Against-the-Grain Cybersecurity for Managing Cyber Risk

Patrick:

Hey everybody, welcome back to another Kitecast episode. Tim, my co-host, has joined us. Tim, how are you doing today? 

Tim Freestone:

Hey Patrick, down a backdrop though. 

Patrick:

that? Kitecast backdrop. I’m missing it. I’m on brand at least. So for today’s podcast, we have real treat Albert. Well, he’s an international award-winning author speaker consultant and entrepreneur. He’s the lead author for the hacked book series. There’s two of them. Uh, they’ll they’re included actually in the URL for today’s podcast. You want to make sure you check those out on Amazon. He serves as the global ambassador at the Napoleon Institute, startup mentor at the Founder Institute. He’s a senior security manager, security architect at DevSecOps, ATRAM, senior security consultant, which he also founded IT Security Solutions, you name it. This is just what he’s doing today. If you look at his career history, he served as the president CISO at IT Security Inc, senior security consultant at BNY Mellon, among various other roles and businesses. Albert holds a bachelor’s in electrical engineering from Penn State University. He’s a Streetwise MBA at the SBA Emerging Leaders Program as well as the founding Institute. He’s a highly engaged professional in the cybersecurity entrepreneurial communities of board member at various organizations. I don’t know when he sleeps. Albert, thanks for joining us. 

Albert Whale:

It’s little hard when you had six kids, you didn’t get to sleep, you know what I mean? 

Tim Freestone:

With six kids, that’s amazing. Patrick, you keep getting these guests that make us look like schlubs. It’s like Tim and Patrick, they do marketing, next. 

Patrick:

I don’t know, well, speak for yourself. So 

Albert Whale:

You know, that’s why I’m working, to make it look easy for you guys, that’s all. 

Tim Freestone:

Yeah, okay, good. 

Patrick:

Make a good starting point. The books you published, they’re award winning books. How did you get onto these? You’ve done a sequel to the first one. You wrote the entire first volume and then you had a bunch of contributors who helped you with the second one. How did that all come to fruition? 

Albert Whale:

Wow, that’s a really great question. So, you know, in 2021, I decided to sign up for ball proctor coaching. And I took his coaching program under Cleona O’Hara. She’s now the CEO of Napoleon Hill Institute, which now I’m an ambassador and coach for. And we guided my evolution of being able to get things done to a much higher level. Hashtag hacked was written in eight weeks. Hashtag hacked two with 12 additional authors was written in three months and also became a number one international bestseller. And by the way, there’s two more books in the pipeline. 

Tim Freestone:

a model for productivity? Because eight weeks, that’s impressive for a book. Take me eight weeks just to 

Albert Whale:

So 

Tim Freestone:

write a letter. 

Albert Whale:

there’s a lot going on in Napoleon Hill’s teaching. And some of the things are changing your paradigms and changing your work habits and clearing your mind and being able to be more receptive to getting things done. I mean, if you wait till the last second, the amount of effort that it takes to get the job done is still the same, but you’ve waited three months. instead of doing it in six minutes. If it takes six minutes, get it done. 

Tim Freestone:

I don’t know if you have this on your agenda here, Patrick, but I sure would be interested in hearing more about the Pulling Hill, if we can squeeze it in. But, you know, because the concept of productivity and getting shit done, excuse my French, is applicable to all professions, obviously. And with cybersecurity 

Albert Whale:

It sure is. 

Tim Freestone:

and the lack of trained talent, obviously getting more done with less is the top of every CISO’s. leaders mind, especially when it comes to their team. So  

Albert Whale:

We’re five million experienced cybersecurity professionals. So 

Tim Freestone:

Just

Albert Whale:

we

Tim Freestone:

a view.

Albert Whale:

got to do better with what we have, right?

Tim Freestone:

Yeah.

Patrick:

out. So that’s maybe a good segue. I mean, let’s talk about Napoleon Institute. You got hooked up with these guys a year or two ago, you know, talk about what they do, you know, who’s involved in the program.

Albert Whale:

So the leaders that are involved have all been in personal development for a number of years. And what they’ve done, Cleona O’Hara was an orphan and she came over from Ireland or Scotland, homeless. And she got connected with Bob Proctor and started learning the goals and philosophy of Napoleon Hill’s teaching. about being able to organize your mind, about associating things with what needs to be done. And that’s how I got hooked up with her. I was actually following Bob Proctor on YouTube for five years, but in five years, I got nothing done. And Cleona eventually got ahold of me at one of the conferences and said, look, until you make the decision. the pathway won’t be shown in order to get it done. And I had every excuse in the book, I can’t afford it. I don’t have time for it. One of the things that came up was I was getting up at seven o’clock to go to work at eight. And when I signed up in the program after she finally convinced me that, I wasn’t gonna change my life or the results that I was having unless I did something differently, which she was right. I said, I’ll get up at six o’clock in the morning. She said, well, I’d like you to get up at 5.30 so you have enough time for study and to learn a material and to let it acclimate with your mind so that you’re able to do these things. And I’ll tell you what, after two weeks of, I told her I’m gonna get up at six. After two weeks of getting up at six, I said, I have to get up at 5.30. I’m getting up at 5.30 now because the material is so good. And what I’m learning is so important to getting things done. And I’m seeing a change in everything I’m doing. So recently, I signed up with Napoleon Hill Institute as a founding ambassador and coach. This is our challenge coin. These are handed out to only the first initial founders and ambassadors for Napoleon Hill Institute, which now has exclusive access. to all of the works of Napoleon Hill, including his videos and hundreds of books. And it’s just amazing. So we have a public offering that’s available. It’s free of charge on Fridays. It starts at 10 AM. I’m happy to provide a link to anyone that connects with me. Ask me for the link and I’ll send it out to you. There are several different programs and tracks. Let me tell you, it’s life changing.

Tim Freestone:

That’s, that. I hadn’t heard of it before today. So interesting.

Patrick:

So what did you do as an ambassador? You know, what’s your engagement like? You have how many people do you work with?

Albert Whale:

Well, right now I’m promoting the materials, but I’m also coaching because I’ve made sales to other people. I’m actually coaching them into improving their lives. I have a client that came from Boston. She was without a job and everything. And she didn’t have a family either. She was adopted and everything. So she had foster parents, which became her parents. And she signed up with me over a month ago. And she’s ended up with two jobs. She’s gone on vacation for the first time in four years. And her posit, her mental attitude has become completely positive. And she sees things so totally different now that when she looks at back at to who she was when she first met me. It’s life changing. She, she thanks me every time we communicate and I’m her accountability coach, as well as trying to direct her in. her personal study to help her grow.

Patrick:

You meet with the folks you’re coaching every week or what does that process look like?

Albert Whale:

Yeah, it’s a coaching program every week, but also people that sign up in the program have the opportunity to go through daily study. But daily study in the program also includes all the recordings so that you don’t have to attend live. You can actually catch up on it in a recorded format, and it’s just very beneficial.

Patrick:

Tim’s been harping on the fact we need to write a book, so now he expects me to write one in eight weeks due to

Tim Freestone:

Yeah, that’s the exactly bar that we set. Thanks a bunch.

Albert Whale:

Well, it doesn’t off quite like that. I can’t sprinkle that pixie dust on you guys because we’re in a virtual world right now, but

Tim Freestone:

We’re not.

Albert Whale:

certainly with the right direction, we can get you there.

Patrick:

So in hacked, what content do you find in hacked? You had a number of different contributors in hashtag hack two, they pick their own subjects or do you assign the topics to them? How did that work?

Albert Whale:

Sure. So hashtag hack is all about my journey and the different evolution of cyber security. How many things there are, what people can get engaged in, and really where is cyber security going? And actually talk about in the very end, a tool I’ve created that sits inside the network to eliminate the attackers that are already inside. Oh, did I say that? There’s attackers already in your networks. Come on, guys. Hashtag hack two came out with 12 professionals that all got to talk about whatever it was that they’re doing in cybersecurity, including one female and she does sales very well. And Maggie Dillon is her name. And we were happy to have her because we need more females in the industry. You know, just this week, this past week, I talked to the CISO for PNC Bank, Susan Koski. She just won an award and we need more females driving the industry to bring us closer to better protection.

Patrick:

You think we’ve made progress on that front? Cause that’s an area that Tim and I have been interested in. We’ve done some reports I’ve had in past lives, a podcast and webinars on the topic. Are we making progress or are we kind of just treading water? What do you think?

Tim Freestone:

And if I just to add to that Albert, just for some more color, like for me, it seems

Albert Whale:

because the question wasn’t hard enough already, you’re going to make it harder

Tim Freestone:

I got to reinforce the dire straits we’re in. So it seems like all these billions of dollars going into cybersecurity companies and all of the personnel, it’s like keeping us just barely above complete and utter catastrophe. We’re just, we’re like, floating at the point, it’s not

Tim Freestone:

What do you think?

Albert Whale:

we have a difference of opinion there.

Tim Freestone:

All right.

Albert Whale:

I agree. We’re spending billions and billions and billions of dollars. And I don’t think we’re making progress. Because instead of fixing problems, we have vulnerability management. Why do I want to manage vulnerabilities when I really need them fixed, right? And firewalls and virus scanners, they’re like 4% effective, which means The hackers know how to do things better than our defenders know how to get the job done. That’s why in hashtag hack, I say, we need to do this differently. And here’s why. Because what we’re doing is looking for an event after it happened. Wait a minute. We want to find the APTs. No, we don’t. Because our tools don’t look for APTs. They look for an event that might happen tomorrow on known threats. Well, if I’m only looking for known threats, what the heck? I don’t need the unknown threats, right? That’s the big problem. So I agree with you, Tim, that we’re missing 5 million people right now for cybersecurity experts. because China graduates five million analysts for their APT attacks every year.

Patrick:

And are we going to fill that with more women security leaders, more veterans? I know you’ve done a little bit of work in that area, Albert. Where are we going to fill the gaps? Or where are some of the possibilities?

Albert Whale:

Great questions. We need to start at a much younger age. We need to start in schools and getting kids interested in STEM. They don’t all have to be engineers, but we do need them interested in helping out the country. I mean, I’m a veteran myself, having served in the Navy and being discharged for back injury. But. getting people involved is the real problem right now because most people are staying at home, didn’t have to work for a while and they got used to it, right? Well, we can still work from home and do our jobs very effectively. I’ve been doing that since 1993. Before people said, you can work from home, they were telling me, you can’t work from home. We don’t know what you’re doing. Oh, watch me.

Tim Freestone:

So what I heard in there, and I’ll distill it down to one statement, is we have a collective brain power mismatch of the good guys versus the bad guys. They’re just more of them, and they’re smarter. So until we get to that collective brain power match or exceed, it’s always going to be a cat and a mouse and we’re the cat in this scenario. Is that?

Albert Whale:

We’re the mouse, they’re the cat. Here’s the problem.

Tim Freestone:

Alright, yes. Yeah.

Albert Whale:

Most of what we’re doing is compliance related. Nothing I’ve ever seen in the compliance world makes you secure. Now, if you’re securing your environment, certainly that could make you compliant. But if your focus is on compliance, that benefits the attackers because they know the rules for being compliant. And if they’re not following the rules because they want to break the rules because nothing is ever out of scope. All right. I I’ve been doing pen tests for organizations, some of them government, some of the military, and I present data to them about, you know, I can access all of the government sites from this one indication or this one subdomain on this site. And the response was. Well, that’s out of scope. But the attacker never says that.

Tim Freestone:

Mm-hmm.

Albert Whale:

Oh, heck, that’s out of scope. We can’t get in there. Oh, yes, we can. So we have to have a different mindset about what are we doing and how are we trying to fix things. If we continue down the same pathway that we’ve been driving for quite a while, we’re gonna get much of the same. I think it was Albert Einstein that said, thinking about doing things in the same manner. and expecting different results is the definition of.

Tim Freestone:

insanity.

Tim Freestone:

But what is the, and in your book, apologies, haven’t read it yet, but what, where do you, other than just if you’re thinking A, now think B, is there a prescription to any degree that, and by the way, I’m asking you to act, basically be God, but is there any prescription here that if you follow X, Y, and Z will at least get closer?

Albert Whale:

Sure. So a lot of us know what sites are legitimate and what are not. But the problem is we don’t know what’s out on the internet that our users are getting access to. Because when they get to a site and it has images on it, it might have embedded scripts to go to Evil Corp to download the latest version of malware. OK, that’s one problem. Another problem is exploits that are built into websites that people are visiting aren’t necessarily what we need to have inside the business. Thirdly, looking for tomorrow’s threat when we’re dealing with today. We should be looking at activity that’s maliciously aligned, like going to a. a website that has malware on it, and actually blocking that attack. Being proactive instead of reactive is the main thrust on all cybersecurity in my mind moving forward. And I wanna change cybersecurity globally. So being reactive is not being proactive and it’s not working. Every day I see hundreds of events being sent to my email on the news stories on, you know, different finds and different numbers of breaches of people’s data. Well, people can’t change their data. And people can’t be responsible for changing their password to use your system when it’s your system that’s

Tim Freestone:

system.

Albert Whale:

getting breached. Does that make sense?

Tim Freestone:

It does but it seems like it just always boils down to we don’t have enough talent like we can’t ever get to proactive state because to your point China’s graduating five million. We’re graduating five thousand

Albert Whale:

Well, I think that the tools that we’re using are all reactive tools. That’s why I promoted a tool I created, which is Proactive, and actually looks at current traffic. If we’re not looking at the traffic, we’re missing everything.

Tim Freestone:

Yeah, so tooling is in the solution, the right kind of tooling that’s somehow proactive. And that just gets down to the, look, we’re never gonna graduate 5 million people. So how do you make the 5,000 more effective? You

Tim Freestone:

We got to be more efficient. through technology. Right, scale.

Albert Whale:

Right, scale through technology, and I don’t mean AI, because AI, I don’t believe is the answer. It could be more of the problem. And as we get closer to quantum computing, you know, the encryption technologies that we currently have aren’t going to be able to avoid quantum computing attacks. So just encrypting data is not a way to secure it. People are still stealing the data. They’re just gonna be able to break the encryption faster. So we need better security.

Patrick:

the tool that you created, Albert, you talk about shifting left, you know, speak to how you define shifting left. Is it specifically focused on DevSecOps or is it much broader in scope?

Albert Whale:

Well, originally DevSecOps was the shift left mentality for new software. But if we look at it at a broader scope, I mean, certainly if you’re building software, shifting left and allowing the developers to be responsible for securing code, it’s their code, they wrote it. They need to know why is the code inefficient or ineffective for security, because only they can fix it. The analysts that… does the testing normally? Well, we don’t have enough of them. But if we allow the developers who are already writing code to fix it or test it by clicking a mouse click, then that helps leverage the technology, Tim, that we’re needing in the industry to align with better security methodologies. But more importantly, organizations need to understand that their third party risk is also a shift left mentality. Because if they don’t understand what is going on inside the vendor software and products that they’re using, they’re liable to have another SolarWinds event or anything else, a Log4j event that seems to be happening on a regular basis. Organizations need to take care of these issues, and the people that purchase these products need to find out how bad is the situation, what are they doing to address it, When was the last assessment done?

Patrick:

This doesn’t standards come into play their compliance and so forth, Albert, to a certain extent when you’re talking about third parties, because that’s one of the ways in which you can assess if they actually comply with certain security standards that you’ve established so that you’re not connecting third parties into your environment who lack cybersecurity controls and thus are at a much higher risk of being hacked when it comes to the content that they’re exchanging with you.

Albert Whale:

Well, I’ve always thought that standards were a good starting point. But once you understand what’s in the standard, just like the attacker, they’re going to understand what have you done to meet compliance. Compliance is the route that the attacker is going to utilize to get inside. So if you’re compliant to this XXX standard, SOC standard, ISO, NIST standard, then that’s the gateway that the attacker will take. And now that we’re working from home, those standards really don’t stand a chance because have we rewritten those standards from the work from home model?

Patrick:

And what changes do you think need to be made in those standards to reflect this new work from home reality?

Albert Whale:

A lot of the problems that I see in standards are that they’re doing a test on a periodic basis. And yet

Tim Freestone:

Yes.

Albert Whale:

our attackers are constantly knocking at the door 24 by 7. So anything that’s happening, whether it’s an assessment or monitoring, needs to be continuous. If it’s not being continuously scanned or analyzed for correct. network connections, permitted issues going on versus unwanted, undesirable connections, then you’re never going to know how secure are you. And we address a lot of that in CMMC standards for the defense industrial base, but I don’t think that the government organizations that have those are held to the same level of standards.

Tim Freestone:

This gets to kind of a bit of, I guess, a soapbox for me around third party risk management. You would think inherently that the R and the M together there would mean something’s happening on an ongoing basis or always on. But if you peel back the layers and you look at these solutions, the vendor risk management and TPRM, et cetera, like security scorecards and one trust and stuff, it’s point in time assessment. plus report equals risk threshold, and are you okay with risk threshold? But it’s always like point in time. So you do a point in time and then you do it in another point in time and between those two point in times, anything could happen. So…

Albert Whale:

And anything does happen.

Tim Freestone:

down.

Albert Whale:

biggest problems with those assessments. They’re normally done in a quiescent environment, meaning the users aren’t allowed in the environment, and they’re not tested because you’re assessing the environment to see whether or not the environment’s safe. But whenever there’s a problem, who’s involved?

Tim Freestone:

Yeah, it’s the people

Albert Whale:

It’s

Tim Freestone:

using

Albert Whale:

the users.

Tim Freestone:

1. Yeah.

Albert Whale:

So what are we assessing? only part of the issue. That’s why continuous assessment needs to be performed. That’s zero trust.

Tim Freestone:

Yeah, agreed. And one thing we talk about here at Kiteworks is your data is going to move into these ecosystems. So how do you have zero trust at the data layer, not just the technology layers, to say like this individual, it kind of goes back to the asset leaks and the document leaks with the Pentagon. I’d imagine that whoever leaked that, I can’t remember his name, privilege access to the infrastructure and the applications where those documents were. But at the individual document layer, there weren’t zero trust DRM applied to individual assets. So, this person could just take them even though they had infrastructure, network, and application least privilege management. So… Our position on this is, yeah, zero trust at the network and the application layer, but you got to bring it down to the individual assets that have your sensitive data in it. Otherwise,

Albert Whale:

All the way to the devices, yeah.

Tim Freestone:

yeah, the infrastructure, the network, the applications, and the content. As soon as you stop with the always on monitoring and the least privilege access, wherever you stop is to your point where they’re going to start. It’s sort of a deal.

Albert Whale:

if you’re not looking at who’s knocking at your door, they’re going to find a way in. Right? It’s kind of like

Tim Freestone:

just consume it

Albert Whale:

a night out with your wife after you’ve had a great dinner, and you find that there’s somebody on your couch watching your TV and eating your food. Are you just going to let them stay there? You have to get rid of them. So these assessments that are done are good only up until the time the is filed. And then they’re stale. Because

Tim Freestone:

And this may be,

Albert Whale:

you have an attacker

Tim Freestone:

on those is, right, the driver on those are compliance, right? I’m getting the assessment

Albert Whale:

Exactly

Albert Whale:

point. It’s all compliance matter, but it’s not a security benefit.

Albert Whale:

You get compliant. You checked the box.

Patrick:

You had an interesting reference, Albert, to federal agencies maybe aren’t applying some of the same standards that are contained within CMMC that their defense industrial base is expected to adhere to. Can you comment a bit on that? I mean, we have all these GAO reports throughout there that identify gaps. There was a report a few, few months ago, I believe that, in fact, I wrote a blog post on it, I think it was 60% of all. Uh, vulnerabilities that have been identified since 2010 still aren’t patched with federal agencies. Those, those are still substantial risk, right? So they can’t patch fast enough, let alone to your point, proactively defend their environments against malicious attacks, rogue nation states, and so forth.

Albert Whale:

Right. When I was teaching the Air Force about application security, I would actually go out to the teams that were building software, trying to show them exactly what’s going on with the software and how the attackers were breaking in. And that was very beneficial. Okay. Everyone got a clear picture of what’s going on because I actually taught them how to break in. So in the morning, I’d start out with people that have no hacking skills whatsoever. And at 2 o’clock in the afternoon, you could see the light switch turned on. The tears are streaming. The sweat’s pouring off their foreheads. They’re flushed. And they’re like, oh my god. This is how they’re doing it. But the problem with that is, when I went to see some of those teams a year later, they had the same vulnerabilities because they didn’t have the budget to fix them. So testing isn’t enough. Assessments are not enough. We need something that builds in the mitigation. That’s zero trust. That’s continuous monitoring. That’s stopping the attack.

Tim Freestone:

builds in the mitigation. Patrick and I spent a couple of years at a company called Contrast, which is IAST and Shift Left and DepSecOps and all that. And one of the founders, he did a lot of pen testing. Actually, both founders were pen testers. But he used to say they would play Vulnerability Bingo, which is to say they would have a card of like the OWASP Top 10. in random orders. And they knew that if they went into a company, they’d just find them all. It just in what order they would find them. And as a team, they play bingo. And he just got sick of knowing that every single company he was going into, he’d find all of the top 10 somewhere. And that’s where they built Contrast, which embeds using instrumentation, the identification of vulnerabilities. But it doesn’t mitigate it. Right, it tells

Albert Whale:

built It’s Safe. It’s Safe helps to mitigate it because we look at activity going on. And you know, if you’re a company here in Pittsburgh, this is where I live, you certainly don’t need to be talking to 30 odd countries around the world.

Tim Freestone:

Can you tell us a little

Albert Whale:

And

Albert Whale:

last year we bought, pardon me.

Tim Freestone:

You called the technologies It’s Safe, is that what you said?

Albert Whale:

Yeah, It’s Safe. ITS-safe.com. Last year, I bought a new TV. And that TV, it’s a Samsung TV. Bought it from Best Buy. My daughter works at the Geeks Squad, and this was the recommended TV of the year. Stuck it in my network, had It’s Safe in my home. There’s a crypto coin miner on it. back doors to everywhere that you can imagine, but now they’re being blocked. You know, the problem is, consumers don’t know what’s going on. And if you put this in your network and you’re working from home, I mean, what security does a home have that businesses used to have as a security perimeter? It’s not the same.

Tim Freestone:

tell us a little bit more about the It’s Safe? I just brought it up real quick and how it works and why you think it’s critical to the security posture.

Albert Whale:

Well, a couple different things. But first of all, I would have never seen the crypto coin miner on my TV unless I had it. IOT devices are coming out daily and they’re pushing them out through the marketing teams before they’re ever secured. People think that they’re buying secure products and they’re built in what country?

Albert Whale:

Yeah, in most instances, it is. I mean, there might be a few that come from other countries. But we’ve had an addiction to cheap technology. And they know it. So they’re building in the back doors that you don’t look at, because you don’t have a security team in your house. But you bring in your laptop, you take it to work, you telecommute, you VPN. So much is going on that you don’t see. So it safe sits in the network. It watches the traffic, finds out where it’s going, sees whether it’s of good intent or malicious, blocks the bad activity, lets the good stuff through.

Tim Freestone:

Seems simple enough.

Patrick:

And this is something that is more of a B2B player. It sounds like you have even B2C customers, Albert.

Albert Whale:

Yeah, so that’s just it. I put it in a small dentist office recently, and the dentist is like, I don’t have anything on my computer at home. How can I get this in my house? Can we connect the two? I’m thinking, all right, yeah. We have a B2C play coming up. We’re definitely B2B right now, but B2C is where we wanna get to because everybody needs better security. And that was the original design initially. was a B2C play because of all the IOT going on, the ring doorbells, you know, everything’s connected to the cloud. And what is the cloud? Where is the cloud? Who has the cloud? Who works in the cloud?

Patrick:

Very true.

Albert Whale:

I have a lot of questions, but I don’t have the answers unless I’m looking at what’s going on and that’s why I built ItSafe.

Patrick:

How long does it take to deploy? Is it relatively easy?

Albert Whale:

It’s so hard. There’s two wires and a power cord.

Patrick:

Ha ha ha!

Tim Freestone:

So it’s a hardware.

Albert Whale:

It is hardware. We don’t have

Tim Freestone:

future.

Albert Whale:

to distribute it to each individual laptop. Anything that goes through the network, we can see.

Tim Freestone:

And then I saw third parties. Do you, does it extend into the, into the third party? See if it’s not your network or how does, how do you couch

Albert Whale:

Well,

Tim Freestone:

third

Albert Whale:

so

Tim Freestone:

party?

Albert Whale:

that’s a good point. I mean, if you have third party products in your home or in your office, do they need to connect to China? Or how about a domain that’s controlled by China? Do you really want that happening? I mean, third party is one thing, but you don’t really wanna have malicious connections to third party countries. But we can whitelist it if you really have. We’re going to advise against it, but you know, there’s probably another way to go.

Tim Freestone:

In the world of Gartner, where would you, would you couch this in some of their acronyms somehow, or is it standalone different?

Albert Whale:

I think it’s so new that it’s not yet on their radar.

Tim Freestone:

Okay. I’m just curious. It’s, um, they have, they seem to have three or four letters for

Albert Whale:

Nobody

Tim Freestone:

everything.

Albert Whale:

else is doing this that I’m aware of, and that’s great. You know, I’m completely happy to be Blue Ocean.

Tim Freestone:

Mm-hmm. Yeah, it sounds familiar.

Patrick:

Now, this next question, Albert, goes back to something you said, I don’t know, 15, 20 minutes ago, it’s the pink elephant in the room, uh, chat, GBT AI. You noted that you thought it has greater likelihood or potential for malicious activity than for good. Why do you believe that’s the case? Do you, you know, we’ve spoken to a couple of different folks and we use chat GBT ourselves. It seems that it has a, uh, you know, there’s. positive use cases, there’s also ways in which it obviously can be used in a malicious manner.

Albert Whale:

Well, that’s true. But the problem is that you’re always going to have the activities of some malicious intent, whether it’s internal or external. So the problem with ChatGBT is it’s AI, and it can find weaknesses in your environment faster than you can patch them.

Tim Freestone:

Right. And so we’re in the cat and mouse thing again. And so the, uh, whoever the cat or the mouse is, I guess we’re the mouse. We have to embrace

Albert Whale:

in the mouse trap if you’re going to let chat GPT inside your network. Okay?

Tim Freestone:

Oh, even without that outside the network, I’m thinking about it in the context of bad actors are using going or using now AI to scale their, um, attack or attacks their, their ability to attack full stop

Patrick:

malware,

Tim Freestone:

that’s happening.

Patrick:

phishing, there’s a number of use cases.

Tim Freestone:

And

Patrick:

Yeah.

Tim Freestone:

it’s all, it’s all just getting scaled out. Um, so you can’t as a cybersecurity professional team or leader. not also look at how you match the scale with the same technology. It doesn’t get run over. Would you agree with that?

Albert Whale:

Well, I think they’re already getting run over. They just don’t know it yet.

Tim Freestone:

Well, it’s true, but

Albert Whale:

how long has AI been out before they announced that it was out? Because somebody’s been feeding it. Where

Albert Whale:

database of activity?

Tim Freestone:

yeah, just in the hands of, it’s just more in the hands, I guess, right now.

Albert Whale:

Sure.

Tim Freestone:

I don’t have an answer. I’m just curious, you know, we talked about,

Albert Whale:

know where it’s going to go.

Tim Freestone:

yeah.

Albert Whale:

I don’t really want to go down that dark rabbit hole.

Tim Freestone:

Sure, we’ll be there for a couple hours. Yeah.

Albert Whale:

Yeah, that’s a zone I’ve been. Sorry. Let’s be

Tim Freestone:

Nope.

Albert Whale:

more positive, OK?

Patrick:

We need to end on a positive note for sure. Zero trust, we kicked it around a little bit. Albert, you know, there’s a, the government’s trying to drive it, whether it’s, you know, executive orders like 14.028, and it’s had a bunch of subsequent items added onto it, I think three or four in the private sector, we see some of the. some of that starting to happen. Typically the government will drive some of it. Is that positive? And then Tim’s point as well, we see zero trust typically applied to the network, to applications, to infrastructure. Do you see, as we do, a use case around content? Does you gotta get it down to the content layer? And we would even argue that you gotta apply digital rights management to some of that content. So you can do things such as what you just described. ensure that that content’s not going out to Melissa’s third parties in rogue nation states, for example.

Albert Whale:

I would have to agree. I mean, right now, zero trust seems to be our best asset at securing the environment because if we don’t trust any connection. I don’t care where it’s going. Without authentication and authorization, just because it came from a specific device doesn’t make it trustworthy in itself, especially when it’s going to Guangdong, China. You know, the intent of a connection has to be considered in addition to the origination. And what’s inside of it? Is it really an NTP packet? Wow, that thing really ballooned up. It’s five gigabytes. What are they hiding in those packets, right? So abuse of protocols is another thing, again, aligning completely with zero trust.

Tim Freestone:

So it sounds like you’re all in on this, which makes sense. Like, you know,

Albert Whale:

didn’t have a word for it back then, right?

Tim Freestone:

Hmm, yep.

Patrick:

Still Forrester and Palo Alto came along.

Albert Whale:

Well, you know, somebody thought they could make a dime on it, and they’ve made more than a dime, probably a quarter or a buck and a half.

Patrick:

Why didn’t you come up with a name back in 2003, Albert?

Albert Whale:

They didn’t ask me about it. I didn’t write my two books then.

Tim Freestone:

Yeah.

Albert Whale:

And I got two more in the hopper.

Patrick:

So we got to talk about your two forthcoming books.

Tim Freestone:

Yeah.

Patrick:

So what there’s going to be in those two

Albert Whale:

Well, one of them is called Zero Trust. Funny you should ask. The other one will be called The Book on Cybersecurity.

Patrick:

That’s a good question.

Albert Whale:

Whoa, whoa, whoa, whoa. One at a

Tim Freestone:

Collaborative

Albert Whale:

time, please.

Tim Freestone:

efforts? Collaborative efforts on those as well or are you going solo?

Albert Whale:

I don’t think I’ll go solo. It’s much easier to manage my time than everybody else’s.

Tim Freestone:

Yeah, well that’s true.

Patrick:

So where can folks, number one, find the software? Can you tell us once again, because they probably have, you’ve piqued their interest.

Albert Whale:

Sure, it’s safe. I have a website up. It’s called its-safe.com.

Patrick:

We’re definitely checking it out. I’m sure our viewers will. On your two books, I assume, just go to Amazon and hashtag hacked and hashtag hacked

Patrick:

too.

Albert Whale:

actually have a website for each of the books, thehackedbook.com, thehackedbook2.com. Pretty simple.

Patrick:

I assume three and four will be used the same nomenclature.

Albert Whale:

No, well one’s going to be zero trust and something

Patrick:

Sorry.

Albert Whale:

else. We’ll work those out, but we’re going to link them all together so that you can get the whole anthology.

Patrick:

Well, we’ll have to do a part two podcast when you have those two published. It’ll be an interesting conversation. So,

Albert Whale:

I’m looking forward to it.

Patrick:

well, we appreciate your time, Albert. This has been an enlightening conversation. Hey, you gave us a lot to think about and…

Albert Whale:

I hope some of it was good.

Patrick:

Oh, definitely.

Tim Freestone:

What?

Patrick:

Always. Thanks our audience. If you want more episodes of Kitecast, go to kiteworks.com/Kitecast. We look forward to having you on our next… episode. Have a great day