
Show Notes: Crypto Risk, Improving Industry Practices, and Beyond with Ilya Umanskiy GRCP | Episode #29

Overview

In this next episode, I was joined (once again) by Ilya Umanskiy, an experienced security consultant who has advised security organizations and supported physical security, resilience, and investigative projects worldwide.

(It’s a tradition for me to join Ilya for a podcast session around the end of the year.)

In our last conversation (Episode #1), one of the most downloaded episodes I’ve ever published, we discussed Ilya’s career path and his projects to support aspiring practitioners.

Today, we touched on a range of topics, from how to improve the security industry and recognition for practitioners to crypto risk management, and so much more.

I hope you enjoy this wonderful conversation to wrap up 2023 and kick off 2024.


Highlights from This Episode

  1. Nobel Prize of the Security Industry: Advocating for global recognition of outstanding contributions in the security sector.
  2. Understanding Crypto Risks: Emphasis on understanding blockchain, trading in cryptocurrencies, and the psychology behind digital currencies.
  3. Common Crypto Frauds: Description of prevalent frauds in the crypto space, emphasizing their human and psychological aspects.
  4. Disconnect Between Security Practitioners and Clients: Concern about the lack of uniform standards and understanding of ‘good security’ in the industry.
  5. Ethics in Tech and Youth Education: Advocacy for integrating ethics and philosophy into the K-12 curriculum to address the challenges posed by technology.
  6. Reactive vs. Proactive Risk Management: Acknowledging the industry’s failure to instigate proactive thinking in clients.
  7. Upstream Thinking in Security: Applying the concepts from “Upstream” to preemptively address security vulnerabilities (when possible).
  8. Lack of Global Standardization in Security: Observing the need for a universal language and standards in the security industry.
  9. The Role of Trust in Security and Society: Discussing the declining trust in technology, governments, and other institutions globally.




Transcript from this episode

*Note: this transcript was generated using automated software and may not be a perfect transcription, but I hope you find it useful.

Travis  0:01  
It's a pleasure to have you back. You were actually the very first guest that we had, on podcast number one, and now we're up to almost 30. So you'd be pleased that I haven't quit yet. I was doing some research about podcasting, and apparently, once you reach episode 20 or so, you're basically in the top 98% of podcasts, because the vast majority of people eventually figure out that they can't be consistent enough, or they're not disciplined enough, or they chose the wrong topic and they're not passionate about it. So I'm very happy to be reaching almost episode 30, and it's awesome to have you back. Last time, we talked about lots of different career perspectives; we talked about your career, how you were coaching and helping younger professionals. So it's a pleasure to have you back, Ilya. Very grateful.

Ilya  1:13  
Travis, the pleasure is all mine. I really appreciate that. You have such a positive perspective on delivering this content to the community; it's very much needed. So first of all, keep it up. And secondly, I really appreciate how you've been taking the time to be thoughtful about including different guests with different experiences on your podcast and giving them a platform. Sometimes we can disagree as practitioners, but that's the fun of it: together, we build something that could be a better legacy for the next generation of practitioners. And they can make their own choices about who to listen to, how to aggregate our collective knowledge, and how to shape their careers. But if we don't have a forum like this, which is what you're sharing with everyone, what you're providing, it gets a little bit more challenging. So whether you understand it or not, whether you feel it that way, you're already helping move the industry forward. So I'm very grateful.

Travis  2:21  
Thanks, I really appreciate your support. And just today, I stumbled across an article. This was a post that you made on LinkedIn back in 2016. I'm sure I'd read it back then, but I kind of forgot about it. It was called "Ideas for Improving the Security Industry." And after rereading it today, I thought, wow, this is almost like the battle cry for the Security Student Podcast that I didn't know I had. So I'm definitely going to link to this in the show notes. But I was rereading it, and there are so many great ideas in there: about creating universal definitions, about adopting frameworks for security, about standardizing some of the education and experience requirements for executive-level security roles. There are some really awesome ideas in there. And one that I wanted to dive into a little bit more and get your thoughts on, with a little more background: in this post, number nine, you mentioned implementing a global professional achievement recognition program. And I wanted to ask you, could you share a little bit more about that? What did you have in mind when you talked about it?

Ilya  3:40  
First of all, thanks so much for digging through the past publications; we both probably do the same. I always try to remind myself what my thought processes have been at the time when I, let's say, wrote something back in 2016, when I really started trying to share my ideas, thinking that there's not enough of a platform for practitioners to actually share those ideas. That's when I went on LinkedIn and started trying to share ideas with the community. And so you'll probably be surprised, and so will your listeners, but I look at this as the Nobel Prize of the security industry, no less, simply because we have such a fantastic story to tell, regardless of the challenges that we have. Okay? We so far have not been able to communicate what a great set of accomplishments we as a community deliver to our clients, to those who look to our advice, to those whom we support. And so far, what I notice is that we live across multiple industry associations; some of us do, we kind of traverse those associations. So you might appear at the forum for one and you go to another. But as an industry, I feel, focusing on something more central, a form of a global recognition system that looks at practitioners and how they deliver value to organizations, I think is something missing in our community. We are such an important part of the global commercial and public sector systems that I feel like our contributions are recognized, sometimes, you know, by our own brothers and sisters, if you will. But that's not really enough; there has to be something almost like World Economic Forum level, where we as practitioners get the recognition we deserve, because the case studies are remarkable. I mean, I'm not going to bore you with too many examples, but we had people who did sacrifice their lives during 9/11, only thinking very quickly on their feet, being senior security executives, and helping hundreds, if not thousands, of people evacuate the towers. That's just one of the examples. But we have so many more, especially in more recent years. And it is just because of the fragmentation that we all, unfortunately, within our industry are still subject to, that we're just not able to organize ourselves in that manner. But I really hope that we will.

Travis  6:55  
Yeah, that's a really interesting idea. And I think it could also span other categories, too. Of course, you have individual practitioners who are making a difference in their organizations, or maybe they implement some change or do some training opportunity, or they do something that has a much larger impact. Maybe it stops an attack, maybe it saves someone's life, something like that. You have those. And then, just over the past couple of weeks, this has really been stuck on my mind: I was listening to an interview with a gentleman named Tim Kennedy. He's a former Army Special Forces guy, but he's also involved in all these different entrepreneurial projects that are really focused around helping the general population, the average person in the US, develop skills for emergency preparedness, for medicine, for really just being prepared to react to difficult situations that they're going to encounter in everyday life, especially as we think about how much uncertainty there is in the world, with wars, with economic challenges, with political issues. For someone like him, being able to spread his message and his philosophy and his thoughts to such a broad audience, even far outside the scope of security practitioners, it's something like that that could have such a gigantic impact. So I do think that is a really cool idea for a global recognition award. And it could be across many categories. I really like that idea.

Ilya  8:48  
Yeah, we as a community, like I said, we do come together to recognize each other. And that's fine. I think that the world is so volatile today, and our work is so important, that I think we should start thinking far more broadly, and finally bring that recognition and align it with the profession we are so keen on building and delivering to the next generation. Because you and I have talked about how we can professionalize our field, our industry. And this is one of the ways in which you can start really diving into the substance of the work that many of us do, and deriving the benefits, the greater benefits, beyond just one flavor. You know, we have practitioners who might have influenced an entire industry with their innovative approach, with how they've applied security, and other practitioners are learning from them. And so there's a lot of merit for this global award. And it also helps look at the skill sets of practitioners across the world. Because I'm very humbled to tell you that when I came to Asia, now many years ago, in 2012, it was very interesting to see how there are some practitioners here who could run circles around a lot of practitioners in the United States. And, you know, probably a smaller community of those in Asia; nonetheless, to what extent are we offering that equal opportunity for practitioners who know their stuff to be recognized, whether or not they live in the States or in other countries? So I think that, like I said, we owe it to ourselves to really get this up a notch, and begin, really, this wider forum, wider recognition system, for really accepting that we're doing a great job for our clients, and then those who may not be doing a great job will probably have an opportunity to learn more and to change their approach. But I think that beyond our associations, we really need to think how we can work together and not separate ourselves into echo chambers.

Travis  11:35  
Yeah, I think that's a fantastic idea. And then even just thinking about recognition on the most micro level possible, like within our own organizations, or we see it with some of the security industry associations, really just being able to highlight some of those practitioners that are doing outstanding work, that are kind of like the role models that we all want to emulate, that we should emulate. I feel like that adds so much. And also I wanted to ask you, Ilya, getting more back to you, I was curious, for this year, or maybe for the coming year: what are you focused on learning? What are some of your learning goals? Are there any particular areas that you've been focused on, or projects that have had your attention?

Ilya  12:28  
You know, this is, again, a humbling experience. I have a very good colleague in our CEO, Bjorn Wallstrom, who always tries to put boundaries with the services and the quality that we deliver to clients. And very recently, we started a crypto advisory practice within our firm, and it's been growing steadily. And we now are proud to have delivered multiple projects. And we have been doing that before, but in a slightly less organized fashion. But now it's got the marketing backing, it's got its own legs, if you will. And interestingly, I had to pause and remind myself that I knew very little about crypto, and Bjorn was actually smiling when we had conversations. He's like, well, you know, it's nice that you can go to a Bitcoin ATM and buy a fraction of a Bitcoin by putting a paper bill into that ATM. We did that in Hong Kong just as an experiment, right? And that was a revelation for me. And obviously, that elicits a lot of questions, a lot of curiosity: well, what am I doing? What kind of process is this? How is it organized? You know? So, if you're a risk management practitioner, you kind of start asking questions, and you start applying the skills you've learned before to this new field. Now, I have to tell you that I'm proud to say that I've authored our court-ready report template. So this is something that we learned from several cases: how to present information when you're working with legal practitioners, what do they expect, particularly in crypto cases, because it's always work in tandem. It's very rare that you would just have investigators riding around and trying to recover assets for victims of fraud. And so here you work with legal practitioners; they have to go in front of a judge, and so that entire process. But it was an interesting learning experience, and I look forward to learning a lot more about the ways in which you investigate fraud in crypto, ways in which you recover assets, and how you interface and collaborate with practitioners on, I suppose, three sides. So one would be the client, because they have their own perspective, of course. And mind you, it's interesting, because I was interfacing with one client recently, and I asked them, have you ever worked with investigators? And their answer, to my surprise, was no, we never have, and this is the first time, and they'd lost quite a bit of money in crypto. And so then the second part of this, another collaborator of ours, is the legal team, or multiple legal teams, because it might be a project that covers multiple jurisdictions, and legal teams sometimes are jurisdiction-specific, right? And so one firm will work with another firm, because they're filing in different courts. And you have to be a very, very good listener, and really try to navigate the intricacies of the fraud, the way lawyers are shaping the legal strategy, and how they're looking to present their cases in court. So here I am telling you about my recent experience. And this is what I'm hoping to learn in '24, to apply more of my skills. And I'm learning both this soft way, the qualitative way of how you run different asset recovery and investigation projects, but at the same time, I'm also learning how investigative tools work. So for example, we have a license from Elliptic, right, which certainly saves us a lot of time in trying to get the results for our clients. But it also has ways of improving, if you look at it from a purely investigator's perspective. So you talk about learning in 2024; if I stay on that topic alone, it's going to pretty much fill my year, because there's so much to do, right? But at the same time, I also want to learn more about the field of fraud management. I want to explore how the changes in the world today, the changes in economies, politics, the way businesses operate, what kind of new frauds are arising, because we see some examples. Some of them are very much related to crypto, some of them are related to different means and methods. And that's a topic, that's an area that's really, again, it could fill the year easily, in trying to explore how criminals today apply different means and methods to perpetrate their fraud. So I suppose that's my answer.

Travis  17:45  
Well, that sounds like quite a lot. For me, personally, I know I'm definitely very much a novice around all things crypto. I saw a really fascinating interview not that long ago with a gentleman who goes by the name of Coffeezilla, and he does lots of in-depth breakdowns of financial frauds, and then just other common frauds that we see online throughout the culture, everything from the FTX scandal all the way to people on YouTube running different types of frauds where they try to convince people that there's a specific, I don't know, health intervention for solving their problem, or that they need to pay $10,000 to learn how to become an online millionaire in the next 12 months, or any of these crazy things. So I am really fascinated when it comes to some of those crypto frauds in particular. Yeah, and when you talk about crypto risk management, where does one even start with breaking down the topic of crypto risk management?

Ilya  19:02  
Good question. Thank you for asking. By the way, just on the tail end of your thoughts, I want to say that Coffeezilla is actually a very interesting example, because he fills this void between a YouTuber and a journalist and an investigator. So it's very interesting how a young guy just decided to find a niche for himself, and I do watch some of his content, and he is very cool. The production value, the way he delivers content, is something for all of us to learn from in how you communicate your thoughts, ideas, whatever. So where does one start in crypto? I'm probably not the best person to answer that question competently, but I will try. First and foremost, one would need to understand blockchains and how they're designed, built, and how they operate. And now, the reason why I use the plural for blockchains is because they are different. Okay? So a blockchain can be built in a very private mode, where it serves the purposes of just one organization, or a blockchain could be global, where, for example, Bitcoin is built on a blockchain, right? And so when you as a participant, let's say if you're buying a fraction of a Bitcoin or a full Bitcoin, you are adding digital records to the blockchain, there is a question of what is data provenance. Okay, and so there's, I think, a symbiosis between the design of blockchains and data provenance that one would need to understand. And then I feel like just starting to learn what the world of trading in cryptocurrencies is like, starting with the most obvious, Bitcoin, right, then do a little bit of a deep dive into what Bitcoin is, how it started. The very fundamental idea behind Bitcoin is the point of agreement. So think about how we value our paper bills, or, you know, the fiat currencies, right, the US dollar or various other currencies around the world: we as a society agree that this is a valuable instrument. Okay. The same agreement is required for cryptocurrencies to be successful. Okay. And it is interesting how, then, you see the breakdown in trust across the crypto world, a very different dynamic when you compare it to fiat. And because fiat is fairly stable, right, you know it's backed by the government, you know it's got value, it fluctuates, of course, but there are very few crashes, if you will. Well, in crypto, it's the opposite: you'll have somebody, an influencer, propping up a coin just to make money. And they know this thing is worthless. And yet enough people agree that it has value that it props up the price of the coin, and therefore some people, a very small group, make a lot of money. And then a larger group... The interesting dynamic here is that the space is so unregulated that you see failures, like you said, the FTX failure, the many other coins that have come and gone, the Dogecoin, the Luna, Terra Luna, whatever. And so there's so many of these failures, simply because... it's interesting to observe the choices that the founders of these enterprises are making in obscuring their identities and obscuring how their organizations are set up and where they're registered, because a lot of these companies are offshore, and then trying to present this veil of trust to their customers. And so there's lots to be done. But I'm trying to just paint a picture of where one would start and what actually currently exists, right? Everybody got taken by the failure of FTX. Okay, everybody, and people who have years and years of experience in traditional finance, because very large investment firms, hedge funds, were playing with and aligning with FTX, and also celebrities did that, because they were paid crazy amounts of money for presenting that brand. Right? And it really is a very nice litmus test of what's going on with our societies: what do people believe? Who do they believe, and where is the breakdown? So you can start at the crypto side, right, studying Bitcoin, studying blockchains. But you will quickly realize, if you have enough observational skills, that unfortunately, it's a very human problem, like anything else around us. Right?

Travis  24:56  
Yeah, that's interesting. And as you're talking, you talk about how the fiat currencies at least have something behind them. At least there's a government and a military, something. But then, yes, for so many of these coins, like Dogecoin or something, it's really just the belief that this coin is going to go from a couple of cents to being worth something else. And yet a lot of it too, like you mentioned, is around personalities. I have some friends, and they're infatuated with some of the tech entrepreneurs that push some of the different types of crypto coins. And yeah, it's nothing; it's very much their belief and their infatuation with some of the personalities and their, I don't know, their grand visions of the future, of what the coin will turn into and how it's going to be used. Yeah, it's really interesting that much of it comes back to just human belief and psychology. And I won't turn this into the crypto hour. But okay, one more question. I was just curious, are there any frauds that are more common than others that you see in the crypto space, or that you deal with with your organization?

Ilya  26:21  
Yes, I'll tell you about a few that recently came up on our radar, that we worked through with clients who were, by the way, quite emotional. One client, I don't think that they ever recovered most of their funds or all of their funds. That was a big loss for them. And their emotional state was pretty difficult to watch. It's a combination of digital cons. So for example, in one of our cases, the fraudsters were observing patterns of how one wallet was making transfers to another wallet, and they then created a wallet of their own that had a few characters at the start of the address, and at the end of the address, that were exactly the same as the legitimate receiving wallet. And then, as they noticed the pattern and the hours and days of transactions between the legitimate wallets, they inserted themselves into that scheme. And then they basically replaced the legitimate wallet, using the client's inattentional blindness. Okay, again, a psychological trick: the first few characters of the address are the same, the last few characters are the same, and the middle may not even show up on my, you know, user interface, if I'm using a mobile phone, which is what a lot of people use. And the client transferred quite a bit of money through that attack, and the recovery is a very challenging process for the client and for everyone else involved. Another way is basically a traditional type of fraud that then has a crypto transaction component built into it. So for example, a client could be dealing with a regular fraudster who basically says, yeah, I'll sell you this commodity, this product, right? And the client is dealing with that fraudster online, basically interacting, truly thinking that, yes, this is a legitimate operator, and I trust them. And there's also a bit of a bias, because the commodity they're looking for is really valuable to them. So they're really interested. So they kind of lose the sense of risk. And they follow what the fraudster does. But then the fraudster, in order to obfuscate how the money will be taken, starts in fiat, and then at some point basically tells the client, actually, it would be easier if we start making transactions in, let's say, cryptocurrencies, Bitcoin and Ethereum, and so on. And so then that traditional fraud, at some point, changes to being a hybrid between your typical con and the added component of crypto transaction and obfuscation. And so that's, again, a combination. You know, both frauds in the examples I've just given you have a very significant human component; there has to be some sort of interaction that will take place between the victim and what the victim believes is another human being. And then from that point, it could either immediately jump to a crypto world where transactions start taking place, or it gradually arrives at the crypto transactions, just because it's easier for fraudsters to hide the proceeds of the fraud. So those are some of the cases. But we also have these just completely abusive cases, or I should say exploitative cases, because it's very, very clear from the very beginning that the victim is dealing with a dishonest operator, because they're basically, oh, I'm this, you know, beautiful girl, here's my photo, I'm based in Macau of all places, and I know of this crypto investment scheme. And the victim is somewhere in another country, and they are taken by how beautiful the girl is, and obviously, you know, whatever they fantasize, and their sense of risk is depleted, and they trust, because they received very positive, kind, and enticing words their way, maybe they don't receive that on a daily basis, so their sense of risk is non-existent. And they then are the victim of... they're being taught how to trade in crypto; you know, they might not know at all how to do it. They're walked step by step; all of the interaction happens on WhatsApp. And in the end, that person loses US $10,000. Right? And then we've had a couple of calls with people like that. And we're like, well, even if it's $100,000, the recovery effort is going to cost you half of that, if not more. So what do you think that victim will do? Right? Yeah, they can go file police reports, they can move into those kinds of formal channels, but very little can be done, to be honest, by different jurisdictions without a very lengthy, involved, meticulous process, which is costly. So those are a few things that we've been picking up.

Travis  32:46  
Yeah, and as you're talking about some of these different types of crypto scams, I'm kind of thinking through some other similar social engineering attempts. But it's really just them taking similar social engineering attempts that already exist and making crypto another part of it. Like you mentioned the naming conventions for the wallet. It's just like when you get an email, and it has your boss's name in the first half of the email address, but then they're asking for Apple gift cards. Or you mentioned the romance-type scam; those are also so common. And it really just shows how much more education there needs to be, not just in the US, but really all over the world, for being aware of how some of these different scams initiate, some of the different indicators of, you know, anomalies that need to be investigated. So, yeah, it really does highlight a need for education. And I'd be curious to learn too, and you don't have to talk about it, but I also am curious about the age cohorts that happen to be being defrauded the most. And also some of the means, whether they initiate over the phone, or they initiate in person ever, or just 100% online. Those are just some of my initial thoughts, but I won't bug you with crypto questions for our whole session today. But there's another topic I wanted to ask you about, Ilya, too. And this is something that I've heard you talk about online quite a bit, and that was around the disconnect that you see sometimes between security practitioners, security departments, security consultants, and then the end clients themselves. I wanted to see if you could share a little bit about your thoughts on this.

Ilya  34:54  
Yeah, I appreciate it. Thanks, Travis. Well, imagine a situation where you visit a doctor. I was just actually giving the same analogy to a client. And you are receiving this information from a doctor, and the doctor speaks in terms that are medical, right? And so they're giving you some terminology, but they're also trying to use plain language, right? So what they share with you as a patient is the tiniest of slivers of their total knowledge. And it just so happens that doctors, in most jurisdictions, I'd like to think, are a fairly trusted authority, right? So they are subjected to very rigorous academic testing, professional testing, apprenticeships, and so they arrive at their professional station in life having significant experience, for the most part, to share with their patient: their opinion. But unlike the doctor-patient scenario, we as an industry, in security and asset protection, haven't yet reached that station in life where we can claim to be of the same stature as doctors, engineers, lawyers, and other professions that have very recognizable reputational paths and professional paths. And so when we interact with our clients, the message that we share is, for the most part, not uniform. So we don't use exactly the same terminology; we don't use exactly the same means and methods. And so it's not really recognizable by a client in one jurisdiction versus a client in another jurisdiction. Yes, there are some fairly similar expectations. But even those expectations, for the most part, are fairly below what we as practitioners think a client should, you know, how a client should operate, right? And as a result, what happens is the client is none the wiser that they're actually being sold snake oil. They think that it's the right approach. For example, why is the American video surveillance market saturated with Hikvision? So this is a question to our entire audience. Why is it that Hikvision and Dahua have been so successful in saturating the market, whereas the reports about concerns regarding these two brands in terms of cybersecurity and exfiltration, infringement on privacy, on intellectual property, and so on and so forth, right, exfiltration of information, have been circulating since, I want to say, about 2016, 2017? Right? And to this day, we have clients who just have no idea. All they know is that they have video surveillance, but nobody told them that actually this brand has had a dodgy history with concerns regarding exfiltration of information, and cybersecurity, and so on. And also those brands obviously have this slightly more political angle, too. But the question then is, do the clients understand? So the gap that I see is across the board, not just in video surveillance, but in the way executive protection is delivered, in the way security assessments are delivered. Clients actually don't have the wherewithal to evaluate what a professional product looks like, what a professional solution looks like. Right? And we don't have standards. We don't have enough professional stature to give clients just some easy resource, a reference library, to say, okay, well, in order to, let's say, get into the security assessment, right, I should be expecting A, B, C. Okay. That's why, when you see requests for proposals coming from clients, whoever helps them write those proposals, or those RFPs, right, they sometimes are so shallow, and they don't have the right metrics in place; they don't really ask for the right things. They believe they're buying a security assessment, and instead they're basically buying a facade of security, security theater, if you will. That's Bruce Schneier's words, right? So the gap I see is: here's the client who puts their trust in the competence of a security practitioner; that client does not have a way to understand what good security looks like. And we as practitioners also are lacking the means and methods and resources to demonstrate what good security looks like and why. And so when the clients have challenging conversations with us, when they challenge our positions, what we tell them, and how we propose to deploy security, the reason why clients challenge us, like they wouldn't challenge a doctor, to be honest, or a lawyer, is because we have these sophomoric competency standards. The clients have uneven expectations, and sometimes they're jaded, and sometimes they're tired of receiving poor security. I mean, how many people can you ask on the client side and say, what do you think of security guarding? What type of answers are you going to receive? Very rarely will you have a client saying more than, it's just bodies in uniform, and I think I'm paying too much for it, or do I need it at all? Okay, so that is yet another example of why I feel that across our industry, every service that we deliver suffers from the disconnect between what a client needs, really, and what they're aware of in terms of standards and what good security should look like, and our ability to communicate and deliver that good security in a justifiable fashion.

Travis  42:44  
Yeah, that's a really good point. And as you're talking, I'm thinking about some of the security vendors out there that have incredible marketing, that have a fantastic sales organization behind them. But then, when you look at how their products are performing out in the field, there's one weapons detection system that comes to mind. And I see so many mentions of them where, in the places where they get deployed, particularly in education, essentially every time it gets deployed it's a failure. It doesn't do what the end user thought it would do. It disrupts their everyday operations. It makes them have to do all kinds of quirky policies so that they could kind of implement it, but kind of not, and find ways to shoehorn these different systems into their everyday operations. And it's because they don't necessarily know what good security looks like, or they're just not familiar with the security process of starting with a risk assessment and identifying the assets, the threats, what they're trying to prevent, what they're trying to stop. Without having done all of that, it's easy for them to fall into a trap when one of these vendors reaches out to them directly and has a great slide deck that talks all the right language. And if they have the money, you know, it's easy for them to make a poor decision and invest in something that looks really cool, where they could go to the executive board or their boss and say, "Hey, look at this great, cool piece of technology that we implemented," but then at the end of the day it doesn't do what they said it would do.

Ilya  44:47  
Yeah, and now, if I could jump in for just a second to add here. My suspicion is that not only do the clients not know what good security looks like, but I fear that we, as a community of practitioners, don't know what good security looks like. So ponder on that for a second. You know, I've worried that if I am in a room with Akhmatova, with, I don't know, my, you know, boldly Mateus, Travis le shock, John Friedlaender, right, Shawn Aaron's, Matt Dimmick, right, and we all are sitting and discussing security, I worry that I will walk away feeling that we each have different perspectives on what good security looks like. And I respect each and every one of the people at the table. And so why is that? That's the part that I have to struggle with every day with clients who are looking for security advice. And every time a security practitioner says to me, "Well, that's just what the client wants," okay, that moves us farther and farther away from actually making a case for what the client actually needs and building from there. That should always be the starting point. I understand it's harder, I totally get it, because it's easy to sell a commission, because it's less expensive, the client doesn't want to spend a lot, I get it. Okay, you could sell more trinkets that way, fine. But when it comes to the actual point about how do you justify the fit for purpose? And how do you meet the client's needs when they're apparent to you? And what is the gap in your communication between what you believe is necessary and what the client wants to see? Or based on what level? We don't know, right? And who was their advisor previously? That's again the question from it. How did they come to think that they need 100 cameras around their 10,000 square foot facility? Right? How have they been informed, by whom, right?
Every consultant who says, "That's what the client wants," and does not tell the client that there's a delta between what you want and what you actually need, I think that there's a concern. And I feel like it's ever present. We as practitioners, unfortunately, we sit around the globe, we only have associations that are disparate. So far we're not speaking the same language, and therefore the clients are none the wiser. So I see a lot of mediocre security being purchased, and mediocre at best, I should say. And the clients think that it's the best thing since sliced bread, and then to convince them otherwise is a more challenging undertaking.

Travis  48:08  
As you're talking, it reminds me of one conversation that I had when I was back at my old company, talking with Fred Burton. He has a really interesting perspective that when clients would reach out to him and tell him, "Hey, I need extra security," or "I need this, I need that," he would always start off the conversation by trying to dig deeper and figure out why they think they need a security detail, why they think they need the security technology at their house, or why they need X and Y. And I think that's a really fantastic approach for a lot of security practitioners to take: not just accept, okay, the client wants to deploy 100 security cameras at blah, blah, blah, but really to dig in further and make sure it's something that they actually need, something that's actually going to serve a legitimate purpose for them. So I think that's one really cool idea that I took away from a lot of my conversations with Fred Burton, around understanding the why or the motivation behind what the client is asking for. Because when we can understand that, we can tailor the solutions to be so much better and actually provide whatever it is that they're looking for that's under the surface, rather than just their initial request for whatever security technology or whatever service. And yeah, I

Ilya  49:36  
agree, I think Fred makes a very, very good point. We sometimes don't prod enough with clients to understand two things. One is what Fred mentioned: why, why are you trying to do this? What's so important to you that you're asking for this, right? And another is, are you going to be a competent steward of the solutions that you're buying? Okay, time and time again I wonder, why did this client buy the solution? Because it seems that there was a significant investment, and it's working at a marginal level at best. Okay. So, you know, the easiest way to think about it is our mobile phones. Okay? I dare say, every time you buy a mobile device, let's say you upgraded your Android phone or the iPhone to the newest model in 2023, okay, it is so feature rich that I would like to think that any normal user would be using probably about 30% of the features. But you have invested in a device that, you know, does so much more, but you just don't need it. Okay, so it's easy, because the barriers of entry, you know, for a mobile phone upgrade are so much lower. Like, okay, fine. So you buy something that's overdone, over designed, with features that you may use once a year or once every five years. That's fine. But in security, that's very different. Okay, you invest money into something that brings immediate liability and responsibility, like it's right in front of you. Okay, the moment you sign on, you ink the contract, you're buying something you are fully responsible for. You're demonstrating that you are enhancing your security to the rest of the world, okay? Auditors, lawyers, your customers, whomever you're facing in this world, you're demonstrating to that group of people that this year you will improve your security. And if, in fact, your security is not really improving, okay,
through your investments, it's actually deteriorating because of poor choices, right? What are you subjecting yourself to? Right? Yes, you know, on the one hand, yeah, there's a lot of bells and whistles, but we can't just think about how easy it is to buy an iPhone, because you're not responsible to anybody; it's your personal tool. But here, you're buying an extra set of responsibility and accountability. So in a sense, it requires a much more thorough conversation.

Travis  52:40  
Yeah, that's also a great point, thinking all the way through the additional impacts of having to implement those security solutions. Whether that's, like you mentioned, added liability in these different aspects, but also just the gigantic task of maintaining it all, of keeping it up to date, of doing periodic upgrades, of testing the technology, of verifying that it's working in the way that the manufacturer said it would be working, and then having someone be an administrator and oversee all of that. I think it's easy to, like you said, get caught up in the bells and whistles but not think through the long term requirements for keeping a successful system in place that's going to do what you originally wanted it to do. And also, I do really like your idea of talking about how, really, we can't start with educating clients if we don't necessarily have a minimum standard of education for ourselves. And this connects back to another recent podcast; that one will be going out probably a couple weeks before this one. But I was chatting with Jim McConnell, and he's a director with a telecommunications company. And one of the big ideas, I can't wait for my conversation with him too, was just around us personally, and then also within our organizations, defining the different assets, defining specific definitions around security, from risk, threat, vulnerability, all these different aspects, so that we're all using a common language. He talked about doing it, you know, as a consultant having specific definitions for those, but then too, working in a larger corporate setting, ensuring that everyone's speaking the same language.
And that kind of goes to show that, you know, from working in one corporation, to being a consultant, to working in a startup, all of these people may have different definitions for all of these different aspects of security. Which is interesting.

Ilya  55:01  
Yeah, absolutely. Couldn't agree more. We have a tough road ahead of us. And the world is not getting any easier to deal with.

Travis  55:12  
Yeah, absolutely agree. And then another topic I wanted to touch on. This is something that I've heard you talk about over the years, and I've heard you reference one book in particular, Upstream by the Heath brothers. And actually, I noticed recently, it looks like Ontic, at their next annual conference, their next annual get together, they're actually having one of the Heath brothers come and talk specifically about Upstream in terms of security, which I thought was really cool, because I feel like I got that book recommendation from you. And then I think I might have told other people in that marketing department or in that space. So it's kind of funny how I think that idea hopped from you to me and then back to Ontic, which I think is really funny. But I wanted to hear your thoughts on how you see upstream thinking influencing the work that you do.

Ilya  56:10  
Well, first of all, I'm very happy to see that you and I are kind of contributing already to the success of an organization like Ontic in a small way, in something that may not be necessarily immediately visible. But that is how a lot of new ideas and new solutions and innovation happen. It starts from nothing, you know, and all of a sudden that somehow scales up. So it's amazing to see that our casual conversation about a book, and then you mentioning it to someone at a firm that you worked with, really takes off. That's awesome. And I think that inviting one of the Heath brothers to their event is a huge leap. I think that everybody will be impressed by what will be shared. So how I look at upstream thinking. You know, on the one hand, the many years of experience have taught me that I can't just go by wishful thinking, in the sense that, unfortunately, we deal with clients that don't wake up to risks and threats until it really hits them. And so what upstream? You know, it's like, look at FTX. I mean, again, I'm not trying to take us back to crypto, but look at FTX, you know, and the testimony from John Ray. If you just read what he says about the sheer volume of incompetence around managing an organization, right? Well, you can take the entire book Upstream, and you can apply pretty much every concept that is shared in that book to the FTX example, and to the examples from various other firms. I was actually rereading some of the interesting examples of failures in security and risk management. And it's striking how we continue to observe the same things affecting organizations, where a simple change, a simple tweak, could have helped avoid massive losses.
So how I think about it is, I do my best, in the context of my profession, to inform clients about what could beset them without making them worry. Like, I'm not trying to sell FUD, fear, uncertainty and doubt, if you will. I'm not trying to constantly bang on the table and say, "Oh, this will happen to you, don't do this," right. I try to align the client's thinking with prioritization of their assets, what are their mission critical assets, so you can have a conversation with the client about what's important to them. And it could be either a high net worth executive that's trying to protect themselves and their family, or it could be a large corporation, or it could be a nonprofit or government agency, doesn't matter. Okay, they all have mission critical assets. Okay. They might not call them that; they might not think about the important things in their life without which they would suffer, right? But nonetheless, to us practitioners, those are mission critical assets. And so once you start having that conversation, believe me, you already can solve at least a few of the challenges upstream. Okay? Because the client will be more receptive if they can apply the loss scenario to themselves, if they themselves can rationalize, "If this asset does not exist, or it's taken offline for me, I'm not able to function, it causes me further stress," right? So they themselves are guided to the right answers. And therefore, you as a practitioner cannot completely facilitate the entire change in your client's mindset and the way they operate, only the client themselves. And within their sphere, whether it's, like I said, a high net worth executive or a large organization, only the client themselves needs to believe that they need to address the challenges in front of them.
And they need to address them sooner than later, in order to avoid further losses down the line. They need to believe that, and if you're able to have a meaningful conversation with them to turn their attention to mission critical assets, and what is important, and what could be some challenges related to achieving their objectives, right, profitability, sustainability, whatever that may be, right? The client needs to be guided to those answers, right. So I think about my role as an advisor, as a person who will find the vulnerabilities and will help the client understand that if this vulnerability is exploited, and the mission critical asset is made unavailable, or, you know, temporarily is inaccessible, then what would be the ramifications, right? And then it's also important to help the client understand, well, how realistic is it, right, because obviously clients who are very sophisticated will likely say, "Yeah, but you're trying to scare me into thinking that something like this will happen." So yes, you have to have a balanced conversation, and you have to inform the client of what the reality is. But that conversation typically helps avoid certain future mistakes and challenges. That's how I think about it. But like I said, I used to be far more on the side of prevention. But I realize that our industry hasn't done a good enough job. So we have to be very reflective about why clients are reactive more than they are proactive, but it's our failure. It's our mistake, it's what we haven't done properly to inform the clients to think in a proactive manner.
So I try to do my job as well as I can to inform the clients, but I've lost the passion for only thinking from a preventative perspective. I understand that the reality of the world today, at least the client pool that I work with, is that it's a bit of both. There will be a lot of reactive measures, and I have to be respectful of that. Because humanity, unfortunately, as you can see, it goes well beyond security, humanity makes a ton of mistakes, and gets themselves into a ton of twists and knots where obviously things could have been prevented. It's visible; you could do a ton of case studies on, forget security, just in general how societies work, how neighborhoods develop, and so on and so forth. Right? There's lots of cases, but you have to be a little bit wiser to work with clients that are suffering from recent challenges, or are trying to avoid some challenges, and give them the best advice you can. When clients come to you and they're on fire, you have to be respectful that it's not just their fault. We as an industry also have a role to play in that. That's

Travis  1:04:36  
a good analogy. Yeah. And also, I really liked that philosophy. You're kind of taking the standard security approach of starting with assets, but you're overlaying the upstream thinking, moving from mission critical assets and then getting the client, getting the end user, to think through the different impacts and the criticality of any type of threat scenarios that might impact them. That's really interesting. And that also reminds me, I had written down a note because I was checking out some of your other writings recently, Ilya, and in one of your other posts you had mentioned something to the effect of "reactive always beats proactive in risk management." So that'll have to be another idea that we jump on in the future, because I know we're just about at the top of the hour here. So that'll have to be for the next podcast. But continuing on. So before we wrap up today's session, I just wanted to finish today by going over what we're looking forward to in the coming year in 2024. And I could kick things off first. So personally, definitely looking forward to spending more time with family. We have some of the holidays coming up, with Thanksgiving, with Christmas. And then also really just taking advantage of some of my remote work when I'm not traveling, being able to go spend more time with family. So that's personally. Also actually doing more cooking this year. I need to improve my cooking skills. So I'm actually just testing out a lot more recipes that I see on LinkedIn, sorry, not LinkedIn, on Instagram, testing out some recipes that I see from some of the chefs and influencers that I follow in the cooking space. And then really on the professional side, what I'm looking forward to: first, testing out more AI tools. That's one area where I know there's so much more to learn.
And recently I started testing out a slide deck creation platform called Beautiful AI that Nick Allen had recommended that I check out. So I've been testing that out, which is actually really interesting for creating very visually appealing and engaging slide decks just on the fly. And then also more stuff with ChatGPT and some of the other functions around creating infographics and imagery and doing more with documents. And then also really starting a CISSP study group. So I'm really looking forward to that, which I think will kick off in early January. So really just learning more about the foundations of protecting information. So that's kind of what I'm looking forward to in 2024. And Ilya, how about you, what's on your radar?

Ilya  1:07:58  
All good things to look forward to, Travis. So I might borrow some of those. Thank you for sharing. Well, I'm looking forward to recovering from my injury. I tore my Achilles some time ago, and I'm really looking forward to getting past that and getting back to yoga. I've now been away from that, unable to do it, since June. And so I really would want to get back to that. Certainly, like you said, family time is super important. So I'm looking forward to the holidays, and then also finding time to spend with the larger family that I have scattered across different places. And I want to try to learn more about practices of mindfulness and practices of stress reduction, because it is a growing challenge in our industry. I want to shape something into a discussion about ethics in, you know, a primary school setting, and then the K through 12. Because I feel like the tech world is becoming unwieldy. It might have become unwieldy some time ago, but I feel like today it's just much more challenging to comprehend. And what comes out of it is, like I've written in my previous post, 50%, I agree, will be good for the world, for humanity. And there's another 50%, and I feel like we don't understand the dark side well enough. And I think that our next generation is, first of all, struggling already with the dark side of technology, and has been since around 2016, 2015, something like that, even probably earlier. And I feel like this is something that I want to invest a little bit more of my time into. Because I think there's an organization that's called the Center for Humane Technology that has been releasing very powerful content. And companies are starting very important conversations, but I don't know to what degree they're moving beyond the United States. And I think that it's just not fair to the rest of the communities around the world, the rest of society, to be kind of lacking in that content, and I know that there are a couple of countries like the UK and others that talk about it. But again, all of it is disjointed.
It reminds me of our industry: several different industry associations, in this case several think tanks, scattered across the globe that all preach from their own soapbox, and it doesn't really, you know, achieve the objectives that, you know, should be collective. And so there is a program called PLATO that was developed, I believe, at the University of Washington, that talks about how to infuse philosophy and ethics into school curriculum. I think if I'm not able to do it, right, let's say because, you know, obviously we all have projects that work and don't work, if I'm not able to do it, if somebody can hear this, right, for the sake of your own children, for you, if you're a family person, please do pay closer attention to the Center for Humane Technology, to the PLATO program, because it's interesting, the PLATO program has been created, but once I checked, very few schools across the US, and none of the schools around the globe, have deployed this program in their curriculum. It's startling to me, okay. So I want to blend what I learned through Active Parenting, which is a separate program, a platform for educating parents. And I also want to combine that with PLATO and see how a platform like that can be useful for the next generation that comes after us and that are having to deal with the remnants of our own mistakes and challenges that we subjected them to. And, as I can see, if you look at the Edelman Trust Barometer, which is an interesting tool for everyone to just take a peek at, right? The trust around the world, trust in technology, the trust in governments, the trust in different types of social networks and so on, is actually decreasing. And I don't worry about it for myself; I worry about it for the sake of my children. So that's something that I want to invest more of my time into.

Travis  1:13:14  
Oh, that's a fascinating idea. And yeah, absolutely, there's just less trust in institutions globally. It almost just spans, it doesn't matter what aspect of society, so many different areas, there's just a lack of trust, a lack of the same social connections that existed decades ago, not quite there. Yeah. And that's a fascinating idea, the PLATO program that you mentioned. That's something I'll definitely check out. So, Ilya, I really appreciate you sharing your time with me this morning, slash this evening. It's been a really fun conversation, and we covered a lot today. And I'll definitely be sure to link to some of the different topics that we talked about, some of the writings that I mentioned. So I'll link to those straight to your LinkedIn or your Medium, wherever I could find those. So yeah, it was a pleasure chatting with you. And I know there's some really cool ideas that I'll take away from here that I think I could apply day to day in my own consulting when I'm talking with clients. So yeah, I really appreciate it. And I'll be sure to share this with some of my friends at work as well. Ilya, thank you, I appreciate you sharing your time with me. And

Ilya  1:14:31  
Travis, thank you so much for giving me this platform, for sharing with me as well. I learn from you every time we speak. So yeah, I hope this is going to be useful for your community, and I always welcome follow up. And yeah, I wish you a very strong and healthy end of 2023, and I wish you peace and enjoyment in 2024. Thank you to the rest of your community as well.

Travis  1:15:03  
Thank you. I really appreciate it.
