The Digital Defenders: Navigating Cybersecurity Careers and Trends
Unlock The Secrets To Success In Cybersecurity
We have an exciting episode with Patrick Hynds, technology leader and founder of DTS and Pulsar Security.
In this episode, you'll discover:
- The truth about AI and its implication for cybersecurity and privacy
- The top cybersecurity risks you need to be prepared for
- How to stay up to date with the latest security trends and best practices
- How to differentiate yourself and achieve success in the industry
This is a must-listen episode for Privacy Pros who want to stay ahead of the curve and gain a competitive advantage!
The CEO and Founder of DTS and Pulsar Security, Patrick is a recognized technology leader with expertise in Microsoft technologies, software development, network architecture, and enterprise security.
Patrick has spent two decades as a Microsoft Regional Director, frequently speaking at technical events throughout the world, and is a graduate of West Point and a decorated Gulf War veteran.
Follow Jamal on LinkedIn: https://www.linkedin.com/in/kmjahmed/
Follow Patrick on LinkedIn: https://www.linkedin.com/in/patrick-hynds-968142/
Transcript
Intro: Are you ready to know what you don't know about Privacy Pros? Then you're in the right place.
Intro: Welcome to the Privacy Academy podcast by Kazient Privacy Experts, the podcast to launch, progress and excel your career as a privacy pro.
Intro: Hear about the latest news and developments in the world of privacy, discover fascinating insights from leading global privacy professionals, and hear real stories and top tips from the people who've been where you want to get to.
Intro: We're an official IAPP training partner.
Intro: We've trained people in over 137 countries and counting.
Intro: So whether you're thinking about starting a career in data privacy or you're an experienced professional, this is the podcast for you.
Jamal: Good morning, good afternoon, and good evening, whatever part of the world you're listening from and whatever time of day you're listening to us, too. I'm Jamal Ahmed, your host at the Privacy Pros Podcast. And this week, we're going to be speaking all about security, and to help us get a really good appreciation as privacy pros for security, we've got an amazing guest lined up for us today: we're going to be speaking to the CEO and founder of DTS and Pulsar Security, Patrick. Patrick is a recognized technology leader with expertise in Microsoft technologies, software development, network architecture, as well as enterprise security. He spent the last two decades as a Microsoft Regional Director, frequently speaking at technical events throughout the world. So we're so fortunate to have him. And he's also a graduate of West Point and a decorated Gulf War veteran. Patrick, welcome to the Privacy Pros Podcast.
Patrick: Thanks for having me. I'm excited to be here.
Jamal: Now, I know that you have an amazing podcast, the Security This Week podcast. What inspired you to create that podcast?
Patrick: So we found a lot of the smaller companies, small to medium companies, couldn't afford red teams and the high-end tools for endpoint detection, things like that. And they were kind of adrift. As a military person, I believe that when we look back, we'll see the cyber war has already begun and we're in the middle of it, and they're going to say, well, they just didn't even realize; it's like the frog in the water boiling. And the victims, for the most part, are small to medium enterprises in the West. So the big companies can hire; the billion-dollar companies hire organizations like us all the time. But we found a lot of small organizations just didn't know where to turn, didn't know what to do. So really it's about education and getting people to know. And we use the security news over the last week to discuss that: you should be patching, and why it's important and how it's important and what could go wrong, and passwords. And we talk about open source intelligence, which I think will be a big part of our conversation here. And it's really to get the word out that you can do a lot of security, you can do a lot of good, without spending any money. You just got to know the information.
Jamal: Sounds super valuable and a much-needed resource for every single privacy professional. So what we're going to do is we're going to link that in the show notes. So guys, once you've finished listening to this podcast, go ahead and check out the Security This Week podcast. It's available on all major platforms, and there is so much valuable content in there that I just had to reach out and make sure we get Patrick onto the Privacy Pros podcast so he can share some of that valuable knowledge with you. Now Patrick, I know I've actually gone in and jumped the first question. We usually always start off with an icebreaker. The one I have for you today is: if animals could talk, which animal do you think would be the funniest?
Patrick: That's an interesting question. I think in a dark sense of humour it would be sharks. And overall I'd pick something from Australia, like the kangaroo. I've never thought of that question more than the 30 seconds you've given me. So take it for what it's worth.
Jamal: I'll take that. Sharks and kangaroos. I was going to say cows. They still just sit there and they just... how do they keep themselves entertained? They must have some funny conversation.
Patrick: The Monty Python of the animal world.
Jamal: There we go. Now you mentioned some of the larger companies or the enterprises have the resources to be able to invest in red teams, so the penetration testing, getting people to attack. And then with some of the other businesses that are not as big or not as well resourced, they might have some challenges; they might not have the resources that they need or want. What are some common mistakes you notice that businesses as well as privacy professionals are making when it comes to securing their businesses and organizations?
Patrick: Well, there are some of the same mistakes that individuals are making with their privacy. They're hoping if they don't move, they won't be seen: if I don't make any false moves, or they don't have anything worth stealing. Everyone on the Internet, if you have a network connection, if you have a hard drive, then there's somebody who wants those resources. If you have a bank account, if you have an identity, there's somebody who wants those resources. So it's true for small companies as well. We're seeing a lot more ransomware going towards the smaller companies because they don't have the in-depth defenses, they don't have the wherewithal to withstand those attacks. And that's really the big problem: they think that they're just not worthy of being attacked, and that's not the case.
Patrick: What they need to be doing is educating themselves because, as I said a couple of minutes ago, a lot of the things you can do really are free: patching, using current systems (that's technically not free, but it's not onerous). Windows 95 is not a defence. The hackers know how to get into the old systems. In fact, it's much easier. Using a password that you think is clever, that's the way that hackers attack passwords. If you understand that, then you'll have a better chance of building a good password collection, if you will. Password management is a big thing. I'm a big fan of warfare. Somebody tried to identity theft me, or somebody has been trying to identity theft me, over the last six months to a year. And I take great pride that they've gotten not a dime and I've frustrated them at every turn. So I've blocked my credit. My credit is frozen. My birth date out on the Internet is all over the place. I don't give my real birth date most of the time, because why would you? So I participate in a disinformation campaign just like everyone else, I guess, when it comes to some of the things that would be used against me. One of the things that I just did, I just upgraded my phone and I didn't restore it from backup, which is incredibly painful. But if someone's got a hook in you, then you restoring your old phone to the new phone just gives them a gift: they get to keep that hook in you. And it could be an ad tracker, it could be an app that you've installed that you shouldn't have installed, or your kids or grandkids shouldn't have installed. And it's a chance for a fresh start that a lot of people don't take because it is inconvenient. And if you listen to our podcast, Security This Week, you're going to hear me say if it's convenient, it's probably not working towards better security. Unfortunately, security is inconvenient. Disciplining your kids is inconvenient, as is working out. Everything that brings good results typically has some cost, and unfortunately security is not immune to that.
Jamal: I agree. I often say to my mentees, nothing good is easy, or nothing good comes easy.
Patrick: That's true.
Jamal: Definitely aligned there. So essentially what you're saying is it's the same kind of patterns that you're seeing across businesses that we should actually practice as individuals. It's those basic things: using up-to-date systems, making sure we have thought about our passwords, we're not using the same password everywhere, and we're not trying to be clever. Think about it. Making sure we're not using outdated technologies, making sure everything is running as it should be. One interesting thing that you said then, which I hadn't thought of, is actually restoring those backups, making sure that we're actually having a fresh approach. So anything that could have penetrated our infrastructure into us, that's where the damage is limited, and we're not bringing that threat and giving them a free ride, a fresh start, into the future.
Patrick: Yeah, it's difficult because you have to download all your apps, you have to get all your identities, but it also keeps you a little bit tech savvy. So when I'm mentoring someone, I tell them that every day they should spend a half an hour to an hour doing something they know they should do but could get away without doing. That's discipline. Discipline is doing something you know you should do, but you could get away without doing. And maybe it's changing one of your passwords every day and making it a better password, really thinking about it. Having a password manager, going and reviewing the apps on your devices to decide whether they should still be there, should apps be discontinued, because a lot of exploits come through something that's no longer used anymore, whether it's an old test website, whether it's an application that was abandoned and not patched. So there's something called a zero day that many people have heard of. A zero day is when a hacker has an unknown attack that they can use, and they're worth millions of dollars in some cases. But there's also something that's called a one day. And a one day is when a hacker doesn't invent a new security breach, but they wait for the new patches, they reverse engineer the patch to figure out what the vulnerability was, and they go after everybody who hasn't patched. There's a race. Once the patch comes out, you need to get that in place, and you still have some time, but the time window is starting to get smaller and smaller. So having an old system in place that you're not using increases your attack surface. It's like, how many windows do you have in your house? Well, every window is a place that somebody could break in and get into the house. So fewer windows makes a more secure building. The same thing is true of apps and endpoints and software. The less you have, the more secure it is; the less surface area there is for the hackers to get in.
Jamal: Makes sense. It sounds so simple when you put it that way, but absolutely, it makes sense. Okay, so, Patrick, what's the most important emerging security challenge all of us need to start paying attention to?
Patrick: So I think it's OSINT. It's open source intelligence. So if I go out, we've heard about the breaches, Target and this and that, and every other one; LinkedIn has been breached. So many of those breaches. Well, what many people might not realize, and it's been going on for more than a decade, is that the hackers and organizations like our own collect those breaches and turn them into a database. And so if I were going after you as a bad guy, I would do a search on the dark web for everything I can find out about you, and I might find out that you love dragons, that you're into Game of Thrones and that kind of thing. And so dragon is a big part of your password, past maybe, and hopefully I'm not guessing that correctly, but let's say dragon, it's a good word. It's six characters, and you might be dragon one, two, three, or something like that. Well, if I see some examples from the dark web of breaches in the past where you've used that word, I can probably guess your password pretty quickly for Gmail and things like that. So the fact that I know that seed is information I can use against you. And so we're starting to see people getting messages to call someone. Hey, there's no link. There's nothing to download. It looks innocuous. Well, what could hurt if I call this person? Well, if you call that person, they can find out that that's your active line. They can find out they can talk to you and find out maybe where you are. They might be able to find out anything that they can convince you to tell them. Hey, how's the weather? Where are you at? I'm up here in Boston, where are you at? Just little small talk is information, and information is power, because I can then take that information and use it to convince you or someone else that I know you, that we talked last week or that we went to a college seminar together. There's a movie called Groundhog Day with Bill Murray. I don't know if you've ever seen it. And he lives the same day over and over again. And because he can ask somebody questions like who their third grade teacher is, he can pretend to be someone who went to third grade with them, and he can build a rapport very quickly. That's hacking. That's social engineering. And so it's starting to come and leak into more and more of our lives with things like ChatGPT making it easier for people to write in ways that the spelling errors aren't going to give away the fact that it's a phishing attempt. That used to be the case: if it's really badly spelled, then it's probably a phishing attempt, and that's going to be banished. That's not going to be the case anymore. So we have to get more savvy. And so it's not that there are new threats. It's that the threats are coming down and becoming more ubiquitous. If I had to pick.
Jamal: But that's super interesting. A number of clients where we've had, or where the clients have had, security incidents, it is those social engineering attacks. They speak to one person, get some information. They speak to someone else, get some information. They get access to someone's email. And all they do, they're very patient, these evil hackers. They sit there, they collect information, they see there's a big deal about to happen. And they jump in last minute and say, okay, yeah, this is where... make the payment, or we haven't received it, or can you do this, that and the other? It happens all the time, convincingly, because they have all of this information. It's like, oh yeah, of course, I must be speaking to them. How would they know all this information? And next thing you know, you're out of pocket.
Patrick: So we deal with that a lot. We get called in a lot of times. The first contact we have with a company is, we just lost $100,000 by paying the wrong vendor. And they have no idea who's to blame. They want to figure out blame in most cases. It would be better to do prevention. What we tell people is we're now in an era of second channel confirmation. So if you and I are doing business and you send me an email that says, hey, I need you to change the banking location, we changed banks. This happened a lot around Silicon Valley Bank because it was a perfect excuse for the hackers. Hey, we had exposure because of Silicon Valley Bank. We weren't banking with them, we were banking with some affiliate. And so we're changing banks. And so you owe us 127,000 dollars and fifty-seven cents, which is a very specific number. I know the number, I have the information, and it's sent from the person who sent you the original information, and it's sent from their email. Well, in most cases it's because their email was taken over. The hacker went through the mailbox and said, oh, there's a payment coming up. I'm going to send an email from that account in exactly the same style with exactly the same language and just tell them, oh, please update the banking information. And that does happen in the real world, but everyone who's listening should know that when it has any impact on money, or where money is going to go, or how money is going to go, you go and you call that person on another channel. You contact them through Signal, you contact them through chat, you talk to them on the phone. You go and drive to their office and say, hey Jamal, did you do that? Did you send that to me? And I'm famous inside our company for it: I'll verify emails that maybe I don't have to, but if there's any doubt at all, if there's a chance that there should be a doubt, double verify. In God we trust; everyone else, we double check. Okay? So if we can start getting that level of paranoia, that healthy paranoia, and it's inconvenient, I get that. But we're talking about real money. And if you don't care, if it's $50 and you don't care, take the chance. Maybe you'll get ransomware and it'll cost a lot more than $50. But still, the second channel authentication is really the key. And really that's what two factor authentication is, isn't it? Two factor authentication is just you're not just trusting that the person knows the password and that means it's them; it's do they know the password and have their phone and have the authenticator installed and configured. It's that second factor that adds the extra security. If I gave you a password and a PIN for a website, that doesn't add to the security; it just means that the person would have to steal both pieces of information. But by making it be a separate thing completely, a whole separate channel, I get much, much more security.
Jamal: You're absolutely right. We're not seeing new threats. We're seeing the same threats just delivered better or performed better, with a slight tweak to it. And this is what we need to kind of be very conscious of: oh yeah, we know how to recognize a phishing email because it's going to have a spelling error, or the A is going to be a different A to the one they're going to use, and just thinking, oh yeah, we're safe because we know to look out for that. We're trained on that. It's not enough. That was yesterday; it's evolving, stay up to date. We need to be alert and we need to be in the know. Which brings me on to my next question. How can privacy professionals and businesses stay up to date with the latest security trends and the best practices, other than listening to the Security This Week podcast?
Patrick: You stole my answer, so I would suggest you spend a little bit of time just every week, every day. It's like if you want to learn Spanish, you got to nip away at it. You're not going to learn Spanish in a week; you're not going to learn cybersecurity and all the best practices in a week. You have to sample it on a regular basis and inculcate it, and you'll hear the same themes: patching, password management, second channel, multifactor authentication, things like that. There are plenty of videos on YouTube, there are plenty of great podcasts like yours and others as well. You don't have to become an expert, you just have to understand the terminology. For example, SQL injection is a term that many people might have heard and they don't really understand. Well, you can learn enough about SQL injection in about 30 minutes of just watching videos, and you don't have to watch all of them; watch enough so it's like, okay, now I understand what they're talking about, they're getting too deep. Let me skip to another one and listen to the overview. When I train a new intern or somebody who wants to get into cybersecurity, I tell them, first you have to learn the verbiage and the terminology. You have to understand what the word Kubernetes means. Not because you're going to become a manager of Kubernetes, but because if you stumble on a file or if there's a conversation about it, you can understand what they're talking about and why they mean that. It's also, if you wanted to be a horticulturist, you'd need to know what an elm is so you can know it's not a breed of grass and it's not a bush. It's a tree. You don't need to know everything about an elm, but you need to know that it's a tree. You don't need to know everything about SQL injection, but you need to understand that it's an attack and what kind of attack it is. And so it's that literacy that I would say that they need to get, to understand zero day, injection attack, cross site injection. It's the terminology. If you know that, then you can consume the information better and more efficiently because you won't get confused when they say it's a privilege escalation attack. So, for example, one of the things we talk about a lot on our podcast is, oh, well, yeah, this is a privesc. Well, that means privilege escalation. Well, that means you already have to be on the system. It doesn't give me access to the system. It gives me escalation. Why is that important? Well, if you look at the last big well-published iPhone hack, the last one I looked at, maybe it was over a year ago, so there have been a couple since then. It was a chain of seven different exploits chained together that went from I don't have any access to full access.
Jamal: Wow.
Patrick: If you took out any of those links, you wouldn't have the exploit. And so we're finding that things are getting so much more complicated because we're chaining together exploits. So, for example, let's say you have a WiFi router, and that WiFi router has a bug in its logging module, Log4j, that lets me get onto the system. Well, that's remote access. That's one kind of exploit. But if I'm on the system as a low-privileged user, I can't do anything. I can only read one directory, and it's an empty directory. I can't do anything. I need privilege escalation. I need to be given more power. And so if you understand, well, this is remote code execution, this is privilege escalation, things make a lot more sense because everything's not the sky is falling. So sometimes me, Duane and Carl will say there's a lot of big deal about this exploit, but it's not dangerous unless someone's in your network already. And so by having that literacy, and I know that's a very long-winded answer to that question, but if you have that literacy, I think it helps you everywhere.
Jamal: I love the answer, and thank you so much. And you're absolutely right. If we're going to learn something, if we're going to try and have conversations, we're going to pick something up, we need to understand it at a very basic level at the very least. It's a little bit like saying, okay, I want to get from here to the supermarket. Just thinking about it is not going to happen. I can wish it all day. I can wish I can teleport myself, but I can't. So I need to figure out how to get myself there. So I need to understand how to drive a car. That doesn't mean I need to understand how the combustion engine works. But I need to know enough: what the steering wheel is, what the gear levers do, what the pedals do, where to put fuel in, how to turn lights on, how to use the horn, and what all of these different terms are for me to be able to get from A to B. Now, that doesn't mean that I want to become a car manufacturer.
Patrick: Exactly.
Jamal: Or like Schumacher. It just means I need to get from A to B. And it's the same with security and privacy and any other thing. How we do one thing is how we do everything. We need to get familiar with the terms. We need to get familiar with the concepts so that when we are hearing, or when we are looking to learn, when we're looking to understand, it's not all just going above our head as a foreign language, but we're able to make sense of it to the level that's appropriate for what we're dealing with. And if we want to become experts on it, then, okay, great, that's fine. But it all starts by first immersing ourselves as sponges into that environment, picking up the verbiage, understanding what all the different acronyms mean and how they start piecing together. And when we do that, we'll make our own connections, we'll get our own insights. And that's when we start adding more value to the businesses who are signing up, or signing us up, to protect them. And that's when we can actually add more value and contribute to the industry, contribute to the community, and really start moving those conversations along and also start advocating, because if we are able to understand these things, it means we can start having conversations. We can explain this to our non-technical colleagues. We can explain this to our non-technical peers.
Patrick: Security is the computer literacy of tomorrow. So remember about 25 years ago, people started to realize that in order to have a good job in accounting, they needed to have computer skills. Well, they weren't going to be computer programmers, so they didn't understand. But then we saw, well, in order to be good on almost any job, you had to have some computer skills. We're now coming to the era where in order to have a good job, you need to have security skills. We're not there yet, but it's coming. And so get ahead of that curve. Listening to this podcast means you're already probably ahead of that curve. But security literacy is becoming absolutely required. I have a program where we've been teaching security literacy and how to prevent identity theft and how to keep kids safe over the summer from cyber. We're trying to do that more in the community, trying to do that more in the schools. I've taught it to high school students. I'm going to be teaching at the local library. If you have these skills, go to your community. You probably know a lot more than the people who are running your library even, and if we can share this and make this a shareable thing, then we'd all be much better off.
Jamal: I love that. I love the advocacy there. And yes, it's all about giving back. It's all about creating legacy. But I read a quote over the weekend from Ralph Emerson, and he said, to succeed is to know that your existence had made one life a little bit better.
Patrick: That's right. Yeah. That is success.
Jamal: When we help people to have security over their information, to protect themselves against identity fraud, to protect themselves against their bank accounts being drained out, to protect those businesses against having those patient records blocked out or being exposed or being used in ways that shouldn't be, that is to make someone's life easier. Because anyone that's been through an attack, anyone that's been unfortunate enough to have their identity stolen, knows how difficult it is to clean all that up and then even try and get a job. We speak to people who can't get a job because their credit file is all messed up, and the only way they can get out of that is by declaring bankruptcy. And now that reports, but then try explaining that to HR.
Patrick: It sounds fake, sounds hollow.
Jamal: Yeah. I think sometimes we take these things for granted. And like you said, it all comes back to understanding and appreciating the basics.
Patrick: Now, you're in London, right? So do you guys use the same three credit bureaus that we use in the United States? Equifax, TransUnion and Experian. Okay.
Jamal: They are the major ones, yes.
Patrick: So my advice, if you're not in the middle of buying a house, buying a car, opening credit cards that you need to open, go to those three and freeze your credit. It's very inconvenient if you want to open a credit card at a store, because you can't. But it makes it impossible for somebody to buy a house in your name and steal your identity and then rack up the hundreds of thousands. They can't open a credit card. They can steal your credit card and use your existing credit cards. So don't think that you don't have to keep checking your statements, but that's the principal way that you prevent identity theft from being catastrophic: by freezing your credit so that only you can unfreeze it. But you have to log in to all three sites. You have to set up an account and you have to set a freeze. And while you're doing that, they're going to try to sell you a service to do what you can do for free all the time. They're going to keep bombarding you. Well, you could upgrade to this free service, or you could just buy this service, and we'll do it for you. You can do it yourself for free, and everybody should. And it's amazing how few people freeze their credit. And you can even do a thaw. You can schedule a thaw: hey, I'm going to go and buy a car next Tuesday. I'm going to thaw my credit for the day. The hackers aren't going to get in that window, typically, and so you're still protected, but that's something most people don't even know you can do.
Jamal: That is super insightful.
Patrick: So I'll tell you another story. So I have a credit card that I use quite often. It's my primary card. And I got an email that said... actually, I had an incident where somebody... I had fraudulent charges. I found them right away because I checked my statements and the bank also notified me, and I'm like, oh, no. So they cancelled the card and sent me a new one. And I got the new one, I activated it. And then I got an email about three weeks later that said, we've sent you your new card. And I'm like, that's not right, because it's too far abroad. And I'm paranoid, because only the paranoid survive. So I called up the bank and I said, I want to understand what's going on. We mailed you the new card, or the replacement card, to Kansas. I don't live in Kansas, never lived in Kansas. So some hacker convinced them, they hacked my bank, not me, convinced them they were me, got them to change my address and my phone number, right, but not my email. And they had a replacement card sent to Kansas, and I caught it, like, the day it got mailed out. And so we cancelled that. We changed my account so that it required a voice password. So I have a voice password now. And you might think, well, how do you remember this stuff? Well, you put it in your password manager. That's why you have to have a password manager. And so now when I call up that bank, I not only have to go through the whole rigmarole, I have to remember this password that is a very random word that has nothing to do with my life. And then they can talk to me. So it'll be very inconvenient if I lose that password or I forget that password. I'd have to go through a lot of hoops, but it helps prevent the identity theft. And that's when I said, you know what, I'm freezing everything, and I froze all the credit. And I'm a mature person who has all the credit cards I need at the moment, but I do know I can go far out, like you said. So an ounce of prevention is worth a pound of cure.
Jamal:Absolutely. Always a big fan of prevention rather than cure. You mentioned ChatGPT earlier, and you also mentioned voice passwords now, voice authentication. With artificial intelligence, especially generative artificial intelligence, how do you think the landscape of cyber threats is going to change and evolve?
Patrick:It's going to keep evolving. I guess I'm really old. I remember that there have been many of these inflection points where it's going to change everything. The mobile phone, the smartphone changed everything. The internet changed everything. Nuclear weapons changed everything. I mean, there have been these evolutions. I think generative artificial intelligence will be one of those. I just recently wrote a blog article about how I don't believe that the AI we're seeing today is Doomsday AI because it's still too stupid. It looks intelligent. So I'll give you an example. If you didn't speak a language, let's say aliens abducted us and they said, you're our search engine now. And they gave us their language, which we will never understand. We will never understand their language. But they gave us infinite time. We have an infinite amount of time. We can take all the works of their writing and organize it so we understand what words are related to which ones and correlated, but we don't understand any of the words. We don't know what apple is in their language, we don't know what computer or internet is in their language. But we have all these algorithms to say, if they say bleep, then it's blarp, and they give us a question that we don't understand, and we use our algorithms to produce a response that we don't understand. And they laud us as the most brilliant writers of their age. And that's what ChatGPT is. It doesn't understand the way we understand anything it's ever written. It's just really good at parroting back what we want to hear based on algorithms, based on numbers, mathematics, correlations. Once you understand that, you realize it's not going to love or hate us or do anything. Could someone program it to do bad things?
Patrick:Yes, somebody can write a program, a do loop to launch nukes right now, but that doesn't make it artificial intelligence that's killing us. It means somebody's the villain behind the screens. We're still at that phase. Where it can be disruptive is in social media, spreading disinformation, doing deepfakes. And that's again where we need to verify. I seek out as much as possible. I was on a podcast not too long ago where they asked me what the key to my success was. I run a successful company. I can brag about a little bit of success, I think, and I say that I seek out alternate narratives. I try to find opinions that disagree with me because I find if I'm anywhere towards the fringes, I'm probably off base from the knowledge of the masses. The masses don't get everything right, but they typically don't get things so totally wrong near the fringes. And so it's the same thing if you hear information, you're going to have to verify it. Now you can't be lazy anymore. And that's what gets us into this trouble of these echo chambers, and if you don't have the time to do that, as Marcus Aurelius said in his famous book Meditations, you can choose to not have an opinion, you can choose not to care about things that you can't change. And I think we're going to have to get a lot more of that stoicism into our lives in order to not go off the deep end.
Jamal:Wow, that was very profound. Thank you, Patrick, for sharing.
Patrick:Sorry if I brought the room down.
Jamal:No, I love that. Patrick, one of the things you mentioned was about some of the success that you've had and enjoyed and what's really helped you to achieve that. At the Privacy Pros Academy, we're all about developing world class privacy professionals. And for anyone who's thinking about becoming a world class security professional, what advice can you share with us that would help us to stand out?
Patrick:So they have to become a voracious consumer of information. As I kind of said earlier, we tell those that are trying to embark on doing what we do. So saying you want to go into security is kind of like saying you want to get into medicine. There's everything from podiatry to X-ray technician to bedpan emptier. There's a big range there. We're typically talking about people who want to do the kinetic stuff, go in, break some stuff, tell them what you broke, and then move on to the next one. That's the hacker stuff. That's what we do. We don't do the checklist. Well, your fences are three inches too short. You need to fix that. That's very important, but it's a different skill set. So for the kinetic, hoodie-wearing hacker type, and I believe you talk to people like that as well, it's more about consuming as much information as you can so you recognize things. So I use Kubernetes as an example. I use it all the time. If you're a hacker and you're in a network and you find a Kubernetes config file, you need to know what that's for, otherwise you might miss an opportunity, you might miss a trick. And we find that most of the time when we're breaking a system, it's the experience that makes a difference. So have you ever heard of Hack the Box? They're actually based out of the UK. Have you ever heard of Hack the Box? So me and my partner Duane, and two of our senior hackers, and by senior, I mean the oldest among our company, decided to see if we were as good as we thought we were, because every hacker thinks they're great and I like to challenge my assumptions. So we started a Hack the Box group. This is a couple of years ago, and we said we're going to spend Friday afternoons and as late as we want in the evening, but that's all we're going to do. And the four of us are going to see what we can do with Hack the Box. And Hack the Box has 20 systems active at any time for you to hack, and every week they rotate one in. And some of them are insanely hard, and some of them are pretty easy. They have challenges and all this other stuff. And there's about 300,000 hackers going after them at any given time, and there's about 50,000 teams, as far as I can tell. There's no official count. In order to get in the top ten, you have to get everything. You have to break every system, and there are very, very few people who do that. Well, we did that in three months.
Jamal:Wow.
Patrick:We were number seven. We were number seven for a while, and then we realized in order to go higher, we would have to be first, which meant we would have to hack on Saturday, because you have to be the first one to get into a system. And we had lives, so we're like, seven is good enough, we're out. But the reason we could do that with four people is we're old and we've seen everything. I know why the TCP/IP stack is the way it is, because I remember when they changed it from this to that. I know the difference between IP version four and six. I know what frameworks Salesforce was originally built on. I remember a lot of this stuff, and I know a lot of this stuff, and I remember old stuff, and that's hard for a new person to get to. So they have to kind of get this literacy that I talked about, and they have to consume as much as possible. We'll give them a Pluralsight subscription or some other, like Udemy or one of those subscriptions, and say, just watch the first ten to 15 minutes of everything. I don't want you to watch the five days of training on Kubernetes. I want you to know what it is and what terminology and what other terms are related to it, because you need to be able to recognise things. So when I was a cadet at West Point, I did a summer with the Military Liaison Mission in Berlin, and they would go over into East Germany and they would spy on the Russians. It was literally a game of cat and mouse. And they would spend four to five hours a day studying vehicle recognition. And they could tell the difference between a self-propelled howitzer with an autoloader and one without by an antenna being three inches in one direction or another. So that's the kind of thing where you need that corpus of information to be able to see the opportunity, because hacking is all about opportunism. It's about, well, what if we did this? And you've got to think outside the box, but first you have to understand the box. So again, long-winded answer to a short question. Sorry about that.
Jamal:I love the long-winded answers, because I say that's what helps us to reach that level of excellence that we need. If you gave short answers to short questions, it'd be a very short podcast and we wouldn't have the value that you bring. So I'm so grateful, and on behalf of everyone listening, thank you for sharing all of that value with us.
Patrick:For the job you want, you need to be able to stand in a room with two people who know it cold and who have decades of experience and listen to their conversation and not necessarily track and be able to add to it, but not miss what they're talking about. I have another podcast called Entangled Things at entangledthings.com about quantum computing, and that's definitely one of those specialized things. So you'd need to know about superposition and entanglement. You'd need to know about Shor's algorithm and encryption. You'd need to know about Grover's algorithm and sorting. There's a terminology for everything. There's a terminology for privacy. There's a terminology for gardening, for horticulture. You just need to figure out what that terminology is and be literate in it so you can learn, because if you don't understand the terminology, you can't learn, because you don't even know what they're talking about.
Jamal:I love that, and that ties into everything you've been saying earlier. It all comes back down to discipline. So could you be mediocre, get a check at the end of every month by not spending an extra 15 minutes listening to something on a daily basis? Yes, you could. But would you become a world class professional? Probably not. However, if you do the thing that you don't need to do, that you could get away with not doing, on a daily basis, not only would you get familiar, not only would you learn new things, but it's really going to help you to propel and really start moving towards that excellence, world class level as a professional. And that's exactly what we're all about. Patrick, that's been absolutely amazing. So we've spoken about so many things on the podcast today. We started off talking about what got you inspired to create your own Security This Week podcast. And then we talked about some of the kind of false or limiting beliefs businesses have. They believe they're not worthy of being attacked. And we said, look, threats. It's the same threats. There aren't really new threats. It's just a new way of that same threat resurfacing. So when it comes to protecting it, it's always the basics: up to date systems, password management, making sure that you're aware of things. And what I loved about what you said, Patrick, was, in God we trust; everyone else, we double check.
Patrick:I think I got that in the military as well. That might have been a military aphorism.
Jamal:If we take all of those things, make sure we're doing that second channel authentication, and we make sure we spend a little bit of time every day doing something that we could have got away with not doing. Even when motivation dips, we maintain discipline. And that's really going to help us to achieve the goals that we want to achieve. It's going to help us deliver and serve better as world class data protection professionals, and it's going to help us to protect our organization and our clients' organizations in a much more robust way. And we won't be the ones in the headlines. We won't be the ones that have to worry about that. And we can actually start using that time, instead of firefighting and trying to deal with the symptoms of the problem that we ignored, to take action to stop anything future coming along, and enjoy the time and enjoy the ride.
Patrick:Amen. Amen.
Jamal:Okay, Patrick, so before we finish up, I always give guests the opportunity to ask me a question. It can be anything you like. So what would you like to ask me?
Patrick:What's your favourite restaurant in London?
Jamal:Oh, it depends on the mood. Are you coming to London any time soon?
Patrick:I come to London more than once a year, typically. So we'll have to have lunch. That's why I'm asking. Definitely.
Jamal:What kind of food do you like?
Patrick:More of a meat and potatoes, steakhouse usually kind of guy.
Jamal:All right, there's some great steakhouses. You let me know when you're getting here and I will make sure I will take care of the reservations.
Patrick:Deal?
Jamal:All right, sounds awesome. Guys, if you're listening and you want to join us for lunch, then unfortunately, I'm not sure the restaurant we're going to go to can cater for all of us, but we would love to definitely see you guys. If you're looking to upgrade your data protection skill set, if you're looking to become a world class privacy professional, then get in touch. We can definitely help you to future proof your career. And if you want to find out more about Patrick and his business, we're going to put all of those links in the show notes, and we're also going to put a LinkedIn link to Patrick so you can get in touch if he said something that sparked your interest, if he said a term that you don't actually understand, or if you're one of those geeks and you want to know more about the other podcast with specialized knowledge, and you want a bit more information around that, then you can get in touch with Patrick. Stay tuned, because next week we're going to have one of Patrick's great friends. We're going to have Duane coming on, and he's going to share so much more valuable information. If you thought listening to Patrick was a bonus, wait till you listen to what Duane has got to say. And when we put those things together alongside all of the other thought leaders that we have on this podcast, wow. You're going to be heads and tails above everyone else.
Patrick:Oh, you're going to love talking to Duane. He's fun.
Jamal:There you go. Is there anything we should know about Duane before we speak to him next week?
Patrick:So Duane's the nicest evil hacker you will ever meet. So Duane was the core of our team. He was one of the four, and his twin brother as well, so Duane was on the team twice, technically, and he's one of the most powerful technical cybersecurity professionals I've ever met, and I've met a lot of them.
Jamal:Okay, so we're going to have the nicest evil hacker on our podcast. I can't wait for that. Patrick, thank you so much for sharing all of those valuable gems with our listeners. On behalf of everyone, I want to say thank you very much for making the time, and I look forward to catching up with you again soon.
Patrick:Definitely. Thanks again. It was great talking to you.
Jamal:All right, folks, until next time. Peace be with you.
Outro:If you enjoyed this episode, be sure to subscribe, like and share so you're notified when a new episode is released.
Outro:Remember to join the Privacy Pros Academy Facebook group, where we answer your questions.
Outro:Thank you so much for listening. I hope you're leaving with some great things that will add value on your journey as a world class Privacy Pro.
Outro:Please leave us a four or five star review.
Outro:And if you'd like to appear on a future episode of our podcast or have a suggestion for a topic you'd like to hear more about, please send an email to team@kazient.co.uk
Outro:Until next time, peace be with you.