Adopting Zero Trust
Adopting Zero Trust: Season One is Wrapped

Catch this episode on YouTube, Apple, Spotify, or Amazon.

Welcome to the last episode of season one, where Neal and I go on a rambling adventure and look back on some of the interesting and eye-opening conversations we’ve had over the past few months. To wrap things up, in what was supposed to be a 20-minute conversation, we felt it was time to better introduce ourselves to our listeners, discuss some plans for season two, share some aspirations of bringing AZT into the real world at a conference or two in 2023, and announce that we will finally open the doors to Zero Trust technology vendors.

Since this is our season one wrap episode, and much of what we cover is a stream of consciousness, there are no key takeaways. Swing back around in January as we kick off the next season with another group of amazing guests. We have plenty of surprises in the works, too!

We hope your year winds down well, and we will cross our fingers for no X-mas cyber incidents.

Interested in being a future guest? Slide into our inbox elliot[@]elliotvolkman[.]com

Episode Transcript

This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.

Elliot: Hello everyone, and welcome to another wonderful episode of Adopting Zero Trust, or AZT. In fact, this is the wrap-up for season one as we're gearing up for the holidays here, and take a little break. Well, at least in the background, it looks like we'll be taking a break, but we'll be chatting with some other guests and getting ready for season two, which will kick off somewhere in January.

Assuming, you know, nothing crazy happens with events and everything else that tends to happen in our space. So maybe something timely will pop up and we'll focus on that. But with that said, this'll be a pretty short episode or maybe a short episode. We know Neal likes to talk, so we'll see how that turns out.

But the two of us are just gonna do a little bit of chatting, talk about what we've covered so far in the past few months with the first season. Maybe look ahead at some of the things that we want to implement for season two, and then we'll of course have some call to action on our listeners' side that we'd love feedback from y'all.

Fortunately we're getting some pretty good feedback so far and we'll dive into that in a little bit. But before I do, it's been a hot minute since you have gotten like a proper introduction to ourselves, and I know I fully neglected to do that myself. And I'll give you maybe two minutes instead of like 30 seconds for me.

But we're gonna jump to you, Neal, our co-host, the man of the hour, the one who carries most of the conversation on our behalf. So I'd love to, so really what I wanted to do to like just kick this off and get like another reintroduction to who you are before we close out this season. Obviously you have a vast amount of knowledge and experience and you're able to really communicate with the different people that we speak with on a technical level.

And that is why you are so critical to this podcast to make it you know, a valuable resource to people. That being said, you. I know some of these stories trickle out where you have a military background and some analyst background, but maybe run us a little bit through, you know, what got you to here today and how you're stuck with me.

Neal: Yeah. Well first off, thanks for propping me up, but the real thing here everybody needs to know is that I just show up. Elliot actually does the work. I may talk a lot and then obviously I do talk a lot but Elliot's the one who actually puts all the stuff together. So as much as he wants to prop me up, Elliot is the only reason why this exists, and the only reason why I have a mic that looks like this.

So just to be fair and explicative here. So all that to say, yeah, it's been a long road. It's been an intriguing two years, two and a half years for everybody, first off, right? There's been an uptick in podcasts. There's been an uptick in weird webinar type things and engagements and all this other fun cool stuff where people are trying to help and build.

But to get to all of that, people obviously need either a curiosity, a spark to wanna learn, or they need a background as well to engage in that curiosity. So for me, Marine Corps background, linguist, you know, left before 9/11, went to basic, 9/11 happens. I'm already out of basic, boom. We know what happens for the next five years from there as a linguist, in particular an Intel analyst.

Transitioned to cyber while I was part of active duty. So that was fun. Did some things for a wonderful three letter agency called NSA, woo, and then got off, did some cool things moving forward with my unintentionally moving forward with my career progression into this world. With open source research before it was popular, before APT1 in 2012 was put out there by Kevin Mandia.

Actually worked with Mandia and OSI when he was still an agent and doing online investigations. That was fun. Another little checkbox on how to do things and in and research, right, and reporting collections. All this other fun junk, STRATCOM strategic threat into operations. Before Cybercom moved out to DC, Maryland area before Cybercom was officially stood.

Plank holder there at Cybercom and the J2, but it was the liaison between J2 and NSA from an Intel relationships building because I had that NSA background. So I got hoisted into there, fun times there, and then found my way doing defensive security operations for operational technologies, OT/ICS stuff.

That was a blast. And then moved back to Texas. Worked for AF Cyber, got outta AF Cyber, got into the commercial world. Thank you, Booz Allen. And then last seven years have been startup after startup and some other fun stuff and varying degrees. Intel analyst, client success roles, consultancy services, all sorts of mishmash of everything to lead us to today.

And you know, it's just been following the Yes Serve program. You know, job offer comes up and you know, wow, that looks like an intriguing opportunity, a new problem, new way to go about life. So I say, Move to it, stick around for as long as they can until the problems are no longer there, or they become boring and then you find new problems to go solve.

It's, you know, curiosity 101 and that's how we got stuck here. Elliot and Cyware and Elliot's wonderful job at Cyware prior to doing marketing stuff and then him exploiting the hell out of me to go do webinars. Which was fun. And to be fair, I was never a public facing personality more than a couple interview things here and there.

Maybe one or two presentations up on stage, period, outside of the Intel community space. Get to Cyware, between Elliot and the rest of the marketing team, and my job description, because I volunteered for it to be fair, became the front of house and Elliot and I built the wonderful relationship.

How we like to operate. And like I mentioned a minute ago, this only works because Elliot's able to do what Elliot does, not because of what I do. So Elliot running things the way he does gloriously while building the relationships, he actually builds with everybody to get the people in front of here.

I hope to change this paradigm a little bit next season where some people I actually know come on. But most of them look at me and laugh and you're doing a podcast. And then they watch it and they apologize. And then they call Elliot and say, we're sorry, but that's a whole different thing. You know, it's been great.

You know, it's been a wonderful, cool story. It's been a fun career so far. 21, 22 years in the making through the military. And the last little nugget I'll say is for anybody who actually cares about the cybersecurity world, don't focus on a degree. Focus on what gets you to the knowledge bases that you like and do OJT. Degree's important.

But OJT gets you further.

Elliot: Love it. Sorry, my internet connection's dropping in and out. So if I disappear for a while, you know why? 

Neal: I'll have a conversation with myself.

Elliot: Yeah, that's how it usually works, right? Just prop you up in front of some people here. You get a wall and we're good to go. No. So one of the reasons why I wanted to highlight that your background in particular is, you know, yeah, sure I can do all the things in the back end and get people connected, all that, that, that's not difficult.

I think in our space where there are so many c. Propping up with large marketing budgets endless podcast, endless videos. I do it myself so I know how it works. You're not really getting like the kind of conversations that we're able to facilitate here. So your crazy experience in your background allows you to have, you know, a level set conversation with most folks.

Maybe not been in the shoes of a CISO, if you ever find your unfortunate shoes filled there, but, you know, you know how to walk the walk and talk the talk. That is why it was so easy to prop up that relationship over at Cyware. I don't know what the hell I'm talking about.

If I can find someone that can talk to people and likes to talk, golden we're sold. And that, that is, you know, where some of Adopt Zero Trust was born from too. But yeah, so that's like the idea behind it. The reality is like in the cybersecurity space and I think. One of the reasons why I also wanted to prop this up is as you had mentioned, anyone who's interested in joining this space, there are a million paths you can go to.

Obviously you can go to university, there are certs you can go after. Just so many different paths that you can travel that it you know, there's no one right path. And I think the same thing goes for zero trust in itself too. I think fortunately there's more refined approaches that are of coming down the.

We see folks like Chase who are recommending really great resources that are not just these kind of dry, boring NCES to things. I will give a shout out to this in a minute, which was mentioned during Chase's episode. That'll be later. But yeah, so two pieces of this. You don't have to necessarily go to university to get cyber security.

There are boot camps, there's tri hacking, there's going to conferences and connecting to people. You want to go get N+ and S+ or wherever you wanna start. There are so many entry points and I know you're really passionate about growing people's background, so I wanted to give a little bit of attention to that.

I know somewhere in the back of your mind one day was to launch like a podcast or some sort of conversation around that too. So just making sure that we give some attention towards that.

Neal: Yeah. So that's a good note. Ellie, do you wanna help me edit another podcast? 

Elliot: Let's go. All right. That's, I mean, it's not that hard if you do all the talking

Neal: Yeah, I'm definitely not the post edit guy for sure. Now, so I think it's, you know, this has been fun. You know, if we look retrospectively at what we've done in the last, I mean, wouldn't we? We started talking about this, I think end of March. And like legitimately got on a phone call in April I think.

Cuz there was some vacation, there were some job transitions, vacation, some other stuff. We finally got on the phone in April and then I think we kicked off our first interview mid-June, beginning of June, something like that. I

Elliot: Yeah, I think it was with Andrew who was in Australia, which was a little bit complicated for timing purposes, but that came out so well. I mean, I didn't have a whole lot of background on him, but you know, he just knew his way around the conversation. You know, as far as like first episodes go, I could not have asked for something better and a better guest so it.

Neal: Yeah, dude, that, that was a good kickoff. And it's, it's neat to think about the type of people that you've gotten on this, just the first, you know, few months out the box. And we've had CSOs, we've had a CEO, we've had former three letters outside of the CEO Csso of the Air Force. We've had perspectives.

I, I think what was really cool about this year is the perspectives we've had, were all from a practitioner focus. Very impactful from that. Side of the house, right? And yeah, some of the people have worked in the vendor space in some vein or another, maybe once, but they are still, they were still focused on actually doing not just not the sales pitch of the idea.

So I think that was really cool to see out the door and get that perspective. And on that, the thing I'm looking forward to next year and I think maybe we'll talk about this a little bit more in depth here soon, but you know, Meshing up some of these personalities, both prior people that we've had, hopefully, as well as maybe finally getting some of the sales marketing fluff type people in to see where they sit.

And then let's have a practitioner and a salesperson maybe panel it out a little bit without getting too promotionally speaking, but more on that in a few. But yeah, I think it's cool. Dude, I think you did a great job exceedingly well with the reach outreach that you did and the people that.

I'm board and then, you know, the I only pay attention mostly to the LinkedIn feedback that we get predominantly. But, you know, the people that we see commenting, the people that we see volunteering to be a part of this endeavor it's it's cool. It's neat to see that growth in such a short time and know that next year the impact's gonna be a little bit more and have a lot more fun things to go through.

Elliot: Yeah, absolutely agreed. I think on your note about incorporating vendors, so I think for full transparency, we definitely have vendors that reach out, like a significant amount of them or they'll connect on LinkedIn. I think they're just ready to pounce. So the way that I've been navigating around it is, and no one has fully taken me up on it, some of try to move the conversation forward is I was like, we're just not ready for that.

Set up yet, we just wanna talk to practitioners, people who are moving it forward in their own way, not necessarily selling the technology behind it, because without a doubt, I fling a lot of shit towards the marketing side because I live there, I know it well and it's easy for me to navigate it.

But if we're trying to, you know, decipher like marketing versus, you know, reality, Concepts. That's why we had season one devoid of all that. But of those people that I asked, we basically just said, Hey, if you have a customer that's open to talking about how they're adopting zero trust and they have to use your technology, awesome.

But to date, no one's really been able to knock that out yet. Fortunately with season two we'll basically get them adopting zero trust branded boxing gloves. Maybe put them in a ring together and see what happens. As long as we have a balance of voices, basically, as you had pointed out, I think, you know, that's totally justifiable.

We'll just tee it up. I, the other thing is like you and I, we. Engineer these conversations at all? Usually we literally hit record, I think out of the dozen or so episodes that we've recorded so far. I've only primed like two people because they usually have like PR handlers and they want to just make sure that those folks are not gonna go rogue and say anything that'll get the business in trouble, which I get.

Some companies that we've talked to have very large you know, brand presence and it would not be good if they were talking to a bunch of fools like us and, you know, getting themselves in trouble. So I get that. 

Neal: Think that's the fun part, man. Is You know, we do legitimately just hit record as much as possible. And what comes out. Sometimes there's some blank stares for a few seconds while we consume what it is the other person may or may not have said. But you know, it's you know, it's fun that way.

You know, it's, the raw conversation's important. I think having participated in panels and other podcasts myself, interviews and things like that, you know, you get your, like CyberWire Daily ones where they have a purpose from a question perspective, right. Throwing some shout outs to some people I've interviewed with in the past.

And they've got, you know, they, they've only got a finite amount of space that they can take up for your interview, right? So it makes sense. They come up, they give you a list of five questions, you write down your responses and maybe wing a little bit of it depending on who you are. But you know, you get your bullet points down, right?

And then you get your eight to 10 minute spiel in and then they cut tape and roll with it. Right? But then you get, same thing with panels. Everybody gets that list of preemptive questions. But I think for me, the most engagement and the most benefits I've seen is when the panel gets up there and the moderator's, you know what, here's this list of questions.

Let's throw that out the door. I want to ask you about this, and this. And then they really get the off the cuff, you know, spur of the moment thing. So you get to, you get a little bit more feeling, right, out of that, you get a little bit more impact because someone's not just going off of a scripted mentality, so now they're having to think about what that response is and really is and you get a better, more visceral take on what that, that question is. And you know, I think it's bit us in the butt a little bit once or twice, but at the same vein, it's given us a lot of good things. You know, we've had some conversations where, you know, ask a couple of questions and everybody's whatever, you know.

Wrong audience. Good question, wrong audience. That's fine. You know, we're not trying to place, you know, stump the dummy. We're just trying to ask questions and if they go somewhere. If they don't, then we move on and keep going. And you know, that, that's part of the fun.

You know, you figure out the personality on the call, you figure out. What they're able to talk about, what they're willing to talk about. And then if you get to a question that's yeah, he's that's not me, that, that's Sarah down the hall and I'll get her on next time. Okay. Thank you. Appreciate it.

Clap. Let's move on. That, that's the fun stuff, you know. And that, that's, I think what we got a lot out of this season so far with those conversations and even the structured ones, the preemptive ones, they still ended up having a good raw discussion path, mostly because of my fault, because I didn't read the pre, pre-pro questions, but

Elliot: Well, to be fair, I usually don't really have pre-questions. I'll ask them like two or three, and then some. At some point you just jump in. I'm like, goodbye mute. I'm checking out now. But yeah, I, we rarely even have to edit anything out. I think there was only one time we, I can't remember who we asked this to.

It was something about a breach or Twitter's debacle or nightmare scenario? We try to, yeah, we try not to pick too much at the bandaids of like timely things. There's enough podcasts that cover all those things and conversations and like for the shit flinging that I'm down for, it's usually about people that work right in my shoes.

So I'm good with that.

Neal: Oh, hey, it is coming into December and we all know the last three years now what's happened in December every year. So who knows? We might get a rather impromptu wtf. Log4j, WannaCry, SolarWinds some this month. Christmas is coming. Good luck. And this is the only time, if ever, I'm happy to not be a full-time practitioner.

But yeah. Yeah, it's been fun, dude. It's been a good ride. I think next season, you know, there's definitely still more questions. There's still some more fun formats for us to take advantage of. Right. You know, we I know we've got some thought collateral around who was it?

Health industry, oh my gosh. Went brain fart right there for a few seconds. So one person that I'm gonna bring to the table that Elliot is aware of, you know, we're gonna have a fun conversation with with a leader in the healthcare industry and he's got some intriguing things relative to his perspective and his C-suite role and below.

And he also comes from a very long line of financial services stuff. So when he hears this podcast, he'll know we're talking about him, but I'm not gonna name drop until. Until next year. But that, I think that's what I'm looking forward to, dude, you know, the format, the people that, that you're gonna bring in and maybe the two people that I know that I get to bring in

But yeah that to me has been the exciting part as a whole. The conversations obviously, but just the faces that you've got, man, the I can't say enough about, about the quality and the character types that you've brought to bear in such a short time. Props for that one. That.

Looking forward to seeing what you pull out next year.

Elliot: Yeah, seriously, I think we're just very fortunate and lucky. I've worked in, you know, cybersecurity for six, seven years now. Basically worked for an MSP when I first started, and that's where I started making connections. But realistically, I've covered from like a journal perspective, like 20 years.

I think the first blog post I've ever written about was something called like the Koobface worm that was going through Facebook and something like that. I literally had my own stupid blog that started covering it. I started dissecting like all the issues and somehow I think that led to me like getting a job that focused on like social engineering and building content around that.

And that's really like my background. So that was my, I promised I would throw in some of that in there. I do work for an automated compliance company now. I lead a creative team there so I don't have to deal with the evil sides of marketing, although we don't really do that there. We are very white hat in what we do, and that's why I work where I work.

But yeah, I, again, I think we're just very fortunate. The people that have just been open to it. We started with zero, zero listeners now we're like averaging like a thousand per episode, which is awesome. But the folks like Andrew who just like, Hey, I'm in I mean, you don't have any follower. You don't know what you're doing, but, you know, hit record and they're in, I mean, it's just amazing that these people have been so kind to kinda join us and now we've.

Folks like Nick who has his own series who, you know, was part of a whole epic component of zero trust per the government. We have folks like Chase who fell on I don't know, he picked up where. John over at Forrester, kind of form zero trust. So it, I don't know. I think we're just very lucky and fortunate and obviously have used a lot of my journalism capabilities to like annoy people to help a reporter out to ask things like that.

And I can't tell you how many requests I've put now. I think I've got 10 really good ones outta that, outta like the 300 that we'll get back. So fortunately I've got a couple more in my inbox right now that I'm actually gearing up to get us scheduled for season two. I won't necessarily name drop them until we lock them in place, but there's anything from very large cybersecurity companies that might be like former competitors to Zoom, and now they spun off some other really big companies and some of the biggest publishers that are out there they're just sitting on our inbox, like ready for us to schedule and have conversations.

And I, I don't know why they want to channel this, but hey, let's go. 

Neal: Good. Well, it's cuz it's you. That's why they see the face, they see the beard.

Elliot: Oh, it's definitely the beard. I can go for that

Neal: Oh, so maybe we can rebrand to Two Beards and Zero Trust.

Elliot: It does have a better ring to it. I will say that. And I also check, like I vaguely checked through analytics, like it's a, you know, it's good to know that people are actually listening and that we're not like, you know, burning time for no reason. But yeah, there's some like SEO stuff so I can, I have a mission to attack the term Zero Trust so I can like dethrone some of those very large companies that spend so much money and we usually like rank in the top three for adopting zero trust.

But I don't know if Two Beards and Zero Trust is gonna be as searched as much as adopting zero trust. But if I can still dethrone some of those other brands that abuse zero trust, I will call that a win any day.

Neal: I was thinking we could start our marketing swag brand. I thought I had one sitting here, but, you know, zero trust beard balm, guaranteed to hold things together when all else fails, you know? No

Elliot: Nice.

Neal: Back on the note of next year, dude, the I haven't sent the email to you yet, but we talked about this very loosely.

I have some stuff in the works for us, potentially for whether we want it to be our first legit panel or not, however we wanna play this. But with DHS and some risk and compliance folks over there. And you know, there's a gentleman who's very open and happy to engage and he comes with him with two to three other people that basically wrote the National Risk and Compliance Zero trust.

Document and framework that is now what is currently in the process of being adopted officially through DHS back up to the fed gov space. So that's my one. Aha. Holy crap. Look what Neal can do. People think. Obviously we'll get that lined up, but I think this is gonna be exciting, dude.

We're gonna format, you know, we're talking about what's going back to the format piece, the panel idea that we've mentioned a couple of times in prior calls. You know, almost every time we've mentioned it, the person on the call has been like, dude, let's do it. Bring me on with whoever. Let's have fun.

So I'm hoping, you know, we can get, you know, maybe a third or half of the people that we had on this first round to come back and have a larger engagement conversation. You know, we'll have to put a little bit more brackets around this. But, you know, there, there's some people who like to talk a lot more than I did.

which is good. You don't wanna listen to me for an hour. But, you know, put some structure around it, put some times on these and rubber stamp, Hey, go two minutes to reply kind of thing. That'd be about it, right? And then yeah, I think that's what's gonna be fun is getting people in a room. Most of the people we had, I, I didn't actually hear anything overly contradictory,

Across anyone except for the very last with.

Elliot: Chase. Yeah.

Neal: Good Doc and that, that was good. That was a good endpoint there because you know, when we asked the obligatory where to get started questions and what do you think about this standard and all this, he's you know, you know, and it's a good perspective, you know, a lot of the other people were coming at it from, you know, DIY mentality to some extent which is I guess really where most people are, to be fair.

But, you know, they were looking at very easy to go through industry standards as a good response, as there was nothing wrong with those. It was fun to hear him just be like, you know, yeah, read this book. And then go that way. So that's what I like. I like the fact that, you know, as a whole, everybody was very complementary in the sense of what they approached and how they discussed the overarching environment.

Especially when we start talking about the vendor space and then we still had enough variance and differentiation of whether it's something as simple where to look to get started or from. You know, the long-term goals of what they're trying to do outside of just trying to adopt security models.

Right? That, that was fun to see, you know, good thematic throughout everybody. But at the same time, there was a lovely amount of variance and perspective that still obviously brought each episode its own unique taste. I was, I'll be upfront. I was very worried that we were gonna get into this and everybody was gonna be like, you do this to block that because NIST says to do that.

And then if you do that, then you do that. And it was all gonna be the same response in some high level mentality, but it wasn't. Every single person came at it with a good little nuance as a whole and everything complemented once again. Everybody complemented each other and it, it was just neat to see.

And you know, it just definitely goes to show you perspective is key, and the topic is so awesomely large, even though it's still just two words that you know. Yeah, it's neat. And then we still got a long way to go and that, I think that's where I was worried that we'd get there and be like, eh, 15 episodes in, we go from here?

But we're not. We have a good way forward and we have a lot more questions to ask

Elliot: Yeah, absolutely. In fact, so one of the areas where I try, I'm trying to build community around this concept is a Reddit of all places. Cuz they have a pretty good pool of people in our world and a lot of them are jumping into. Cybersecurity and having an understanding of zero trust out the gate's helpful.

But anyways, I recently put a post in there, like the different flavors of zero trust, and that's exactly what you're covering right there, is that every single person has like a different take on it. They're calling it a philosophy, a strategy, a framework, and while, you know, John and Chase sort of like champion, well mostly John champion, like the formation of Zero Trust.

It is now significantly out of their hands and the world has taken it into, shape it in whatever, you know, way that they want to mold that. And, you know, to I guess I'll shout out to the Project Zero Trust book, so I'm not very far into it. Well, not necessarily speak to the writing, but as far as resources go, that is such a great point because I tried reading, you know, I'm in layman's term again, we've already made this super clear, like we have technical expertise with you, and then there's the words guy here.

But if I try to read through DIS and CISA and all the other kind of like technical aspects, I can definitely understand it, but the terminology is very heavy. There's abbreviations, not so much that, but like just the language and be able to mold it from like a business perspective. A lot of that's not really there.

And at least with things like this book, Project Zero Trust, and some of the other resources that I still haven't, well, I gotta get through this and then I'll get to Chase's other options. But this is more like. The way that I jokingly said it to Neal is like, it's kinda if you're trying to learn to read this is that.

George, I'm gonna mess up his name. Phy, Finney, sorry. My bad. He basically wrote this as like a narrative, like a tech company which is basically Peloton in this was breached and the security person's coming in and he's tasked with building zero trust. So it brings you through a hypothetical journey of a company who has popped and they have to build zero trust to create preventative measures.

And that's like the idea of for it. And I think if you wanted to get an understanding from like a business perspective, this is exactly what's missing. That's some of what we're trying to build obviously here with our podcast. But these are people who live and breathe it.

Obviously Chase is involved. Kindervag is listed on, is like the foreword in it, so there's industry expertise just off the bat. So there's stuff like that now being created, but usually again, our bread and butter is people are referencing like NIST and CISA. Those are great for people who actually have to implement it and turn it into like things that they can apply to.

But from a business perspective for like people who want to adopt their address, there's that layer that happens before it. Like how do you get that buy-in? How do you understand the concepts and the benefits and is prevention like reality? Those are starting to form and I think as we, you know, continue these convers.

We're gonna find more resources like that. And that's exactly what, you know, we need more of in the world. You know, props to them on being able to create a narrative. I don't know if it'll be a Hollywood blockbuster or a Netflix movie one day. But there, there's some action in there, so I can appreciate that.

But I, I think

Neal: Liam Hemsworth reprising his role as the hacker.

Elliot: That is... Oh God, you're gonna kill me. Yeah, that's exactly right.

Neal: So is there a, I haven't had a chance to look. Is there a, uh, an Adopting Zero Trust for Dummies book out there yet?

Elliot: You know what, there's gotta be like a Zero Trust for Dummies book somewhere. But usually, and I don't know if you've ever experienced this, so I've worked in a company that has produced one of the For Dummies things, and basically you license the thing, you get a couple of ghost writers to do it, and they put it together.

But that means it's usually like a security vendor that's involved with, like actually producing those things. There's very few things where who, what. I cannot think of the brand often. Who's the company that has like those smaller, is it O'Reilly that has like those prints on the front of the books?

Like those are

Neal: Yeah. Yeah. O'Reilly's the big one.

Elliot: Yeah. So I'd say if they have one, I'd look for one of those. No, like a For Dummies. Hey, there you go.

Neal: I had to look this up obviously, but to your point, this is brought to you by Fortinet. So you know, you're right though.

Elliot: You're welcome.

Neal: Or the most of the For Dummies books like this. Yeah, they're usually sponsored from a vendor specific focal point. I was about to say, if there wasn't actually one out there, I finally found the first book I'm gonna write, we're gonna go write this, but someone named Lawrence Miller already beat us to that courtesy of Fortinet.

Elliot: Yep. There you go.

Neal: yeah,

Elliot: Hey, you could still write it. We'll have the neutral version,

Neal: I got a, we can co-author one and then get Dr. Cunningham to do the foreword. And then Zero Trust for Dummies. Two beards, two beards, and a ZT strategy away. So first step, grow facial hair. Second step. If you can't grow facial hair, just glue it on. The beard will

Elliot: you go.

Neal: you from everything. No.

That's funny, dude. That's good stuff. Now, yeah, I think the educational pathways that we have, the fun stuff here. I think this year, funny enough, listening to the people we've talked with, this has been a legitimately defining year beyond marketing fluff for what ZT is, what ZTA and that construct really means.

And we're gonna see more books like what you've got. We're gonna see more For Dummies style things, thankfully. And with any cyber security or any knowledge bridge period, you know, diversification of resources is key to be able to make your own strategy, whether you're listening to us on this podcast, whether you're listening to the other podcasters that we've had the privilege of having on our own or anything else, or reading 16 different books. You know, the, this is the one thing as an Intel analyst I will never get tired of, is when there's a vertical that I need to research.

I would rather see a million nodes of information than five or 10, you know? From an analytical perspective, it's a lot easier to come up with an assessment with an overabundance of information than a lack of information. And so I think this year has been critical and to this type of community, this mentality.

And now that we have government standards being written, we have risk and compliance methodologies from the government. We have private industry methodologies that have literally been published this year or end of last year, we're only gonna see more of that and it's only gonna help end users realize how to do this within their scope of their use case.

Right. So we talked to business manufacturer type companies. We had two different companies that rely on device security. This year we had a couple of just general corporate entity mentalities from a corporate office lifestyle as well. We had what are some of those other we had. A couple different business aspects.

I'm blanking on them now, but long short, you know, we had some cool diversification, right? But what's neat is, you know, we're gonna have even more of that next year, and we're gonna hopefully help someone build a story around healthcare, help someone build a story around maritime or, I, I don't know.

It's gonna be neat to see what we get through. And it's gonna be neat to see the growth of this terminology in the private industry as it's being applied versus just marketing fluff terminology now. Yeah.

Elliot: Yeah, I totally agree. I think if there were two things on my wishlist for the next season, and I don't know if one of them will be feasible for the next cause I basically put out like another call to the world. If there is a company who is just in the early stages of adopting Zero Trust and they would be open to two weird guys with beards to kinda like shadow and check in with them, that would be absolutely amazing cuz I, I don't know that. The, this like Project Zero Trust book does that in a hypothetical scenario. But I would love if we can find an organization who's in the early stages of going through the adoption and can walk us through their progress through it to the extent that they can without, you know, opening any cans of worms that'll get them in trouble.

I think that would be absolutely amazing. And then while we did have some international folks, like we chatted with Andrew, I think the other piece that would be fantastic for us to focus in on is like an international piece of the conversation because cybersecurity is a universal language, so to speak. I think if we start chatting with some guests from around the world and how Zero Trust is kinda applying to their piece of the, you know, the world, I think that would be great as well. And then we'll probably look at some kind of like segmentation, not necessarily putting too much as far as like rails on our conversations, but.

I know a lot of our content, like you have to sort through. I do recaps that helps, but I only capture like a fourth of what's in there cuz there's only so much time that I could do between this and a whole, you know, 500 other things we got going on. But yeah, I think if we.

Create some like small segments that I can break into little pieces of videos and it makes it super easy for people to consume. Making information accessible is absolutely on the top of my list for season two, so that'll definitely be going in. But yeah, so if we've got other folks listening from an international perspective that are interested, slide into our inboxes, let's chat.

And if there is an organization that is open to us, kinda like checking in and doing some shadow. Also slide into our inbox, cuz we would love to be able to do that again. I don't know. That would be a season two thing. That in itself could be its own whole side thing, but you know, we'll get to that road when we get there.

Neal: That is no joke. I'll tell you one thing that I would like to have a just. When we think about the panel pieces something that, that I would love to see us do focus exclusively on for an hour. Hour and however long is literally just the concept of distributed ledger and blockchain exclusively.

You know, we touched on it with one or two people this year loosely on the impacts and the possibilities of what that really means. And I think I know there's blockchain podcasts and all that other stuff out there and what they actually mean and trying to educate people that blockchain is not just buying drugs illicitly on the internet.

You know, it's a lot of things, right. So I think from the ZT perspective, you know, I would love to see us. As there's companies, there's product companies that do this, but I'd love to see us find someone who's legitimately taking the distributed ledger construct and applying it to the security of whether it's the document structure that they have, whether it's to the actual network whether it's, whatever, it's, whatever layer they're doing this at, you know, coming back 8, 9, 10 years ago, whatever you know, the government side of the house.

Kind of has a concept of, had, they do now more aptly, had a concept of what distributed ledger was in a sense with the way that they handled classifications and portion markings and automated checks for access to data and the real world out here. Closest thing we had to that was, you know, you could get your own PKI or your PGP type cert setups, and you know, swap those around and buddy swap keys, blah, blah, blah.

And then set up things like SVN repositories. Anyway. So like we've talked about before, it's not that zero trust is new in the sense of the technologies or the structure. It's just new in the sense of wrapping it up into one larger piece. So I say all that because it'd be cool to see how someone's taken those old security models of document repo and logins and sharing information applied the distributed ledger mentality to that and that zero trust structure that brings to do all that stuff.

So that to me seems like a really fun one because it gets us to explain crypto in a sense, and blockchain and how blockchain is something that we're all using today. Whether you want it or not, every time you pick up your phone, I guarantee you there's a more than likely something on your phone that's using blockchain to do its job nowadays and get people over this hump and fear a little bit more.

And who knows? Maybe that security guy that's trying to figure out how to lock down his doc library realizes that the best thing he can do is literally just click apply. zero trust and that distributed ledger mentality. Anyway that's something I would love us to explore. I think, you know, the weight of all this and this year now that Elliot's got his feet wet and knows how to manage me a little bit better in this mentality will probably have more episodes, I'm assuming for for the year.

And then Elliot's gonna have me on here twice a week for the next nine months. I'm okay with this, but you know, it's cool. It's gonna be neat to see that growth and see some of the topics. So for you, perspectively, I'm gonna ask you a question then. So I just blabbed on about the one thing I would really love to talk about next year.

What is you've mentioned some focal points that you're working on for us, but what is the one thing that you want to have? Have a. No joke. Let's get this out there. Discussion four.

Elliot: Yeah. I think I sort of joked about this, but I'm totally serious. Where, and I like for the reference point, it was the duke it out with boxing gloves. If we could in a room, put the companies that are using Zero Trust as their critical talking point of what they're offer. And then put someone else in there like Chase or someone that's active with Gartner and Forrester and just to rip it apart, that would be the dream.

And I mean that as mostly like a joking kind of situation where I think where. There's like a deviation. I am very much applauding organizations who are moving this forward, especially because the ones that are moving forward are the security vendors who have the financing to refine it.

And they are creating their own flavors too, which don't necessarily directly relate to the concepts and strategies, but more of a tooling perspective, which is important because if their customers are gonna use it, they need to know how it applies then all that. I just want to like, bring it back down to earth a little bit.

I can't remember which company it was, mostly cuz I don't want to knock on them too much. There is definitely one company in particular that loves to use Zero Trust a lot, and I don't think they, it applies in any way, shape, or form. And they recently launched the certification program, and if they just said My company name certification instead of zero Trust certification, I don't think anyone would've been talking crap about them on LinkedIn.

But that's kinda like the background. So I think if we are able to get the level set, which it happens all the time behind the scenes, and that's just how, like the aspects of building market guides for Gartner and Hype Cycles and all that works. It's basically a lobbying machine.

I'd love to bring that out into the open. That's not something that happens today because I've seen it. I've been in those conversations, I've been fly on the wall in those conversations and it's, it can be intense and I mean, I think even Chase alluded to it where he gets like hate mail and cease and desist letters and that kind of stuff where it kinda like pokes at.

But if we could find organizations who are, you know, comfortable enough to have those conversations out in the open and we can do some editing if we need to, I would absolutely love that. I think, you know, it would benefit everyone to just get some transparency into what that looks like. It wouldn't necessarily.

Gartner or Forrester kind of coaching them through it. Even though having Chase in there through that live would be amazing. He already has his own Dr. Zero Trust podcast and he does some of that there. But having someone like a Chase in the mix with a couple different vendors to chat through it and be like, you know, that doesn't really apply.

Or maybe if it was more like this, just kinda bring it out to the open. That would be my dream.

Neal: No, I love it. See, I'm gonna ask Elliot more questions. What are your thoughts? It's not so easy when you're the one getting asked No, what are your thoughts on us doing something finally face-to-face? Pick a flavor, pick a conference, pick a whatever. I know we, we obviously put in, you put us in happily for you know,

Elliot: That didn't work out.

Neal: Yeah, that's, I mean, that, that's, let's be fair. You need to have, you need to know some socialite, some rock stars, some. You need someone big whose hiney you've kissed or you have a lot of money and can kiss hiney with the money to get in there.

Elliot: We also only had two episodes when I put that in there and I do actually know some hineys to kiss to get us in there if that's our mission for a year or two out. But this South by Southwest, just for people who are listening, we, I don't know, we were like two episodes in, we'd put that on there.

But yeah, that's the other fun one. For anyone listening, Neal and I have never physically met Cy, where was fully remote. I've now worked for multiple remote organizations. But yeah, let's bring this out to the real world. So if there's a conference that we can bring this to or find some sort of focal point that makes sense in fact, I even.

Took over Charleston Cybersecurity meetup here. It doesn't even have to be any huge conference, but you know, we'll find some sort of place in the real world to facilitate the conversation. I would absolutely love that. I think people would find value out of it too.

Neal: Cool. Yeah, so stay tuned for the Brom to continue in person for the first time. We'll film the airport pickup and everything. And you know, flowers, chocolates, dinner, whatever long conversations at

Elliot: Your chickens are mine,

Neal: yeah no, we're not talking about who's Rooster or who not but

That being said, no, I think, you know, the world is obviously back. I really haven't stopped traveling courtesy of this work that I do now with Cy. But you know, there, there's we talk about gardening it up a little bit and having some kind of rift between vendors and a few others.

And maybe that's the fun thing, maybe, maybe we find time in a spot in a co-host company to let us grab some seats at RSA or Gartner or one of those larger conferences like that and see where it goes. I think that'd be fun. And Hacker Valley Media, Hacker Valley Studios to give them a shout If New find, he's looking for another podcast to follow, go look at Hacker Valley Media and Hacker Valley Studios and follow those wonderful people. But that's how, in a fun way, that's really how I think they, they really got the two gens that really launched themselves into what they were doing is they.

They set up and ran a, just a train at RSA in 2020 before Covid in February. And they actually were in, in the space that my prior company I was with at, they'd taken over one of our little spaces and they had in, in two days, I think they did some 20 interviews. Maybe not that many, but that's what it felt like, you know, they just wheeled and dealed and it's because that in-person connectivity, right?

They were walking around, they had a schedule of people, but I think they wouldn't surprise me if they were walking around oh, hey, you do this. Let's go talk for five minutes, and, you know, catching people in the hallway kind of thing. So yeah I'm looking forward to that. I think we'll find a place, we'll find a time, and if it's not up on a legit stage somewhere, it'll be in a nice little nook with a couple of people.

And we'll have some drinks on the table or something and go at it for an hour. Moving forward, you know, there, there's some good stuff to think about.

There's some good, fun things to do. We will have an in-person at least once, maybe five times this coming year. We'll make that happen. And then who knows, maybe I can fly up there and we can go eat a pig butt at your, at a barbecue shack and record something over a beer and a pig butt.

That'd be fun. And then, we got good stuff ahead of us, dude, so

Elliot: You may actually be a little offended. Our best barbecue place is actually a Texas barbecue place. He was from Austin Lewis is, I don't know, they had the best brisket, but it's Texas barbecue. We've got a, you know, endless Carolina barbecue, which is all like full port, you know, pig, whatever.

Eh, it

Neal: you're

Elliot: They got better sides. Yeah. Whatever Lewis. This is so damn good, man. Yeah,

Neal: I'll tell you one last thing. I was in Brooklyn two weeks ago for maritime transportation ISAC conference. Whole nother fun story there. By the way, if anybody wants to figure out the world of maritime security and what, especially what New York City goes through with the Port authority.

Holy crap, that is an amazing endeavor up there. Even pre-9/11, but I went to a barbecue shack. My last. Claimed to be Hill Country Barbecue. So for those who don't know, I live in the Texas Hill Country, which is the heart of Texas barbecue amongst all things, styles vary throughout the state.

We're huge, so let's thinking about that one. But I was like, you know what, whatever, it popped up in the maps and it's literally two blocks away from the Airbnb I was staying at. Walked in, sat down, and if you're from Texas, you'll get this vibe. You ask for your brisket. The first thing the person behind the counter should ask you, do you want it moist?

Do you want it lean or, you know, wet or dry? Whatever their flavor words are. They asked. I was impressed. I get my brisket. I go sit over at the bar. I jokingly ask this guy who's got a very thick Brooklyn accent. It's, do you have a Shiner? And the guy chuckling, he was like, oh yeah, we got a Shiner for you.

So he pulls it outta the cooler, puts a shiner down, and then it turns out this gentleman to wrap all this back around works full-time at the Port Authority doing cybersecurity. So that was the hilarious thing here. And apparently during the tour that I took the day before I. Must have walked literally right behind his desk in the office space that we went through.

And he was working part-time at the Barbecue Shack cuz he likes Texas barbecue. And I do recommend it, I can't remember the name offhand, but different podcast, different day. So I, yeah, we'll get some InTime things, we'll do some over food. I gotta make use of my domain tacos and intel dot.

Elliot: Yeah.

Neal: we can do some weird one off crap with tacos and zero trust and start that weird crap up.

I don't know, but 

Elliot: I'm sold.

Neal: it'll

Elliot: do it. Yeah. Tacos is my everyday food group, so I'm always down for that.

Neal: Well, man, so all, one last thing. Thank you for dragging me along on this. And once again, for those who do know me, for the few who listen to that do know me very well it's not dragging so much as just preempting me to get in the right spot. But, you know, with all the work that Elliot puts into this and the outreach and the stuff, you know, this I.

I do hope and believe that this is less complicated than when we were together. It's high because you're not having to make slides or do that production value. But you know, Elliot does do, once again, a bulk of the work here getting all the stuff done. Obviously he's doing all the edits, he's doing all the outreaches for the moment.

I'm hoping to help out with that at some point in my life and be useful. I know I get on here and talk. I get on here and I. As best as I can, but none of that's possible without someone like Elliot. Behind the scenes, getting all the stuff done, domains updates, outreaches emails, edits, the whole nine yards.

So thank you once again for 12, 12 episodes now, right?

Elliot: Yeah, that sounds right.

Neal: Something like that. We'll go with that number and even dozen and we'll get a baker's dozen maybe. But thank you for one, getting me involved and two dragging me along for this and you know, giving me something to do after hours.


Elliot: See, what are the beauties of, one of the beauties of being the editor is I'm gonna chop all those nice things out and just gonna leave like a couple of like fragments where you're just calling me an asshole. We're gonna close it out.

Neal: Oh God.

Elliot: All right. So jokes aside. Yeah, I thought this was gonna be a short episode. I apparently was way off. We're at like, we're gonna be at about 60 minutes, but hey, you know that's how it works. I'll let Neal talk. He makes me talk a little bit. So yeah. That is season one for y'all, everybody.

We will be back for season two. You get an idea of what we have in mind. We have some calls for where we would love our community to get involved and join up. We are always open to, you know, our standard approach too. So if you are adopting Zero Trust or you have strong opinions on it, either positive or negative, we still don't have that episode where people are just shit talking all over it.

So if you're down for that too, you know, come slide into our inboxes. We're definitely looking forward to it. And I'm absolutely terrible with receiving feedback. So again, thank you for all the kind words. I do appreciate that. I think it's the ti... we tend to kinda like gloss over that, but, you know, but you know, this podcast would not be here without your expertise and I would not have been able to find anyone better to join this, you know, pathway.

And I'm excited to see what you know, comes for season. Again, we just have so many additional flavors of zero trust to focus in and build into our giant ice cream cone. But yeah, I guess let's let's just see what happens.

Neal: Sounds like a great plan to me, bud. Thank y'all. Appreciate all once again and look forward to the next couple of months.


Adopting Zero Trust
Today, Zero Trust is a fuzzy term with more than a dozen different definitions. Any initial search for Zero Trust leads people to stumble upon technology associated with the concept, but this gives people the wrong impression and sets them off on the wrong foot in their adoption journey. Zero Trust is a concept and framework, not technology.
We are on a mission to give a stronger voice to practitioners and others who have been in these shoes, have begun adopting or implementing a Zero Trust strategy, and to share their experience and insight with peers while not influenced by vendor hype.