In this next episode, I was joined by the great Nickolas L. Allen, MPH, CPH, once again. As you may recall, Nick joined me on Episode 10 last year. This time he’s back to share his experience moving from the Intel Analyst side and on to Emergency Management. What I found most educational about chatting with Nick, was hearing his thoughts on niche areas of emergency management that the average security practitioner needs to consider in their day-to-day work protecting people and property.
And who better to learn from than Nick, who has broad security experience and a master’s in Public Health, Biosecurity, and Disaster Preparedness!
Highlights from This Episode
- Emergency management and security need a multi-disciplinary approach to be effective.
- The role of AI and advanced systems in emergency management is growing: Using AI tools like GPT-4 for ideation and policy development can significantly improve security and emergency management processes.
- Continuous learning and professional development are crucial in the ever-evolving security and emergency management field.
- Understanding stakeholders and their needs is critical for efficient emergency management.
- Compliance with regulations is necessary but can sometimes hinder proactive and innovative solutions.
- Third-party risks are integral to security considerations, requiring careful evaluation and mitigation.
- There’s a need to develop broader skill sets, as hyper-technical skills may become outmoded with the progression of AI and other systems.
- Professionals who contribute the most to organizations are those who develop skills applicable to the entire organization, not just niche technical skills.
- Strong interpersonal communication skills, understanding of organizational dynamics, and adaptability are essential in this field.
- Mastery involves putting oneself in uncomfortable situations to develop broader skills and a holistic understanding of the profession.
- “Mastery” by Robert Greene
- SHRM (Society for Human Resource Management)
- IAHSS (International Association for Healthcare Security and Safety)
- Beautiful AI
- Ilya Umanskiy – past interview
- Dr Richard Diston, “The Real Security Doctor”
Use CONTROL + F to search the transcript below if you want to learn more!
Transcript from this episode
*Note: this transcript was generated using automated software, and may not be a perfect transcription. But I hope you find it useful.
Travis 0:00 ...Nick, it's great to chat with you again. And today we're doing kind of a special episode, we're going over a number of topics such as things that you've learned in your new role on the environmental safety and emergency management side over the past year and a half or two years. And then also, we are having some drinks during this podcast. So for me, I'm having some bourbon. This is Colonel eh Taylor, Jr. Small batch. sraight. Kentucky bourbon whiskey says of top most class, so that's where I'm at. Nick 1:45 I mean, we're a good company that I'm drinking so small batch Kentucky straight bourbon whiskey. Family reserve cast strength from wilderness trails. Nice. That sounds pretty good. I know, man, you got the H Taylor. I think he went. Yeah, my brother got me this. I really don't know much about whiskey other than this one tastes much better than I'm used to. The maps in St. Louis. I need to. Travis 2:13 Yeah, and speaking of St. Louis. I would like to spend more time out there. And speaking as St. Louis wanted to ask you so the last time you're on the podcast, you were somewhat recently you entered in environmental safety and emergency management role. And I wanted to see how has it been getting getting integrated and into that new role, especially since you came from kind of like the intel analyst side, I think the previous three five years before that. So what's it been like getting integrated into that new role? Nick 2:51 Oh, yeah, totally Travis it's been a steep learning curve. As an entire series to having to dive into a lot of areas are not necessarily familiar with especially coming from the side of security that we did too. But healthcare is a whole nother beast man. There's just so many nuances, different areas you have to understand. So I'm juggling fire safety, life safety as much as I am. Security to hazardous waste and materials training people on patient decontamination first we see how to evacuate a hospital and pray to God you never have to do it type event. But you know, you gotta train people. How do you move, ambulatory and non ambulatory patients effectively serve a large facility. So there's just so many different nuances I didn't even knew existed within that healthcare space is pretty spectacular. And then, you know, being a critical infrastructure sector, all the different interconnected interdependencies within the general lifelines of the community, including here. So what happens when you lose a hospital or one of the hospitals in your region loses power during a bad storm? How do you balance out that patient? So it's been a very eye opening experience, to say the least? Yeah, that's one really fascinating field because one it touches so many different areas around public health, but then to you also have like, the population of people that are coming into your facilities. It's almost like law enforcement to make an analogy where many of the people coming in, they're experiencing experiencing a crisis, they have high anxiety, high levels of stress. And then of course, you have these frontline workers whose job is to really kind of like de escalate some of these situations and take care of them and serve the community. So yeah, I think that's just such a fascinating role. And I think I could relate a little bit because I think around this same time last year, I just started in my role on the security consulting side, and I think it's Travis 5:00 been a little bit of the same kind of like finding a good way to drink from a firehose, like learning about so many different areas where it's understanding methodologies, it's understanding, really like developing better skills when it comes to interviewing stakeholders and eliciting information, because that's such a critical part about being a consultant is trying to gather the information you need from your clients so that you can help them in the best possible way. Because it really comes down to there's 1000 ways that you could ask someone a question about their security personnel or their emergency management plan, it comes down to body language, if you have the wrong body language, if you make someone feel like they're being interrogated, then they're just not going to feel like a partner, and they're just not going to contribute. And then of course, learning about different technologies, learning more about hardware. It's like the smallest things about hardware, there's just so much to learn about like, like recently, I posted this, I reposted this link on LinkedIn. And it was kind of like the anatomy of door hardware. And it was just like the most complicated diagram ever, where it's calling out like 50 to 60 different components that go into a door when we think through Hardware and Technology and sensors. So yeah, I can totally relate to, Nick 6:25 to just that steep learning curve and trying to find the right way to learn quickly. Absolutely not to take us on a rabbit hole, but absolutely did take us down a rabbit hole. Speaking of that, from the security consulting side, as well, as you know, stepping into health care, you having to know those extreme nuances and find how to apply something to the organization that you're working for your consulting for. Right. So going back to that analogy of door hardware security technology. If we look at most healthcare entities or organizations, most hospitals in the US are at least 50 years old. So when you're coming in trying to incorporate, you know, some emergent technology or security, technology access control, a lot of times you're having to figure out what is that existing hardware, the wiring that we have, you know, and what needs to be modernized, and how do we make things work or jerry rigged it? And also, what is organization's appetite for modernizing because upgrading whole hospitals very expensive or a school? Law schools are older too. Travis 7:33 Yeah, that's a great point. And that's something I tend to see. So often when we're doing security assessments, I think it's really only like, I'd say it's only the minority of projects where we're really dealing with a building that was built in the last 20 to 30 years. So I could totally relate there. And I wanted to, I wanted to share this quote that I that I read in a book recently that I think comes back to this learning curve that you mentioned. So let me read this to you. I want to get your thoughts. See. Do you agree? Do you disagree? Alright, so this comes from the book, mastery by Robert Greene. Are you familiar with Robert Greene? No, I got on my bookshelf. Oh, really? Yeah, you have mastery there? Yep. I have not read all the way through it. But definitely some great things in there, which one you got for me? Okay, so here it is. This is in one of his early chapters. He says this, this has a simple consequence, you must choose places of work and positions that offer the greatest possibilities for learning. practical knowledge is the ultimate commodity and is what will pay you dividends for decades to come far more than the paltry increase in pay you might receive at some seemingly lucrative position that offers fewer learning opportunities. This means that you move towards challenges that will toughen and improve you where you will get the most objective feedback on your performance and progress. You do not choose a apprenticeships that seem easy and comfortable. And I wanted to get your thoughts. So on your, in your career over the past 10 years or so. How does that match up with his quote here, which is essentially that we need to prioritize learning opportunities early in our career, rather than just trying to find the role that's going to be easy and pay the most? Nick 9:30 You know, I think, per se I agree with it. And I think another good word thing for looting, there is a fortress transferrable skills. I think we hit on that a little bit or during our last discussion. Those harder and skills in those gray areas that we have to really struggle to define how to go about doing something because I mean, what we do whether that be healthcare, emergency management, executive protection, intelligence, these aren't necessarily They codified fields within the private sector consulting space, especially when they're going into these organizations that are very distinct or diverse, you know, they have their own nuances. So those harder skills are really what is developed and trying to figure out, where do we find that place to make that difference? And how do we apply the hard skills into the soft skills to figure out how to get work done? And that's a tricky thing. Travis 10:31 Yeah, like the way that you put that, saying that, like, so many ask so many security subfields, from Intel, to security risk assessments to, to investigations, like so much of it is not codified, like essentially, many of these organizations that you walk into, you talk to the security manager, the program manager, and many times, they haven't been doing Intel for 20 years, they've been doing some type of federal, federal or state law enforcement for 20 years. And then they find themselves now they're in charge of developing an Intel program, of which, you know, this is not necessarily what they've been doing for the last 20 years, I think that's a really good point, Nick 11:15 you bring up an interesting point there too, just between emergency management and until and of itself, both fields within their non traditional spaces, right, both fields are growing out of their original traditional demands that are placed on them. And it's requiring a different modus operandi for both fields, you know, a lot of that really is going to be something that's difficult to define in terms of how do you go about it. And the demands are being placed on emergency managers or Intel analysts are constantly an ever changing. From the Intel side, they're usually end user, they've seen the end product, most of their careers, especially if they come from that law enforcement side. Same thing from emergency manager, if they came from the law enforcement or more traditional side where their end user, they don't see everything that goes into making that stew that soup, you know, the planning the train, the exercising, the stair step model of, you know, let's constantly build up our capabilities and test and develop them, find the gas, find the needs, improve them. And that gives us security risk assessments to a lot of people like to do security risk assessment by the book, you know, they check the boxes. At the end of the day, most of this is a gray area. Travis 12:30 Yeah, that's a really important point. It's like maybe in some municipalities and some states, there's, you know, some type of state or federal rules that kind of guide some of these. But then, of course, those are not the end all be all, because then so many of these exercises, just turned into an audit where you're just checking boxes, and, and then also tick off your point to have it not being a codified feel. Field. I think another thing that really contributes to success in some of these areas is like you said, it's just being able to develop broad skills, like to use an example from my last role. I remember I was talking with one of our, with one of our executives, and they said something like, Travis, when after working here for three or four years, or however long, you're gonna learn so much more than any of your friends that are in similar corporate gigs. And I remember he said that, and then, like, at the at the time that I heard it, I was like, Okay, I mean, I hope so I hope that's correct. But looking back working in a startup environment, especially in security software, it did help me just develop a really broad range of skills, that you really can't, that you can't really develop in most organizations, especially no large organization, like, for example, getting experience on this on the product development side, seeing how how the developers do their work, how the product managers gather feedback from clients, how they implement it, how they prioritize it, learning how the sales staff goes about doing their sales process, everything from their first contact with the client, doing their discovery calls to learn about the challenges that they're facing, all the way to them closing and also learning about the compliance side. And then it's like, all these tiny bits and pieces really make me so much better have a consultant like to give one example. Like part of my role today is helping some of our clients assess security vendors, whether it's, whether it's hardware technology software, and I think having been in that past role and seeing really how the sausage is made on the software development side. That's made me so much better equipped to just have kind of like a simple line of questioning that I could do Use in my mind, so that I could vet some of these providers a little more just to learn more about okay, like, how mature is this organization? Are they? Can we really put confidence in them to integrate with this other piece of technology? Or how mature Is there, like software development and security program? Like to give one example, there's a company I was vetting not that long ago. And when I kind of dove in and ask them, okay, do you have like any of these compliance certifications, and I know, compliance is not the same as security, but it's still a lot better than nothing. And once I dove into this topic with the vendor, they essentially revealed they weren't sock two, they didn't have their sock to complete, they weren't ISO 27,001 certified. And all they could provide was like a self attestation about their cybersecurity program, which is the equivalent of like, Bart Simpson writing an A plus on his homework, and then, and then going out, showing it to his parents. So it's kind of like the Nick 16:07 there's so much fear. And I think you bring up a really good point there as well as, or a good point in discussion. So you mentioned, compliance is not necessarily security. But when we're talking about security, or emergency management at the enterprise level, we're truly talking about Integrated Risk man, approach, the end of the day. And compliance is such a key component of that. Because, you know, if you're managing security risks, you also have to have that cyber physical security convergence area, and the Broadside risk of that is not having fully compliant systems, you know, especially in a industry or sector, like healthcare, where we're so heavily regulated, we really never want to take on a solution that isn't vetted, that isn't fully compliant with the latest best practices or consensus standards in terms of, you know, in the case, you're bringing up cyber security in terms of ISOs, you know, and that's pretty key there, because we have some of the most high stakes data there is, which is a personal health information on everybody that we see or come into contact with. And you know, from the security side, especially if you're looking at very high value organizations, intellectual property. Travis 17:28 Yeah, those are all really important pieces of compliance, that kind of contribute to the whole of the organization. And going off at that point, I wanted to ask you, so as you were integrating into this new role, how important was it for you to become involved with, like healthcare, healthcare, security specific organizations? What role did that play in you being integrated, and then diving into your new role? Nick 18:00 I think from the security side, I OS, their national association of healthcare security and safety was a critical, no organization to really become a part of, you know, having come from more of the traditional Asus side of things, you know, there's certain gaps and nuances that just were not addressed, or as tailored to the needs of the sector, which is healthcare, you know, on, but i OS is really, for health care by health care professionals. So that has been a great organization. They have things all the way down to was the best physical design for your emergency department to limit or prevent or mitigate the risk of violence? Yeah. Which is not something you necessarily find on other sites like, asis, that's been a very good one. Yeah, I would say that's probably one of the most Travis 18:54 key organizations there. Yeah, that's a really good point. Because as is like serves such a broad group of interests, they really don't have the bandwidth to develop, like very specific standards for each type of security niche. So that makes total sense to get more involved with I think you said International Association for healthcare security Nick 19:14 has been a great organization. It goes everywhere from your security officer. Policies and procedures, where are those consensus best practices like we would see on a as a basis, you know, but they're also looking at things like patient belongings. That's nothing you'd ever find from that traditional security or safety side. How do you handle patient belongings? How do you remain compliant with them taller, you can't turn a patient away from your IDI just because they are presenting a risk you have figured out was the best way to manage this risk. And, you know, that goes back to that compliance side as well. You have to operate within this heavily regulated domain or this ecosystem that one would additionally work in other sectors from a security side or from a emergency management side when you're doing your planning does not transfer over to the healthcare sector because we have such strict regulations such a diverse population that we serve. And, you know, going back to kind of the point we alluded to earlier is you're getting people, much like a law enforcement officer, or anyone who engages with the public, and people on the best and worst days of their lives. So usually, they're going to be on kind of not acting the best on their best behavior, necessarily, but you still have to be there to provide a service. Travis 20:37 Right. And you mentioned, the number of regulations that a healthcare organization has to has to have in place and has to be compliant with when it comes to stuff like that. And now this is like, like a very broad question, generally, who's in charge of enforcement for something like that? Like, is that something that tends to be enforced internally? Does the state have auditors? Do they require like a third party assess different aspects? Like, generally, how is something like that enforced or handled? Yes. Nick 21:16 I mean, going from Argos, a society that we have a accreditation organization that is contracted to ensure we meet the accreditation standards from CMS and other federal requirements, right, so the Joint Commission, they set their own standards, they come conduct their surveys, but you're also still going to be surveyed by state. If the state surveyors see anything that's out of line, or there's a complaint filed, you also have to be responsible to those entities. So a lot of it goes back to an internal risk management approach that in a lot of organizations is shared between different departments, because it is so broadly regulated. So you could end up with compliance issues from the fire code side of things, life safety code, in terms of how you provide care to patients, patient safety, medication management, you know, everything you name it, we're pretty much regulated on it and have some degree of compliance risks that we do have to proactively manage internally. And even on the best of days, you're still going to have things happen where you have to go meet that inspector, that surveyor, you got to go man, it's a complaint. Because it's just such a broad organization, are you a sector that we have serve? Go back to you, people on the best days and worst days of their lives? If they don't have a good day, they're gonna file a complaint, whether it's founded or not? A lot of times, Travis 22:54 right. Yeah, that's a very good point, too. It's like just the variability of emotion of the people that are there. And yeah, that's so many different areas. You mentioned everything from everything from life safety, compliance, to protecting information, protecting people you mentioned, like the procedure for protecting belongings of people that come inside. Yeah, that's just such a vast area. Nick 23:21 And I mean, as a hospital or healthcare organization, or as a occupational space is one of the most heavily polluted or dangerous areas that we have. So I mean, in terms of hazardous materials and waste, right? How many things do we actually utilize? You know, for a large facility, you store your hazardous waste on site, you are allowed to do that, because you are a large general. But that comes with a lot of compliance measures, you have to follow to the tea. So you could have been announced surveys at any time of how you're handling the hazardous waste. Do you discharge things into the waterways? So you have to be able to report and validate even if you don't, you still have to be able to say you don't and show the documentation to prove that. And that all goes back to that comprehensive enterprise wide, holistic risk management. Cybersecurity is a component by safety is a component. Cyber is a component. I mean, you want to talk about a convergence. Healthcare is the convergence. Travis 24:25 Yeah, it's definitely a fascinating area. And let's see. So risk management is actually one area where I'd really like to develop more experience. So right now I'm working on my PMP project management certification because I really just wanted to get more experience on that side, just so I could better understand, like, Hey, why do when I'm working with security integrators are architects and engineers, why did they approach the project this way versus that way? Like, why do they do all these things? So that's been one area that I'm learning recently. but kind of like the next big knowledge gap area that I've identified for myself, I really want to explore some risk management programs. And I've looked at several and kind of annoyed a lot of people in LinkedIn, DMS, like asking about what they thought of different programs. So yeah, that's kind of like one of the next areas that's on my, that's on my whiteboard over here to learn about because, yeah, I know, it's something that's so broadly important when it comes to security. So yeah, I just wanted to mention that. That's awesome. Nick 25:33 Yeah, I mean, even how do you go about conducting planning and managing that are a little bit backwards, but whatever, projects, you know, go on to implement them. That in and of itself can be generative of risk? Who are the vendors you're bringing in? What are their internal policies, procedures, what's the due diligence look like? If you have to meet XYZ deadline, you got to make sure that that third party, you potentially bring in from, you know, those integrators or whatever, are gonna manage their own due diligence and risk, so you don't end up getting broadsided. It's such a crazy field is so broad. Travis 26:13 And that's another interesting aspect too, is that kind of like in my last several roles, had more experience working with people who are specifically in charge of third party risk. So essentially, all they do is contact their vendors several times a year, run them through like a series of questions about some of their different policies, procedures, asking for evidence of doing X versus Y. Yeah, so for me, that was kind of like one really fascinating area, because I had no idea that this was a specific, like, a specific security subfield where you're doing nothing except continuously vetting vendors that the company is actively using. It's kind of fascinating. Absolutely. And, Nick, I want to ask you another thing. So for me, like putting on my security consulting hat, and you being, like, deeply involved on the healthcare security side, I want to ask you, so for me a big part of my role doing comprehensive security risk assessments, is going in talking with stakeholders, trying to really like establish their trust, confidence, and then eliciting and drawing information from them so that I can do my best job in identifying vulnerabilities and potential vulnerabilities, threats, potential recommendations to make them. So I want to ask you, on the, at least on the emergency management and the safety side, in your mind, what topics do you think it's ideal for a security consultant to dive into when they're doing some of these stakeholder interviews? Like, are there any areas that you think are super important? Or maybe you have like some cheat codes that will kind of like help us get closer to gathering information that we need? I wanted to get your thoughts on that? Nick 28:09 Yeah, I mean, I think one of the first baseline things I always want to understand, and my career role as emergency manager, I work across a lot of different departments, a lot of domains. And this is true on the security consulting side, too. But what is that stakeholder? You know, not in terms of the organization itself, but the individual organizational stakeholders are discussing? What is their individual risk appetite versus risk tolerance? And then how does that transfer and amalgamate to the organizational risk appetite and risk tolerance? Because from that, once you understand that you can really start looking at what do you need to prioritize in terms of understanding from the emergency management side? If they have a risk tolerance for day to day incidents? Right? We want to know, all right, cool. That's kind of where you want to look in terms of. So really, once you understand that risk tolerance versus risk appetite on the individual stakeholder and organizational levels, he concern looking at where do you want to target across the phases of comprehensive emergency management? Right. So are they more of a organization looks to prevent risk fully, that costs money, that caught that requires a lot of investment, a lot of time? Are they looking to accept some risk and just mitigate? Or are they purely reactive organization, which I find most organizations, despite what they say are much more reactive than they realize at the end of the day. And all of these requires some different degree of planning. Yeah, and different solutions. So if you're a fully reactive organization, you know, a lot of times you have severe Shouldn't resources that you are willing to accept that? Level? reactiveness but if you don't, yeah, maybe you want to look at something like establishing memorandums of understanding agreement, resource sharing part agreements and partnerships. Shared situational awareness. Perfect Case in point in terms of healthcare itself is why we have healthcare coalition's largely is to have that shared awareness. So if something happens, we know how to absorb that impact is reactive still, but you are proactively preparing to react to whatever incident causes some kind of cascading impact or failure that you then have to manage as a sector? Or, you know, if you're looking at large multinational corporation that's very similar and of itself. Yeah, you do have a healthcare coalition, you're not individual entities. But what does one cascading failure look like? And how do you mitigate take Pfizer? Right? They just lost what 25% of their domestic production capacity for certain drugs and pharmaceuticals to that tornado? How I can speak towards Pfizer, but how are they looking to manage that first point? Do they already have memorized understanding some kind of interdependencies or supply chain redundancies, so they can quickly rebound from that? So they can still provide the products and user and manage that risk? So yeah, it really just depends on what is that appetite? And where do you set that starting line, and then move forward from there. So one thing we may want to explore a little bit more to is an emergency management intersection, honestly, as I can get your cut there. But I mean, when we're talking about as a security consultant, what kind of comprehensive emergency management questions should we be having? Right? A lot of times, you should be asking, how are you integrated into that whole community approach? Are you do you have a seat within your County Emergency Operations Center, your state emergency operations center? Do you have those direct lines? Going back to the kind of supply chain side? You know, do you have a point of contact that helps you get prioritize over other individuals, you know, say for utility companies, or your preferred customer? Who do you call when something bad happens? Do you have those integrated into your plans? And this is a gap I see in a lot of organizations where they really don't think that far ahead? Are you pre positioning certain supplies for XYZ type of incident? So you can respond in more quickly and mitigate impacts from that? Prevent cascading failures? So like all of these things? I think that's a whole nother conversation, honestly. Travis 32:54 Yeah, those are those are really important topics to dive into. Yeah, kind of like, one, how integrated is the organization with the local community with the state agencies who are going to be coordinating a emergency response? And then also, yeah, thinking about, you know, something as small as like, the level of what supplies are, are available for responding to an emergency. Those are, those are excellent topics to dive into thinking about thinking about this from like the security consultant side. Nick 33:24 So I'll give you a perfect case in point here. And this is transferable to different organizational types of sectors as well. You know, the Midwest was hit over the past couple of weeks with a lot of significant storms that did a pretty good number had a lot of impacts to some good number of damages. I did call basically where? Yeah, rumor mill, we have two nursing homes who are about to send all their patients down to your hospital. We're already on search. Yeah, our capacity is pretty limited here. And it turned out after some discussions, you know, integrating with that whole community approach reaching out to the Emergency Operations Center for county that they just needed a generator at one and some E cylinder oxygen tanks support so they can sustain patient care activities at the other. So instead of completely crippling, while the most critical. Now hospital infrastructures are coming in lifelines within the St. John, we're able to coordinate with that whole of community to maintain operational continuity at these other facilities so we can maintain our own operational continuity, right. And that's really where that comprehensive side of emergency management comes in. Yeah, you're looking across all hazards, all of community. Yeah, you're really looking at all different phases of the emergency management cycle from preparedness mitigation to response and recovery. And what are those key components? that you need to make the machine work when the machine is put under duress or under a barrage of stress. You can't predict every situation, but you can pretty well predict who you need to call and build those relationships before disaster strikes. And if you do that, you are going to be more adaptable, regardless of what comes your way. That's something that transfers across all different sectors, all different organization types, and all different scopes of practice. Travis 35:33 Yeah, that really highlights the need at the top for coordination. And then also understanding how how some of those smaller sites that are part of the organization, how like some of the challenges that they face, and maybe maybe having like a more proactive approach, like you mentioned, where you can assess ahead of time. Okay, one of their likely scenarios that they might run into is they their backup generator goes down, and they need electricity. So they need some support there. Maybe they need extra supplies. But like you mentioned, just to having that. Having that top level knowledge helped you really avert like what could have been, you know, like a mini crisis, and you think about like all of the variables that go into transporting patients from one facility to another, like, potentially, maybe that save lives? Nick 36:27 Yeah, no, absolutely. I mean, I see this a lot coming from the security side to where people will do you know, their security risk assessments and everything they will look at. And, you know, even for executive protection, your protective intel assessments or your types of risk assessments, whatever you want to call it, right? What's the closest emergency room? What's the closest emergency department? But does anyone usually dive into the capabilities of that entity? Or the interdependencies at the community level? Right? Does that organization that you're talking about have the capacity under times of disaster duress and stress to truly meet the capability that you are trying to integrate into your planning cycles? So I mean, all right, cool. The closest emergency department is five minutes away. That's great. But what capacity do they have to protect the vital VIP type person, right? What is their day to day census and capacity? Are you looking at eighth hour? Wait, you may be better going down 15 minutes down the road? Yeah, to something that has a greater capacity. So those nuances are pretty key. Across the board, whether you're looking at infrastructural threats, security threats, you name it. Travis 38:00 Yeah, and I can definitely relate to that, too. I think, in the past, doing some of those types of assessments, developing emergency contacts for wherever, wherever the team or wherever the organization might be operating. I think, for me many times, it was just okay, what hospitals, ers maybe urgent cares are in the area. Where do we have like a level 123 Trauma Center? Where's our like, where, where's the best place around here? It's if someone has cardiovascular issues, like developing some notes on all of those, but not necessarily diving into, okay, what is the actual capacity for some of these different organs for some of these different hospitals or ers that we might be going to that's, that's really an excellent point, too. And then also thinking about maybe like a worst case scenario. Also thinking a little further, what if there's an earthquake in this area? How might that impact like this particular hospital? Is, is one particular hospital going to definitely overflow because it's in such a urban area? Because it's an area where people are going to have, you know, greater impact to them. So yeah, those are all excellent topics to think about. Much deeper than just okay. Do we have a trauma center? And do we have like a cardiovascular specialty facility in the area those and what Nick 39:29 are the nuances of that too? You know, I've worked in trauma for several years in grad school. And one of the big gaps within the trauma domains and I've seen it considered very rarely is burns. Burn traumas are an incredibly specialized model of care delivery, right? It requires a lot of specialized resources. So if you look at the state of Missouri, where I practice out of right, and Illinois My hospital is one of only two American burn associate accredited burn centers. In the state of Missouri. We're the only one with dual pediatric and adult burn care capabilities and certifications. So what's that look like in terms of capacity, there is no capacity. So a lot of times you receive the most severely burned patients, you most complex, you stabilized and you transfer out to a lower level of care. Now, we talked about a burn surge type scenario, where you have a large building fire, there are 20, burn casualties. There are very few places in the country that can absorb that level of burn trauma victims are burned patients. So it really becomes a stabilizing transfer out type situation. And we're talking multi state. Yeah, we're not talking. Just Alright, we're gonna go to the next city over if you have a large burn mass casualty incident, it is a multi state response where the infrastructure nationally does not fully exist to successfully operationalize that. So you know, these kinds of understand these these nuances, these understandings are key for security practitioners to, especially when you're talking about those VIPs Wow, things when you're at a conference, you've got half of your C suite there. Yeah, whether it be internal or whatever, something catches fire, or XYZ bad thing happens, you know? And how do you track them? Where are they going? That's a tough one. Travis 41:41 Yeah, those are all some really important considerations. And actually, I have an upcoming podcast with Dr. George debusk. Who's won, he's a practicing medical physician, but too, he also serves as a medical director for for like, high net worth families and for like some other similar organizations. And I think that kind of highlights the importance of having someone who eats breeds and thinks about the medical side to really identify some of these considerations, because I could tell you like, the average 22 year olds sitting in a G sock, who got a Political Science degree who Yeah, maybe it's taken like a couple cheap Intel courses and read a handful of books, are they thinking about the cascade of medical situations to the same degree that a medical director is going to or that an emergency manager is going to. So I think that really highlights the need for within some of these organizations, for example, executive protection, having someone who's a medical director, to think through some of these more niche items that the 22 year old analyst just is not going to consider based on their past experience and what they've seen. Nick 43:00 And identifying those resources within your whole community approach to planning, right? All stakeholders, fusion centers, amazing resource if you can tap into them, for example, a great subject matter expertise may have someone on that medical side, never know, depends on where you're at. But a lot of fusion centers will have a public health or medical focus test. Now, Travis 43:24 you do make a really good point when it comes to in talking to stakeholders understanding what their risk appetite is. Because yeah, of course, it seems like nearly every organization, of course, you don't want to spend money on security as like your first initial knee jerk reaction, because, one, it's not going to contribute money to the business. Like directly, it's going to cost money up front, it might take a while to actually see some of the benefits of developing different security programs and protocols. Nick 43:58 I have pinned it off of that one real quick, though, you know, because, as a discussion with someone relatively recently about that, you know, and understanding that risk appetite, that risk tolerance and their willingness to invest in whether moving that line from reactive to proactive posturing, you know, it goes back to the organization itself, right? And how sophisticated they are in understanding their own risk and their own liabilities. Because if you do not invest in it, you're gonna be chasing your tail. So, you know, our mutual friend Chuck Randall brings up a great point all the time, which is simply Are you a cost center, or are you a profit center? Do you contribute to the bottom line? Or are you a black hole that is for reactive capabilities within an organization? And that's part of where that risk appetite and risk tolerance conversation comes in and having those discussions with those individual stakeholders and bringing those to that organizational level of Understanding is really moving that bar forward towards. We are not a cost center, we are a profit center, whether that be emergency management, risk management. Yeah. third party vendor risk, man. Yeah. All right, while people will take on fixed costs third party models, because it's a fixed cost, they can plan around that. But if they do not do the due diligence of editing, they expose themselves to potentially a whole lot more losses. And how do you capture those value adds from the different sides of security, emergency management, risk management, and present those to those executives to move that bar forward to where you've changed the discussion. And you've really changed organizational culture as a Travis 45:47 whole. Yeah, and one thing I wanted to touch on to what you just mentioned, you mentioned like the degree to which organizations invest in security. And I think this is something really important, like when it comes to any young person or any job seeker, kind of like, as they're assessing some of their different opportunities, I think one really important place to look is how mature the organization is in terms of security. So for example, to To what degree do they invest in security, when it comes to technology hardware, is whoever the security leader is, or the security executive? How influential are they actually, when it comes to the mission of the business? Are they someone that's on the executive leadership team? Are they only on the leadership team in like, name, only do they are they actually able to implement the things that the organization needs to secure, whatever it is that they're protecting? So I think that's one extra important thing for people to think about, is really like, how important is security in the business in reality, when it comes to influencing everyday operations, and also just the mission of the business. Nick 47:05 And, you know, that's really where I think that value added, going back to our original conversation, I think a year and a half ago is from the Intel side, it was having that ability to understand, contextualize, and then capitalize upon those different strategic, operational and tactical nuances. The at the end of the day, I guess that's really business intelligence at its finest to just apply it out in the field at the C suite level, ideally, and I think those kinds of inputs help you move, whether you do have that C suite table, you know, you do have that influence as a security leader. And if you don't move to that point, because if you're able to accurately capture data, present that and get by and you're gonna move up that chain, you're gonna have more influence, because I use this quote a lot. With my current organization, and God, we trust all of this brain data. And data, if done well is difficult to refute. Travis 48:06 Yet, and that kind of boils down to really like having the right systems in place. So you could gather some of that concrete information that you could go ahead and show to a stakeholder and say, Okay, here's why I'm making the case for whatever this new operational changes technology procedure, whatever it is, yeah, that's a great point for getting, getting the building blocks building blocks in place. So you can start gathering the right data and the right information. Nick 48:35 Yeah, absolutely. And if you do not have the building blocks, blocks and blocks, the building blocks and places, having those transferable skills that oftentimes, you know, intel analyst we come with are really anyone who's done some out of the box type education or skills development, right? You did, I believe that PhD, right? Travis 49:00 Did a master's in Applied Technology. But definitely outside of the security box, for sure, Nick 49:06 absolutely. But you learned a lot of statistics, you learned how to truly tease apart what is credible versus non credible evidence, how do you recode or, you know, take these desperate data sources and make it into something that you can capitalize upon, and really validate. From my side, I studied epidemiology for just that reason. So either you don't necessarily even have to have those building blocks in place as an aspiration. But if you can really find out how to make the sausage out of what you have in terms of your organization for data and to start getting those insights, and building that pie, and that's the way to do it, you know, and this goes back to the whole point of your podcast here is really What skills does studio security need as something to be able to go into any organization and whether a security consultant, emergency manager, whatever you have at your disposal in terms of information and transform that into something that can be capitalized on and value added, so you can move forward your mission, which is, you know, in the case of us protection. Travis 50:17 Yeah, and one thing about that, that stands out to me too, like when it comes to some of the skills that you develop in those, maybe like more technical bachelor's programs or master's programs, one critical thing that I got out of my masters, like analyzing data, and all that stuff was really important. But a second really important piece, like, we had enough research projects where it definitely forced me to go out of like, outside of my comfort zone, in in doing in depth interviews with people that are using products, or when we're trying to figure out, like, what motivates someone to use a product or why they use it or like, you know, any of these motivations or things behind their product use, like having to go into these like hour long interview sessions with people who I had never met before, who I didn't really want to be talking to like, I was probably secretly hoping that they wouldn't show up to the Zoom meeting, like having to run through all of those interview sessions, when it's something that's really outside of my comfort zone. That made me so much better when it comes to being a security consultant. Because such a big piece is just doing interviews, asking the right questions, phrasing things in the right way, so that people want to respond rather than just closing off to you. For me, that was one huge piece. And then also, of course, after that, also being able to analyze data, being able to catalogue these responses that we get during in depth interviews or something similar. So yeah, I found such a huge value in that, even though when we think about security traditionally, like, typically how much is how often is it brought up being able to use Excel for data analysis, or being able to be a good interview or coding interview responses, like these things are almost never mentioned. But just having like these disparate skills, kind of make you so much better at any security role? Nick 52:19 Absolutely, it turns you into being a singular as a tool to being a multi tool, you know, it so it's already nice. That's why security consoles it really needs to be. Travis 52:31 Yeah. And when it comes to Swiss Army knives and innovation, let me ask you this, I want to get your thoughts is do you find chat GBT or any of these similar AI tools? Have you found any of those to be useful in whether it's day to day work inside or outside of your organization? And of course, I'm talking about using, like, non business confidential material in chat GPT not anything sensitive to the business? Nick 53:03 How did you know I was playing around with all that. I mean, at the end of the day, you know, anything that can free up time or allow you to hone and refine your practice and how you deliver on results is going to be key. I mean, I don't think it's something that at this point in time, you can trust fully without doing that due diligence and vetting going back to that. But, you know, it's almost like having a assistant at all times, right? Whether you're doing some quick research, whether you need to polish up your approach, shoot an email or write up or develop some policy or procedure. It allows you to have a force multiplier to where you can then go back and apply your technical skills that were hard earned, your subject matter expertise to vet the initial outputs and, you know, do more in less time. Yeah, Travis 54:07 I I totally agree. And I really just started messing around the chat. GBT probably in like the last, I don't know, six to nine months, I had lunch with one of my friends who was more on the IT cybersecurity side. And he pretty much told me that I'm like, he's kind of like, if you're not messing around with these tools, then what are you doing with your life? So pretty much after that conversation? I started using a combination of chat GPT and then also Grammarly, just trying to like figure out, like, how can I integrate some of these things into my day to day tasks, whether it's work related, non work related, so I'm kind of still experimenting there. But I have found like a ton of interesting uses. I think some of the more important ones are around ideation. Like for example, if I'm interviewing a stakeholder who works for maybe A type of organization that I'm less familiar with, or maybe it's a role that I'm less familiar with, like asking chat GBT questions that are going to help me ideate for, hey, what types of topics? What types of topics might I want to dive into when I'm talking to someone who's a CFO for this type of organization and this type of field? So I found those to be really useful when it comes to ideation. Of course, there's so many things that chat GPT can't do if I ask it for maybe like a chronological list of attacks against this type of industry in the United States from this date to this date. It'll just say, Sorry, bro, can't do it. Nick 55:43 Yeah, pretty much I'll you know, stuff beyond before 2021 or whatever. Yeah, exactly. Cut off the training dataset. But I think if you keep that in mind with these tools, you know, it goes back to methodology, right? How was the how was it trained? How was it built, what is the data set that it utilizes to provide these responses is key. So you know, you brought up the point of understanding stakeholder kind of conversational points, you know, trying to understand where that starting point is for those conversations. Other things I find that are really heavily embedded within that training data that chat GPT, in particular, was still all the time and standard operating procedures, you know, that a lot of those are open source. So instead of spending three, four hours to try and write the SOP, SOG, or something like that, you know, it's a really good starting point for just say, develop a standard operating procedure for fire response within XYZ organization type. You asked for slight revisions, and then you take that subject matter expertise that you have as a human operator, which is hard earned, to really refine and polish that up, but the day you're saving a lot of time. And a lot of times you may find something or think of something or be provided with some output that is normal to your own practice set. Travis 57:16 Yeah, that's a great point too. And I've messed around with some things around developing policies and procedures, like even just asked me it for hate develop me a clean desk policy for technology startup, like some of these things I could have used. I could have used so much just a few years ago, instead of having to go ahead and read so many examples of clean desk policies from universities, from people in tech from people in this other industry. Yeah, it's just one way to save a ton of time for like, at least that initial ideation phase to kind of like, figure out, Okay, here's, here's some extra building blocks that maybe I hadn't considered before, that I could integrate into, you know, developing whatever it is some type of governance. So yeah, I really like I really like it for ideation. Some other uses really outside of security. So I started using it too. So I create a transcript after every podcast. And then I've started experimenting, copying the text of the transcript into Chet GPT. And asking it to write summaries. And it's actually really good at writing some of the summaries of like, I don't know, 10,000 100,000 characters from an hour long conversation. So stuff like that has been really nice, or even just asking it to summarize, maybe like some type of public facing document like, Hey, give me the high points from this article, or from this PDF, I found things like that to be really useful as well. Nick 58:51 Absolutely. I mean, I've utilized it for some grant development as well, you know, when you're applying for federal grants and everything, you know, here's your inputs, refine it to this and give me that output for what the grant should look like. And you modify the structure based off of that. And that's been very helpful to really interesting one, you should probably check out if you're exploring Chachi Petey, I just started playing around with his beautiful AI. Have you heard of that? Travis 59:20 No, I'm not familiar. Nick 59:22 So it is a AI assisted, presentation developed tool, so you can make your PowerPoint presentations and slides and designs utilizing a similar language processing model. So you send out those queries that question, you know, develop me a slide template based off of the top five risks facing XYZ organization type. It's pretty cool. You gotta check that out. Travis 59:53 Yeah, that's fascinating. That's, that's something I definitely need to dig into. And that's also like another area where I've identified I had that myself, but also so many of our peers, let's say it's a big opportunity for them to grow. It is in, like the development of slide decks that are easy to read, and that people like looking at. So like one thing, another thing on my, kind of like on my whiteboard over here of things that I needed to get better at, of course, one is risk management, which I mentioned. But two, was taking some courses in Udemy, for using for using tools like Canva, and some others, just to develop like, more impactful PowerPoint presentations, because, of course, everything is about content. But also a really important part about content is like the initial, the initial reaction, the initial impression that people get when they when they see your presentation. Because like really, that first minute or couple minutes is kind of like the deciding factor in between someone watching your presentation going on their phone on Instagram for the next 20 minutes, or them actually watching your presentation. So yeah, as you mentioned, beautiful AI, that's something I will definitely dive into Nick 1:01:14 that it's awesome, man. I mean, the sky's the limit. And I think we had discussed this last time I was doing a plied a PhD in applied sciences with a focus on integration between GIS remote sensing and artificial intelligence, where I really started exploring a lot of these tools. But one thing that really stuck with me from that whole period, before I decided I was making too much money at the time anyways, to really justify making $30,000 on fellowship. Yeah, I'm sorry, not to come PhDs, but they don't pay well, right, generally, was the democratization of to an extent of what AI will bring, right? So we've had for years, this huge emphasis, this huge drive for these hyper technical skill sets, whether that be coding, programming, statistics, modeling, which really, to an extent is going to write itself out, I think, and it comes back down to now you need the subject matter expertise, and those almost liberal arts type capabilities to vet what you're putting into training an algorithm, you know, what you are getting out, and how that actually is accurate or not accurate? Right? A lot of people make the assumption that all right, cool. They as producers, Chet GPT, said XYZ still could mess up, it really goes back to what was a trained upon how many iterations of training cycles has your algorithm or model gone through? And knowing those very nuanced aspects of alright. What's the best practice on security industry, you know, how much of that is actually hidden behind a paywall or within great literature? That is not accessible to training data sets that these models are trained upon? Yeah, I think it really brings forward the skill sets that a lot of security professionals or emergency managers bring to the table. Right. And will allow us to have a greater focus on those kinds of type educational programs, those types of skill sets versus the hard technical things that have been emphasized for the past 20 years. Travis 1:03:41 Yeah, that's a really good point, like you mentioned, having some of the developing broader skill areas, like especially in education, because you do see this like for people with hyper technical skill sets, those may be some of the first skill sets that become outmoded, as AI. And some of these other systems become smarter and become better trained. And I could connect that back to I don't know, if you follow this guy on LinkedIn, he calls himself the real security doctor, Dr. Richard Disston. He writes a lot of really interesting and some ironical content about security. And he made a post a while ago, and he said something to the effect of like, many people in the security industry are hyper focused on developing niche skills. And he was saying, like, really, when it comes to the top levels of the organization, like the people that are contributing, that are making the most meaningful contribution. Those are not the people that are developing super niche technical skills, they're developing skills that are more broad that are more applicable to the entire organization. So Nick 1:04:54 absolutely. I think that goes back to the consulting side too, is Being able to speak different stakeholders languages while still getting across the same message. They are allows the soft skill 100%. Travis 1:05:10 Yeah, that's a great point like, Yeah, I think just interpersonal communication. And writing ability is an also like, understanding the dynamics in an organization. Like those things, you can't necessarily go to any course or any security program to learn about. Yeah, all of those aspects are incredibly important. Nick 1:05:35 And I think that brings us back to our original topic of discussion with the book mastery, and that quote, yeah, putting yourself in those spaces that are uncomfortable. Yeah, not necessarily easily earned. Because that's where you forge those skill sets is sort of trial by error. Exposure, if you just live inside of this box of this is what I do as a security professional emergency manager, whatever your profession, you do not develop those skill sets to broadly integrate within an organization, whether you're a consultant, you know, your work internal to your organization, just, you know, it's holistic practice and holistic practice takes exposure experience and understanding and the ability to see through different lenses and frameworks and contextualize what you're trying to achieve, or what your stakeholders trying to achieve in a broad and understandable way. Travis 1:06:35 Yeah, and I think that's actually how Robert Greene or actually made this another book. I heard another dude, essentially explain like, what does it actually mean to be an expert in a field. And it was really just having like, kind of like having a mental map of like, all these different items, and having a succinct, logical way for connecting them all together. And it does get back to just experiencing, experiencing broad educational programs, but then also having that experience across different organizations, different industries, fields, so that you could gain, like all of that really interesting nuggets of information that you could only get from experience on the ground, seeing how things are done, seeing what fails out there. And then also seeing what works. Yep. And then having the intellectual humility to go to where whoever you're consulting or your stakeholder advising, you know, if your internal, having that intellectual humility to go to where they're at. So you're not misconstruing information or advising off of your own frames of reference your own understanding your cognitive biases. Yeah, humility. Definitely important point there. And going back to LinkedIn, I wanted to ask you like, Are there any favorite organizations that you'd like to follow on the healthcare on the healthcare security side or any particular people that kind of stand out to you where you think, you know, if, if there's going to be any new trend in health service, healthcare security, I bet this organization I bet this person's probably going to be right on top of the topic. Is there anything that stands out to you? I mean, I would honestly say I try and look outside of healthcare for a lot of what is coming next, healthcare tends to be a little bit behind the curve in terms of Nick 1:08:36 thinking ahead, because they are so regulatory, they have such regulatory burdens, right? And it goes kind of back to education as well, you're dealing with risk, heavy, but resource for entities, right. So a lot of times you do not have the freedom or flexibility to think outside of the box. To the extent that we went back into the corporate sector, a lot of times are for profit sector. And a lot of times with accreditation and consensus type organizations, I should say accreditation organizations, they are learning best practices as time moves forward. So you're inherently have a time delay towards thinking 10 years down the line. Really, you're kind of forced to think five years behind other sectors in some ways. Yeah, that's an interesting point. And actually, I think when I was interviewing Ilya A while ago, Ilya Umansky with current consulting, he had mentioned something similar to where that he tended to also read lots of information and content that came from places like sh like s HRM, when it comes to the HR side of the house, or even looking at like emergency management organizations that are producing content about relevant topics, because he also thought something similar that essentially, like if you just concentrate on what's going on within the security industry, or like you mentioned, focusing on only the healthcare industry, there's so many trends and new ideas that are potentially beneficial for you that you might miss. Or maybe there's like a threat or vulnerability that you need to get ahead of. Yes. So that's a really good point, and just kind of broadening your appetite of information outside of whatever the niche is that you're actually focused on. Just so you can gather, I don't know, just a greater breadth of information from everything around you. Absolutely. Because I mean, if you're getting if you have some kind of risk or exposure in one sector, chances are it's coming down the line too, right. So having that holism, in terms of your practice is pretty key. And for better or worse, regulatory boundaries, set you on a certain course, that you're just trying to manage risk within that accrediting organizations boundaries. But that accrediting organization is the one who really shouldn't be looking out more probably to figure out, you know, five years ahead of time before they actually make something a requirement. Yeah, what risk needs to be a man? Or what best practices need to be developed and then matriculated down through the accredited organizations? Yeah, that too, when you mentioned regulatory boundaries, I imagine that a lot of these boundaries are also set, because they're a reaction to something that's happened in the past to so to a degree, many of those boundaries and some of these barriers that are set up, or restrictions, they're probably just based on something bad that's already happened, not necessarily thinking about the future and what could be. So that is really a point. And I think that really goes back to also just the burden of heavy regulations, which I'm not against regulations. But if you over regulate resource for sectors, which healthcare is one education's one, you know, it creates a certain type of inherent posture. And that makes it difficult to look beyond the horizons to start thinking, hypothetically, which is a tricky thing. Yeah, that was probably one of the bigger learning curves for me coming into the healthcare sector, I'd say, Yeah, and I see that too, because I work with a number of organizations involved on the education side. And I could definitely see that, for example, like when some states initiate regulations around safety and security. Really, it kind of like puts blinders on some of these organizations where they're thinking, okay, when the auditor we need to be prepared for when the auditor comes not necessarily, we need to be prepared for whatever is the most likely and high impact threat that might hit the organization. So and then, let's see, we are coming up on the hour here. Were there any other topics that you had, like a burning desire to talk about or anything else that was top of mind for your neck? Now, I think we've covered a lot here, Travis? Travis 1:13:23 Yeah, I feel like we covered a lot of really good topics, everything from how someone like me working on the security consulting side can kind of like better think about emergency management as far as understanding what, as far as understanding our stakeholders and how best to serve them. We talked about Chad GPT us on the security side, how it might be helpful when it comes to ideation and some of these other topics around developing policies, procedures. And then also, we touched on a number of topics, everything relating from Intel to compliance to third party risks. So we covered some really interesting stuff here, Nick. Yeah, I'm very appreciative that you were able to share your time with me today...