Simply Solving Cyber

Simply Solving Cyber - Jim Wailes

January 10, 2024 Aaron Pritz
Transcript
Aaron:

Get ready to simplify cyber in three, two, one. Thanks for tuning in to Simply Solving Cyber. I'm Aaron Pritz.

Cody:

And I'm Cody Rivers.

Aaron:

And today we're here with Jim Wailes. He is actually a senior cybersecurity consultant at Reveal Risk. So we know Jim well, but we are excited to get you to know him. Jim has an interesting background. We're going to meet him here in a second, but he started out at the IMPD, and actually before that, military service and intelligence and all sorts of cool things. I won't steal all of his thunder, but he pivoted into cyber and applied a lot of those skills, and we're excited to unpack that and more. Jim, how are you doing today?

Jim:

I'm good, thanks for having me here today, guys. Looking forward to the chat.

Aaron:

Awesome. Well, we like to start out on the show by getting a little bit of a backstory on how you came into cyber, some of your outside-of-cyber experience, and how you've connected the dots and applied that. So, without further ado, why don't you tell us your founding story, and we might have some questions along the way.

Jim:

Okay. Like a lot of career changers that I've talked to, that have gotten into cyber along the way, I kind of fell into it almost accidentally. It was never my intention to get into tech or cyber. I played around with a lot of technology when I was a kid. My dad was a guy that saw the value of it early on and bought us a home computer, and I played around a lot with that when I was a kid, but never really got deep into tech. I got into the military and worked in intelligence, and then got into law enforcement. My military intelligence experience led me into working in intelligence in law enforcement. And the way that I fell into cyber with that was that we had a lot of information that we were trying to make sense of and organize and share in an efficient way. So I started doing some research, trying to figure out how to do that. I stumbled into databases and I thought, okay, I can understand what this is, and realized I needed to build and learn how to manage a database. So I started trying to figure out how to do that. And again, I didn't have a strong tech background, so I didn't really know a whole lot about it. So I went to the guys I knew that were the biggest techie guys I was aware of and was friends with, and they worked in the digital forensics unit with the police department. So I went over there and started talking to those guys and said, hey, I need to learn how to do this. They started helping me out, and I ended up going over there probably two or three times a week. I probably turned into a bit of a pest after a while. Eventually, I think they got tired of me going over there and bothering them for all the help I was asking for with building a database, and they decided they were going to put me to work. They said, hey, you seem like you've got some aptitude for this technology stuff, and we've got an opening coming up on our team.
Why don't you come over here? So I put in for that job and I ended up getting into digital forensics with the police department. I did that for about seven years, and through that process found out that I really enjoy technology, and the marriage between technology and people. Through that, I decided I wanted to continue to work in cybersecurity.

Aaron:

Jim, just to back up to digital forensics: I know, and assumed when I met you and we started talking about this, that you've seen a lot of really bad stuff. But through that and forensics, and being able to unpack evidence and all of that, you've done a lot of really good things by taking pretty scary people off the street. Can you talk a little bit more about that? And I know when we've talked, you've talked about explaining technical mumbo jumbo to jurors and judges, and how that correlates a lot in cyber to telling the story to business partners or users or executives. Say more about that.

Jim:

So a big part of the job when you work as a digital forensics analyst, especially in law enforcement, as I did, is being able to take these highly technical concepts and make them understandable to people like other investigators, prosecutors, judges, and juries that may not have a lot of technical acumen. That's not something that they work with every day, and these are pretty foreign concepts. And you do work in a lot of technology. When you are working in digital forensics, you have to have a deep understanding of the hardware, the operating systems, and the file systems that you're working within, and how you extract information out of those systems, and how you do it in a forensically sound way, to protect the data so that it can be used as evidence. And you have to be able to explain how all of that happens to somebody who really doesn't understand the technology. So you end up working a lot of the time in analogy. That's a skill set that I was able to take and bring over to more of the consulting seat, or even the corporate seat, of cybersecurity: take those concepts and use them to talk to people within different businesses, to say, you've got this technology stack, and here's how you want to apply it, but then also here's the way that you can change the behavior of some of your workforce and how they approach the technology. And to understand that you can't solve all those problems just by buying a tool and pushing a button. You have to be able to have that conversation and communicate clearly to your workforce: this is what the technology is doing and how to work with it. And not get too deep into the weeds technologically, so that it's understandable for them and they understand why it matters.
So being able to take that skill set from forensics, taking those technical concepts and breaking them down, has lent itself very well to being able to work in a lot of the programs that we've worked in with our clients, especially a lot of the awareness programs that we've done.

Cody:

Yeah. So that's kind of my next question, really: talking about that translation, when you first got into cyber, from the years on the force and in digital forensics, and taking information that people need to know but that they may not work with or know in other parts of their life and business. But in that moment, they have to know how to stay safe. So if we translate that to Jim of 2022, what are some of the engagements you're seeing, some projects that are showing the most transformation within organizations?

Jim:

The one that comes to mind first is a pharma company that we've worked with, probably between 30 and 40,000 employees globally. We've done a lot of work with their awareness program that has been really impactful. Being able to take a look at where they were when they started and what their folks needed to have an understanding of, and do an evaluation of where the low-hanging fruit is, where we can get some easy wins, but then also where some of their biggest risks are. Taking an evaluation of that: where are they most vulnerable, and how can we take their program and build it so that it addresses those issues? But then one of the other things that I think has been a big win with that particular company, and something that we have had success with at other companies we've done this with as well, is, and this is a phrase I like to use a lot, to meet them where they are. I think it's important to try and put yourself in the shoes of that end user, that everyday employee that is either working in front of a computer or working on an assembly line somewhere. Trying to say, well, what would I see if I were that person coming to work every day, and if somebody is trying to show me some information or give me some information about how I can be more secure in working with information? How do you get that message to those folks? And how do you get it to them in a way that they're going to be receptive to, that they may even enjoy seeing, and that you know they're going to be able to see, because not everybody works in front of a computer every day. So we've done a lot of things with developing champions programs, and building those out so that we actually have people that are liaising with the cybersecurity group but actually work within the job functions that we're trying to reach. So now we've got that person that can help to bridge that gap.
And it's a great conversation piece with those champions, between cybersecurity and those other areas within the business, because then they can tell the folks in cybersecurity, this is what we need, or this is what we don't understand, or this is where we have some confusion. That's great insight for the cybersecurity folks, because then they can see where they can cater the training and how they can tweak it to make it more impactful for these end users whose behavior they're trying to change. So those have been huge. Great wins there.

Cody:

So I'm thinking of things like, you know, awareness is kind of a growing topic, or human risk is another way that people are saying it nowadays. But what are the key challenges you're seeing? Because for a lot of people, I'd say, there's KnowBe4 or Proofpoint, or there's basic training that people send out. But what are some key challenges, and how have you overcome them within larger awareness programs?

Jim:

Yeah, so first of all, I'm a big fan of KnowBe4 and Proofpoint and what they do. I think that they put out great content, so I definitely don't want to throw any shade on those programs at all. I think they add great value. But there is the problem with just the same kind of repetitive training over and over again. Say you get a company where you've got a requirement that they get one hour of security training annually, right? And what you do is find a one-hour video and mandate that the workforce watches that once a year. You've got their attention, however much of it you're going to get, for that one hour out of the year. You can check that box for compliance, to say, well, we've done that, but what's the lasting impact of that for that workforce? And are you really making the workforce more secure? Those programs like Proofpoint, like KnowBe4, have additional stuff: you can put those shorter videos out, and the other tools that they have. But a lot of those, I think, are more geared toward people who are able to sit in front of a computer every day as they do their work, and not everybody does that. We've seen situations where you've got folks that are part of a major sales force, and most of them are road warriors. They're doing everything off of tablets and off their phones. They're spending a lot of time in the car and having meetings in person, face to face. They're not sitting for seven, eight hours a day in front of a laptop or a desktop, able to engage in that kind of training as easily, and they don't want to. So finding ways to reach them with short bits of information, like blog articles, like infographics, and especially if there are things that go along with the company branding.
And then if you have the capability to build some branding into your security program, that just levels everything up, because then it becomes recognizable: something like a character that you use, certain terms that you use that are only for your security program, so that when people see them it rings that bell for them and makes them think about the security program. Those little things that you can add to that program, and then you use those for these quick little bits of information. You send out the infographics about certain topics, password security, information classification, and then you also include those in short blog articles that you can send out via email, or you can embed them in newsletters that are sent out as part of a larger communication to the workforce. But just building that so that you get more of that constant drip of contact with your workforce about security, rather than just, here's your hour once a year. They're going to need those little reminders, and as we all know, working in security, the threats change, and sometimes you have an old one that comes back. One that comes to mind is QR codes. When COVID first started and everybody was worried about touching things, and rightly so, QR codes became very in vogue. You'd go to a restaurant, you didn't get a menu anymore; you could scan a QR code at the table. And there was concern around people attaching malicious code or sending people to malicious sites via the QR code. Then it seemed to die off for a little bit as people got more used to it. And now recently there's been news that it's making a resurgence. Sometimes what's old becomes new again. So you have to have that constant communication going on from security to the workforce to keep them aware of what's current, because things change.

Aaron:

You guys know why that resurged? It was a quick way to bypass Microsoft Safe Links.

Jim:

That's right. Yeah.

Aaron:

People would pull up the phone. So it was very interesting. We saw that blip after COVID because people were using them, but then they stayed in use, and then the threat actors found that it was a backdoor. Jim, I want to ask you one question. We kind of skipped over it in your background, and how you've connected the dots between not only forensics, but the police force and law enforcement in general. I like to think about awareness as: you've got to understand the things you want people to do, but help them understand a little bit about the threat actor, the cyber criminal, the bad guy, or the bad girl, to be inclusive. And Jim, I know from, actually it was a lunch that you, Cody, I think another guy, and I had about a year ago, you gave us some blasts from the past about some of the undercover work, where obviously when somebody is undercover, you pose as a bad guy to infiltrate the dealers and get to the suppliers. Sorry, I didn't mean to do the 21 Jump Street reference there. Nick will be proud. But anyway, talk to us about some of the skills and things you had to do to accomplish human deception in that role, and maybe how we can understand more about a malware engineer, a threat actor that is sending out phishing or vishing or smishing or the other ten -ishings.

Cody:

Take us into the mind of a bad actor, Jim.

Aaron:

Without revealing your persona, that is. It is locked down, so we don't unveil your double life.

Jim:

Yeah.

Cody:

Jim Wailes. What was his undercover name?

Jim:

So yeah, you're right, Aaron, I did breeze over that. But in my time working in criminal intelligence for the police department, I did do some covert work, and as part of that, you use a lot of the same social engineering techniques that get used by cyber threat actors. A part of what we did was just looking the part: you show up somewhere and you shouldn't look like you're supposed to be there. This is more of a physical security kind of issue, but a lot of them cross over, even into the digital. If you craft an email to somebody, and you do so in a way that you use language that conveys that you're expecting an action or you're expecting an answer, that is more powerful than one that is crafted to be more of a request. And just using those kinds of tools, adding urgency. One of the techniques that I used to like to use, if I was trying to get into somewhere, because we would do physical security assessments, one of the techniques I would enjoy using, and it was always a little fun, was to be in a hurry, and generally to have something that made me less likely to be interrupted. Usually it was a cell phone. So if I was having a heated conversation on a cell phone and was dressed to appear like I should be in the area, especially if I looked like I was somebody in a position of authority. Sometimes wearing a suit and tie would help; sometimes dressing up in coveralls, to make it look like I was working on something technical that somebody didn't understand, so they just wanted to let me go do my thing and not get in my way. Little things like that. And understanding the social engineering aspect of human nature, and what makes people uncomfortable, and also what makes people comfortable.
Those are all techniques that we used then, that I used then, and techniques that I see used by threat actors, and things that I now, with my knowledge of that, try to make people more aware of. I point out things like creating a sense of urgency, coming from a position of authority, all of those things that make people less likely to challenge someone, and try to raise awareness of those so that now those become red flags.

Cody:

Jim, and I think about it, too. To your first point, I agree, because I get a text a week from a number that's not Aaron Pritz, that says it's Aaron Pritz, and that needs me to buy him Amazon cards immediately because he's in a company meeting and we can't talk.

Aaron:

Stop doing that. Stop doing that.

Cody:

Well, I said 1,000 is my limit. I won't go a dollar over. So far we're staying with this thing of them living on the corporate credit card. But you said another thing that I wanted to think about: human risk is important, and awareness programs, and keeping the company safe. But let's just pretend there's a world where not every employee cares about the security at their company. Okay, I know this has probably never happened in business, but in that scenario, what are you seeing as far as helping them to understand the importance of this for them personally, outside of just the good corporate ethos or corporate governance? Yeah.

Jim:

Working in government, I didn't always like my employer every day. But I always liked my friends, and I always thought about the people that I worked with and enjoyed working with them. I always had people that I cared about. And that's something that I try to do when I'm working with these awareness programs, if the subject matter is right for it: I try to humanize it and try to get people to think about, if you're supposed to be concerned about the security of the information at the company that you work at, well, why? Most of the time people think it's because of the bottom line, because the company wants to make money, and that's just greedy. I try to get people to back away from that sometimes and think about, this is where you work, right? This is your place of employment, and it's also the place of employment for these other people that you work with that you care about. And by protecting the information that is owned by the company, you're protecting yourself, but you're also protecting all these folks that you work with. If you get a major data breach and it's very costly for the company that you work for, well, somehow that's got to be paid for, and that puts the company at risk, and that risk can potentially lead to job losses. By protecting the information that you work with, you're protecting not only your job, but the job of everybody that you work with. Not only are you protecting it, you're helping the company that you work for to thrive. So maybe there's going to be more opportunities for you in the future. Maybe there's going to be more opportunities for the people that you care about that you work with in the future. It really is about the people, and trying to get people to change that mindset from "it's about the bottom line" to "it's about the people that you work with and around."

Cody:

Yeah. Great. I mean, all great points, and I love the background and the transition into what you're doing now. So two things here. One, I always like to say, for our listeners and for our fellows that are listening early in their career: what advice would Jim of today give Jim of 10, 15 years ago, just getting into the industry? What do you know now?

Jim:

So I think the first tip is, don't assume that cyber is all about technology. It's not; it's about people. Technology plays a big part, but technology enables information security. It really is about the way that people work with information, and the processes and procedures. Having the right tools helps to make that easier. The technology helps to make it easier; the technology enables us to do things with less effort and do things faster. But really it's about information and the way that people interact with it. So you don't really have to be super technical, and that was an assumption that I made, and that I know a lot of other people have made, being kind of a job changer into cyber: thinking that you have to be super technical. And you don't, because it really is more about people and processes. The technology helps to make it happen, it really does, but it doesn't have to be super technical all the time.

Cody:

So now flipping that, looking into the future: this is Jim talking to himself five or 10 years down the road. What areas do you think will continue to improve the most? So based off of current, and then future.

Jim:

So future me, when I have those conversations with future me, the things that I think can be most impactful are things like organizational change management, and getting more experience with that. Learning how organizations get that information across to the workforce so that they can get that organizational change made. A lot of these companies, they're not tugboats, they're battleships, and it takes a long time to turn them. It takes a lot of effort to get that done, and developing a plan for that, so that you can get that information organized in the right way and figure out a schedule that you can develop to put that information out, so that you can get that consistent behavior change. That's something that I'm concentrating on personally, and I think it can be very impactful for a cybersecurity awareness program to have a better understanding of that. And then some of the other things around the processes. An interesting idea that I've been talking about with one of the other guys that we work with is the post-pen-test evaluation of things. Looking at things to say, okay, you've had a pen test and these vulnerabilities have been found. We've seen situations where maybe there's a certain number of servers that are in scope for a pen test and vulnerabilities get found there. And then the following year, or three years later, there's a different set of servers that are within scope, and those same vulnerabilities get found. So we're finding the same problems over and over again, just in different areas of the business. And the conversation came up about, well, what's the root cause of this? And does it go deeper than just a misconfiguration?
Is this something that we can take back to the way that the processes themselves are being set up? Are there policies that can be changed that then impact the process and how things get done, so that rather than bringing a new server or set of servers online and setting those up the same way that we did in the past, and now setting ourselves up to have that same vulnerability present, we can take a look back at our processes and do an evaluation of that and say, okay, let's treat the disease and not the symptom, right? Let's find out what the root cause of this is, and then we can do an overall process improvement so that we don't continue to have these going on in the future. And we can spend less time on those and more time concentrating on other things to improve the program. So we're still trying to build out the idea. But just interesting conversations that we've had about, how do we help folks be more secure?

Aaron:

Cool. Quick pause. We can edit this out. I saw the stuff in there about pen testing. Cody, do you want to do anything on that, and then we can trim to the best parts of everything, or what do you think?

Cody:

Let's see, pen test. Yeah, I like it. I mean, I still like the, I mean, this is all trimmed out. I still like the part about, heavy on the awareness part, because that plays right into his background. So the background is translated. And then I think the future, looking forward, about the awareness and OCM, are probably the two biggest things. Pen test, I'm not sure how much the crowd knows about pen tests, but it's up to you if you want to double-click into it. But I think the nuggets were in the awareness and OCM stuff. All right, Jim. So I do always ask this question to all of our guests, and feel free to just tell us the most intimate personal secret, you know, that you can. So I want to preface it, but for listeners and for us out there, give us an interesting fact that no one would generally know about Jim Wailes.

Jim:

So I think one that most people would never really guess, because I think it's maybe not as common as a lot of others: I was on the water ski team in college. I grew up water skiing a lot. My dad bought a boat when we were kids and we'd go out to the lake almost every weekend. So I started learning to ski when I was probably, I don't know, five or six years old, and just continued to do it as a hobby growing up. I was looking for something to do when I was a young man in college, and gravitated toward the water ski team, and did that for a little bit and had a great time.

Cody:

Water ski team in college. Excellent, man. All right. Well, thank you for sharing that, man. I appreciate that. I have to see a pic sometime, man.

Jim:

There were no cell phones when I was in college, so there are not very many pictures.

Cody:

There's gotta be a Polaroid somewhere. Well, awesome, man. Thanks again, Jim, for joining us. We really appreciate hearing the story, and love working with you, and you've done some phenomenal work. So, Aaron, I'll let you wrap us up, but yeah, Jim, thanks again.

Aaron:

so much more that could be applicable to cyber: military professionals, and I've helped people that were in sales roles, that were in financial roles. There's a lot of potential to move into cyber. You've just got to find the synergies and really bring the diverse ways of thinking that maybe a traditional tech-background person might not have. So thanks for joining the field, and yeah, love having you on the team.

Jim:

Well,

Aaron:

much everyone. Have a great

Jim:

for having me. All right. Thanks, guys.