Cyber Crime Junkies

How Story Telling Helps Leaders

November 15, 2023 Cyber Crime Junkies-David Mauro Season 3 Episode 18
Cyber Crime Junkies
How Story Telling Helps Leaders
Cyber Crime Junkies PRIME+
Support the show & get subscriber-only content.
Starting at $4/month Subscribe
Show Notes Transcript

Dan Elliott, Principal Cyber Security Risk Advisor at Zurich, and notoriously talented storyteller for complex subjects, joins us.


  • how story telling helps leaders, 
  • Benefits Of Story Telling In Business, 
  • cyber security story telling, 
  • benefits of story telling for complex topics, 
  • analogies used in cyber security, 
  • benefits for having security assessments done, 
  • benefits of security roadmap, 
  • best cybersecurity practices for business, 
  • best policies to limit cyber liability, 
  • best practices for businesses to limit cyber liability

and more...

For more real cybercrime stories, visit our website at

Don't miss our extension of family at You will look and feel good and be treated like family and know that any purchase will help a great cause as portions of all proceeds go to support mental health awareness initiatives. Women's sweatshirts, tumblers, stickers, journals, bracelets and more. All in stock. All Handmade. Ready to ship straight to your door. 

Don't miss our extension of family at You will look and feel good and be treated like family and know that any purchase will help a great cause as portions of all proceeds go to support mental health awareness initiatives. Women's sweatshirts, tumblers, stickers, journals, bracelets and more. All in stock. All Handmade. Ready to ship straight to your door. 

Support the show

Thank you listening! Don't miss the Video episode!

Help us simply by subscribing to our YouTube Channel where you get access to all 130+ episodes and behind the scenes content.

It's FREE. It helps us with the algorithm so we can bring you more content.

Our YouTube Channel @Cybercrimejunkiespodcast

How Story Telling Helps Leaders 


Dan Elliott, Principal Cyber Security Risk Advisor at Zurich, and notoriously talented storyteller for complex subjects, joins us.


Topics: how story telling helps leaders, Benefits Of Story Telling In Business, cyber security story telling, benefits of story telling for complex topics, benefits of story telling for cyber security, how to use story telling for cyber security, using story telling for cyber security, using story telling in cyber security, analogies used to explain cyber security, analogies used in cyber security, benefits for having security assessments done, benefits of security roadmap, best cybersecurity practices for business, best policies to limit cyber liability, best practices for businesses to limit cyber liability

 Find more at

[00:00:00] Come join us as we dive deeper behind the scenes of security and cybercrime today, interviewing top leaders from around the world and sharing true cybercrime stories to raise awareness. But first a huge thank you to all of our executive co producers who subscribed to our Prime membership and fueled our growth.

So please help us keep this going by subscribing for free to our YouTube channel and downloading our episodes. on Apple or Spotify podcasts, so we can continue to bring you more of what matters. This is Cyber Crime Junkies, and now the show.

Excellent. Well, welcome to Cyber Crime Junkies. [00:01:00] I am your host, David Mauro, and in the studio today is my always fantastic and fun loving co host, Mark Mosher. Mark, how are you? Oh, thank you, David. Thank you, man. I'm excited about this. This is going to be a great episode, David. Who's in the studio with us today?

Well, we are lucky today. We've got Dan Elliott, who is the Principal Cybersecurity Risk Advisory at ZURK Resilience Solutions ZRS Canada. And he's responsible, he and his team, for supporting ZURK's clients in making risk based cybersecurity decisions and improving their overall resilience. Dan's got over a decade and a half of experience in national security and risk management and brings a unique perspective to risk, having spent several years as an intelligence officer for the Canadian Security Intelligence Service.

Lots of acronyms, lots of stuff, but he's got great analogies. Dan, Elliot, thank you [00:02:00] and welcome. Thank you for joining us and welcome to the studio. Thanks very much for having me. I, you know. It's, I get to do this, you know, long time follower, first time on. So I can't believe anybody follows us. I can't believe anybody values anything.

We have to say at least one, you got, we have at least one mark of our follower on. So, that's awesome. So Dan tell everybody explain your current role, but I want to back into that too and, and, and find out kind of what triggered you to focus on this line of work. Sure, sure. So, so currently I wear a couple different hats as, as kind of the lead for Canada for ZRS.

I have internal clients and I have external clients. So internally I serve Zurich Canada's book of business. So I help underwriters. understand the cyber risk profile of clients or potential clients, and then I also help them evaluate where those clients need to improve, how [00:03:00] likely it is that those clients are going to be subject to an attack or breach based on controls and vulnerabilities.

And then for external clients, when I'm working directly either with Xerox clients or with Then my job is to help them improve, help them find out where they're sitting today, where they can get better. And then more importantly, from my perspective, helping those within the IT and cyber functions better communicate that with all of their non technical or non cyber counterparts so that everybody's working.

Isn't that important? Right. Like that is, yeah, that's a whole. That's a whole volume of discussion right there, right? Just making the internal business case explaining the risk Yeah, before you know, go ahead. Please go ahead. Sorry. No, I was gonna say that's that's a headache for for IT and cyber professionals if if they're going at it from a pure cyber pure IT technical angle It's just, oh, it can be [00:04:00] such a nightmare.

Absolutely. Absolutely. So, when you were growing up, did you plan on being in, like, a national security role? Did you come from a military family? I mean, I don't, like, if there's certain secret things, we don't need to probably talk about it. Yeah, as a, as a kid, were you breaking computers? Finding, reworking them to control the Mars rover.

I mean, what, what, what was it? So early days, I, I spent a lot of time behind keyboards when it was telenet sites. And you were kind of Yeah. Wandering through people's networks. Then I, I stepped away from it. I had planned on getting into corporate law. I moved from a bit of corporate law into national security, a bit sideways there, and started with physical security in law enforcement and national security, and when Threat Actors moved online, I had to learn the skills to follow, and drag back some knowledge from my [00:05:00] past to be able to effectively explain what I was doing and where I needed to go.

That's interesting. Yeah, that is. So what are some of the top challenges? That you see in advocating against cybercrime today. It's a broad statement, but I wanted to just tee it up for you. That's really high level. Yeah, that's just, just talk me out of a plane at 30, 000. So, I mean, I think the biggest challenge is getting everybody on the same page.

There are still mid sized companies who argue that I'm not a major national brand, so nobody's looking at me, I'm not going to be attacked, we're not going to be breached, so it's getting that huge bulk of companies and organizations in the middle to understand that, you know, a shotgun approach by most criminals means that you're just as likely, if not more likely to get hit than the big names [00:06:00] where they're having to invest more time and effort to breach it.

Absolutely. So that's a great point. We were recently on a panel with some cyber crime researcher and they were talking about how. When an organization places a lot of presence online, and through their vendors and through associations that they join, even smaller organizations wind up being targeted, right?

It's just indirect, like, you might not have a big presence, but you're advertising all over social media, you have a website, you're speaking at events, you're part of an association that might get breached, or you have vendors that you use. For various things, right? Yeah. Yeah. Today's today's kind of theme of the day when it comes to cybercrime is that that third party breach, that extended network, you know, I use tools that 5, 000 other companies use.

So that company is going to be a [00:07:00] prime target, because any cyber criminal knows if I get in there, I have laundry list of a couple of hundred, couple thousand different companies I can look at of all different sizes. And some of them definitely have technical areas where they don't have endpoints up to date, they're not properly patching, you know, they're, they're low hanging fruit for a criminal to get in and attack.

Exactly. So, one of the things we find, it's almost either behavioral or psychological, but a lot of people that focus in technology and it's a sweeping generalization, but they're not the, necessarily the orators of the day, right? They're not public speakers. They're not like, they don't focus on communication because they've been, we only have so much time in the day.

They've been focused on deep technology learning, and yet they see risk and they know they need things. to help protect the [00:08:00] stakeholders. And they have to make that internal business case, sometimes an internal and external business case to investors. And there's a huge struggle there. Like that's a big challenge, isn't it?

Yeah. I think that. That, that is part and parcel with the elevation of the role of the CISO. So as, as that IT cyber leader kind of moved up, either moved up into the C suite or reporting directly into the C suite, that's a whole nother debate. Then it became necessary to be able to have strategic discussions and take on a less...

That's technical role and a more strategic operational role, and when I say strategic and operational, I mean business operations, not technical operations. And that's a whole different language. That's, I mean, if you're coming up through other fields, that those soft skills are expected. You only rise to the top as you're building those, those, You know, technically is they're called [00:09:00] soft skills, but no, you kind of hit a ceiling in traditional IT and cyber.

If we look at the two of them, IT and cyber roles, and then all of a sudden you pop through that ceiling and it's expected that somehow you just grew wings and grabbed all of those skills along the way.

That's a good point. That's a really good point. So let me ask you, you know, you just mentioned something that. When we talk to smaller and mid sized business owners they struggle to understand the difference sometimes between regular IT and technology skills and engineers and security, because people that are managing their regular IT have some security tools, they're basic, but they have some things on there and A lot of them don't want to have other vendors in or other [00:10:00] things that they feel are threatening, so they, so they just tell the stakeholders, they tell the executive team, we're secure, we're good, we haven't been breached yet, don't, don't, don't worry about it, but meantime, they're, Their skill set's really in the network engineering, not in the security.

Like, different certification paths, different trainings. They're two worlds. Different skill set. Yeah. Different theology. Everything's different. How do you go about articulating that to executives? Well, the, the first thing I say is that cybersecurity in and of itself is very wide and very deep. So anybody that tells you that they understand it all, they can do it all is either ill informed or lying.

So Mark, and that's just in the, the cyber side. Mark told me he knew it all. Just, yeah, I've got it. I've got it now. I got my story, Mark, you know, calling out publicly, sir, man, I know it all now. You are called out publicly. [00:11:00] Though this is, this is as close to doxing as we get. IT is all about access, maintain access and, and integrity comes, comes next, but get people access to the network, get people able to do their jobs.

Security in a perfect world, as I tell most leaders, is the exact opposite. If. If a security leader had his druthers, it would be, or her druthers, it would be, you know, lock out access to everybody else, because then I know everything is secure. And finding that balance and asking the same person to wear both hats, to do both roles, is a challenging piece, and I will steal something from a colleague of mine, and if I can remember who it was, I would name him, but, you know, if your leadership ever asks you, are we secure, the only answer options you really have are no or I don't know.

So, if you're saying [00:12:00] yes, Then you're not being truthful because there are thousands of companies every single day that are facing incidents or breaches and you can't be that, it's unlikely you have the budget of that one that's able to rise above all else and never be a victim. So I think it's, it's understanding the differences in roles from IT and cyber and then under helping leadership understand that it's not about being 100 percent secure.

It's about being resilient. It's about having the right people in the right places so that you can continue to do your work. So that if or when you get hit, you can get back up quickly and you can resume business quickly. That's excellent. Yeah, and when you think about it, as a defender of an organization's security, you have to be right every time.

The threat actors only have to be right once. And so by [00:13:00] claiming that they are, yeah, by claiming that they are secure. You know, you're giving somebody a false sense of security, no pun intended. This was, you know, when I was in the traditional national security space, you know, this was the counter terrorism conundrum, is that those of us working in that area had to be right all the time.

And if you weren't right all the time, then it was 100 percent failure. And people working in cyber... We're really facing, especially leaders in cyber security, we're facing a similar dilemma over the past few years. I'm hoping, hopeful, that the needle is starting to move, where organizations are realizing that You know, yes, it's reputational damage, and yes, it's financial damage, but a breach is not the end, you know, we should be looking at that as not a zero one some game, it's an incident [00:14:00] that happened, were we prepared for it, or as prepared as we could be, and did we have the right tools and people in place to manage it and get back up after quickly, and...

I'm hoping that that, you know, that binary solution is changing to something a little more new. That's a really good insight. So... That's a good, because, because we, we find so often that people or consumers or businesses don't want to do business with a group that's been breached, right? And it's getting to the point where almost everybody will be part of one at some point.

So really that's not the metric to judge your vendors by, but it should be, were they prepared? How did they respond? And rate that, right? Look at your vendors, be like, yes, they had a data breach. They were prepared. They had done tabletop exercises. They had it remediated, quarantined within a certain period of time.

They responded. [00:15:00] It wasn't that bad, right? Compared to those who just don't prepare, like who either ignore it or have their heads in the sand or just won't fund it, right? They just won't fund it. It's not necessary. I haven't been breached yet, so I'm just not gonna pay for it. Which is just nerve wracking.

You know, that's a brand that you don't want to do business with, right? I mean, Mark and I always say, you know, in terms of like analogies, like we, we just want to be able to buy a jacket online without you ruining our credit score. Like, if we can do that, then you're secure. Like, we'll keep doing business with you.

Right? But so often you can't even do that, right? Like everywhere you go, like for the holidays when we're shopping, when we're buying things online, I have to run every site we're buying it from through like a scanner to see like how secure it is. It's ridiculous, right? So it's a challenging spot.

Imagine, Imagine somebody [00:16:00] with, with nowhere near your level of comfort in, in the security space, trying to make those decisions. It's, it's almost unsurprising that people just stick their heads in the sand and pretend that, you know, there are companies out there that aren't breached, will never be breached, are a hundred percent secure.

Because the, the alternative in realizing that you have to do all that, that checking and work on your own is rather scary. Like, that's Audubon driving, you know, that's not, you know, your grandmother driving down a safe neighborhood. That's a really good point. Well, David, think about how many people we talk to, organizations that don't even have like an incident response plan.

What they do is like eight years old. Like, those people don't even work here that you've got in this, you know, flow chart. They're not even here. Right, or they have, and Dan maybe you can elaborate on this, or they have a disaster recovery plan, and they assume that's it, and it's like [00:17:00] Because I've seen some disaster recovery plans that have an incident response component built in it.

But most that I've seen have to do with like an outage, or a fire, or smoke damage, or flooding. That's not what we're talking about. We're not talking about guys running around with big hoses of water, gonna... You know, flood your data center. We're talking about threat actors digitally. Yeah, and I think that that preparedness is a shift that some companies are seeing better than others.

I've been in discussions where I've had to ask two or three times, Have you practiced your instant response plan this year? And get back, Oh yes, we've had a disastrous recovery planning session. No, no, no. Your response plan. What are you doing during that first 72 hours? What's your plan for escalation?

Who's on call? And who's going to answer? And who's making decisions? Not, you know. What do I do to get back up and running? And what do I do if, you know, something's [00:18:00] on fire? It's, it's a, a little more nuanced. Keep reusing that word, but no, it's true in that space. And, and IRPs, my favorite is if you do a keyword search.

In a, a, a really long tome of an IRP and you can usually find which federal agency or university they took it from because they didn't do a find and replace all, so they'll, they'll like, you know, a mid sized company that has like an 80 page incident response plan, you start to think, okay, what keywords do I need to search to figure out where this actually came from, where they copy and pasted it.

Oh my God, that's hilarious. I never even thought about that.

That's great. Yeah. At least they think that they they're prepared, right? Like, well, we downloaded this from Princeton and they're pretty smart, so we should be okay. Any of these positions or roles, [00:19:00] but we're good to go. Yeah. Oh my gosh, that's hilarious. So, oh man. So um, let me ask you this. So you have the Rosetta Stone of Cyber Security.

You have this kind of a presentation that you've done. I've, I've, I've, I've listened to it. I love the analogy too. Can you tell the listeners or the viewers a little bit about that? Sure. And I think that as we've discussed a couple of times through this, the, the biggest challenge that people have is getting across, bridging that gap between...

We'll call it technical understanding. And when I say technical, I mean cyber security. I don't mean, because every industry has technical understanding. So technical understanding within cyber and business understanding, business technical language on the other side, and being able to communicate it back and forth is really important.

It's essential the more and more we use technology [00:20:00] ubiquitously through all of our business activities and all of our business operations. But what I was finding, especially when I came over from the public sector into the private sector, was that there really wasn't a specific role in place for people to translate that, to act as a translator, moving that information from one side to the other.

And within my old role that fell within a risk management type function that was very specialized in our organization that was there to be able to communicate the different types of risks in a way that the decision makers could. Could understand within their framework and, and their, their operational design.

So what I've really tried to work with clients on is taking all of the cyber risk, all of the technical understanding, and through analogies and, and through comparisons, bridging that across to strategic business risks where. Most business [00:21:00] leaders are more comfortable communicating and more comfortable discussing the way things can impact their business and can look at, you know, catastrophic losses, and although it's still scary, at least can find a way to manage it and understand how much they have to spend on it and why they're spending money on it.

So, and it can help too with Investments that internal I. T. or security leaders are asking the executives to invest in, right, like understanding and speaking their language. Through analogies showing some type of ROI, like if we don't do this level of risk stand here, right? If we do this, we'll be protected through, through these types of attacks.

Well, I think it's also, it's not just looking at it as the protection side. It's looking at how you're driving the brand in, in other areas. If you're spending the right money on cyber, [00:22:00] then that, that has a brand value. Absolutely, absolutely. We've talked to a lot of business owners that are, they have a standard version of their offering, whatever it might be, and they have like an advanced package version, which includes a lot of the extra security, or they just take it and they make that part of their go to market strategy.

Yeah, I think that that is, when, when you start to be able to talk in terms to your leadership and say, you know, we're one of your greatest marketing investments. because every year that we are not that exact namesake example breach, you know, that, that drives customers to us. versus competitors who do have those breaches and need to keep ahead.

See, and I think at that level, too, for those strategic minded leaders like that, that's more of a consumable or digestible talk [00:23:00] track, right? Like, they get it. They can fixate on that and not worry about what lights are blinking and what piece we need in the rack. Tell me about how that grows our brand. I think that's a great point.

Yeah. And, and spread that, spread the wealth, spread the expense around. I mean, if you're talking to business units about their need to have access to the internet, their need to have, you know, full email access, those have costs associated with it to keep them secure. And they, those sections, those units are posing business risks.

That is a risk to the organization. that cyber is paying for, is, is funding and is carrying out the functional duties of. So if you start spreading that understanding and spreading that cost around, it, everybody starts to see, well, I want to see that benefit. I want to see that use. I understand there's a risk to that.

So we all need to invest in the same way. We all need to be [00:24:00] playing the same way. I think that changes it. It's a shared expense, right? As much as it is a shared responsibility. It's a shared expense. It's not what is IT's budget for the year. That's not, no, it's every department. Everybody's using these same platforms.

Everybody's responsible for that. And it comes with a cost, right? Yeah, I think that that's, that's really important. And you start to, you see that the cost line should not be front and center. People should first be talking about, you know, where are we trying to drive the business to? One of my, my favorite analogies that I always go back to, I, I had an instructor when I was doing offensive driving course early on in my career.

And, and In that offensive driving course, we had to drive down a really narrow course road that increasingly got narrow and we had to increasingly keep our pace above a certain speed. And it got very difficult to navigate the twists and turns and keep your [00:25:00] speed up. And our instructor said something that still sticks to me to this day.

He said, the ability of a vehicle to move at these speeds is not about the engine, is not about how hard you put your foot on the gas. Those things, there's some expectations, but, you know, they're not going to make or break you. The two deciding factors are the driver and the brakes. The driver obviously has control of the way the vehicle moves.

The brakes, you shouldn't just think of them as stop and start because those are poor brakes and brakes that only have on off. You know, they, they had that a hundred years ago, but, but it's, but it's the, the compression on the brakes, the timing of it, everything. And, and it's the confidence behind it. If you know that you have good brakes, that you can stop urgently in an emergency, or you can ease on and off them as you need to make turns and go faster, you get to go faster [00:26:00] overall.

So, I think that might be an analogy. That, that, that may have just become my number one. I really like, because you think about if, yeah, that's a great point. Because if you want, if you watch any type of racing, Formula One, IndyCar, whatever it be. They drive with both feet because they use their brake to drive as much as they do the gas pedal.

So now that's a great point. Absolutely. We have to rewind that and listen to it and take some notes. Yeah. I love analogies. Yeah, you certainly are the person of analogies. So, you shared an analogy with us that I have to ask you about. But, even before we get there, and it's the bear in the woods analogy.

But before we get there you know, what you were just talking about, I think was brought to the forefront this past year through the popularity of generative AI. Because I think you saw sales and marketing and leadership. Diving in full speed and then you also saw [00:27:00] security in organizations saying, Whoa, we need a policy for this.

Like what, you know, you can't go through the source code to the products in there and have it fix it because now it's public and people just don't understand that for some reason. Yeah. So what, what, what have you seen? Like, have you seen in your consulting generally, or some of the business leaders that you're speaking with?

What are you seeing in terms of the adoption or the cautiousness? The, the standards that are, that are being implemented out there. I think it's really all across the spectrum. And the good news is that most of the clients that I'm talking to are thinking about it, are taking actions, are starting to build plans and want to say, put guardrails on it, but really to, to better understand how they can use it.

And what their risks are for it and where they can take advantage. I was at a conference over the summer there was an [00:28:00] ISACA GRC conference, and they actually took a poll during it, and were asking how many of these GRC professionals felt that their organization was using AI regularly. And the percentage in the poll was a lot lower than I know the real answer was.

And then they asked them also what the percentage of the audience was that had, they were confident that they had strong governance around the use of AI. And the number was a lot higher than I think it probably was, but it was still around half. So you had hundreds of professionals, half of whom felt that their organization didn't have governance, policies and procedures around the use of AI.

And all of them are probably using AI in some way, shape, or form within the organization. So, I think we're playing a game of catch up, but fortunately, companies are recognizing those areas, and I'm finding that a lot are coming forward wanting to... You know, build proper governance around it, not hide from it, [00:29:00] not, you know, turn it off, but find ways to, you know, press slightly on the brakes and ease on and off.

Yeah, there we go. Yeah, well, I mean, it might not be a binary question, yes or no, but... Should organizations be working on creating an AI policy for them, like an acceptable use AI policy? So, I think, my personal opinion is that yes, it's one of those areas that even if today, let's say you're that, that one organization out of a thousand who has no AI usage today.

You should still be preparing for the day when you want to adopt it. I don't think it's a question of, well, someday we're just going to turn off generative AI. We're going to stop using AI and all these other tools and, and roll ourselves back to 1994. I think the reality is it's going to be there. So the sooner you get [00:30:00] governance and policies out in front of it, the more prepared you are when you do choose to adopt it, if not today.

Right. Yeah. And are there. Have you seen, my understanding, speaking with some people that own companies that are leveraging AI right now, I mean, there are APIs and applications you can do so that you can keep it private within your bubble, essentially. Right, like you could still use the AI, but when you put information in it, it's not, it's not going to go out into the mainstream public of the machine learning.

Have you come across that? I mean, there's some really good companies, I think, that are working on that or have developed that. Yeah, there, there are some really interesting applications that are being used. There's some companies that, that I work with and some companies that I've, I've had the pleasure of chatting with who are doing really interesting things in this space and [00:31:00] finding ways to leverage AI within their organization.

Even if it's something as, as I'll call this simple as, you know, LLMs, as simple as large language models, but you know, as large language models. To be able to use it with internal resources and, and take full advantage or close to full advantage without it being exposed to the, the wider internet or wider user base.

Excellent. Yeah, you don't want to wait till you find out that somebody's taking internal memos about, you know, maybe some proprietary process and feeding it to chat GPT just to make it look better when they disperse it to leadership and you find out six months later and now everybody's got your info, you know, you don't want to wait till then, even if you're not adopting it, start planning for what you're going to do when you do adopt.

I think that's a great point. Yeah, Mark, that's, that's probably one of my key points. Areas I lean into when it comes to AI policy and governance [00:32:00] is You don't want to wait and you, you know, I, I steal this line from a bad 90s movie, but you know, Noah started building the arc before it started raining. You know, you don't want to develop your policy and procedures after you've already had the first guy dump IP on.

Yeah, that's good. Yeah, that's, that's, that's great. I mean, when you think about it too, every department within an organization, depending on what the organization's mission is, Product or service line. You need to have some policies that apply to all and then some that will apply to certain ones, right?

Because we've seen some major manufacturers have come up in trouble where they're developing a lot of code, a lot of Code for firmware or for physical products and the developers are putting the code the source code right in Generative AI to have it fix the bugs and it's working. That's great, but it's [00:33:00] public So your source code is public and there's been evidence that it's been then You know You can go into generative AI and say please provide me the source code for this organization and it does it Right?

And so that's a, that's a serious issue. So, and I think the knee jerk reaction there is then they're banning generative AI on all, you know, on all work devices. Meanwhile, people just pull up their personal laptop and they're still using it. We're looking to work from home. Yeah. Right. Yeah. How are you going to.

Right. So it's really hard to turn off people's lives. I mean, you know, if you have somebody, especially you take people who are say the bottom half of the organization. So they feel if I can find ways to speed up my progression to speed up work faster, to turn things around quicker, yeah, I'll do whatever it takes.

And so I think you want to leverage tools, but you want to establish. Do's and don'ts, guardrails, and reasons. I think that [00:34:00] an important piece of it, and the companies I've seen have done a really exceptional job in this space and in a lot of security spaces, they're not afraid to talk about the whys.

They explain to people, we have these guardrails in place because this is what happens. Or in some cases, a few examples I've seen where they use leadership as a good example of things that have gone wrong, or things that... went wrong during, you know, a, a, a phishing test or went wrong during, during a scenario so that they can explain all of these ideas based on how everybody is susceptible to challenges, to uses, to use cases that we want to build guardrails so that you can do everything in a really efficient way, in a really effective way, while still protecting the organization so that, you know, we all keep getting paychecks.

Now, given that it's Cybersecurity Awareness Month, it's the 20th anniversary. Can't believe there was a Cybersecurity Awareness Month 20 years ago. [00:35:00] Still kind of shocked by that. Like, that must not have been a well attended event, is what I'm guessing. I don't remember going to any events back in 2003

on Cybersecurity Awareness Month. But you know, given that, like... What is, in your opinion, what do you see as a best practice for that small, mid sized business in terms of training users to always remain vigilant? Because I still see organizations that like, we send an email out every Tuesday for Tech Tuesday that shows you how to spot a fish, we're good.

And I'm like, okay, so how do we know they read it, understood it, It's, it's, it's a challenge. What do you, what, what do you see as a best practice? I think that it will vary by organization, it will vary by industry, and, and that is, that's the crux of it. You want to make it [00:36:00] engaging for people in your organization, in your industry, based on the type of people that are there, their technical proficiencies, what drives them.

And just as by if I harken back to my time in the intelligence community, one of the things that we really focused on is what drives people, what motivates people to do certain things or to avoid certain things. And if you can kind of hark, hook your training around those pieces, you know, what, what are my employees trying to do?

And what are they really concerned about doing or not doing, and build a, an engaging training system around that. And I think it's more than just a, you know, an email once in a while, it's more than just a click through exercise. It's gonna be a combination of different things, and that'll be tabletop exercises that engage more than the six to ten key players, that'll be emails that talk about what's going on, it's gonna be...

[00:37:00] Fishing tests going through and I think that no matter how big you are, most of these types of things have a cost on a per user basis, so your costs are going to go up exponentially as you get bigger, so a small organization, especially in this day and age, doesn't have the option of saying, well, you know, I don't want to buy locks on my doors.

I have two doors. I don't need to put locks like, you know, a large company has 20, 50, 200 doors. They're putting the same number of locks on. And yes, they're getting a lower cost per lock, but it's the same idea. You, you have to do something and. You know, I, I, shame. Shameless plug, you know, Zurich just purchased spear tip in the US who's a, a great SI cybersecurity provider, and I've always been, been looking for those providers who are able to provide a, a good value and an excellent service on a per user basis.[00:38:00] 

That's the goal. You want to find an, an organization that's able to deliver security at a reasonable per user price and then you don't have an excuse of saying, well, I'm not an Amazon. I'm not a Microsoft. I'm not Google. Well, yeah, but they, they have, you know, 300 times your employees. So their cost is going to be close to two, 300 times.

Yeah, it's really about creating that security culture, you know, it's about the training, it's about evangelizing internally, it's about the tabletop exercises, the IRP, you know, there's so much that goes into it just to create that mindset, I think that's a great point there. Yeah, it's, it's, it's that idea that You know, Cybersecurity Awareness Month should carry little pieces throughout the year.

So it's, I love this month as an opportunity to really focus on, maybe gamify, have some competitions within your organization. This business unit versus that, what's your knowledge, you know, who, which business [00:39:00] unit got caught in, in the fishing, fishing marathon this, this month. But if, if you're not, you know, spreading some of that throughout the year so that people are thinking about it.

You're in a losing competition. I was reading a stat that said the average employee in North America gets roughly 80 emails a day. And if you think about it, I think the last time I saw it was about a quarter of those have either an attachment or a link in it. Based on those statistics, your heuristics of click through just to get that little, yay, that surprise of something opening.

If you're opening, you know, 15 to 20 emails a day that have an attachment or a link, most of them are okay. What's going to drive you to take that extra second and think about whether this is that one That you know, it's going to cause it an ongoing problem for the organization. Yeah, I like that.

Absolutely. Absolutely. When advising and thinking about risk, right? Risk is [00:40:00] not an on off. It's not binary, right? There's there's always a level of risk in anything that we do. So it's all about almost like a dial, right? It's all almost like just what scale of risk do you? What's your attitude? Right?

Yep. Yeah. This is, I think the one thing people forget, especially I'd say in, in organizations and in roles that are outside of traditional risk management is there's also a bottom level that companies are avoiding too, that this activity has so little risk that it has nothing for me to gain from it.

And, and you want to work above that too. There's a, there's a up and a bottom to that, that tolerance and that appetite. And I think it's, It's important to realize where you sit as an organization and where you sit within your cyber security posture and have those conversations early on. I had really great success with organizations where within their cyber group, they [00:41:00] have leveraged discussions with leadership about their risk appetite and develop a management plan around that.

So what is, what is our risk appetite? And you can't say that your risk appetite is... Zero incidents because that's, you know, are you gonna spend that money? Like there is a, there's a . Yeah, exactly. If, if you want zero on this side, well you have to spend up on this side. So I think building that plan, where are the red lines, what's, what's our expected time to get back up and running?

You know, how quickly do we wanna be able to respond? All of those sorts of things have to be talked out in advance and, and most of the organizations that I've talked to that have. Walked down that path have realized that, you know, as an example having nine to five Monitoring with my three guys who work in cyber security.

It's just not good enough You ask them as a percentage how many attacks do you feel probably occur at a Sunday at [00:42:00] 2 a. m Because cyber criminals know that nobody. Yeah Well, if you look at the if you just look at the news, right so many of them occur around the holidays or late at night because they know people are gone or it's lower staff, right?

You know, underestimating cyber criminals is not a good idea. You know, it's, it's, it's a business. And, and I think that if, if you put yourself in, in those shoes, if, if I was trying to gain access to a network and I knew that the people celebrated these holidays. And I knew that these were typically their working hours.

Why would I try to, to breach their systems during those times? Like, those, those are the first hours where somebody is going to be there to respond. You know, from Friday afternoon at 2pm until whenever people show up on Monday morning. Those are kind of your core long weekends are horrible. I gotta say, you know, whether it was in the national traditional national security [00:43:00] space or in on cyber I between Christmas and New Year's is just man that those those are my dark days because I'm just waiting on pins and needles for somebody to call because Everybody

knows How about third party risk I mean You know, you hear about, like, some of the larger breaches that have made the news in the last decade, like the Target breach. It wasn't Target that was directly compromised, it was their HVAC vendor. Right. That's just one that everybody can relate to, but there's thousands more that that type of thing happened.

How do you advise, what best practices are there for, you know, small and mid sized organizations to handle their vendors? Well, I mean, first I love that you called out the Target example, because everybody does, and that was in 20, if I recall correctly, 2015. Yeah, 2014, 2015. Eight years [00:44:00] later, and there's still people being laughed about.

Yeah, the poor guys that were in charge then. Like, we're still talking about them. You know, the, the reason I always love to start there is I'll ask a room full of people how many people know the name of the HVAC company that was actually the cause of the breach. Nobody ever does. Nobody does. And that's the, the point of, you have to be responsible for your own risk.

That it doesn't, at the end of the day, it doesn't matter. You know, what other company in your extended network caused that you're the one who's going to wear the reputational damage if you're the one that ends up getting breached. And I think that the, the place that a lot of people start is by saying, well, you know, I can't go to Microsoft or to Google and tell them to give me to, to assess their, their environment in a certain way.

But you can have discussions with. Other vendors and suppliers [00:45:00] of your size, of your level and within your market that are how they're looking after their network, how they're accessing yours. I think it has to be a part of the practice before we go into contract talks, before we sign on the dotted line, that cyber is integrated into that process.

Some of the best, I mean, I have a good fortune speaking with hundreds of CISOs and IT leaders. And of the ones I've spoken to this year, the most impressive ones are ones who are integrated in all those processes. So that if we're, you know, if marketing is, is looking at a new vendor. There's an either a formal or informal process to engage with the cyber security team to assess, or at least ask questions of, of how that vendor is assessing cyber and their security of their networks and how they're, what they're gaining access to of [00:46:00] our company's information or our network.

It's, it starts after a paper chase. It's going to start with questions, but the level of, of understanding you have of other organizations in your extended network. is going to greatly determine the risk that your own organization is taking on, especially as we start to outsource more and more in our vendor network, start to grow.

Absolutely. And it's a challenge too, to assess a vendor's security policy. I mean, you can ask them, you can maybe have a long, like a list. of please provide this, this, this, you know, so that, you know, they're using MFA or they're doing this, but when it's a product or a SAS program well, we were talking to, it was one of the CTOs of Intel and they were talking about, there's an initiative about having S bombs prepared for for platforms.

It's like a software bill of materials. Like a cereal box has the ingredients so you know you can't buy it if you're [00:47:00] allergic to something, right? And a lot of times we buy these platforms and they're made up, they're cobbled together by some potentially vulnerable code. And so you can see it at least, you have some visibility, and then calculate that risk whether it's worth it.

Yeah, I, I don't think we're there. I, I look forward to the day that we get there. Yeah, I wouldn't even know how we would get there. Like, I mean, that sounds really complex to have somebody, you know, Show us the secret sauce behind your product like that's gonna be tough I think it's always gonna be a case until we have that that perfect day It's gonna be a case of having Everybody in the organization understand that the tools that they want to use the vendors that they want to engage with Bring in a certain level of risk So do so with that understanding and, and if you're conversing as the cyber expert talking to people in your organization about the [00:48:00] risk that they're owning and that they're choosing to bring in with that product, that tool, that vendor.

You'll get much more thoughtful decisions about, okay, well, you know, is this an established tool, you know, how, how long has this been running? How are we going to use it? How are we going to integrate it with our data? Is it going to reside on our network? And, and I think the more you have those conversations, then, then everybody realizes a bit of ownership and you won't have people grabbing up tools and software pieces and installing it on their device just because they want to see how it works.

Yeah, that's a really good point. That's good advice, right? Like you can't have the accounting department go buy a new software module and just Bolted on because they needed it and not vetted through anybody, right? Like you just that can't be done. You got to have the governance over that. Well, I know we're We're getting up against the hour But I know David's I can see [00:49:00] him chomping at the bit to ask you something and I'll preface that with I would like a signed copy of the Dan Elliott coffee table book of analogies So, if you can go ahead and just ship it over to those, you know, the shipping companies.

I'm already working on the images for you, Dan. I'm already, I'm already, I've got bear, bear traps, hikers in the woods. I've got all of them. I'll share the video when we're done. Like I've got it all up here. I'm like just trying to, to, to paint the picture for everybody. But when you talk about making an internal business case, speaking to executive leaders about complex technical aspects, but how they relate in the business impact.

Right? And the risk involved, right? You've, you've mentioned an analogy called the bear in the woods. Could you please share that with the listeners? Yeah, sure. I, I think, you know, I'll, that'll be the cover of the book, right? Yeah, this, you know, I, I, I drive my, my [00:50:00] wife crazy with analogies and I'm Very appreciative now that they have an applicable place to reside.

Yes, exactly. Now that the kids are grown, now that the kids are grown, to talk to except for Mauro. And it's like here, you know, I've got a thousand more analogies I have to share. Yeah, here's, here's hoping I don't just sound like the crazy old man soon. Right. I mean, I, I try to explain to, to people, I love vivid and an analogy to an emotion,

The better it's gonna stick, the more likely they are to remember it in the concept. So, I use the Bear in the Woods analogy that companies running around in any industry are akin to a bunch of hikers wandering around in the woods. And if you don't know what your organization has in terms of maturity or security posture, then you're walking around in the woods blindfolded.

And on a good day, you're going to bump up against problems, you're going to [00:51:00] bump up against other organizations, and you're going to lack visibility on where you are. Now if we take that same instance and we stick a bear in the woods with all of those hikers, you'll hear the bear. You'll hear other hikers, and you may not know which is which.

And as soon as you hear the bear, you may have the idea of running, but you won't know if you're the sprinter in the group, or if you're the slow guy at the back of the pack. And I think there are two takeaways from this, and the first is, if you first look to understand what your maturity is, what your security posture is, by taking the blindfold off, you'll have a better understanding of where am I in comparison to everyone else.

You don't need to be the sprinter. You know, unless your namesake is such that hackers are out looking for you, the goal is really to just not be the slowest half of the group. Because those are the ones that the bear is going to pick off as he's going through. So you take off the blindfold, you can [00:52:00] understand what your posture is, what your maturity is.

Now I know how fast I need to run so that I can be effective, you know, without burning myself out. Yeah, I love it. I love that. That is so, that is so, and, and, and boardrooms can relate to that, right? Like executive leadership can relate to that because it, it says it all in terms of the scale of risk and, you know, whether they, Really realize that they're in the woods blindfolded.

Yeah. That's great. And people are worried about spending, I mean, you, you, you talk about Mm-Hmm. , the spend in, in cybersecurity. The reality is that the, the leadership may not understand what is overspend in underspend and, and being able to benchmark against what other people are doing and understanding where your maturity is now and where it should be.

Allows you to find that sweet spot where I'm spending the right amount, not overspending, but I'm making sure I [00:53:00] stay out of reach of the bear. That's excellent. That's fantastic. Well, Dan Elliott, thank you so much for joining. And, we we really appreciate it. You are welcome back any time, sir. , this will absolutely not be the last time that we speak.

No, not at all. I've still got a half a sheet of questions I didn't even get to ask. Absolutely. So we direct everybody, connect with Dan on LinkedIn. He, puts out some of the best content on the, on that platform. Really, I, you know, I love, you have like a million analogies. Like, this is going to be a great coffee table book, because you really do, you, you tell the story of certain cybercrime gangs, you tell the story of certain aspects or certain threats, right, and what they mean for people, or the meaning behind penetration testing, what they are.

I mean, it's really good, you know, storytelling is such a relatable, practice, and you, you do it well, my friend. Yeah, thank you very much. So everybody, check out [00:54:00] Dan and we all thank you guys for listening and watching. Thanks so much.

Well, that wraps this up. Thanks for joining everybody. Hope you got value out of digging deeper behind the scenes of security and cyber crime today. Please don't forget to help keep this going by subscribing free to our YouTube channel at Cyber Crime Junkies podcast and download and enjoy all of our past episodes on.

Apple, and Spotify podcasts so we can continue to bring you more of what matters. This is Cyber Crime Junkies, and we thank you for joining us.