Cybersecurity in an IT-First World: Vigilance & Risk Mitigation with Ex-CIA Chief Christopher Burgess
Security leaders must balance rapid digital transformation with vigilant risk management practices in modern enterprise environments
With digital transformation occurring at breakneck speed, cybersecurity has become a critical concern for first-world IT environments. The shift towards IT-first technology has brought about new challenges in protecting sensitive data and ensuring enterprise security. The stakes are high, with reports of data breaches becoming a daily occurrence, impacting organizations across various sectors. In this episode of Signal Flow by AVIXA, host Ben Thomas engages in a thought-provoking conversation with guest Christopher Burgess, ex-CIA Chief, consultant, and security industry writer, to explore the nuances of cybersecurity in an IT-first world.
The conversation delves into:
- The importance of staying engaged and informed to stay on top of cybersecurity threats.
- The role of manufacturers and the need for continuous updates and vigilance in the face of evolving threats.
- The human element in cybersecurity, highlighting the significance of education and awareness in mitigating risks.
Christopher Burgess brings a wealth of experience from his 30-year tenure at the CIA, where he held various roles, including Chief of Station. With a background that spans IT, computers, science, technology, and operations, Burgess offers an expert's take on the nuances of cybersecurity in an IT-first world. He has since transitioned to consulting and writing, sharing his insights and expertise with a broader audience.
Video Transcript
So I wanna ask, at a high level, even outside of the world of technology, what are the larger kind of macro conversations we're having about cybersecurity right now? You're not alone. And and what I mean by that is you're not living in a vacuum. And and thus, you really have to engage to stay on top. Hey everybody. And welcome back to Signal Flow. I am your host for today, Ben Thomas. You know, one of the challenges that we have as an industry is we continue to migrate and evolve into the world of IT first technology is the idea of cybersecurity. And I know we hear it all the time, and it means a lot of different things to different people and different organizations and verticals. But look, it's commonplace these days to see an article. It seems like every single day about a new breach, whether it's social engineering, whether it's somebody who was able to hack in, via a piece of smart technology. And I think it's important for us as an industry to have meaningful conversations around the world of cybersecurity, especially when we talk about enterprise security and protecting sensitive data and things like that. So, wanted to bring on someone today really who has a lot of expertise even beyond just the traditional hardware and IT infrastructure community. And that's Chris Burgess, who is a former CIA chief and current security consultant and writer. Chris, thanks so much for coming on the show today. My pleasure, Ben. Well, look, Chris, I gotta ask. I know there's there's a lot of folks in our community who who may hear the name, and not exactly be familiar with who you might be, but you have so much expertise. Set the stage for us. You know, tell us a little bit about your background and some of the ways that you've worked in the world of security in the past. Glad to. For those who want a deeper dive, they can do a web search of my name, and there's lots of exposés have been written over at various entities who have interviewed me in-depth about my past.
But, here here's the Reader's Digest version. I joined the CIA around age nineteen, and stayed there for thirty years, moved from the literally, the file room, to exit out as as a chief of station. So, I had the pleasure of working across four directorates, which gave me experience in IT, computers, science, technology, inventing stuff, administration, analysis. I got a history fellowship along the way there that took me offline, and I I got to write histories. That was, like, really cool. And that unknowingly, that sets the stage for my future, my long term future. And then, operations, which is what I think I was birthed to do. So it is the operational world where I was able to leverage all of my technology knowledge and put it to good use, and I found that leading people and sharing knowledge was my bread and butter. This is where I shined. This is where I had the, the utmost joy in my own professional life was leading and showing folks how to do things. So what did I do? I created stuff. Did that for thirty years, popped out, wrote a book, got hired by Cisco Systems at the time, little company out in San Jose, and it had a hundred thousand people to be their senior security advisor, wrote more stuff, left them, retired twice, CIA, Cisco. CIA gave me a medal, Cisco gave me a bottle of single barrel Jack and a Stetson. They know they knew me well, and then started my own startups. And around two thousand fifteen, jumped into writing, consulting, full time speaking, and that's what I do now and have been for the last ten years and loving it. So here I am. I let's sum it up into one phrase. I think it's it's fair to say that you know what you're talking about. Especially I have a I have a Renaissance education. Somebody out there who is somewhat pedantic will say, he didn't talk about his university years. Well, that's because they don't exist. And it makes it easy. And they go, what?
And, you know, the reality is there are still folks out there who learn things by the seat of their pants, and and I'm one of them. Well, look. And that's why we have you on. You've got the expertise. You've got that ground knowledge that that some of the folks sometimes in our industry may not have because we've got it here. Right? We we've heard a lot of the best practices and things, and and and I think making that transition from head knowledge to practical knowledge is one that that we can continue to do. The way you just phrased that. The transition from head knowledge to practical knowledge. Because frankly, if you don't have the dirt under your fingernails, then what you're espousing is theory is nice, but we don't know if it'll really work. Well, look. I think you just won over a lot of the the listeners here who literally live in, sheetrock soaked installations every day. So they'll they'll appreciate that. But I'll I'll I'll ask you this, Chris, to start us off. Right? You know, I mentioned it a little bit in the introduction, a large corporation or a hospital or, you know, a hotel. It seems like these conversations happen every day. And as a community who has embedded technology in every single one of these major corporations, we have to be able to have meaningful conversations about how our community can best secure whether it's intellectual property, whether it's, you know, data streams, whether all sorts of different things. So I wanna ask, at a high level, even outside of the world of technology, what are the larger kind of macro conversations we're having about cybersecurity right now? You're not alone. And and what I mean by that is you're not living in a vacuum. And and thus, you really have to engage to stay on top. In the AV Pro world, for example, y'all are experts at what you do in the audio visual. You're experts at what you do in marketing presentation, HR. But are you experts in the cybersecurity world? 
And if you're not, and and I understand some of our listeners and viewers are. But if you're not, then the first thing you need to do is engage a relationship with a cyber professional who is really good at what they do, so that you can focus on what you're really good at, and not do it halfway. The biggest threat that any entity has is to think of cyber and security as as as I'll get to it. I'll get around to it. Well, the world's got enough round-to-its out there. We don't need more. What we need is focus. And if you're really good at doing A, that doesn't by extension mean you're gonna be really good at doing B. And doing B, in this case, is the cyber. So find yourself a partner to help you along. Because if there isn't focus, then there's tons of downside. And the downside is that if you're a small entity, you can find yourself out of business. And if you're a larger entity, you can find yourself in quagmires of losing customer trust, losing customer data, finding yourself tied up in ransomware, and now you have to make the decision. Do I pay a ransom and make it possible for these miscreants to do do this to somebody else? Or do I suck it up and say, you know, go pound sand because I had good cyber. I have everything backed up. I just turn it all off. I can turn it back on. I can rebuild it. I lost a day. I didn't lose my company. That that was fantastic. That was that was incredibly helpful and and very concise. And and, you know, I appreciate you kinda talking about that world of expertise. Right? And and you and I had a have had a chance to chat a little bit before. But, you know, the thing that we find traditionally with the AV and IT community is that a lot of the responsibilities now that fall into what I'll call the IT manager, the technical manager, even the facilities manager in some cases, includes that of cybersecurity where, you know, maybe somebody was proficient in technology or broadcast or a specific kind of workflow.
Now there have been additional responsibilities thrust on them of mission critical importance in in many cases. You know? And and I wanna even ask, you know, what are some of those common vulnerabilities that you see, whether it's in an installation, whether you see it's in a piece of technology, or even just at a high level? What are some of the common vulnerabilities that you that you see specifically kinda from the IT world? So I'm not going to, read, the CISA, the the cyber infrastructure security, agency's website to you. But I'm gonna tell tell your listeners, if you're not reading them, shame on you, because they give you from soup to nuts all the threats that they're encountering, that they're seeing, and how you can make yourself more secure no matter how large you are. If you're a mom and pop, or if you're an enterprise. But let me talk to you about the common pitfalls in the hardware software world that organizations need to be aware of, and how they can be addressed. Number one, when, entities sell product, be aware vaporware is very real. Right? They they are getting to market as quick as they can, and sometimes it's eighty percent ready, sometimes it's ninety percent ready, sometimes it's a marketing feature that hasn't quite made it into the hardware. It's a marketing feature that hasn't quite made it into the software. So do your due diligence, ask the hard questions. Don't be don't be afraid to embarrass a vendor, and asking them to show you it, that it really works, not just in the demo world. Number two, privacy is critical, especially for those of you who wish to do business on a global scale. The rules in the United States are among the most lax when it comes to privacy. Step foot in Europe, and now you have real rules that you have to marshal your your enterprise, your company to to maneuver through. The safest thing is don't keep people's data, and you don't have to worry about losing people's data. Right? 
But, you need to protect that which you collect. And if you don't have the infrastructure, you don't have the means to do it, don't collect it. Or, put together an infrastructure. And then lastly, and this is gonna be a little long winded here is, updating is a constant. Device creation all may be well and good, but technology evolves. So that when they created the phone, today's model of phone is really secure today. But evolution occurs, and vulnerabilities are discovered that weren't discovered when that software mod comes out. And that's why vendors are always sending updates. And if you're not on board for those updates, what you're saying is, I'm okay with this delta of risk being open. Because the vendor is saying update today, and I don't get to it to tomorrow. That period of time is known as the delta of risk, and it's a very real one. Now, here's the other side of this advice. Make sure the update doesn't create other problems for you that are greater than that which you would accept by keeping that window open. And only you can answer that, I can't. Because I don't know what else is going on in your device, in your world, etcetera. But you need to know. And thus, that I'm going to loop back. That's why you need to know somebody who knows something about your cyber infrastructure and can can give you that answer. So you can make that business decision. Truly, stay on top of the updates, create persistent searches on your critical infrastructure and devices. And what I mean by that, use the power of AI. Use all these different engines out there. Why do I say this? Because they're looking every day for information in ways you can't, but you can tell them what to look for. And by telling them what to look for, you get it when the researchers publish it. Well, Chris, I wanna ask. Right? 
You know, you you even just mentioned the manufacturer a second ago, and and, you know, one of the challenges among many is that even though we recognize that this education and technology gap exists, whether it's understanding fully cybersecurity or whatever, You know, there's a lot that the manufacturer can do proactively. Right? Whether it's, you know, specific network integrations, features, functionalities, even recommendations in training in some cases. And, you know, one of the examples I'll use is, you know, you hear all the time about closed loop ecosystems and, you know, having your own private IP networks and things like that, which is which is great. That's one of the things that that our community is pretty good at. But what burden does the manufacturer have in in helping execute these strategies, right, especially understanding on the back end that there is a knowledge gap? Manufacturers want their giziwiz in your infrastructure. And they don't and and while they care if it's an open infrastructure or a closed infrastructure, you've got an an enclave, you don't have an enclave. If you're, what standards are you measuring yourself against? Are you in the government security world where you have the national industrial security programs that you have to answer to or the, director of central intelligence directives? Or are you in the ISO world where it's just the normal ones that the rest of, folks need to address? But in either case, no matter which environment you're in, you have standards, you have you have what I would call compliance. Well, compliance does not equal security. Let me say that again. Security does not equal compliance. You need both. And so many business decision makers who aren't who are who are interested in in building the company, and aren't so interested in how the sausage is made down below to keep the lights on, may view compliance as the bare minimum. And all it is is the bare minimum to keep regulatory folks out. 
Compliance doesn't keep the bad guys out. It keeps the regulatory folks because regulations normally chase experiences, and experiences that get chased the fastest are the worst experiences. And I, for one, you know, I had enough of that growing up with my mother. I don't need to be punished some more. I I always said, you know, you punish my eldest brother the most. He got my half. I don't need it back. I don't need to have those experiences of others, but we can all learn from those. And and thus, it's critical in my view that you have you train your personnel early on that security is part of our skeletal ecosystem and not the purse we get at Kate Spade to make us look good. I I love that that image that you just gave me right there. Well, you know, and and one of the things too that I wanna ask, right, is is it's easy to kinda finger point and say this person could be doing better. This person could be doing better. But the reality in the world of security is, it's it's a literacy problem for everybody. Right? But it's also a requirement for everybody. Right? If I'm going to use x piece of technology or exist in x technological ecosystem, I need to be able to speak to, on some level, the security concerns. And I wanna ask too. I I know that it's not an apples to apples comparison because the CIA, a lot of times, is dealing with far more, challenging circumstances ask. Right? You know, you you have experience in the world of of centralized intelligence, and and I think like I said, it it's not easy to always draw the apples apples to apples there, but I wanna ask, what are some of the things and examples and even stories that you have from that time that are directly applicable? Maybe maybe it's education. Maybe it's a best practice. Maybe it's how individual ownership, you know, was taken seriously. Tell me about some of those. So I've got a couple stories, maybe a few. And I never let the truth stand in the way of a good story. Just that's my preference. 
Right? We'll just take fifty percent of it at face value then. There you go. So early on in my life, I was on the computer side, and communications and technology side of the organization. I was working with encryption methodology called one time pad. One Time Pad isn't so well known now except to those in the the crypto world. But it's a means of communication that is the most secure and still is the most secure. And what I so I was dealing with crypto key and plain text, and combining it manually, and creating encrypted text. And that that methodology of doing it by hand with a pen and a piece of paper and two separate documents, your key and your plain text, create a third document is fraught with human error. So nineteen seventy nine ish. Right? Two thirds of your audience wasn't even a twinkle in their dad's eye yet. Have gone, seventy nine? Well, yes. In nineteen seventy nine, the first home computers came out. So I took my trash eighty model one, sixteen k, and I created an algorithm, a little computer that automated the whole process. And I did it in less than sixteen k, and it ran for twenty years. And that was evolution. And why why am I telling the story? Because here's the teachable moment. Evolution can create safer environments for work because technology comes to us and allows us to do it. It isn't always bad. We should always be looking for evolution of technologies to make our job better, to do our job safer. And that's where I think the security vendor community really does us a great service, because their researchers are way out ahead of us, and they're bringing to us that which is the art of the possible downstream. But most of us are just trying to remember that our objective is to drain the swamp, and when we're up to our ass in alligators, it's hard to remember that. And so we focus on, well, how do I take care of the alligators? Another one, zone of control.
A lot of folks say, oh, what I'll do is I'll just sweep the office for bugs and audio and video, and we'll be safe, and we can have all our sensitive meetings in this room. Are you sleeping in the room? And when I first said this to a company who would do monthly sweeps or annual sweeps, they said, we're all good. And I said, do you have somebody in there twenty four seven? Is it control twenty four seven? No. It isn't. Then it was only secure until the last person left. Because they don't think about the fact that the adversary could have turned it on, could have replaced it, could have put a new one in. You don't know because you didn't sweep. You left you you lost your zone of control. And so that's something that people can extend to their home. People can extend to their travel, when they travel. Do you leave your computer alone on, you know I'll I'll give you an example. I was in an airport this last, couple weeks ago. I'm sitting there and I'm watching people get up, get down. At at restaurants in an airport, they're leaving their laptops. They're leaving their phones. They're leaving they're leaving their life on the table. I wonder what they're doing at at at the office. And so this again, this is these are experiences that folks are very commonsensical, but you can meld it into your daily if you're a missive to your employees that you need to start thinking about security, or you need to be start thinking about your job security. A little harsh, a little hard, but true. And then last one is, that that I touch on in in that world would be no, let's just stop with those two. I think the zone of control, I think, is the most important, and maintaining your access to your information. And folks who lock stuff in the hotel safe, have you seen anyone leave their jewelry in the hotel safe because they forgot the combo and got on their plane and left? No. 
They call down to the front desk and a guy comes up with a gezyslitz, he pushes it in, he gets it open, and he hands it to you. Well, if he can do that in ten seconds for you, what do you think he can do in ten seconds for somebody who's handing him a wad of cash? Well, Chris, it's it's I love that second point that you made. Right? You talk about sphere of control, and then I like that you even took it down to the human level. Right? Whether it's, you know, using a specific app on your phone or or to lock your passwords or to to lock up your house or whatever all the way up, obviously, to the commercial side of the world. But it brings up a good point, and we mentioned it a second ago, the world of individual responsibility. Yeah. Now this is anecdotal, I believe. I don't remember the exact stat, but I I think it was something like sixty five percent of breaches were caused on some level either by human error or by social engineering. And that is such a massive part of our ecosystems. Right? And and the the the biggest challenge that we have, whether it's from an installation standpoint, an IT management standpoint, or even down the line, is that there's an education gap. You know, I wanna ask in your experience even outside the world of just the technology, how have you seen folks bridge that gap between, hey. Here's how the technology first works. Here's your responsibility. Here's some of the things that you can do to prevent that. Why is that education gap there, and what are some of the ways we could do to close it? So your stat is low. It's higher. And I believe it. The the Ponemon report sponsored by DTEX Systems who, you know, client of mine, they have made, they they talk about the the the carelessness factor. Right? It's just people trying to do their job the best they can and they make careless mistakes. Perhaps they don't configure their cloud environment correctly. Perhaps they forget to set a password. Perhaps they use a weak password.
Per perhaps they write their password that perhaps they do a thousand or one things they shouldn't do trying to do their job the best they can. They don't get up in the morning and say, today I'm gonna hose my company. Right? There are those that do get up in the morning and say that. Right? Those are those are few and far between, thank goodness. But they exist. So let's not say it it it's zero. But the folks who have human error, you you need to address the human error. So in your environment, in your ecosystem, when you have process and procedures and technology and expectations, first, you need to educate what the expectation is. Second, you need a way of measuring, compliance for that expectation. Third, you need to know when a behavior occurs that may downstream create a situation where an error could occur. Folks that look at the insider risk or inside insider risk. I don't wanna say threat. It's risk. Because these individuals, your colleagues are not a threat. Their behavior may become a threat. Their behavior may become a risk that creates a threat. But you need to have in place a means where folks have trust, they have no problem coming to you and saying, Joe needs an intervention. Or, we need to find out what's going on with Joe because there's a behavioral change or the work product's not the same. It it truly is see something, say something. I I I've been asked before, what's the most important part of an insider risk, management program? And I said, leadership. Well then, next comes something along the lines of an employee assistance program. Where you can use it for retraining, you can use it for lifestyle change, you can use it for counseling, you can use it for a lot of different things that doesn't equate to losing this employee that you've invested so much to bring on for errors. Those entities that have security programs that say three strikes and you're out, why the hell did you get hired there in the first place? Right? 
If they don't want If they think so little of you that with three human errors, you're gonna fire me? Give me a break. I'll fire myself. I'll go find some place that will, allow me to be creative. And yeah, I might make an error, but it's not malicious. Fire me for being malicious. Don't fire me because I made an error. Now, mind you, when you make the same error sixteen times in a row, we're gonna have a different discussion. But you you you get my drift, which is folks wanna do the best they can. You have to give them the tools. You have to measure those tools use. You have to be in front of them so that you can protect them from themselves. Well, Chris, look. Last question here. You know, even just kind of building on top of that, I I wanna ask about threats in the future. Right? And and it's I know it's always a little bit more challenging to predict. Okay. Obviously, technology is gonna continue to evolve. There's more vulnerabilities. People are more connected than they've ever been. All these things. But is human error going to continue to be our biggest biggest vulnerability as a as a community when it comes to cybersecurity? And if so, how can we address that moving forward? I think we're gonna have two issues. One is, the human side. Human side will always be there. The human is a vulnerable beast, but it's also your most powerful beast. Lots of folks say, Oh, the human's the weakest link. Nope. The human's your capstone. Your human is the one that holds it all together. They're the ones who are creating the content of the AI. They're the ones who are creating the process procedures and rules. They're the ones that are making the business decisions by which other decisions are then made. Folks in the IT world who think they are the driver are in wrong business. IT is a support organization. Business owns the risk. 
IT's responsibility is to highlight what the risk encompasses, put together the plan to, alleviate that risk, identify the deltas that exist that I don't have a solution for, you're just gonna have to take it. That's the risk we have. Now we're gonna work towards it and be mindful of the evolution. Business decisions, IT, finance, HR, we all support the business. Where's the big risk gonna come that isn't human? The new gizzy whizzes. I use that term a lot. You know, it's technology. It's it's gonna be the new whiz bang thing that we all want. It'll be the norm. All of that software and hardware will have AI included. Do you see anyone offering new products that doesn't have an AI feature? Right? My auto insurance company wants to put AI, here, we'll just put this in your OBD2, and we've got AI. Of course, you're gonna see every time I hit my brakes a little too hard, and I'll I'll watch the creep on my rates. No way something's going in there. But AI will be the norm. Software driven content will be the norm, and here's the double edged sword. And it's no longer just nation states. Manipulation of messaging in the AV world is a reality today. It will only be enhanced tomorrow. And so the ability to discern between reality and fiction, or manipulated data with the deep fakes, or with the content manipulation. You know, a lot of folks think what Russia did in two thousand seventeen was, oh my God, look what they were able to do. They've been doing that since nineteen seventeen. You know, they were just a hundred years ahead, and they've been with all that experience. This is not new. What's new are the tools that enable it to occur. Chris, that, you wanna talk about capstones. I think that's a way to capstone our conversation today. And and I'll tell you what, you know, you know, there's probably a lot of folks who may have questions, who may wanna reach out, whether it's folks who who wanna talk security at a macro level or even a micro level. 
How can people get in touch? C t dot com. Burgess c t dot com. Look at that. That's nice and easy. That's nice and easy. Well, tell you, Chris, thanks so much for coming on the show today. We we appreciate you, coming on. Thank you, Ben. It's been my pleasure. And thank you all for tuning in. Be sure to like and subscribe. Check us out next time on Signal Flow.
About the author
Ben Thomas serves as Head of Pro AV at MarketScale, where he leads content and media strategy for the pro AV sector. With over 15 years of award-winning experience across large-scale events, network television, OTT platforms, and podcasting, he has guided major B2B brands including Intel, Sennheiser, Samsung, and Philips to billions of content interactions. He holds a B.A. in Mass Communications and is recognized for his expertise in podcast hosting, public speaking, marketing, and content strategy.