72rMFsnFo
Thanks for watching! -David, Mark, Kylie and Team @CCJ
Want EXCLUSIVE Content? For only $4 SUBSCRIBE to Cyber Crime Junkies PRIME
Please consider subscribing to our YouTube Channel for ALL Video episodes.
It's FREE. It helps us help others.
Our YouTube Channel @Cybercrimejunkiespodcast https://www.youtube.com/channel/UCNrU8kX3b4M8ZiQ-GW7Z1yg
JOSH COPELAND joins David Mauro and Mark Mosher in the Cyber Crime Junkies Podcast studio to discuss How to Communicate Effectively Internally in Business
[00:00:00] Lucky to work for a great group of people you really believe in. Find yourself making an impact. Technology is a river that flows through every aspect of an organization, and today is different. We put ourselves and our organizations literally at risk of complete destruction every single time we get online.
[00:00:21] One click, one distraction is all it takes. Hi, cybercrime joke. This is. David Morrow, along with co-host Mark Mosher. Come join us as we explore our research into these blockbuster true cybercrime stories, along with interviews of leaders who built and protect great brands.
[00:00:44] And now the show.
[00:00:53] Welcome everybody to Cybercrime Junkies. I'm your host, David Mauro. In the studio today, I have my fantastic illustrious co-host, mark Mosher. Mark, how are you buddy? I'm quite fantastic and illustrious. Thank you for, that is good. Stating the obvious. Yes, absolutely. We are very fortunate and grateful to be joined by Josh Copeland today.
[00:01:18] Josh, welcome to the studio. Thank you so much for joining. Thanks for having me, guys. So tell, so tell the listeners, , a little bit about yourself. What's your current role and then, we're gonna back into that if that's okay. Yeah. , I'm currently a security director for cyber within at T'S Consulting.
[00:01:39] Essentially, you know, everything you know about at and t, none of that, you know, . Exactly. My cell phone. I'm not Your phone. None of that. Can you? My phone's not working. Can you help me out? No, you're not that guy. You're not, not that at and t. , we focus mostly on, you know, networking, cybersecurity, things of that nature.
[00:01:56] And kind of a very well respected. Very well respected. [00:02:00] Yeah. You know, at and t did invent networking. We know a little bit about it. Just a sco Yes. Little. So in my role, I essentially served kind of as a visa zone to our partner organizations. Typically they're s sl, T T S L E D, you know, state government, local government education organizations that just need a little help getting up over the hump of being, you know, a premier cybersecurity, cyber secure organization.
[00:02:28] So that kind of where I fit into kind of the bigger. That's great. That's great. And today we're gonna be talking about, kind of. How to communicate best, right? Internally for, for business, new ways to kind of master some business skills needed in cybersecurity. I mean, Josh, , for, for the listeners and those that may be attending on the livestream, Josh is very, very active in a lot of the aspects of the security community.
[00:02:57] Really a good proponent for people entering into, , the cybersecurity field. And when we were speaking last in preparation for, for this podcast, we were talking about, you know, once people get in, once you get that role right, that's just the beginning, right? There are so many key. Skill sets that, that the certifications don't necessarily train you for.
[00:03:22] Right. And so we really wanna share those because making a business case is really so important. Right. And the communication and other aspects. So, does that sound like a good thing to talk about Josh? Oh, absolutely. You know, we're all work for an organization that ultimately needs to make, you know, even if you're a nonprofit, you need to break even.
[00:03:45] Yeah. Understanding how you take all these bits and bys and make that into the business side is absolutely critical for anyone in our field if you want to grow professionally. Absolutely. Yeah. Cuz that's, that's kind of an area where [00:04:00] I think US is, is technically inclined or when trying to relay a lot of that information and what, what our findings are and, and what the vision is and things like that to executive leadership, to other team members to other.
[00:04:13] That maybe that's not always a strong suit for somebody that was an engineer or a CIS admin before, but you've got to have those skills to really ahead and you've gotta do that internally. And to do that, you've gotta be able to relay that message. And that's why I thought today's podcast would be really helpful to a lot of people.
[00:04:31] Yeah, I mean, before we dive into that, cuz I, I, I agree guys. I mean, I think there's a great deal of sophistication that comes in simplifying things, right? I think that. It's, it's, it's easy to just relay all of the technical aspects to somebody, but when they aren't necessarily technical or they need to make a decision not based on technical needs, but based on business or organizational needs, in the case of a non-profit or mission needs in case of churches or schools, things like that, then , then the communication element needs to be.
[00:05:09] But before that, I, I want the listeners to really get to know you, Josh, cuz you've got a, you've got a remarkable career, you've had a remarkable career. Where'd you grow up? And then, explain to the listeners kind of where'd you grow up. I know you've had a, a stellar career in the military, so walk us through that.
[00:05:24] Anything that you want to, Sure would be great, especially like, I know you had like some classifications, like some secret agent, like classification levels. If you could just spill that publicly. Yeah. It had like a oh oh seven cert . That would be cool. You heard it here exclusively on cyber crime junkies?
[00:05:41] Yeah. , I was one of those guys. I was a military brat. You know, my parents were both active duty, so I moved around a lot when I was a kid, and then when it came time for me to graduate high school, they went, well, what are you gonna do? Oh, I'm gonna join the military like the last five generations of my family has.
[00:05:57] , that's good. And I did, I, I ended up initially [00:06:00] joining to do logistics, you know, doing Oh, supply warehousing, kind of kick boxes do kind of, you know, something that, which, which I didn't know what I went, yeah. Which, which branch did you go into? , I went Air Force. And the funny thing is, , you know, both my parents were marines.
[00:06:16] You know, I have family that's all over. You know, the background. , and they went, well, what are you gonna join? I'm like, well, go join the Marines. And they're like, no, you won't really? And then they , they dragged me onto an Air Force base and went, this is an Air Force base. And I went, oh, okay. I'm joining the Air Force.
[00:06:37] Yeah. Well, what was it, was there anything about it? Was it the planes, the pilots that you met, the organization that, that appealed to you? Or was it the parental guidance? There's a, a longstanding joke that when, you know, Congress gives out money to the branches of the service. They give money to the Navy and the Navy goes buy ships.
[00:06:57] They give money to the army, and the army buys tanks and helicopters. When the Marines get money, they buy what's leftover from the. When the Air Force gets money, they build a golf course. The officers club, the enlisted club. I, I've heard that. All the housing. And then when they run outta money, they go back and say, oh, we forgot to build the airs strip.
[00:07:16] That's great. Well, and, and plus, you know, the, the ending of Top Gun was a whole lot cooler than the ending of like Hamburger Hill, right? So you could pick which branch you wanna go just based off cinematic references, right? And that's what we should all be. That's how I make most of my life changing decisions.
[00:07:34] That is how you make your life. How would this look like in a movie? So yeah, it was definitely one of those things where I, I took quality of life into account, you know, I. Being a marine was gonna be like growing up on marine bases. So when I seen just the difference in quality of life and then you. My 17 year old self doing research, you know, way back in the day on dog pile cuz I'm showing my Oh yeah, oh yeah.
[00:07:57] I was talking about, I was just talking about that this weekend [00:08:00] with my wife, with my family. Yeah. We were, we were explaining to our kids, like there used to be like 30 search engines. You didn't just go Google something you would like, there was s Gs, all this. And then we would like, dog pile would have like seven of them together then, you know, and, and then alter.
[00:08:18] Google gobbled the mow up or eradicated a lot of 'em. So, sorry, I didn't mean to digress. Oh no. So, okay, so 17 year old you dog piled it, dog piled, went, you know, looked at where Air Force bases were and you know, looked at kind of what little reviews there were out there at the time and mm-hmm. , you know, it's all, you know.
[00:08:37] Yeah. Let me go to Air Force, you know, went to the recruiting station, signed up when I was 17, you know, did that whole thing shipped out, you know, immediately after I had graduated high. and did that for 20 years. You know, I had some great opportunities there. You know, started off kind of as a, you know, supply logistics type person.
[00:08:57] Did kind of a detour into law enforcement for about a year. , very cool. And then it came to the point where, you know, we had a need for, you know, some internal IT stuff and there was no military billet for it. It was just gonna be some additional duty stuff. And they went around. Who's the geekiest nerdiest guy in the room and they went, airman Copeland, you're gonna go do this thing?
[00:09:20] I went, okay. And I really liked it and enjoyed it. Eventually formally cross-trained into that and did some really cool stuff. , you know, everything you possibly imagine in it from desktop support routing, the switching servers, pen test policy. I got to do a really cool study with the Rand Institute where we kind of devised ways to.
[00:09:41] Cyber attacks with kinetic effects like, you know, hacking a power, controller supply, yes. Supply chain attacks, well supply chain attack or hacking a power controller and taking out power to the military base or using remote access to attack HVAC, to then in turn be able to manipulate controls for [00:10:00] a server room to crash server.
[00:10:02] That's phenomenal. So all of that experience is available right there in the military, right? Yeah. I mean, that is just, is is it, is it more, did you find, here's my question. Did you find that it was there for the taking? If you want, if you expressed an interest in it, in an aptitude, they, you would kind of, they would kind of find a path for you?
[00:10:25] Yeah, I, I will tell you. In my 20 year career, the number of years I actually worked in the A F S C that I was assigned. So my job specialization, doing the stuff that was in that box one year. That's it. Wow. the rest. So all with the rest was like a training ground for cybersecurity was, you know, me saying yes to opportunities, like we have some, a requirement to go do this.
[00:10:51] It's not your job, but it's not really anybody's job, right? Who wants to go do this? You filled the void, right? Yeah. That's, I'll go, I'll do that thing. And it provided, you know, so many opportunities to learn all kinds of different stuff. You know, I got to, you know, learn a whole lot about how we do security and cybersecurity for nuclear weapons and nuclear missiles, which is kind of one of those really weird, unique things where you're going, this is all like 1960s technology.
[00:11:21] Mm-hmm. , you go. , but we still have to put that cybersecurity, you know, bundle around it. Yeah. And it provides some great opportunities. You know, whether it was, you know, me doing some really weird stuff at, at the time it was called the Air Mobility Warfare Center. Now it's the Air Force Expeditionary Center.
[00:11:42] You know, teaching airbase ground defense with a kind of cyber flavor to it. You know, there is all these opportunities. You just have to, you know, be willing and to be really honest. Very little, real skills coming in. You know, everything I had, they taught me, [00:12:00] provided me opportunities. You know, me sitting at home at night on my laptop, you know, Googling dog piling away, just trying to find information.
[00:12:08] But they provided all these opportunities to get me from, you know, 17 year old kid who probably did some things that were naughty, that might still be under statute of limitation, right? , right As a teenager. And to actually growing as a professional, you know, legitimate, you know, schoolhouse stuff, getting new certifications, you know, providing that opportunity.
[00:12:32] That's what I was gonna ask. College education, you know. So were you able to, to study for and, obtain certain certifications while you were in the military? Yeah, I was actually mandated, you know, to have a plus Net Plus and security Plus, oh wow. Air Force came down back in 2006. Timeframe that he barely, if you're going to be a, you know, you know it com person in the Air Force, you will have security Plus if you don't have it or equivalent or higher.
[00:13:04] So you could have, you know, SISs P or gas, something along those lines. Right? But Security Plus was kind of like the, the minimum base level. If you don't have that, we're going to find another job for you. You know, it was very directive you will. You know, certified and you will be a professional at this in addition to all of your military training that's specific to that, they wanted you to really have kind of this well-balanced background based off of civilian certification.
[00:13:34] So, which, which certification did you start off with? What, what, what was your first one? Was it security related or was it like IT fundamentals or something like that? Yeah, I did a plus. You know, cuz that was kind of Yep. The. You know, did that pass that, you know, showed aptitude and ability there? You know, a couple months later I did Net Plus.
[00:13:57] Then a couple months later I did security Plus. Now [00:14:00] the way the schoolhouses work, our IT folks, our cybersecurity folks, they get security plus before they even leave their training base. So they'll go basic training technical school to learn their job job, whether it. You know, client systems, desktop support type stuff, or networking, you know, server admin.
[00:14:21] And then they'll immediately roll into essentially a security plus course and they have to pass that to be able to graduate and go to their first base. So there's very much an emphasis on that. So it seems like the baseline knowledge of, this sector of the military that you were in kind of evolved over time.
[00:14:42] Yeah. You, you saw it evolve. That's really interesting. That's good. That's always good to hear. And, and I know Mark wanted to say this, but I want to thank you honestly for your service because that was just, it's just remarkable. Like having people voluntarily, involved in the military is just outstanding in our country.
[00:15:01] So thank you. And I mean that, thank you for paying your taxe. Well, yeah, I, I don't do that. we don't do that. I don't, I don't really do that. But, you know, I'm really, these letters from the irs, we just throw them away. We don't pay taxes. Yes, actually we do. And you're welcome. So that's perfectly fine. So, , did you, I, and I know you have a family and everything else was your, was your spouse in the military?
[00:15:27] How did you. No, she, she was not in the military. It was kind of one of those weird things where my biological dad and my mom separated when I was a young kid. Mm-hmm. and my dad's family found me through the military, through the military locator program cuz they went, well everyone else in his family's in the military, he's probably in the military.
[00:15:51] Really. And she was actually my cousin's best friend. And we met. Of all things aol, instant Messenger, of [00:16:00] course, which is where the, cause that's how every great relationship started, . So she was my cousin's best friend and my cousin had something to do. So here, talked to my best friend and we hit it off and eventually, you know, a couple months later got married and we'd been married for 22 years this summer.
[00:16:18] That's fantastic. Congratulations. That's great. Well, and we thank her for her patience to be with you for 20 years. So just he's a saint. Yes. As as, as I always tell my wife, I'm like, thank you. Like I owe you. So, that's fantastic. So, for those that, aren't watching the, the video portion, you're not able to see that Josh does not have a pink.
[00:16:44] But, , he is the guy known for being in the security field with the pink beard. So let's touch on that a little bit. , you recently got rid of the pink beard, but let's talk about why you had the pink beard. He's got a very manly beard, a good thick beard, but, , why, why was it pink for a while? You know, when I retired from the military four years ago, my, yeah, you didn't have it in the military, I assume.
[00:17:08] No, I did not have it in the military. Yeah. . Now that would make things a little difficult, I imagine. , my youngest daughter, Madison, has been kind of on me to do something, you know, wild. Because obviously when you're in the military, you're very conservative, you know? Mm-hmm. , short hair, clean shaven, you know, all that stuff.
[00:17:24] And she. , do something crazy, you know, do like the Viking beads or dye your beard. And I said, okay. You know, after four years I broke down and said, sure, we can do something crazy, but you're gonna have to do something to get me to do it. And told her, you're gonna have to raise money for charity. And she looked at me, dad, I don't know how to do that.
[00:17:46] That's fine. I'm my friend. You know Roe that works for the American Cancer Society chapter here, she'll help you out. They got together and cons. And they did the bamboozle and signed me up for the Real Men Working [00:18:00] pink campaign in October and worked out some kind of levels of, you know, donation threat thresholds.
[00:18:08] If it was $2,000, I would temporarily die my beard ping. If it was $4,000, I would permanently diet ping for every, you know, thousand dollars. Beyond that, I would dye my eyebrows pink to go with that . Just kind of these weird things that. For me completely outta character. I, I would've never had matched myself with a pink beard.
[00:18:26] We raised seven and a half thousand dollars, so I spent Wow, that's great. The entire month of October with a pink beard. My boss, a guy named Ray Levi, had actually said once we got to the 6,000 mark, he would die his beard pink temporarily too. And he did. So that's great. We've seen each other in Austin towards the end of October, beginning of.
[00:18:47] And there's a picture of us floating around, both with pink beards. But I had a couple, couple of things that were lined up afterwards and they had all requested that I, I keep the pink beard. So I ended up having a pink beard for about two months of a wow. Bright neon pink beard was found about, it was, it was, when I first met you, it was like bright pink
[00:19:07] Yeah. That's great. That's great. And is, is there a reason why it went? It went back to normal. It was just time to reset because I can't do, you know, a dye my beard to different color. Charity left my beard at time. . Right, right. Cool. You gotta open yourself to, to new opportunities, you know, have to reset, you know, and we'll see where that plays.
[00:19:30] That's great. So let's touch base real quick. I, I, I, I love that story. I love the bravery that it takes to even do that. Let's talk about the transition from military to civilian life. What can you, what, what can you tell us about that? We, we've had several people on the podcast that have transitioned from military and I know several others through family and friends, and it can be difficult.
[00:19:53] So unlike a lot of people, my transition was actually super easy. Really I knew at some [00:20:00] point, you know, early in my career that there would be a life after the Air Force.
[00:20:04] You know, so I had actually started planning, you know, for retirement, for transition about 10 years out, which is kind of the really oddball thing. Most people wait till they're about one to two years before they get to retirement. I started looking at, well, what jobs might work? I want to do, you know, look at what the requirements for those jobs are and start making sure that I'm aligning myself, both with the education that I'm doing, the training I'm doing, where possible, aligning the jobs that I'm doing in the military to those things that I might want to do when I retire.
[00:20:39] As well as just general networking. You know, getting out and, you know, being out there and you know, making. You know, professional acquaintances in the organizations that are here globally and especially through LinkedIn, you know, you have the opportunity to get, you know, thousands upon thousands of people who absolutely want to help and support you.
[00:20:58] So when I went to retire, I had a person who used to work for me at one point, was a manager at, you know, G D I T, and said, You're retiring, I want you to come work for me. And I literally retired on the final outage. I didn't retire till October, but I did my final out where I stopped doing military duties on the 3rd of July and the 5th of July I walked into my new office at General Dynamics and started working my next career.
[00:21:28] And then, you know, building on that networking that got me, you know, two promotions while I was there. You know, somebody I knew had moved to at and t and had requested. Interviewed to come work at at and t, which led to me kind of transitioning over there and then moving up through at and t through, you know, being a tier three SOC analyst, to a SOC director, up to a cyber security director.
[00:21:52] You know, it was really kind of setting myself up very, very early, you know, with the right education, the right certifications, you [00:22:00] know, getting to know the right people and figuring out, you know, what I really want to do and how to get there. Following actions that actually apply those things was kind of my key to success.
[00:22:12] Yeah. And you, and so you gathered all that information, all, all, all that experience, the certifications, the experience, the managing of people, the managing of platform systems, the experimentation all through the military, which is remarkable. You had mentioned that you had done some pen, pen testing, you'd done some things.
[00:22:30] That at least the statute of limitations ran, which is good. But is there something that you saw that made you wanna be more blue team than red team? Blue team? Meaning more on the analyst side, the monitoring the, the searching for anomalies as opposed to the, you know, the red teaming and the penetration testing, the ethical hacking, things like that.
[00:22:54] Is there something that, that draw you, drew you to the blue? . Yeah, absolutely. Red team side is kind of the, the cool Gucci, you know, "I'm gonna hack you" mentality, but I really found when I was kind of doing a bit of both, kind of doing a bit of purple teaming, that there's so much opportunity on the blue team side, you know, between actual employment, you know, every company needs blue team, you know, every organization has.
[00:23:24] Requirement. You know, when you're a red teamer, you have to find one crack in the, the fence line to kind of wiggle your way in. And that doesn't necessarily take a lot of skill. You know, you can be a, you know, 12 year old kid in your mom's basement in Russia, as we have seen. Find that capability as we have seen.
[00:23:43] Yeah. But when you flip it in your, the blue team, you have to find all the cracks on the defense line. Mm-hmm. , you have to predict where the cracks might. Yeah. And then build appropriate kind of levels of defense around that, that even if they do find a, a crack in that [00:24:00] fence line, that next level makes it all the more complicated and difficult for 'em to get through.
[00:24:05] So for me, it's definitely a, you know, levels of challenge different between being a red team person versus a blue team person, you know? Oh, absolutely. It's even a different mindset. altogether. That's why, you know, when they say, you know, a hacker doesn't need to have a college degree and certifications, no, they don't.
[00:24:24] Their inherent abilities are totally different from somebody who has to follow regulations, provide, you know, actual guidance, be in compliance with, you know, things like bed ramp, state ramp, tax ramp, you know, gdpr sock. Right, and to guide organizations in that capacity. Right? So they're, they, they really are relying on you to look at a scenario, look at a policy, look at a practice and say, are we in compliance?
[00:24:55] Are we not? Obviously there's legal teams in other aspects and risk managers, but from the technical perspective, that's where the experience, certifications, et cetera, come in. Right? Right. From the, the different perspectives is, red team is, can I find a hole? Mm-hmm. Blue team is, where are my holes and what are the risk of those holes?
[00:25:16] Right? Where am I gonna apply my limited funding to get the most benefit? You know, mom, that's a great segue into what we're talking about today, right? So you just touched on it. So limited funding is, is key, right? Because every organization needs. Everything right? They need all aspects of cybersecurity.
[00:25:37] They need every type of kind of platform, every layer, et cetera. But they can't afford it or they haven't budgeted it, and there's just economic realities. And with a downturn in the economy, there's a whole bunch of varying things, you know, where do they spend their money on? So being able to make that internal business case when you.
[00:25:57] When you're in an [00:26:00] organization is really key, just not only for yourself, being able to make your case for yourself, but also being able to suggest a solution, right? So I would love to get your, your input on that. Well, what are some of the things you found after transitioning and after getting into civilian life and working for an organization?
[00:26:19] What are some of the key things, the key skill sets that people that might have certifications or they might have experience that they really need to focus on? Yeah, so one of the things I find super helpful was, you know, many years ago I read the book Start With Why, by Simon. Oh yeah, it's right there.
[00:26:39] Right there on my bookshelf. Yep. Phenomenal. I've met him a couple times. He's an amazing guy. He is an amazing human. And start with why Absolutely applies to cybersecurity. I would love to hear this. This is gonna be cool. Yeah, I absolutely agree. And I've thought about it in my mind, but I want to hear from you.
[00:27:00] So when you apply this principle, why does it. You know, I can tell you that, you know, I have a metric of, you know, five nines now to an IT cyber guy, that means something to me. You know, that's a, a finite amount of uptime. You know, that drives the number of patching windows I have. How long that can be down, what kind of level of redundancies that I might need to have.
[00:27:24] But when I talk to my business counterparts, you know, my CFOs, my CEOs, my CEOs, that means nothing to them. Right? Right. Why does that matter? . Now, when I take the why it matters to them and plug that in and tell them, well, five nines compared to four nines is the difference of a hundred thousand dollars in revenue, right?
[00:27:47] The right clicks on. Mm-hmm. , they understand now why this is important. So you kind of have to find the why of why does this matter? What part of the business does this? , and how does [00:28:00] that kind of spider out, and why would somebody care about it? You know? Because you know, when you're dealing with your board, you're probably talking to them for less than five minutes.
[00:28:09] So you need to come there prepared with why does it matter to them what decision you want them to make? What are the options, which ones you're recommending and why? So when you kind of put those things together, you have to understand their why, their motivation, what the company's goals and organizational alignments are, what your s.
[00:28:28] Plan is long term to try to align that. I can say I want this cool new Gucci, you know, software that does six things. Does that align anywhere with where our business is going? Right. No. Right. It, it's something that's really cool for me right now, if I can tell you that I'm gonna implement this, you know, customer relationship management tool that's gonna integrate in with the operation side with their stock level.
[00:28:55] That's gonna provide real-time visibility of our inventory levels and be able to do predictions of when our productions are going to be, that directly inputs into our sales folks to where they can actually sell and pre-sell product, then that becomes a business value. Not that it's gonna replace, from my perspective, three antiquated products that I can't support anymore because they don't no longer exist and you can't patch 'em and they have massive vulnerabilities.
[00:29:22] You know, those are things I care. But what's gonna sell it is the value to my business side. Yeah, absolutely. It's a great encapsulation of, of how to make a business case from, from the technology side. Right. That was so, but yeah, for the, the listeners that are, and we talk about this all the time, that, that have the certifications or have some of the skillset this is, this is, I mean, if you just heard Josh say it, this is really important to have this ability.
[00:29:52] To communicate effectively, to drive change within your organization, just by the [00:30:00] skillsets. And if you don't have 'em, you need to learn 'em. And you're absolutely right. I've, so David and I are, are big big pupils of snack. So when you said that, that's why both of us smiled. But to hear you connect the two i, I think even in the simplest form, that's a really great.
[00:30:16] Comparison of, of how that literally applies in real life. So that thanks for sharing that. That was really good. I really appreciate that. Yeah, and, and it goes back to the thing of when you start moving up those technical levels, you have to really become a proponent of what the business is because the business is what drives having it and having security.
[00:30:42] If there is no business, there is nothing for. You know, operate or protect , right? So you have to really, you know, ingratiate yourself and understand what the operational requirements are, what the business requirements are, you know, understand your organization, you know, be part of those organizations like the ISACs for your, you know, particular field.
[00:31:03] Because there are other people who are just like you. They're going through the same kind of things. And if you're able to do that information, You're gonna not only build up your capabilities, be able to speak business to your peers, but you're also gonna be better protected. Yep. Now, you know, that's a great point.
[00:31:20] I think, I think the community piece is sometimes overlooked. But it is so rich and so abundant, especially in, in cybersecurity, if you really focus in on it. You know, online resources, there's just so much free material. LinkedIn, the LinkedIn cybersecurity community. Fantastic about supporting each other, supplying knowledge, articles, moving each other ahead, not just for networking, but it's like you said, it's your peers.
[00:31:46] They're going through the same thing. They can help. They may have been there last year and they've figured out a better way to do it and they can help you with that. So yeah, I think that community and reaching out and the part of some of those other peer groups is really [00:32:00] big to someone's success in.
[00:32:02] Yeah. And I, I ran out really quick cuz I, I wanted to see if I could find the book. I took this, there was this Harvard class that we offered through work, and it was about making an internal business case and it was phenomenal. And you, what was great is that the, the bullets that you just mentioned, Josh, were right on point with exactly what they said.
[00:32:25] Like, you have to align what you want. Right to the organization mission, whoever the stakeholder is. If it's a nonprofit, a school you work at a, a, a textile company, a manufacturer, it doesn't matter, right? You align what it is that you want to make the internal business case with their mission, and then you have to succinctly boil it down because they, they won't understand or see the benefits in the.
[00:32:55] Technical aspects, the features and benefits of any platform that you wanted or any additional service that you're recommending, you wanna be able to identify how it's going to benefit them. Right. In concrete with some data supporting it. And then all. And you also touched on this, you mentioned talking about the alternatives, right?
[00:33:17] Because that's something that's so important. What's the alternative if we don't do it? because sometimes the competition in getting your initiative accomplished isn't even, you know, going with another option. It's sometimes just staying with the status quo. Yeah. Is, is, is, is, is that what you find too?
[00:33:42] Yeah. You definitely have to do what I call is the juice worth the. Yeah, exactly right. Like, like is it, is it, you know, are, are things really that bad Josh? Like you wanna make a internal business case, you're asking for something, it might cost $75,000 or $175,000 or [00:34:00] $750,000. Whatever the cost is to the organization, is it gonna be worth it to us?
[00:34:04] We don't have to understand the, all of the technical aspects. You can write that in like a white paper. You know what, what, you know, what is it really going to matter to us? Yeah. And that's one of the key things to understand as a cybersecurity professional is sometimes not fixing it is the right answer.
[00:34:25] Mm-hmm. , you know, I might, cause it's about risk, right? It's, it's, I might have vulnerability that exists, but the cost to fix the vulnerability compared to my risk for doing or having that vulnerability are so misaligned. The cost is astronomical. The risk is low. Why am I going to invest money to fix this tiny risk?
[00:34:47] Oh yeah. I compared to, you know, applying that to something that's gonna have a higher risk with a better return on my investment. Yeah. Yeah, I agree. I mean, I, I see that in the approach for when, when organizations do penetration tests, right? There seems to be a lot of different types of penetration tests, right?
[00:35:05] Some that will run a scan and like tell us a thousand different things that are. That need fixed when you look at all critical. Yeah. Vulnerability critical. Really, they're all critical. Like most of 'em can kind of stay there, especially if you know what the organization's plan is for the future about decommissioning things and stuff like that.
[00:35:27] Right. So, and what, what I always like is when those reports take the approach of, okay, we will put it in a paper of all of the, all of the. That are out there, but there's a handful of things that matter, right? There's a handful of things, and those align with what it is that you're doing. I think that gets back to your Simon Sinek start with why, right?
[00:35:51] Yeah. So let's circle back with that. So the philosophy of, of why does it matter? Why should anybody care? Right? You really have to kind of [00:36:00] make that case internally, Don. . Yeah, absolutely. Because a lot of times, you know, cybersecurity particularly is typically seen in IT as a whole, as a cost center, you know?
[00:36:10] Right. This is just something, it's the cost of doing business. I have to spend money here because I need these things to work. But a good leader, whether you be an IT or cybersecurity leader, you know, tries to find ways to show where that's a actual cost center that's generating revenue. Or showing where you have saved revenue that's now being placed back into kind of the pot to be reutilized, you know?
[00:36:38] So what are some examples like, like if, if, if somebody is, because this applies across all facets. This isn't even just in cybersecurity. I know you're speaking from about cybersecurity because of your experience, but in general, the art of communicating an internal business case applies no matter what role you.
[00:36:59] I mean, it, it, it applies to Mark and I, I know it, it applies to other peers in, in, in other aspects of, of, of business structure. What what are you, like, what are some examples like when you want to have an initiative done? How are, are you going toward what it's gonna save the organization? Try to find some concrete examples, or if it's not gonna save it, at least you'll, you'll kind of have some type of roi, some type of return on the investment.
[00:37:28] Yeah, absolutely. So kind of giving a, a real basic example of, you know, a lot of organizations have to do super high compute financial accounting, you know, four times a year, you know Right. Based on their. Now under the old model, you'd have, you know, on-prem equipment, that's a capital expense that you'd have to purchase to, you know, have the compute power for those four weeks, a year that you actually use it.
[00:37:54] Mm-hmm. . So you're spending a bunch of money for compute power that you're only using four weeks a year. . Now I can make a [00:38:00] business case to you saying, well, we need to transition from this CapEx, you know, process and we're gonna move that process into the cloud where we're able to spin those servers up only for those four months, four weeks out of the year.
[00:38:14] And we're now making it an operational expense so it becomes a bit more, you know, easier to nibble at. Cuz you're biting it, you know, one week at a time versus buying a piece of equipment for three years. That you're gonna have to maintain, run and maintain on, and then you're reducing the number of people that you have to have to maintain that.
[00:38:33] And you can kind of find all these efficiencies and go, well, by doing this, we're gonna save, you know, a hundred thousand dollars between equipment cost, personnel cost, and then we're going to take that money and invest it in this new technology that's gonna then in turn, get us better compliant for our SOC two audit because we're getting ready to go public and we need to make sure that we have our financials in order as well as social security posture.
[00:38:57] because now s e c has said that now the board members are gonna be held accountable for cybersecurity issues. So when you kind of start linking those things together, it becomes easier to sell rather than. I just wanna go to the cloud cuz everyone's going to the cloud. , right? Yeah, no, that was a good example.
[00:39:15] That was a really good example. Yeah. Rather than just, you know, you, you interview some cloud vendors and you send them over the proposal with, with a little cover page that, that, that says look at the features and benefits. Isn't this great? Right. It doesn't really to somebody that is in finance.
[00:39:33] They're not gonna see the purpose of it. Right. They're just gonna see something that by viewing the, or that department kind of as a cost center and needing to manage that, to some degree, this just looks like an extra bill. Right? As opposed to the way you just did it, the way you just articulated it is you're identifying all the things that me in finance and hr, legal compliance, that we're gonna have to be dealing.
[00:39:59] There's a [00:40:00] benefit, if we invest this, there will be a better return on investment and reduce some risk because should there be an incident, this will help us reduce the risk of an incident. And should there be an incident that, that, that arises we'll be able to have another layer of protection that could that could help the organization.
[00:40:21] Yeah. Cause it allows you to articulate where you have some risk transference. Cause you have that. Security model, you're gonna be able to by ing your SOC two audit, you know, now you have documentation to go to your cyber insurance vendor and say, no, no. Mm-hmm. , look, we really are doing the things that we say we're doing because there was a case, and we all know that with, with insurance, it's, it's, it's crazy to be able to to apply and accurately.
[00:40:51] and effectively get a good to get it to get insured, let alone, to get a good premium right now because it's so hard. The, the, the tide has really turned. Yeah. 10 years ago, you know, underwriters were just cutting cybersecurity insurance policies left and right because they, yeah, they were just writing for premium.
[00:41:10] They didn't, there was no actuary tables to base anything off. But now there are, and now you're, The underwriters are getting very granular with it, where they're requiring you to have, whether it's a SOC two or a ISO 27 0 0 1 or a Fed ramp, something along those lines, and then they're even holding you accountable after the fact.
[00:41:31] There was a lawsuit a couple months ago where I, ICS Travelers versus I c s. Yeah. Where, yeah. The organization was suing the company because they said they had multifactor authentication. Yeah. Which was. They only had it on the firewall, not on the server. Ran somewhere. Yeah. It was enforced. They had it and there was a disagreement on how they answered that question, which generated a lawsuit.
[00:41:57] So, you know, [00:42:00] having kind of these best practices built, you can show where there's real value and return on investment to the organization because it's, look, we've done this, which will now allow us our premium to be reduced and. That we have insurability. If something does happen, absolutely we are going to get the payout.
[00:42:18] Yeah, absolutely. That's great. So let me ask you, as, as you, as you sit there today and you know at, with at and t being in leadership and security there, what are some of the largest threats that are out there today? I'm just always curious cuz I'm waiting for somebody to. And say something that I'm like, holy cow, I never even heard that.
[00:42:40] Mark, let's find this out , like, there's a new ransomware group or something. Like, what is it that, not that you guys are seeing, but in the industry overall? I'm not asking for anything specific to your organization, but in general, from the purview that you sit what is it that, that you're seeing?
[00:42:57] Obviously I think 2023 is gonna be a huge year for ransomware. MFA is always gonna be an issue. What are you. So I think the thing that I've been pondering the most on is the use of AI and ML by threat actors. You know? Yes. Our bad guys are always the first to, you know, pick up on anything. Yeah. And given how industrialize ransomware has become where they have no kidding help desks, that you can call them and negotiate your ran from down to another dollar figure and they'll put you on hold and say, I need to talk to my manager.
[00:43:32] Oh, congratulations. They care about their brand, the Ransom Work brand, the gangs, they care about their brand. We've learned all about like Lock Bit 3.0. They have like tattoo contests. They, they, they care about their PR man. They're, they're organized. Was it about a year ago one of the other organizations had their stuff leaked and it showed their actual, you know, benefits plan where you get X number of paid days vacation per year.
[00:43:56] This is your salary. So my [00:44:00] concern, You know, we've seen the GP chat has come out mm-hmm. and it's scary good with the quality that it puts out. Yeah. So taking one of those ransomware attackers, giving them that capability to use right. GP chat to generate those, you know, phish spear messages, generate those fake webpages that are honeypots and making them so accurate that, you know, 10 years.
[00:44:29] Your security training would say, look for the email that has spelling errors and bad grammar. Right? That's out the window now those days ago. Right? , this is gonna be near perfect. You know, and them using those kinds of things to even chuck data in to figure out who to spearfish, who to target based off of those things is going to be kind of my big, scary thing in the closet thinking.
[00:44:58] How do we mitigate that? Because ultimately it's still, you know, attacking the number one vector into any security enterprise. The person, people, 80% of all cyber attacks have, you know, a person who did something, whether they did something right. And you know, they just happen to have access to something or they did something incredibly wrong.
[00:45:18] You know, it's still a person had to do something to make that happen. Yeah. And then when you make the attacks so sophisticated, you know, I. Of at least one organization that had already used GP Chat to create a command and control nodule module. Mm-hmm. on the platform itself. Yeah. So when you look at that and how easy that was to do and how rapidly that's going to, you know, advance that technology, it's scary.
[00:45:45] You know, how am I going to combat that from a Blue Team defender per. Right. Do I? Well, because it really speeds things up, doesn't it? Like they, they don't have to try and fail and learn for a couple years and try out their new, [00:46:00] their new platform. They could actually throw it right in GP chat and they could hone it and they can target it directly and they can clean it up.
[00:46:09] Yeah. Yep. And then, yeah, when you think of some of the other reports are coming out where it appears, maybe China might be on the precipice of breaking the quantum. . Mm-hmm. , you know, that's a huge game changer. You know, the second they have quantum computing, all encryption, as we note is broken. Yep. Nothing safe anymore.
[00:46:28] So definitely there are some things that are, we're right on that edge of kind of some really breakthrough technologies that have some severe repercussions for the security field. And to me it's country CISOs are trying to figure out how they're gonna go to sleep tonight. Yeah, and, and, and to me it, it really, it boils down to user training and user awareness again.
[00:46:52] Because the less reliable some of the systems might get, right, the more reliable they're gonna look to the security teams and the security advisors for how are you educating the, the rank and file on what to look for, right? How to protect against social engineering, phishing, things like that. Because still it's a staggering stat, you know, depending on.
[00:47:18] Article or which report or survey that, that, that we look at. But it's, it's always way over 50%. It's always in, in the higher percentages of the breaches that stem from still somebody forgetting somebody, being busy, distracted, whatever. And they, they kind of let let the adversaries in. Yeah. And when you think.
[00:47:41] you know, there are things that I can control as a cyber security person. Mm-hmm. , I can control my security stack. I can, you know, buy the best in class of everything. What I can't control are people, right, whether they be intentional, insider threat, missing butter maker. You know, [00:48:00] the guy who just doesn't get the idea that you don't randomly click.
[00:48:05] Right. The email sent to you, you know, that's Mrs. Butter maker, that's our figurative lady that we bring with us. She's in, sits in the third floor cubicle, well educated, great employee. Phenomenal at, at her job, but she clicks, always clicks on those Amazon receipts. She always links, right? . She's the one, she's the, the, the, the greatest threat.
[00:48:25] Well, this was good stuff. This was really good stuff. Yeah, absolutely. So l let me ask you about as, as, as we wrap up, Josh, thank you so much for, for taking time today. I love that you mentioned Simon Sinek. I didn't even know that was coming. That's fantastic. . When you, when you went off stage? I told him, I said, I don't know if you saw the Yeah.
[00:48:42] The, the smiles that came from David and I, being pupils of Sinec. Yeah. I literally have the book. You mentioned that both. I literally have the book right there on my shelf. Love it. Yeah, it's fan phenomenal. How, how do you stay current? Like how do you, what resources are you looking at to, to be aware of?
[00:49:00] Obviously chat you know, GP chat some of the, the China aspects with quantum computing, recent data breaches. How are you, how are you keeping keeping chat? I mean, there's, there's so many resources out there. Yeah, and that's a great question because there are so many resources out there, and then figuring out which resources kind of be meets your needs, so, right.
[00:49:24] You know, Twitter's always great, you know, there's. Ton of folks that are on Twitter, they're putting out great information all the time. Mastodon is starting to pick up a little bit. Yep. Where, you know, the great, you know, migration from Twitter has started to occur. Mm-hmm. Of all things Reddit.
[00:49:39] Reddit has some great, you know, subreddits that are very security focused on what those new and interesting things are. Obviously, you know, go troll the dark web, you know, build your, you know, osen identities and start kind of parsing through those form. You know, for more news related agencies, dark reading, you [00:50:00] know, Krebs on security, who is, you know, my absolute hero when it comes to cyber.
[00:50:05] He's phenomenal. Security reporting absolutely record features. The record is another great, you know, group of folks that are putting stuff out. Alamo, Altos, you know, unit 42, Mandy. Oh yeah. Yep. Are all putting out great information all the time. You just kinda have to go cultivate. Pull through all this stuff.
[00:50:23] If you are working with, you know, government agencies, the FBI has a newsletter called Purple Arrow. That's all open source intelligence. That's really good. Phenomenal. Yep. Mark and I are both part of Infr Guard, so we always get that. I was gonna say, ingar is absolutely amazing for Yeah, that's a great, great organization.
[00:50:39] ISACs, I kind of already mentioned those. You know, I work mostly with state agencies, so I'm a member of the, you know, multi-state ISAC that focuses on state. You know, they're constantly putting out some amazing information. So kind of find where your niche is and pull that information. And then LinkedIn.
[00:50:56] LinkedIn is absolutely phenomenal for getting information. Yeah, there's so much information to the security community on LinkedIn. We can't thank thank them enough. It's everybody together is phenomenal. Well, Josh, thank you so much. We, we, we really appreciate it. Great insight, great discussion. Thank you so much for your time.
[00:51:14] Yes. And thanks for having service, Josh. Thank you for your service. Thank you. All right, everybody. We will have Josh Copeland's information linked his, his LinkedIn bio. Please connect with him on LinkedIn. We'll have his link in the show notes. And Josh, we will see you. This will not be the last time we talk, my friend.
[00:51:31] No, definitely. So thank you so much for Yeah, thank you so much for, for a great discussion buddy. All alright, thanks David. Thanks everybody. Thanks. Cybercrime Junkies. Thanks for listening and watching. Got a question you want us to address on an episode, reach out to email@example.com. If you enjoy our content, then please consider subscribing to our YouTube channel at Cybercrime Junkies.
[00:51:56] Connect with us on all social media like LinkedIn, Facebook, and [00:52:00] Instagram, and check out our website. It's cybercrime junkies.com. That's cybercrime junkies.com and thanks for being a cybercrime junk.
We also discussed:
What is Ransomware As A Service?,parenting tips for kids online safety,Parenting in a tech world, real cyber crime stories, best security practices for business, cyber crime podcast, simply cyber youtube, best security practices for individuals, best security tips for enterprise, top data breaches in healthcare, top data breaches law firms, best ransomware protection for enterprise, best cybersecurity practices for business, how to prepare for a data breach