In this episode, we discuss the importance of mentorship and how it shapes the careers of professionals in the cybersecurity industry, the challenges CISOs face in the corporate world, the industry's reliance on outdated strategies like defense in depth and security awareness training, and practical advice for improving communication skills. Don't miss out on this engaging conversation filled with valuable insights for leaders and professionals in the tech industry.
Guest: Rick Howard, Chief Security Officer for N2K, Chief Analyst and Senior Fellow for The Cyberwire
On LinkedIn | https://www.linkedin.com/in/rickhoward/
Website | https://thecyberwire.com/
YouTube | https://www.youtube.com/channel/UCIC1L2vbbyotqEF0ZLhaOdw
Host: Dr. Rebecca Wynn
On ITSPmagazine 👉 https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/rebecca-wynn
________________________________
This Episode’s Sponsors
Are you interested in sponsoring an ITSPmagazine Channel?
👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network
________________________________
Episode Description
In this episode of the Soulful CXO, Dr. Rebecca Wynn welcomes welcomes Rick Howard, N2K Chief Security Officer and Chief Analyst at the Cyber Wire. His impressive background includes roles at Palo Alto Networks, TASC, iDefense, and the U.S. Army's Computer Emergency Response Team. He co-founded the Cyber Threat Alliance and leads the Cybersecurity Canon Project. Rick's latest book, "Cybersecurity, First Principles," is a must-read. We discuss his career journey, mentoring, effective communication strategies, CISO challenges and strategies, handling risk and recovery, why security training is outdated, the Netflic chaos monkey architecture, and impactful career advice. Don't miss out on valuable insights.
________________________________
Resources
Cybersecurity First Principles: A Reboot of Strategy and Tactics: https://www.amazon.com/Cybersecurity-First-Principles-Strategy-Tactics/dp/1394173083
Unlocking Cyber Resilience: Your Essential 2024 Security Guide: https://www.linkedin.com/pulse/unlocking-cyber-resilience-your-essential-2024-guide-dr-rebecca-ecf7c/
NIST CSF v2.0: Simplified Cybersecurity Guidance:https://www.linkedin.com/pulse/nist-csf-v20-simplified-cybersecurity-guidance-wynn-the-soulful-cxo-efvvc/
________________________________
Support:
Buy Me a Coffee: https://www.buymeacoffee.com/soulfulcxo
________________________________
For more podcast stories from The Soulful CXO Podcast With Rebecca Wynn: https://www.itspmagazine.com/the-soulful-cxo-podcast
ITSPMagazine YouTube Channel:
📺 https://www.youtube.com/@itspmagazine
Be sure to share and subscribe!
Secrets to Building a Resilient Cybersecurity Program | A Conversation with Rick Howard | The Soulful CXO Podcast with Dr. Rebecca Wynn
[00:00:00] Welcome to the soulful CXO. I'm your host, Dr. Rebecca Wynn. We are pleased to have back with us today, Rick Howard.
Rick is the N2K Chief Security Officer and the Chief Analyst and Senior Fellow at The Cyberwire, a cybersecurity podcasting network. His prior jobs include Chief Security Officer (CSO) for Palo Alto Networks, Chief Information Security Officer (CISO) for TASC, GM for iDefense (A commercial cyber threat intelligence service at Verisign),Global Security Operations Center (SOC) Director for Counterpane (one of the original MSSPs) and Commander for the U.S. Army’s Computer Emergency Response Team (CERT), where he coordinated network defense, network intelligence, and network attack operations for the Army's global network. He was one of the founding organizers who helped create the Cyber Threat Alliance (an ISAC for security vendors), and he also created and still participates in the Cybersecurity Canon Project, a Rock & Roll Hall of Fame for cybersecurity books. He also taught computer science at the Academy from 1993 to 1999. Additionally, he has published many academic papers on technology, security, and risk, has contributed as an executive editor to two books: “Cyber Fraud: Tactics, Techniques and Procedures” and “Cyber Security Essentials” In an April, 2023, he released. His own book. Which is an excellent read, highly recommend it. Cybersecurity first principles. And reboot strategy and tactics.
Rick, my friend, sometimes mentor. It's great. Seeing you again, welcome back to the show.
[00:01:57] Rick Howard: Well, I'm sorry you had to read all that. God, I, well, I, thanks for all those kind words.
[00:02:02] Dr. Rebecca Wynn: I have to ask you. I know that you've talked about a couple of times just for our audience. Can you go back about, Hey, I wanted to get out of high school early and go to us air force. And like, can you kind of just walk us through briefly your career?
I think that's a great story.
[00:02:15] Rick Howard: I grew up in South Dakota and, uh, the, the main job you get there in my little hometown was gold mining back in the day. And I knew I did not want to do that. Yeah. The only ticket I had to get out of there because we were pretty tight. We weren't poor by any means, but we weren't rich either.
So going to college, I was gonna have to do that on my own and I couldn't afford it. So I joined the service in the early entry program and, um, uh, joined the air force cause I didn't know any better. All right. All right. And then I got this opportunity because if someone pulled some strings for me, uh, somebody who took care of me, Helen Morganti, right?
She liked me for some reason. I wasn't a great student. I wasn't anything like that, but she took me under her wing and she orchestrated an appointment to the U. S. [00:03:00] Army's Preparatory School, which is a school designed to get enlisted people Ready to go up to West point to become officer. So they, the whole purpose of the program is to update your math and English skills so you can do well at the school and, you know, I had no business getting that, but she did pull those strings for me.
And so that's how I got in the U S army. That's how I got to go to the West point, uh, become an officer. So, yeah. Thank you, Helen.
[00:03:28] Dr. Rebecca Wynn: Yeah, I think that's great. And by the way, I've done a stand up at West Point as well, too. Way after you, I did the medical treatment facility upgrade up there. Love it. Oh,
[00:03:35] Rick Howard: did you really?
I did not know that. Or at least I forgot about that.
[00:03:38] Dr. Rebecca Wynn: Yeah, you were at Filbert Balboa. I did the new community hospital from the ground all the way up. So, yeah,
[00:03:43] Rick Howard: when
[00:03:44] Dr. Rebecca Wynn: I was looking at this, you and I crossed paths. I was just crossed. So many years after you, everything I was doing for the U. S. government under NCI information system.
So again, thank you for your service.
[00:03:53] Rick Howard: Oh, You
[00:03:54] Dr. Rebecca Wynn: know, we were talking briefly before how much education is really important. I'm always like more, you know, more, you [00:04:00] know, so, so teach me. I'm glad that you also mentioned mentors. Cause I think it's really important how we realize that you have people come across your path.
You're either there to help them or they're there to help you, but. You know, how do you go about, you know, mentoring others? Or how do you go about even finding mentors yourself? How does that happen for you? Because I think it's really important for people today to realize that we're not in an island. We can get through the cyber war, but only if we work together.
[00:04:26] Rick Howard: Yeah, I'm with you. I totally believe in mentorship. I couldn't have got to where I am now, uh, without people above me, you know, taking an interest and help, you know, pave the way. So I think it's part of giving back that you do that yourself. We all do it as security professionals. Right. But, uh, what typically happens to me is somebody will reach out and say, I have a question about X or Y or Z.
Right. And then we'll get to talk in either email or over the phone or something. And then they will ask if. If I could, you know, routinely meet with them and which I love to do, cause usually mostly when they're younger [00:05:00] folks, you know, they have a fresh new perspective on things. And you talk to old people like us, you know, we're kind of setting our ways, right?
So a young person will come and say, well, why do you do that? And then you have to really think about that. So the way I set it up though, is we set up a regular cadence, the mentee. Comes up with a question and then that they want to talk about, and then we'll just have a regular conversation about that.
So I, I try to do as many of those as people want to do them, but the onus is on the mentee, right? To come up with the things they want to talk about. So, um, that has worked out for me over the years. I don't know. How many are you doing these days? I usually got five or six going on at any given time.
[00:05:38] Dr. Rebecca Wynn: Yeah, five or six.
And it's interesting because people know that I've spent the last couple of years really getting into wellness a lot more. I think you're only as good as resilience as yourself, not all. So some of them are even, they're not even directly in our cyber field, but they're in other fields. It's like, how can I go about getting my health and check my family and check, and I went ahead and became certified health and career coach as well, too, just so I could do that better.
[00:05:59] Rick Howard: Oh, [00:06:00] that's, that's good. I have a similar thing for military people transitioning to the civilian world, not necessarily security, but you know, just some of the obstacles to look out for. So I have a handful of those folks too, that I advised as they make the transition.
[00:06:15] Dr. Rebecca Wynn: Yeah, I encourage people out there. I keep a daily wins.
And what I mean by that is I, I try to list at least 3 wins a day and I tell people that might be getting up making your bed and moving forward. And if that's what it is, that's a win. But I also say that I paid back in some fashion today that I add value to someone's life. And I tell people that could even be just sometimes a hard day.
And you're just saying, Hey, I really do appreciate you're doing great. Maybe it's helping with the groceries, but did I do something to add value? And you can do that beyond your field and have a very positive ripple effect. And I think that's also very important to do.
[00:06:49] Rick Howard: Well, I also get, I get a lot of out of it too.
Like I said before, you know, uh, one of the things you have to do in our career is network and communicate. All right. And so, especially when you're talking to [00:07:00] newbies who are asking, you know, general questions, they'll challenge you on things and go, Oh, maybe I don't really know what I think I know about that.
So it absolutely helps me get my thoughts together and how do I explain that? And I think you and I've talked about this before. One of the best skills you can hone. Is to communicate really complex ideas to smart people, but who are not necessarily familiar with the idea. So if you have that kind of a skill set, you will do well in any field, but especially cyber security.
[00:07:30] Dr. Rebecca Wynn: Yeah, I talked on another show of mine. I said, 1 of the things that I did just to get. More used to speaking and speaking a little bit more concretely, you know, might seem like I don't always do that is I did Toastmasters. What did you do? I also took public speaking and critical thinking in college. What did you do to try and help yourself in that area?
[00:07:48] Rick Howard: Well, a couple of things, right? Uh, one is just go do it, you know, go. Speak, right? There's a thousand cybersecurity conferences going on at any given time. And they're always looking for people to speak, come up with an [00:08:00] idea, have a fresh idea and figure out how to communicate it. So when you do another, you know, 10,000 hours max, you know, Malcolm Gladwell, you start to get good at that kind of thing, but I will tell you also, all right, is, um, part of that.
Hand in hand, he's being able to write, you know, not write the novel, like the Stephen King novel or something like that, but you have to be able to communicate what you know, to people that don't know what you know, in writing. So you have to practice, you just don't do that on the fly. Right. And so the way I started doing it was writing book reviews for books that I like, not just security books, but.
Any kind of book, right? Whenever I finished a book, I always take the time to write down my thoughts so I can remember what the hell I read, you know, 10 years from now, and that helps me hone the craft, but for people just starting, there's lots of places you can put your thoughts like LinkedIn is they'll take anybody you can write your essay on whatever you want to write about.
And that helps you, you know, practice your craft. So writing and speaking, you just have to [00:09:00] practice them.
[00:09:01] Dr. Rebecca Wynn: I absolutely agree. I keep a notebook myself. And so every time I'm reading a book, I'm like, Whoa, that was poignant.
[00:09:06] Rick Howard: Yeah,
[00:09:06] Dr. Rebecca Wynn: that's the point, but this is how Rebecca would say it. And so yeah,
[00:09:10] Rick Howard: exactly.
Right. And you know, the secret tool I use is, uh, I read my books with Kindle, sorry, Kindle reader, because you can highlight packages and you can take notes on it. So you don't have to, you know, find the book, write it down yourself. So that saves me an immense amount of time. So that's my, my, uh, secret for people trying to do this and stuff themselves.
[00:09:31] Dr. Rebecca Wynn: That's excellent. And I tell people, you always have to remember too, if you're going to communicate. I, and I know you did this evening on your bio to me, even though I changed a little bit is do you need a hundred words? You need 144 words, 250 words or 500 words. And that's good practice as well, too. And how pithy do I need to be in my communication?
[00:09:50] Rick Howard: You know, I do have a recommendation for a book. If you're struggling with writing and you don't know how to do it. One of my favorite authors is Stephen King's. I like horror stories, right? But he wrote a book [00:10:00] called On Writing. And it's, he talks about his craft, you know, and, uh, if you like his stuff, he refers to his books and his movies as he's writing the story.
Right. And, but he tells you about sentences and passive versus active and what you should be trying to do. And, uh, it's just very enjoyable. I hand that book to any newbie coming into my organization.
[00:10:20] Dr. Rebecca Wynn: Oh, awesome. for that. You know, when we talk about communication in the workplace, one of the things my pet peeve is, and anybody who works with me is.
Keeping emails on topic. What is the subject line? What are they looking for their information? And then if you're going to be changing topics, write a new email. How do you coach people? And how do you feel about, unfortunately, bad practices are really getting into the communications within business?
[00:10:45] Rick Howard: Well, I'm pretty strict about that kind of stuff, especially, you know, if you don't tell me what you want me to do in the first line, I'm not reading that thing.
All right. And so if you're, you want me to make a decision about something, you better tell me what decision you want for that. You know, I'm an old military guy. [00:11:00] They beat it into you. Okay. That, uh, something called bottom line up front. Um, bluff, right? And so before I even say, Hey, Rebecca, how you doing?
And all that in the email, the bottom line up front is I need a decision on this thing by X date, right? And so they know what I'm asking for. And if I don't get that from people sending me notes, um, I tell them to rewrite it.
[00:11:24] Dr. Rebecca Wynn: And I'll tell everybody he does do that. Somebody's like, here's a subject line, bottom line, when you need our feedback.
And it is put your request up front because I don't always, even though I like to write dissertations too, I don't always have time to read your 5 or 10 page dissertation to try and figure out what you're asking me first. And what I do is this is what I need. And by the way, then I always do like a break.
And then I'll say, here's details.
[00:11:49] Rick Howard: Yeah. The email body is, you know, the explanation of all those things. All right. But if the guy, or if the person doesn't have time for that, then, uh, yeah, at least they know what they got to do.
[00:11:58] Dr. Rebecca Wynn: That's great. You [00:12:00] know, we talk about you being, and I always have to ask this, being a cyber strategist.
Analyst as well as a cybersecurity officer or chief information security officer. And I know there's people out there sketching. I'm like, what does a strategy officer really do? That's different from the tactical from the CISO. How do you view those separately and how should we as leaders think about when we have to switch hats?
Cause it's hard to be only one facet in anymore in today's world.
[00:12:27] Rick Howard: Well, yeah, I think you have to do all those things. Right. And, but your title, You know, I've been a, some kind of see. So like three times, officially four times, if you count my army time. Right. So, and there's chief security officers and there's chief information security officers.
Uh, but I think all of those folks have to know a little bit about strategy and a little bit about tactics, right? My experience is the chief security officer has a larger responsibility. You know, they just, they're not just doing information security. They're also probably thinking about [00:13:00] risk and. And, um, physical security and, you know, all kinds of other things.
Whereas the chief information security officer normally, okay. Is just dealing with digital, uh, information. So that's not always the case. I've seen lots of exceptions. There is no one way to do things out there. So, um, but can we talk about strategy? Right. Because strategy, I feel like our whole industry has not done this well.
Right. We. Continue to keep, I don't know, what's the word I want to use, uh, making incremental improvements to things that we've been doing for 30 years. But we have failed to stop and consider if we're going in the right direction in the first place. Right. And that's kind of where strategy is. Right. But kind of the, the biggest strategy that came out of the nineties was defense in depth.
And most people use some version of that when they describe it to their You know, leaders or to their peers, but I can make a pretty strong argument that defense in [00:14:00] depth doesn't work. Right? And so maybe we should have some other strategies. Right? And perhaps we should talk about those.
[00:14:06] Dr. Rebecca Wynn: I agree. I, when people talk about defense in depth, I'm like, you know, I want to make an onion.
If you're going to get to my golden nuggets, you cry very, very hard because it took all that time and energy, but you're right. And today's, For our profession, you know, people call me so, but I'm like, but you really do almost everything I need son. So I say, well, how about you call me? I don't know that woman or something because you are doing everything you are doing everything underneath the sun.
And let's face it, there's an incident to sit there and go, I hope and pray. It's going to be okay. You're in it as well, too.
[00:14:37] Rick Howard: You can call me the grand poobah for all I care. All right. Uh, just don't call me late for dinner. That's the only thing I want. Right. Exactly.
[00:14:44] Dr. Rebecca Wynn: Well, most definitely. So you've been in a lot of tough situations and I'm sure you've been in some situations where the words are coming in your mouth.
They just want to hear it. I mean, I've had that quite a bit, unfortunately, last couple of years. And then after I leave, they're like, Oh crap, we should have listened to you three years ago, four years ago. [00:15:00] What words of wisdom do you, do you have, or do you have even an example That wasn't a big failure, but this is how I learned from it.
[00:15:07] Rick Howard: Well, I can tell you an old IT story and talk about, you want to, uh, mention leadership skills, right? This is back when I was a young captain and I was, I was teaching at the military academy, but I was also in charge of the network and IT stuff in the, uh, electrical engineering and computer science department.
So I was in charge of all that networking stuff. We're going to upgrade to new things. And I came up with a big plan and I went to my boss and said, boss, this is what I want to do. And he gave me that, you know, the horn growing out of my head kind of a look, right. And he had some questions, but, and he said, are you sure you want to do this?
And I said, absolutely. This is the bright plan to his credit. He let me do it and it completely failed. It burns it. I mean, it was just a disaster. Right. And when I went to him and told him, Hey boss, I failed here. He did not to his credit, you know, do the, I told you [00:16:00] so kind of thing. He just said, okay, what'd you learn and how do we fix it from here?
Talk about a leadership. Example, right. Uh, to say, you know, we're going to make mistakes. This is a very complex field in whatever you're doing. Okay. It doesn't have to be security only, but you don't have to be perfect everywhere. And leadership helps their underlings, uh, provide direction, give them resources and support them as they move out, try to execute some of these plans.
And boy, I learned that early with, uh, that boss. And I really appreciated it.
[00:16:32] Dr. Rebecca Wynn: I always think those are great mentors to have in your life. But as we talk about CISOs too, and the fast pace that's changing right now, one of the things people ask me is, how come CISOs change so frequently? I said, it's not always that you want to, but sometimes you just realize that.
You know, you're pushing the boulder uphill and there's absolutely, you're the 1 who keeps getting smashed by it over and over again. So it's either like, at times, it's like the criteria expectations for you. There's no way you ever can meet it. [00:17:00] Or there's not that mentorship on knowing that you're not going to be perfect all the time.
Risk is out there all the time. And then they, you know, they don't have any leeway as much as I do for CIO or CTO to. You know, live and learn what words of wisdom do you have. For for people who are trying to put up with that, or how do you even think that we needed to change that conversation? Because people do talk about that where people are spending out 15 months now, sometimes even earlier because of that lack of support.
[00:17:27] Rick Howard: Two things there, right? One is first just corporate officers change out pretty fast. Right. Uh, and my last gig, I was the CSO of Palo Alto networks. I was there for six years, but a new CEO came in. All right. And he had a different idea for what I should be doing. It was totally amicable for me leaving, but, uh, you know, he brought his crew in and that just, That's corporate life.
Okay. That's just what happens, right? So I have no ill feelings toward those guys at all. It's just the way it goes. But more specifically for cybersecurity, I think we've done ourselves a [00:18:00] huge disservice on how we've described security to our leaders. And so they're confused. They don't understand what's going on.
We may, you know, when you and I were starting, we, our community, Made the point that cyber security was somehow different that, you know, information security risk was somehow different from all the other risks that the company leadership has to deal with. And it's just not so okay, it just isn't right, but we didn't learn how to communicate.
With senior officers about risk in the, and how it would affect what they're trying to do when their overall goes. So for us, the way I've approached it is try to capture the security posture of the organization in terms of risk that senior leaders can understand. And by the way, Our community is really bad at this.
Uh, we totally suck it and we could really use an upgrade for sure.
[00:18:52] Dr. Rebecca Wynn: Yeah, I tell you, I use the cost of primer quite a bit. Just trying to think about humanistic financial as well as technology and different [00:19:00] impact. But I'll tell you, I've been in a lot of organizations will come across. I wouldn't I do that as well too.
They're not you're right. They're not used to us having that conversation.
[00:19:07] Rick Howard: Yeah,
[00:19:07] Dr. Rebecca Wynn: I know that some of the other groups. Maybe they were like glossed over because now they realize there's another person who's actually trying to get into that conversation.
[00:19:15] Rick Howard: I have this notion that we should be talking about, uh, material risk because not everything, not everything cyber related is material to the business.
If, if, you know, some hacker group comes in and steals the menu for the local cafeteria, eh. Who cares? All right. That's embarrassing a little bit, but didn't really impact the company. That's not something we should be spending a lot of resources on. However, if some hacker comes in and changes or steals the, you know, source code repository for our secret sauce product, that's material.
All right. And so if we could talk to business leaders about what is and wasn't, isn't material and convey it in a way they can understand that as a more pleasant conversation. All right. It's also, by the way, it's not an on or off kind of thing. Okay. If you get, [00:20:00] if you, in the old way, if you get breached, I failed.
All right. But in the new way you asked, you tell the leadership that, you know, there's a 30 percent chance, all right, that, uh, your source code library is going to get, uh, impacted. Are you okay with that? Is that inside your risk tolerance? And if it is, Hey, that's good. You don't even have to go to the next board meeting.
All right. But if they don't like that high number. Then you can come back to them and say, Oh, you can reduce that number by, uh, new people, new process, new technology, right? Um, there's lots of ways we can reduce it, but the culture has to be able to accept it.
[00:20:37] Dr. Rebecca Wynn: Yeah. I was talking, I was consulting with a company just right here a couple of days ago.
And one of the things they were Obviously their cyber strategy and what was going on before this new CIO came on has to take a look at it because it's pretty honest with you. It's kind of crazy, but they, but they said, oh, yeah, by the way, we had a pen test and I said, what was tested? What was the scope?
And I said, well, we have this many endpoints and this many printers, all [00:21:00] that kind of stuff. And I said, yes, I said, did they just test that it was on. Because that would be a pen test too, is it on or off? And that's the other thing too, I don't think we always have clarity on if we're going to test something, if we're going to do something, why?
What's the, so what? What is it more than just a checkbox? Cybersecurity training should not be a checkbox, for example. How do you usually deal with those type of attitudes on how do we just security compliance and privacy off our back? Not that we want to make a change to the culture.
[00:21:30] Rick Howard: Well, I mean, I'm, I'm probably in the minority here, but penetration tests are not the, First thing I'm going to reach for there.
They're not that useful. Right. Uh, in the old days, when we had to convince leadership that there may be an issue just to show them some success. But today you can look at any news headline and show that hackers are having success out there. So that isn't useful. There's like 20 other things you got to, I would rather do spend time on to get those right.
Then to do a penetration test up front. I just don't need it. Now, when you get all those 20 things [00:22:00] done, craft a penetration test to see if they can, you know, those guys can penetrate what you built for them. Okay. That might be useful. Right. But man, there's a lot of work between a and B there. Same thing for me.
Uh, and I'm also a naysayer and this is security awareness training. Good Lord. All right. That's blaming the victim. If your security program is based on grandma, okay. Not clicking the link, you're going to lose that one, right? We should do all kinds of things before grandma has to decide it. Not what grandma, right.
Looking at, you know, URL headers and email messages, trying to decide if she should click on it. Now that's over exaggerating. I agree that there's some just awareness training just to be aware of stuff, but, uh, that should not be your frontline thing, in my opinion. What do you think about that?
[00:22:47] Dr. Rebecca Wynn: Yeah, I don't like it either.
I tell people I don't like to send people to training hell and if I'm going to go ahead and go ahead and explain something, let's make it interesting. Hey, guys, you hear about this? Come listen to me and let me tell you what's going on and how they're getting [00:23:00] caught. Make it a little bit more interesting, but I tell people it's really points of reminder and how can you make that as creative and light as possible.
Can you do through a funny screen scaper, can you go ahead and have a great talk on something that's hitting the news right now that people are wondering about, then you can go ahead and remind them of a great point but you're right it's the human. And so, humans are going to be humans and other humans are going to be creative to get the humans.
So, you know, how can you trap that click. That it doesn't go anywhere else. How can you sandbox it? How can you do things along those lines? You don't want to be sloppy, but you don't, don't want to punish them for being human in my point
[00:23:34] Rick Howard: of view. I agree. I mean, we've been doing this stuff since the early nineties, right?
We're still, we can't protect those people from those kinds of things that that just shows you where we are as a profession here, right? I agree. They should know not to click on it. Links they don't want to know, but that's about as far as I'm willing to go with that as a security program, the one that I build, I want to protect my users from all of that stuff.
[00:23:55] Dr. Rebecca Wynn: And I tell me the same thing goes when they say, did you have your annual business continuity test? Did you have your [00:24:00] annual answer response to disaster card test? I'm like, well, we have an incident response and disaster recovery all the time plan. And then I'm like, what's business continuity? Are you doing a tabletop just to do a checkbox?
Are we doing it actually to walk through? So then we can come up through with a playbook. Or several playbooks, and then we're used to being able to at least. Not have that panic mode when that, that event happens. If so, that's a good thing. But if it's just a checkbox, I've never been up on checkbox security privacy.
[00:24:28] Rick Howard: My favorite example of who does this well is, uh, the Netflix chaos monkey architecture. Are you, have you heard this before? Do you know what those guys do?
[00:24:37] Dr. Rebecca Wynn: Not in detail. Can you explain to us in detail a bit more?
[00:24:40] Rick Howard: Yeah. So about 10 years ago, they started, they on purpose wrote code. This is Netflix now. All right.
That would destroy pieces of their infrastructure on purpose. All right. That sending the message to their developers that they would have to withstand routine outages, right. All day [00:25:00] long. That's a lot of, uh, can I say. curse words here. That's big balls. All right. I would never do that. All right. But uh, that is taking it to the extreme, right?
That they continuously practice recovery operations and resilience every day because they know something is going to fail every day. Right. And by the way, it seems to work because I never see, you know, any kind of outages in her. And so it must work for them.
[00:25:25] Dr. Rebecca Wynn: That's great. I can't think of any company that I've ever advised that would say, sure, go ahead and
[00:25:29] Rick Howard: do that.
Go ahead. Yeah. Destroy your operational network, uh, just so you can have more resiliency. Yeah. I don't think anybody would do that, but Netflix love those guys.
[00:25:38] Dr. Rebecca Wynn: Well, our time has totally run short, but I'm thinking everybody for joining us for today's episode. And I think Rick, for his time, Please go ahead and look at the description. That's where you find the contact information for Rick and his company, as well as other resources. Please like subscribe and share the show. Also make sure you check out and subscribe [00:26:00] to the soulful. CX newsletter. Available on linked in as well as every other week.
I usually post a brand new article with great insights. Rick. Thank you so much for being on the show.
[00:26:12] Rick Howard: Yeah, . Okay. I'm easy to find. I work at the Cyber Wire, as you can see from my background there. So go to the website and you can find me there.