Cyber Crime Junkies

War Games. In Business.

February 23, 2024 Cyber Crime Junkies-David Mauro Season 4 Episode 25
War Games. In Business.
Cyber Crime Junkies
More Info
Cyber Crime Junkies
War Games. In Business.
Feb 23, 2024 Season 4 Episode 25
Cyber Crime Junkies-David Mauro

NEW! Text Us Direct Here!

This is the story of Lester Chng, CISSP and the Art of How To Use War Games In Business.

Topics discussed: how to use war games in business, understanding war game exercises in business, leveraging war games in business, how to use war games in security, how to use war games in cyber security, war games in cyber security, how war games are like table top exercises, importance of operational resilience in business, what is operational resilience.

Lester’s LinkedIn profile- https://www.linkedin.com/in/lesterchng/

 Grab a copy of The Essential Cybersecurity Exercise Playbook- https://lesterchng.gumroad.com/l/The_Essential_Cybersecurity_Exercise_Playbook

LinkedIn Ghostwriting for Cybersecurity CEOs and Founders
 - https://sbfmbb2y0wg.typeform.com/to/RNoZ0onD?typeform-source=www.linkedin.com

 Rogers Cybersecure Catalyst (Non-Profit)- https://cybersecurecatalyst.ca/

 

Click the link above and leave your message!

You can now text our Podcast Studio direct. Ask questions, suggest guests and stories. 

We Look Forward To Hearing From You!




Custom handmade Women's Clothing, Plushies & Accessories at Blushingintrovert.com. Portions of your purchase go to Mental Health Awareness efforts.

🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss an episode!

Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/

Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ Google Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast

Join the Conversation: 💬 Leave your comments and questions. TEXT THE LINK ABOVE . We'd love to hear your thoughts and suggestions for future episodes!

Show Notes Transcript

NEW! Text Us Direct Here!

This is the story of Lester Chng, CISSP and the Art of How To Use War Games In Business.

Topics discussed: how to use war games in business, understanding war game exercises in business, leveraging war games in business, how to use war games in security, how to use war games in cyber security, war games in cyber security, how war games are like table top exercises, importance of operational resilience in business, what is operational resilience.

Lester’s LinkedIn profile- https://www.linkedin.com/in/lesterchng/

 Grab a copy of The Essential Cybersecurity Exercise Playbook- https://lesterchng.gumroad.com/l/The_Essential_Cybersecurity_Exercise_Playbook

LinkedIn Ghostwriting for Cybersecurity CEOs and Founders
 - https://sbfmbb2y0wg.typeform.com/to/RNoZ0onD?typeform-source=www.linkedin.com

 Rogers Cybersecure Catalyst (Non-Profit)- https://cybersecurecatalyst.ca/

 

Click the link above and leave your message!

You can now text our Podcast Studio direct. Ask questions, suggest guests and stories. 

We Look Forward To Hearing From You!




Custom handmade Women's Clothing, Plushies & Accessories at Blushingintrovert.com. Portions of your purchase go to Mental Health Awareness efforts.

🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss an episode!

Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/

Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ Google Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast

Join the Conversation: 💬 Leave your comments and questions. TEXT THE LINK ABOVE . We'd love to hear your thoughts and suggestions for future episodes!

This is the story of Lester Chng, CISSP and the Art of How To Use War Games In Business.

Topics discussed: how to use war games in business, understanding war game exercises in business, leveraging war games in business, how to use war games in security, how to use war games in cyber security, war games in cyber security, how war games are like table top exercises, importance of operational resilience in business, what is operational resilience, 

Lester’s LinkedIn profile
- https://www.linkedin.com/in/lesterchng/

Grab a copy of The Essential Cybersecurity Exercise Playbook
- https://lesterchng.gumroad.com/l/The_Essential_Cybersecurity_Exercise_Playbook

LinkedIn Ghostwriting for Cybersecurity CEOs and Founders
- https://sbfmbb2y0wg.typeform.com/to/RNoZ0onD?typeform-source=www.linkedin.com

Rogers Cybersecure Catalyst (organization I work for)
- https://cybersecurecatalyst.ca/

David Mauro (00:20.878)
The way to grow a brand in business has certainly changed over the years. Not only are there seed funding and pitch decks and financial risk, but so many startups miss the critical juncture of bolstering cybersecurity layers to protect the very brand that they're trying to grow. While money doesn't certainly grow on trees, understanding how cybersecurity relates to business is critical.

One of the most impactful things people can do to prepare for a day of tragedy are game time scenarios. War games. Every successful team in every sport on the planet, every competitive athlete, every intellectual leader, public speaker, and captain of industry understands the critical role of practice. We even learned about practicing war games as a child.

Back in school, whatever country you grew up in, we all used to have fire drills. Why? Because obviously children die if they don't get out of a building when there's a fire. The smoke, the building collapses, the related electrical dangers can arise unexpectedly in a moment, in a rush, in urgency, in any part of the building during a fire. If a child turns left on a hallway instead of turning right,

it could mean the end of their life. So we run fire drills. We practice a real life scenario so that on the day of a tragedy, children get out alive. Yet we blindly fly the plane of a new brand without any practicing for the day of a tragedy. Is it arrogance? Is it ego? Is it poor counsel and advice?

Is it the cybersecurity community and vendors, their inability to translate the importance into business terms? Or is it all of the above? Today we have somebody that is a phenomenal story. You can get a lot out of it. Lester Chang joins us in the studio. He's a cybersecurity leader in Canada, but he didn't start in cybersecurity and he's not from Canada. In fact,

David Mauro (02:46.062)
He was in the Singapore army, moved to Canada knowing only three other people in North America at the time. He had no social media presence, no LinkedIn presence, no business experience, and had been involved in tactical warfare and war games for over a decade with the Singapore Navy. He had...

cybersecurity experience and cybersecurity degrees and certifications from nowhere. Yet today, within just a few short years after arriving in a strange country, he's obtained his CISSP, one of the top credentials in cybersecurity. He has amassed a social media following through LinkedIn engagement and simply sharing his story.

And he's served in cybersecurity leadership for top financial institutions. His focus has always been targeted. It's always been about bolstering operational resilience. Now, those are great buzzwords, right? What do they mean? Understanding how cybersecurity relates to business is critical. Knowing how to use war games in business is

as important as running fire drills for children. This is the story of Lester Chng and the art of how to use war games in business.




David Mauro (00:02.83)
Well, welcome everybody to Cybercrime Junkies. I'm your host, David Moro. And in the studio today is Lester Chang. Lester, welcome, sir. Really excited about having you.

Lester Chng (00:14.764)
Hi David, always happy to be here, hope you're doing well and the weather is warming up here in Canada so happy to be speaking to you this morning.

David Mauro (00:24.046)
Always a pleasure to talk to any of our friends up north, always. So, you know, for people that may not be familiar with you, tell us a little bit about your background. I mean, you have a really good story, how you came from the Singapore army, you moved to Canada, brand new country, out of the blue, and you created this phenomenal cybersecurity career. Can you just give everybody a little bit of a...

of your background story.

Lester Chng (00:54.54)
Yeah, sure. So like you mentioned, I came from Singapore. I spent 12 years in the Navy as a naval officer specializing in training, simulation. Some of the highlights there, I ran the Wargaming and Simulation Center for the Navy. Nothing to do with cyber, training purely on naval warfare using simulation and a lot of exercising, drilling the teams on the

David Mauro (01:01.164)
Mm -hmm.

Lester Chng (01:23.5)
intricacies of naval warfare. So that was the bulk of my career in the Navy and like you mentioned, moved over to Canada in coming six years now. I knew three people when I came to Canada. My wife, her sister's husband. That's about it for my professional network in Canada six years ago.

David Mauro (01:49.582)
That's unbelievable. I mean, and I think the experience you have with war games too. I mean, granted at that time it wasn't about cybersecurity, right? But it was about war games. And how has that translated into your cybersecurity career? And then I want to touch on how you grew your network because you have a remarkable story on both of those fronts. Let's talk about the war games first.

Lester Chng (02:13.036)
Mm -hmm.

Yeah, sure. Yeah, so I think war games is like a like in the military we take it very seriously of course because if you're not in operations then you are exercising or training for it and I think one thing the military does very well is to plan and over plan which

In itself, it's a useful exercise to understand your limits capabilities, your options, your resources, who you need to call upon, who you have available to help, who are your allies, or at least neutral parties. So the war gaming aspect of it is important to understand even just the landscape or theater of war or theater of operations that you're heading into. And I think that's something that...

has translated and we can see in cyber operations a lot of the concepts, theories, defense in depth operating in a soft operation center. A lot of it I believe is borrowed from the military in what essentially is a cyber war. So I think that has helped me articulate I think in two ways. One,

the value I bring in my experience and secondly, I think at the operational conceptual level how organizations can set up to unfortunately be well prepared for what's an inevitable battle in this long drawn war that you see panning out.

David Mauro (03:58.126)
Absolutely. Yeah, we do. We talk about it every day on this podcast. You really focus a lot on building operational resilience, right? Like in in through the war games in in the cybersecurity realm or in business, right? What are some of the examples of ways that people can take that war game mentality and leverage it? I mean, you've you've written a really good book.

Lester Chng (04:13.388)
Mm -hmm.

David Mauro (04:26.83)
like the essential cybersecurity exercise playbook. Let's get in. Let's break into that. But first, let's back up just a second. I want to ask you when you first moved to Canada, and you had a network of three people, okay, this is a good story for people to realize the power of LinkedIn, the power of networking, walk us through what was your when you first moved to Canada, what was your LinkedIn profile like?

Lester Chng (04:30.252)
Mm -hmm.

David Mauro (04:56.334)
What was your LinkedIn connection?

Lester Chng (04:57.42)
I had no LinkedIn when I moved to Canada. To be frank, I had no resume, right? I was fresh out of the Navy, fresh off the boat, fresh off the boat into Canada as well, pun intended. But yeah, no corporate experience, no resume done. The last interview I did was probably when I was 18, entering the military.

David Mauro (05:04.972)
Mm -hmm.

Right, complete military transition, right? Yeah.

Yeah. Yeah.

Lester Chng (05:25.616)
one or two internal interviews for appointments within the Navy. But besides that, I had no idea what the resume was, no idea what challenges I was about to face in corporate America and just even networking. It's almost a foreign concept to me. In the military, we understood diplomatic arrangements, having relationships with allies.

David Mauro (05:45.782)
Yeah.

Lester Chng (05:54.924)
time share adversaries and all but it's a whole different whole different ballgame here and I think that's that's that was a huge mentorship of understanding and and I think I took it upon upon myself like I saw it as a mission right I needed to accomplish certain objectives.

David Mauro (06:00.652)
Yeah it is.

Lester Chng (06:20.22)
understanding what the scenario, what the landscape is in corporate America, I think that took me a while to even understand. And to be frank, I'm still learning. I'm still learning on this journey. Yeah, so it's like you mentioned, I only started being a bit more active on LinkedIn three or four years into my corporate career.

David Mauro (06:30.862)
Of course, yeah.

Lester Chng (06:45.718)
I still didn't, it didn't click for me at that point in time because I brought on, I brought with me and in fact that's what everyone does, they bring along what they, what has worked previously for them and they just try and translate that into a new environment. So for me, whatever Singapore taught me, whatever the Navy taught me in terms of what...

David Mauro (07:07.182)
Yep.

Lester Chng (07:14.444)
helps you progress, helps you succeed. Whether it's hard work, heads down, just get your job done and you'll be rewarded. A lot of that in the military, especially military in Singapore, that was my approach, my mindset, how I was brought up. And then when I came here, yeah, I mean, hard work still is important and all, but I needed to get my head up.

a bit more rather than just focus on pure delivery excellence.

David Mauro (07:50.19)
Yeah, and you really did. For those that aren't familiar with Lester, please connect with them on LinkedIn. If you're even able to accept any more connections, you're at close to 40 ,000 already. And I've just seen it grow just within the last year and a half, two years. It's just phenomenal. The content, the stories that you share, the work that you're doing with various groups. It's really, really helpful for the platform and for

the cybersecurity community. So keep it up, man. Good, great stuff. Absolutely. So you you have this book that you've developed, and it is the essential cybersecurity exercise playbook. Really, really practical guide. Very good. It's really well written, honestly. Walk us through kind of what's the central theme focus of the book and kind of what key messages or insights do you hope readers will take away from?

Lester Chng (08:50.86)
Yeah, I think it started off as a way to... So if I didn't start writing on LinkedIn or posting on LinkedIn, I would have never written this book. So that was the foundational piece to me having this idea of producing this book. So I think the initial... Yeah, the premise of the book is...

really take all the experience I have in naval wargaming, in running exercises, cyber exercises, cyber tabletop exercises, life exercises, and distill it in a one stop playbook where whether you have never run an exercise before, you have run, but you want to know how to get better at it, or you want a bit more...

deeper dive into what are some of the risks in a live cyber exercise. I tried to capture wherever the reader is along their journey in understanding cyber security exercises whether you have no plan at all at this point or you are looking to run a full life exercise. The book touches, like you mentioned, immediately actionable

antidotes and tips on how to execute it immediately and it's something that even currently I still refer to my own book I mean it sounds yeah sounds weird

David Mauro (10:25.646)
Well, it's a good practical guide. I mean, I've actually pulled it out in the past. Like, I'm like, I've pulled it up and shown people. I'm like, here's the steps. Like, here's how you make it really effective. It's very good. And so the people understand you came from no cybersecurity background, but you had that naval war game experience. And then you went and you took the CISSP and became a CISSP.

Lester Chng (10:38.38)
It

Lester Chng (10:54.7)
Yeah, that's right. So.

David Mauro (10:55.694)
Yeah, and then you used to run these for large banking institutions and things.

Lester Chng (11:00.748)
Yeah, so it was a huge learning curve to understand security and cybersecurity. But I think it was important to understand that cybersecurity response especially is going to take more than just the security and IT team. And I think that's the...

That's the area where I operate in. I do help the SOC teams run certain drills, but I think it's more important to elevate that conversation fairly quickly.

David Mauro (11:46.03)
Why are these so important for organizations? Like, why is it so important to run these war games, to run these simulations? I mean, I have, we talk about it all the time, but I want to hear it from you.

Lester Chng (11:53.644)
Mm -hmm. Yeah.

Lester Chng (11:58.844)
Yeah, so I think the Why it's useful and important I think no matter where or how matured your organization is in your cyber security journey and maturity I think there's always a place for exercises to play a pivotal role. So Yeah, whether you are no plan. No Everything's outsourced to your your MSSP Everything's on the cloud

whatever, you have minimal infrastructure like a lot of new companies are operating that way which is fine and perfectly sensible to structure that way but

David Mauro (12:31.118)
Hmm? Yep.

David Mauro (12:39.886)
When configured right, it's great, right? That's the key.

Lester Chng (12:42.348)
Yeah, we're incomplete. Yeah, but the problem is you can't outsource responsibility. You can't outsource responsibility. You can't outsource account... Yeah, and accountability to your partners, clients, customers. I think that's something that is... Yeah, you're going to... You have to bear that responsibility. And hence...

David Mauro (12:52.942)
Right. You can't outsource your reputation. Right.

David Mauro (13:00.652)
Mm -hmm.

Lester Chng (13:09.494)
regardless of your infrastructure, immaturity, setup, on -prem, off -prem exercises will tell you immediately where some of the gaps are, where you may have to pay attention to. And it will bring up a lot of questions about who's doing what. A lot of assumptions will get dug up and you'll realize, okay, you better pay some rigor into it.

David Mauro (13:20.718)
Yeah.

Lester Chng (13:39.052)
so that touch wood, when it does happen, you won't spend the first three, four hours scrambling to look through your contracts, look through your SLAs. There's really no time for that here.

David Mauro (13:50.51)
Right. Well, and there's a difference, but there's a difference in severity of data breaches, right, based on how much an organization has built up their operational resilience. Is that fair? I mean, the more resilient you are, the more you practice, the more you run these fire drills, the more prepared you are at...

Lester Chng (14:05.932)
Yeah, I think.

David Mauro (14:16.81)
stemming the flow of a systemic breach and you can reduce the risk accordingly.

Lester Chng (14:23.98)
Yeah, I think even knowing your options, knowing some of the prerequisites to activating an option. For example, if you want to recover your backup, it's not just a switch of the button, right? There teams that needs to be involved. There's probably testing. There's probably some security checks before you fail over. If your DR...

David Mauro (14:41.334)
Mm -hmm.

Lester Chng (14:51.838)
disaster recovery BCP plans covers that robustly with due considerations for cybersecurity, then yeah, then maybe you can get away with flicking a switch. But we all know that there are certain improvements to most disaster recovery and BCP plans. There are unique security concerns regarding

David Mauro (15:05.646)
Right.

Lester Chng (15:21.716)
Whether a backup is clean, whether the option to move to another site, whether it's even a viable option. And yes, there are a lot of new products there that help sort of safeguard your crown jewelers, the most important data and applications that you have. You can test it and you can onboard all these programs. But a lot of...

There are a lot of assumptions made from a security point of view on how that is going to happen.

David Mauro (15:56.398)
Right. And those get addressed through these simulations.

Lester Chng (16:00.492)
Yeah, I think it's a good opportunity to...

have a platform for people to ask the good questions, for your security team to work together with a lot of the application database teams. Most of them have never met. Just think through an onboarding of a new database. The touch point is probably a security questionnaire that somebody filled up. One of your analysts maybe sent in to a project meeting and said, yeah, it makes sense.

from a security architecture point of view but from a response

David Mauro (16:41.806)
But there's other stakeholders involved and by running a simulation, you show how it affects all the different departments or all the different organizations. And in smaller organizations, people wear multiple hats, right? One person is the department for certain aspects in smaller organizations.

Lester Chng (17:03.404)
Yeah, and yeah, but I think regardless, obviously the larger, the more complex, the more beneficial the exercise. I don't know. I think it benefits both large and small organizations in the similar way because the roles and responsibilities.

the same, it's just split up by the number of people, like you mentioned, wear different hats. So it's important to think of it another way. Even... yeah.

David Mauro (17:29.038)
Right.

David Mauro (17:38.126)
Yeah. Who's the intended audience for your book? Is it the is it just the technical group? It's not really. It's it's really the business owners or the people in leadership as well, isn't it?

Lester Chng (17:48.844)
Yeah, so when I wrote the book, I think it was for two large groups of people. One is for organizations that want to run their exercises in -house, right, internally. So maybe it's your operational resilience team, your race team, your head of SOC. If you have a crisis management team, those are the direct users of that book.

David Mauro (18:03.244)
Hmm.

Lester Chng (18:15.984)
And then the other group is essentially service providers like MSSP You want a lot of the insurance brokers also have their own in -house tabletop exercise services as part of their onboarding or

David Mauro (18:21.26)
Mm, MSSP's.

Lester Chng (18:34.412)
with their breach response services. So I think those were the two key audience. The end goal was really the same, to help people have information, to be able to run exercises to increase the resiliency of their response.

David Mauro (18:52.494)
Absolutely. So let me ask you this, since you started running them in your early aspect of your career in cybersecurity, to where you are now, and to where you were when you wrote the book, how has the security landscape changed? Like, to me or to people on the business end of it, right, dealing with decision makers,

Lester Chng (18:56.876)
Mm -hmm.

Lester Chng (19:00.972)
Mm -hmm.

David Mauro (19:19.63)
It seems like the threats are much more common, they're much more severe, they tend to be much more targeted, much more visceral, and all the more need to practice these war games.

Lester Chng (19:33.292)
I think the day -to -day news helps the awareness piece of the risk. So there's not as much selling. There's not much need for selling the value proposition of exercises. And not just from a cyber point of view. Just think about the last three to four years.

David Mauro (19:39.884)
Mm -hmm.

Lester Chng (20:01.484)
geopolitical health epidemics. There was a lot of change and a lot of uncertainty that sort of lent its weight to the need for exercising and being prepared to respond. So whether it's pure cyber attacks, that has been fairly common as well, unfortunately. But the whole mindset about...

David Mauro (20:01.55)
Mm -hmm.

Lester Chng (20:30.284)
The world has been fairly choppy over the last 3 to 4 years. This year is going to be choppy as well, but with elections, we still have ongoing...

kinetic action in certain regions. We have the onboarding or the onslaught of AI tools that people are still figuring out how that is going to impact. All that is just exacerbates the rate of change. And...

David Mauro (21:01.838)
seems to speed it up, doesn't it? I mean, what's your impression on how just even generative AI, not even the advanced machine learning and those capabilities for coding and things, but just generative AI has seemed to really impact social engineering and the access is coming faster, all the more reason to practice these tabletop exercises and to build out a living breathing.

incident response plan. Is that what you're seeing as well?

Lester Chng (21:34.412)
I think that it's inevitable that with higher capabilities whatever was happening before would just happen more often and in larger scale. Back to your point, if we don't get prepared today, what gives us comfort that we'll be more prepared tomorrow? No, it's not gonna happen. So until you put in time, resources to...

David Mauro (21:46.478)
Yeah.

Lester Chng (22:04.806)
spend some time really thoroughly looking at your plans, having those difficult conversations with your key stakeholders, bringing in external partners to really understand, okay if this were to happen tomorrow, what capabilities do you bring to bear? Or is it all just talk and it's on a paper but you can't execute? You need some offshore resources to execute it in, I don't know, office hours and we gotta wait for them to come on board.

all these conversations are to be had before anything happens.

David Mauro (22:34.068)
Absolutely.

David Mauro (22:40.628)
Absolutely. Absolutely. So let me ask you this. Given the interconnected relationship between cybersecurity threats and national security organizations, brand reputation, ways to protect it, how important is information sharing within the cybersecurity community, within business leaders and the cybersecurity community?

you touch on it often in your posts. I'm just curious to get your insight on.

Lester Chng (23:13.74)
Yeah, I think that is the... If that was absent, then we would have no chance, right? Because we are essentially isolated organizations with no ability to collaborate and to share and to hopefully get a preemptive warning about something happening. And it'll be...

Easy pickings for whoever is the threat actors and just pick targets one by one.

David Mauro (23:45.23)
Well, it's, yeah, I mean, it's good to know how lock bit and black cat are coming after people, right, and organizations, because then when you receive information from them or demands from them, you have some baseline of realizing who these people are, what their modus operandi is and how they function, right?

Lester Chng (24:03.882)
Mm -hmm.

Yeah, and I think it is We've come to a point where you can't play dumb anymore, right? You can't say I don't know what what the risks are who are the threat actors it's it's fun night news and I think it is corporate responsibility to your shareholders and your partners clients customers to

do the best you can. Of course there's no 100 % protection but to be embedded in some of this information sharing communities, getting best practices, understanding from previous victims may not be able to share that much but there's really so much information out there on what their experiences are like, what they have done that helped them during a response.

David Mauro (24:58.094)
Yeah. Would you agree there's still lessons to learn in all of these stories? Like even though you may not know the intricate details of even say some of the more popularized ones or publicized ones like the MGM breach or the Caesars breach, you do realize the element, it really heightened the element of social engineering and the research that they do ahead of time. And it helps train help desks when they're helping people and

dealing with MFA, there's a lot of different lessons to be learned there and to draw attention to areas that you may want to focus on, right?

Lester Chng (25:36.844)
Yeah, and a lot of that on hindsight it's always easy to see right but there are probably a lot of small indicators not from a technical point of view. Those if you don't have the tools you don't have any alerts right and a lot of the smaller companies they just don't have any capabilities to yeah but

David Mauro (25:42.988)
Oh yeah, of course.

David Mauro (25:56.366)
Right.

David Mauro (26:00.622)
Visibility. Yeah, they have no insight. Right.

Lester Chng (26:03.244)
But like you mentioned for me, social engineering, I think there are clues there. Like there was a latest huge fraud in Hong Kong with a MNC company. Just bringing in, inviting employees in, having a deep fake video telling them to transfer money and no one questioned. And they just transferred, I don't know, like 30, 40 million dollars. It's...

David Mauro (26:12.884)
Yep.

David Mauro (26:20.686)
Yep.

David Mauro (26:27.822)
Yeah, yeah, it was from the CFOs, allegedly from the CFO. So what you're referencing is the deep fake video where the CFO sent emails, phishing emails, business email, compromise emails, asking for funds to be transferred, but then got on a video call, had a meeting, right? And it wasn't even the CFO. It was a deep fake of it. Yeah. I mean, the FBI here in the US, the FBI issued

Lester Chng (26:31.5)
Yeah.

Lester Chng (26:35.306)
Mm -hmm.

Lester Chng (26:46.506)
Thank you.

Lester Chng (26:50.476)
Yeah.

David Mauro (26:56.878)
a warning of deepfake videos used for to gain access to various companies back in July of 22. Actually, people were applying for remote work using deepfake videos they were being hired on, right. And then we voluntarily would give them access to our systems. And then it wasn't even about hacking. It was more just about, you know, exfiltration of of confidential data and just

pure fraud, basically. But yeah, it's indicative of a lot of things, right? The advances in machine learning, the advances in AI, social engineering. Deepfake is really, seems to be one of the newest and most prevalent threats. And I don't know about you and your experience, but I don't see a lot of companies that have deepfake detection platforms.

in their budget lines, right? Like, what's our deepfake detection budget for this year? Like, nobody that we're talking to, very few people have actually thought that through. And it's something that's going to be coming now.

Lester Chng (28:07.564)
I think as AI video generation gets a bit more sophisticated, right now you can still tell, if you pay a bit of attention you can still tell, but it's just gonna get more and more difficult and I think the first part of awareness and education for your staff dealing with funds or even client interaction, I think that needs to be full of specific...

David Mauro (28:13.742)
Yes. Yep.

Absolutely.

Lester Chng (28:35.756)
a bit more specific training on what to look out for. We, we, we, we, we, we,

David Mauro (28:38.958)
Yep. In the defense of the people that are socially engineered in these situations, sometimes if they're working from home or they're working wherever there could be spotty internet or spotty Wi -Fi, right? You may see a glitch on somebody, right? And you might think, oh, it must be me, right? It must, it must, it's probably not them. That's our CFO. It's probably on my end, right?

Meanwhile, it's really just the deep fake system just glitching, right? It's really scary. I think that is what everybody's afraid of is, you know, how are we going to know, you know, the old adage of seeing is believing. Now that's being drawn into question even.

Lester Chng (29:12.396)
Yeah, yeah, I'm just surprised that

Lester Chng (29:27.628)
Yeah, for sure. And I'm just surprised that nobody asked him a question. Right?

David Mauro (29:32.526)
Yeah. Unbelievable. Yeah, we actually, we have a couple episodes where we're actually going very deep into deep fake. We're going to actually have some where we have a guest and a deep fake guest kind of compare the compare the two. And I'm interested to see it. We haven't had the episodes yet. So those are coming up. I'm kind of excited about that because I want to see how good they're getting because some of the people that we're having on that they have access to some really good.

platforms and it's very nerve wracking to think about that. So you've had a wonderful career. What advice can you share for people that want to break into cybersecurity? I know it's a broad question, but you've really come from a very unique and started Greenfield, started right out, right off the bat. And you've, you know, you're an inspiration to a lot of people.

that want to get into the field. What can you share?

Lester Chng (30:32.3)
Yeah.

Lester Chng (30:35.884)
I think the important thing is to... I came into cyber security through a project management angle which I think a lot of people should look at alternative ways to get into cyber security rather than straight up SOC straight up Intel network security I think it's important...

David Mauro (31:03.31)
What do you mean by you came in through a project management angle? Can you just elaborate on that a little? Because that's really helpful.

Lester Chng (31:06.7)
Yeah, so sure. Yeah, so I joined as a project analyst or coordinator within a cybersecurity project management office. So that gave me a good overview of all the tools that were being purchased in a huge enterprise transformation. And that was useful for me to...

understand all the different aspects of cyber security, why this tool is needed, how we're going to implement the tool in an enterprise and that gave me yeah I guess a good...

David Mauro (31:50.28)
unique insight. You didn't just go straight through the sock and the traditional route. That's really good.

Lester Chng (31:57.516)
And I think another way to approach it is look at some of the trends in terms of focus of technologies or domains within cyber. Like IAM is heating up. A lot of people are needing their tools and that's where the jobs are going to be, right? It's all a cycle.

David Mauro (32:23.042)
Can you elaborate on those acronyms? You mean IIM, right?

Lester Chng (32:26.614)
I am identity access management. I think that's yeah. Just, you know, there's so many aspects of cybersecurity to start getting into and.

David Mauro (32:29.864)
Absolutely.

Lester Chng (32:41.612)
start speaking to people who are in their current roles. Understand how did they get like I can't tell you how to get an IAM job, I never did it but they would have and you will soon realize that there is no one golden path to that. Maybe...

David Mauro (32:57.422)
Right. It's exactly right. Well, it's a broad, broad, you know, it just gets into defense and it's a very broad category and it's being formed as we speak, right? I mean, it's really being defined. Go ahead.

Lester Chng (33:08.544)
Yeah.

Yeah, there are probably some routes that are more higher probability of success than other routes for sure. But I think because I don't say it's a new career or industry, but I mean, you compare it to your network, IT networks, which is much clearer path.

David Mauro (33:34.03)
Right. Absolutely.

Lester Chng (33:37.42)
and because it's a constantly changing which I see as a good thing right because it's it's it's the the fear of a lot of people coming into IT especially it's like these guys have been at it for the last 30 years how am I ever gonna how am I ever gonna learn something to be able to catch up but I think in embrace the rate of change that's coming into

David Mauro (33:43.646)
Absolutely, I do as well.

David Mauro (33:54.702)
Right.

Lester Chng (34:04.204)
not only cyber, IT, the entire workforce If you're able to embrace that, learn faster than anyone else can learn then the guy with 30 years experience, he doesn't have much on you He will, at the start, obviously he will always have something on you but he...

David Mauro (34:23.406)
Want a fresh take, a fresh take, new insight, anything like that is really helpful, right?

Lester Chng (34:28.652)
Yeah and yeah and I think being it I think it somehow leads back into like your own personal brand on LinkedIn right. If everyone has that mindset that oh I don't have anything worthy to share because I don't have 30 years of experience then it would be crickets out there nobody would talk about it.

David Mauro (34:49.55)
Well, and it would be a really boring platform, which it's not, right? Because people, you know, I'm amazed that like less than 4 % of the people on LinkedIn actually post. Right? Think of that. I mean, 96 % of everybody consumes, right? And so what a great opportunity for people to have their voice heard to establish their own brand. I mean, you're living proof of it.

Lester Chng (35:17.356)
Yeah, and I think back to your point of how to get essentially how to get a job on LinkedIn You're gonna put yourself in the hiring manager shoes He opens up a SOC position Probably has a thousand applicants into it Like 90 % are probably more qualified than you given the layoffs that we had this year last year It's a fool's game to try to play the same route just applying blindly

David Mauro (35:39.414)
Mm -hmm.

David Mauro (35:45.998)
Right.

Lester Chng (35:46.86)
Why is it a surprise that you're not getting any traction? There's no surprise Just do the math, look at the landscape, look at what you're dealing with There's just no way you're gonna get in if you just Unfortunately do your four years, get some certs and do up a resume and click apply The guy on... you know...

David Mauro (36:01.326)
Right.

Yep. No, the key is to network. The key is to get to know people, right? And to have a unique perspective on things.

Lester Chng (36:13.612)
And it's going to take time, right? No one's gonna... You're not expecting to show up and give your...

2 cents worth of or a wildly alternate view about sock operations and expect it to go viral tomorrow It's not gonna happen People have been running socks for years and years now Either they call your bullshit or no one's gonna care about what you think or have to say Unfortunately, it's just... That's something that you have to learn People's time is precious

David Mauro (36:30.958)
Right.

Yep.

Lester Chng (36:49.74)
and if you don't understand that concept and you expect people to pay attention to you just because you did something then you got a lot to learn my friend because that's...

David Mauro (36:49.966)
Hmm.

David Mauro (37:04.11)
No, absolutely. There's a great book that I recently read. It's called Smart Brevity. And it talks about how business communications, interpersonal communications, online social media communications, there's a formula that actually works, right? Stating your point right up front, addressing the question that is on the audience's mind, right? Like, just, and then lay it out right away. And then,

go into one or two, three reasons in a very clear, concise moment, and then just edit it and edit it, make it shorter and shorter. Because when you think about when you work at an organization and you get up at the higher levels and you're trying to influence business leaders, right? You can't go there and talk about the events per second of your, of your sim platform. They don't care, right? They need to know about the

business impact, because that's what they care about. You have to enter their operating reality, point out the benefit of it, right? Point out the data that backs up the point that you're making, and then have your call to action right afterward. And it's, I see you do it, whether you realize that you do it or not, but I see you do it in your LinkedIn posts. I see people like Mike Miller do it, and it's really, really good. It's very, very effective.

Lester Chng (38:31.884)
Okay. Yeah.

David Mauro (38:32.398)
So as we're wrapping up here, you have an aspect on LinkedIn where it's LinkedIn ghost writing for cyber CEOs. Walk us through that. What is that about?

Lester Chng (38:40.586)
Mm -hmm.

Yeah, so it's a something that I haven't really talked about much and Yeah So so I think there's a huge opportunity for Cyber security founders CEOs in leveraging their LinkedIn profile

David Mauro (38:51.246)
Well, you're gonna today. So what is it? What's it about?

Lester Chng (39:07.248)
To drive awareness and eventually business to their product or their company it's Yeah, because it's to be fair it does take time to figure out this this platform to figure out social media social selling brand building personal branding marketing fun above you The founder unfortunately is like that's a marketing problem or that's a sales problem

David Mauro (39:13.862)
Absolutely. And many do not do it. Many do not leverage it.

David Mauro (39:24.14)
Mm -hmm.

David Mauro (39:35.534)
Right.

Lester Chng (39:36.076)
But no, it's not. It's a business problem. And who better to lead that charge than the founder or CEO themselves? We have seen a bit more extreme examples like Elon, Mark Zuckerberg, in really where their personal brand is larger than the company and helps it draw attention, whether good or bad attention, doesn't matter, draws attention. And it's something that I believe, one, there's a huge opportunity, two,

David Mauro (39:38.828)
Mm -hmm.

Lester Chng (40:05.93)
No one's doing it The tree, it is something that It's gonna take a bit of time to learn Which founders are swamped with whatever they need to do to keep their business afloat and grow business And therefore, this is something that I...

David Mauro (40:21.58)
Ghost writing for them, helping them do it is key. That's a really good recognition of a void.

Lester Chng (40:25.004)
Yeah, and I think I bring...

I bring the perspective of... Firstly, not many cybersecurity professionals do that. You can hire a generic ghostwriter, but they probably bug you for the next 20 hours just to figure out what your product is. You have no time to sort of...

David Mauro (40:39.702)
Mm -hmm.

David Mauro (40:50.51)
Right, they won't even understand it. Yeah, that's exactly right.

Lester Chng (40:57.004)
give them to be able to write in your voice and your understanding, your client's point. And yeah, I think I'm fortunate enough to be on, come from the enterprise, working with a service provider. I sort of understand the both sides of the coin. I wouldn't say I'm a marketing expert and not far from it, but I understand at least how you draw attention, how you start to build a certain sort of authority influence. Again, it all depends on the person.

points back to depending what the founder wants out of his time spent. So whether it's pure lead generation, whether it's a bit more authority...

David Mauro (41:39.438)
brand awareness, it could be, you know, yeah.

Lester Chng (41:41.02)
influence within the cyber community. Yeah so I think it is because what's the flip side? The flip side is throwing marketing dollars into LinkedIn ad spend, throwing marketing dollars to pay to be on a keynote, I don't know, to have to pay.

David Mauro (41:45.678)
That's really good.

David Mauro (41:53.708)
Yeah.

David Mauro (42:01.558)
run ads, run television ads or radio ads or things that you might not be touching the right people anyway, right?

Lester Chng (42:09.516)
and to pay for conference booths and to be chucked in the corner and nobody even knows you exist. It's a lot of money spent and I think just if you can portion a bit into investing in your personal brand, again it's going to take time. It's not I am CEO, everyone here here knows what's going to care about you unfortunately. But I think there are ways to slowly start to...

David Mauro (42:12.716)
Hmm.

David Mauro (42:17.678)
Yep.

David Mauro (42:31.894)
Right.

Lester Chng (42:37.868)
Share not just your company, not just your product, who you are, why you started this company, what was your journey like, why do you start a cybersecurity product, what get do you see, what's the mind and genius behind your company and I think that helps.

David Mauro (42:52.918)
Mm -hmm.

Lester Chng (43:01.612)
Firstly, put a face to your product and your company. It puts some humanity inside because as the interaction grows with more AI, more we're just going to get bombarded by robotic interactions and you don't want to be faceless in a world that's just going to be dominated by more inputs.

generated voice video yeah so i think it's early days i think it's linkedin is not going to go away

David Mauro (43:27.502)
Oh, absolutely. Yeah.

David Mauro (43:36.072)
No, I think it's really, really important. I mean, I think that establishing that personal brand is so key for all of those elements that you just mentioned. Absolutely. So as we look ahead, what's on the horizon for you? What are you looking to accomplish? What things do you have that are exciting that are upcoming?

Lester Chng (43:59.856)
Yeah, so I'm working for a cyber security not -for -profit. That's where I'm going to spend most of my time and efforts. I think we have a strong mandate to help shore up Canadians' infrastructure resiliency. So I think that's where I'll be spending most of my time.

David Mauro (44:23.01)
Fantastic. Well, we'll have links to that in the show notes. What's the name of the organization?

Lester Chng (44:29.396)
an organization called Rogers Cyber Secure Catalyst. So we are associated with one of the largest universities, largest communications company, bank, government. So we are well connected and we are hoping that our position will be able to help a lot of both private and public companies to be firstly aware and then ready for whatever's unfortunately going to come.

David Mauro (44:33.774)
Mm -hmm.

David Mauro (44:55.086)
Oh, that's great. Well, that's fantastic. Lester Chang, it is always, always a pleasure. You've got great insight. You've got a great origin story. It inspires many and just keep up the great work, man. Thank you. Thank you so much for your time. We will have links to your LinkedIn profile as well as well as to your book and the LinkedIn ghost writing, which I thought was a great insight.

Lester Chng (45:23.756)
Yeah, thank you so much David for having me, always a pleasure. Thank you.

David Mauro (45:25.614)
So always a pleasure, sir. Thank you so much. We appreciate it. Thanks everybody.