In this episode of Modern Cyber, Jeremy sits down with Terry Ziemniak, a cybersecurity expert and fractional CISO at TechCXO. With over 25 years of experience in information security, Terry shares insights into the evolving role of a fractional CISO, the cybersecurity challenges facing SMBs, and how organizations can better manage cyber risks. The conversation covers real-world experiences, the importance of risk-based security strategies, and lessons learned from past breaches. Terry also discusses his academic research on AI and cybersecurity, including an innovative approach to identifying anomalous user behavior.
About Terry Ziemniak
Terry has over 25 years of experience in the information security field with work ranging from technical, compliance, and executive leadership. His recent positions include 10 years as Information Security Officer for multi-billion dollar organizations across the United States. Terry now works as a fractional cybersecurity executive, helping SMBs understand, manage, and reduce their cyber risks.
Terry on Linkedin - https://www.linkedin.com/in/terryziemniak/
TechCXO Website - https://www.techcxo.com/
Alright. Welcome back to another episode of Modern Cyber. As usual, I am your host, Jeremy with Firetail, and I am here today with Terry Ziemniak. Terry, I'm delighted that you'll take the time to join us today. Terry brings over twenty-five years of experience in information security, with work ranging from technical and compliance to executive leadership.
His recent positions include ten years as information security officer for multibillion-dollar organizations across the US. Terry now works as a fractional cybersecurity executive, helping SMBs understand, manage, and reduce their cyber risks. We're definitely going to talk about what SMBs need to be thinking about in the current cyber landscape. Terry's a partner at TechCXO, where he works as an interim and fractional chief information security officer.
We're also going to talk about the role of the fractional CISO in the modern landscape. Recent engagements include working with a data analytics firm, an AI-driven targeted advertising company, as well as a traditional furniture manufacturer looking to modernize their tech and security stack. Prior to that, Terry worked in more traditional full-time CISO roles in several large organizations. Terry has a Master of Science in Information Systems Security and presented his master's project, tying AI and cybersecurity together, at an academic conference in Germany. That's another thing I really want to learn more about as we go through today's conversation.
Terry, thank you so much for taking the time to join us on Modern Cyber. It's a pleasure, Jeremy. Well, just to start off, I'd just like to understand a little. There's a lot in your background about having had various roles with large organizations. In your own words, what's been your journey?
What's brought you to where you are today? Yeah. So my career journey really has three phases. The first phase, right out of college, was very technical, so bits and bytes. Over that first decade or so, I got very broad experience on a whole lot of technology.
So I went to school, college, computer science, just writing code like you learned back in the early nineties. But early on in my career, I was building computers, networking devices, databases, all sorts of cool stuff. And that broad but not particularly deep experience served me well, because a consulting company I was working for was building a cybersecurity program. And they said, hey, we need security guys, or guys and gals.
What does a security person look like? Back then, you had to be good at a lot of things. Not necessarily great at any one, but good at a lot. So if you wanted to, you know, scan servers, detect the vulnerability, exploit it, write code to do something, those were things that I could do and I could chain together. Again, being good at a lot of things served me well in the cybersecurity space.
So that was really the first part of my career. And when I was working at the security consulting company, one of the salespeople came over and said, hey, someone asked about HIPAA. What's HIPAA? And I'm like, oh, jeez.
I don't know. So I'm looking around. What's HIPAA? I'm like, I don't know. I'll go figure it out.
So I guess this is before Google, so I typed it into Yahoo or something like that, searched for HIPAA regulations, and printed out the 200-plus pages of regulations. I went through it. Like, this is pretty cool stuff. So that segued me to the second part of my career, which was compliance and then leadership roles. That's really marked by me learning how to do more of the business side of cybersecurity.
In that time, I worked at three different large healthcare organizations as their CISO. At the time, the CISO role was really evolving; they really didn't know what it was. We didn't know what it meant. Frankly, I didn't have mentors, in the sense that there weren't a lot of people in the cybersecurity leadership space at that time. It was all new.
We were all kind of learning on the fly. But it was great. Got to learn a lot. Again, it was more of the business part of cybersecurity than the technology. In one of my roles, as a matter of fact, I wasn't even in the IT organization.
I was in the legal organization, but I was the CISO. So that's the second part of my career. And then the current phase, maybe the last, maybe not, there's still some time to go, but my current phase is consulting. Yeah. So what I'm doing is I'm working as what's called a fractional CISO.
And what I do is I provide the leadership in the cybersecurity space for organizations, really tying together the business leadership, the compliance, the risks, with enough technical acumen that I can make all the pieces work together. And that's where I'm currently at. And when you go into customer organizations in this kind of fractional role, what's typically the first thing that gets discussed or that you end up looking at? Yeah. I tell you, pretty much all my engagements always start with the question of, you know, why are we here?
Why do you want to be secure? It's kind of interesting because that's always a conversation with business leaders, not the techie teams. Yeah. And I've had some, you know, people say, well, I just feel like I have to be more secure. I had one woman, a really smart executive I've been working with for a long time.
She says, well, we've got to do the right thing. We've got to protect the data. But I also want it to be a business differentiator for us. That's the kind of thing you'd love to hear from your leadership group. But more and more, Jeremy, what I'm hearing is this is becoming an obstruction for sales.
If you're a midsize company and you're selling into a bank, to the government, to the military, to health care, to whoever, these buyers have all of these cybersecurity concerns about what they consider third-party risk. So if they're buying your widget or your service or your staff or whatever, how do the big guys know that you're not introducing cybersecurity risk to them? So that really has been a big driver for my business over the past five years. Yeah. That's really interesting because, you know, one of the things you said earlier was that part of what got you started on this journey was looking at HIPAA for the first time.
And under HIPAA, as you know better than I do, you've got this concept of a BAA, a business associate agreement, where you might have downstream vendors that support your organization. And in a way, they almost inherit the HIPAA requirements. Even if they themselves aren't handling data that is in scope for HIPAA, you know, it can be a risk to your HIPAA compliance and ongoing certification if you've got these kinds of gaps. And I've been telling people for a while that, just to take a sidetrack for a sec, we as a small organization did our SOC 2 early on, and we're in the process of doing our ISO 27001 right now. And I tell people, you know, a big part of why we do that is so customers can have the trust to let their data sit with us.
And I see that this is the direction that pretty much all of it is going. HIPAA may have been the first to set the standard for, hey, we've got a business relationship as partners, you serve us in some vendor capacity for something, but I think it's becoming prevalent and I think it's going everywhere. I generally view it as a good thing, but I guess this is a big part of what you're seeing with the organizations you're working with as well. Right? Yeah.
It really is, because a large number of the breaches and security incidents you're seeing for big companies are not the big companies themselves. It's their partners. So historically, it's always been the partners. Even one of the more famous breaches, the one Target had about twenty years ago, really opened everyone's eyes to what's going on in cybersecurity. Target was breached. The bad guys got in, got on their credit card swipes.
About twenty years ago, that breach actually came because someone hacked their HVAC maintenance company. Yeah. So they got into their heating and cooling company, and that got them into Target. And there was a huge breach and a huge issue. So, you know, I think that's also where we take it, Jeremy, to the idea that this is a differentiator.
If you're selling widgets or services or whatever, and you can lead with a cybersecurity discussion, you know, hey, there are three people selling what I do, but I've got my SOC 2. I've got my ISO. I've got whatever. Right.
Those are conversations that may well be a differentiator for you. Yeah. Absolutely. Absolutely. So you have that first conversation.
You talk about why we're here. You talk about, hey, is it because we want to view it as a sales differentiator? We want to do it because we just feel like we might not be as secure as we need to be. I would hate for anybody to be doing this, you know, either because, a, they don't know why or, b, because they've gotten breached.
One thing that I tend to see, you know, I've worked on the cyber vendor side for a little while now, and what we tend to see is it's not us who got breached. It's one of our competitors who got breached, and that often is a trigger for organizations to go out there and look at it. But once you've gotten past that initial, what's the impetus for the conversation, where do you then look? Is it, okay, let's assess where we're at?
Is it, let's set the goals for the outcome? How does that typically play out? Well, so that's where I transition, and I focus on why I'm here. They bring me in as a fractional CISO. They're not bringing me in to do an assessment necessarily, or a particular task or deliverable.
I'm really engaging as a cybersecurity executive for the company who works one day a week, effectively. So as an executive, you know, with my experience doing this, this is what I would do if I was there full time. I would assess, I would establish a road map, I would communicate the road map, get buy-in on the road map, budgeting, whatever else we need to do, and then I'd execute the road map. And then I do the same thing every year. So road map, execute, road map, execute.
That's what an executive, whether it's a CFO or a COO or a CMO, this is what they all do. It's the same exact concept. Typically, though, I start with a true assessment where I align with NIST or some other standards-based assessment to figure out where they're at, because it helps facilitate the conversation for the road map itself. Gotcha. You have gaps here.
You should be here. This is red. This is green. So that first conversation on the road map, it helps to have some kind of framework or standards to align us. Because the other question really, Jeremy, is how secure do you have to be?
Do you want to be Fort Knox? Maybe, maybe not. That's a very expensive journey. It may not be necessary to be Fort Knox. Maybe you just want to be very good, or maybe you can afford just being good.
There are different levels. So it's really important as an executive. Again, you need that road map. You need the buy-in. But to make that happen, you need to have the conversation.
Yeah. I mean, that's one of the themes over the 50-plus episodes that we've done here on Modern Cyber. Two related topics that always come up are, one, security is never done, because organizations don't sit still. You're never locking in, okay, we use these systems.
They never change, etc. That's never the case with anybody. And the second is that there's no such thing as being done implementing, or being done managing all of your risk. It's always a question of, what is the risk tolerance that the organization is willing to have? You're never guaranteed to be fully secure against every threat.
New threats come out all the time. Organizations adopt new technologies, all of that. So I really understand and empathize with that. I do wonder, with the organizations that you're working with, let's say smaller organizations, do you find that they really have that understanding that this is a risk and trade-off conversation from the very beginning, or do you have to educate them on that?
That's an excellent question. And that's something that I learned on my personal journey as an independent consultant, which is where I started about five or six years ago, trying to sell this concept that, hey, I'm a cyber executive, let me help you with your issues. So I did the training classes and I talked to other people that were successful to figure out how I'm going to sell and how I'm going to market what I do. And I really honed in on the idea that this is a risk that we're dealing with.
And if you have a business leader that understands risks, not necessarily cyber, it could be financial risk, competitive risk, regulatory risk. If they understand those concepts, that there's something that we need to address, that we're never going to fully correct, but we have to manage and we have to tolerate risk, then I can work with them. If I have people that just don't get risk, and there are business leaders like that, they just don't get those concepts. There's a gray area. You're never going to fix this problem.
You have to be good enough. You have to have secondary controls. You have to have backups, everything else. If these people just want to buy a widget, if I buy a widget, I'm secure, those are a very hard sell, whether we're selling solutions or just discussing this problem, because that's been the historical problem with cybersecurity over the past twenty-five years.
You know, if the leadership thinks you can just buy five or six widgets and be done, you've got a communication issue. You have a leadership issue. Yeah. And as I mentioned a lot of times, communicating with the organization is a key part of what I deliver as an executive or a part-time executive. That culture and leading and teaching at the leadership level is important, but you're spot on, Jeremy.
This is a risk conversation. Yeah. If you get to that point, you're halfway there. And so along those lines, when you sit down with, let's say, the leaders of these organizations and you talk about what is the right level of risk for them or what is, quote unquote, secure enough for them, do you find that you end up needing to bring your knowledge and background and your experience up to that point to that conversation? Yeah.
Two things. One is I can facilitate the conversation because I've had the conversation a hundred times. Right. But yet it is. That's kind of the magic of my experience being in the executive suite for such a long time.
So I've heard those conversations, again, on the regulatory side. I've heard HR people have the conversation with finance. So I have had that conversation and participated many times. Actually, at one of the large organizations I was at, they had kind of pockets of risk, and I partnered with the finance folks and the insurance folks and the cyber sharks, and we started normalizing the risk conversations. Okay. So, you know, I learned a lot doing that, because leadership already knew about financial risk, and they knew about the insurance risk, because this is a health care organization.
Yeah. And then I brought in cyber. So the three of us started talking the same language, using the same metrics. So we leveraged the risk knowledge that was already within the organization. But big organizations can do it. Small ones can't.
But, yeah, you need to teach. Part of leadership is teaching. You've got to teach about risk and what that means. Well, I guess one of the next questions I would have along those lines is, as you're thinking about these smaller organizations, you come in, you have this conversation, you maybe establish why we're here, you establish what some of the desired outcome goals are for the whole engagement. You've set the direction, you've defined a timeline for various activities to take place, and then you take the next measurement point and check on the progress of the program. One of the challenges I've observed with smaller organizations is that they often don't have the skills to get this done in house.
So how does that end up playing out? Does that end up being a partnership with somebody like a managed detection and response provider, or does that end up being an MSSP or some fractional implementation folks? How does that typically take shape nowadays? Yeah. So, again, putting my hat back on that I'm an executive.
I only work one day a week. I've got a road map, and we all agree where we're headed. Part of that road map has to be resource allocation. So most companies have perhaps desktop support in house. They have development staff in house.
Right. They may or may not have a SOC in house. They probably don't have penetration testers. They probably don't have SOC 2 analysts. They don't have policy people, whatever it may be.
So once you agree on the road map, you start conversations about resources, and you pull the resources from wherever. You've already got them in house. We already have partners. You know, I bring my own toolbox of partners. So if they need a pen testing company, for example, I can certainly make some referrals for that. My company, TechCXO, one of the reasons I joined the company is I have staff available to me.
So I've got SOC 2 analysts that I've worked with on a couple of engagements. I can bring those in. So once you have the road map, you find the right resource based on the company. If they have it all in house, great. If not, you find the right cost-effective resource to get the job done.
Yeah. That makes a ton of sense. So ideally, over that time period, what would you say? Do you think most of these organizations are able to make significant progress over the course of six months, or is it more like a year, two years? Yes.
There is low-hanging fruit that most companies have, you know? So there are some things you could check off. A common one for smaller companies is they're using Google or they're using Microsoft Office online. And, like, well, the first thing we're going to do is we're going to get the Google guidance on how to configure Workspace. We're going to do a simple audit, and there are like 15 things we're just going to go through one more time.
Same for Microsoft Office. So, yeah, there is low-hanging fruit. Multi-factor authentication is generally, sure, pretty well distributed, but not everywhere. Simple audits, user access audits, will flush out a lot.
So it almost runs like a spike. Low-hanging fruit, you knock a bunch out. Then you've got maybe the unsexy policies and auditing stuff. Yeah.
Yeah. Then they can start doing more of the technology stuff, because I'm a big proponent of a well-written policy. Well written meaning small, digestible, actionable sorts of statements, because a well-written policy then becomes empowering. Hey, development staff, we have our rules on writing code correctly. Go do your job.
You have directions now. Hey, desktop people. We've agreed on X, Y, Z. Here it is. You're empowered.
Go do your work. So, yeah. A well-written policy, frankly, allows you to get more out of your staff because there's clarity and agreement, and you can get measurements out of that, pretty easy-to-track measurements and metrics and KPIs, if you do them correctly. Yeah. Yeah.
It's funny. I kind of laughed as you started giving that answer because it so matches a lot of my experiences in the cloud security space. And typically, what we would find with customers who are implementing a cloud security program, and, you know, typically based on the tooling that we had at the time, at the company that I was at, it was very much this initial spike of, oh, crap, there are all these things we didn't know about. And then there were just the obvious, glaring things like, oh, shoot.
This database is exposed to the Internet, this set of files, whatever it is that was inadvertently exposed. That was the number one, by the way. I mean, across those two resource types, that was really the number one that would come out of those things. Then it would be things like, oh, we've got a shadow admin, or we've got an IAM policy that gives everybody admin privileges. You know, you knock out some of those low-hanging fruit very quickly, and then it really does settle into what some people would call the slog of going through real policy assessment, which I'm sure you can relate to, but it so matches.
And I kind of feel like it's probably the same with almost any security program. You really identify, yeah, go ahead. If I could distill that even more, Jeremy, it really comes down to most companies don't know their stuff. Yeah.
You can't protect your stuff unless you know what it is and where it is. And that means it always starts with visibility. Devices, data, contracts, partners, everybody struggles inventorying their stuff. And that is a universal problem everywhere. It's funny.
It's one of two problems that I feel like has been around in cybersecurity for as long as I've been doing it. So the twenty-seven-ish years or so that I've been in the IT world, from my time, which, by the way, my experience kind of mirrors yours in the sense that the first half of my career was really hands-on keyboard slash racking in a data center type of experience. And I have the cuts and the scars on my hands to show the experience from those Rittal nineteen-inch racks that I'm sure we're all far too familiar with. But the two things that I've seen consistently are, one, we struggle to maintain inventory and visibility. And number two is we struggle to patch.
And I'm I'm just, like, devastated by the fact that that patching statistic hasn't changed, that it's been, you know, six months to, from the time to of identification of a CV to the time of patching in most enterprises, and that has been the case for, like, twenty years. And And I really wonder, I mean, from your perspective, any feedback on why that's the case? It it's it's hard. I I I well, it's gonna be a lot of things. I didn't really tell you my background.
I I was twenty years ago at Sears corporate. So Sears and Kmart right after they merged, which was a cultural train wreck. Yep. Hey. What was yours?
The company's worst. I was in charge of vulnerability. You may imagine. So I was the patching guy for all of Sears and Kmart. You know, there's 2,000 stores all across the world.
It it was a nightmare. They they were, like, fourteen months, behind on their patches in some cases. But it was just a variety of little nickel and dime problems. They had small stores that had, like, ISDN, if you guys remember where that was. It's Yeah.
Nancy Ingram. They they didn't have time to download the patches across the wires. Mhmm. There was political issues. They they couldn't get approval to to do stuff.
You know, it's technology issues. We're afraid something's gonna break, so we don't wanna do anything. So the way I handle that is I just went pure visibility mode. It's like, hey. We're doing you know, I can't fix all your problems, or we're gonna start making sure everyone knows what's going on here.
And when you had the visibility, then leadership would support you because it became less of a nebulous, we don't know what's going on. And, hey, let me show all the red issues all across the organization. And and we we made a lot of progress, but it was it was politics because we couldn't get approval from certain people. It was processes. You know, we couldn't get sign offs and and the testing wasn't working correctly.
We couldn't get test groups. We didn't have, you know, some of the tools we needed. So it it really was not a technology issue. It's rarely a technology issue in patching. It's just organizational will and someone to to to just keep raising the flag and keep beating on that on that drum.
But I think in the cloud, it's it's it is easier. It it can be done, but it's still, I think, the problem, Jeremy, of of where's all of our stuff. It's easy to patch 98%. Yep. It's easy to it's their last 2% that could take you forever.
Yeah. Yeah. Yeah. I I mean, it's whether it's eighty, twenty, 90 eight, two percent, whatever. But, you know, it is very often getting that first chunk done is is pretty easy.
Do you find that with the organizations that you work with, if they could look across, whether it's, let's say, like, multifactor patching, whatever. If they could go across each of those, like, key categories for the different types of risks that they might have as an organization, and they could knock out that 90% whatever it is, do you feel like they'd have better results? Just, you know, just stop there. Just accept that you're not gonna be able to get that last two to 20% done. Do you feel like that would, you know, drive positive outcomes?
Oh, absolutely. Because the majority of the attacks that are happening are unknown exploits. Yeah. So the it's rarely a zero day issue. It's rarely China targeting you and attacking you.
It's people exploiting known issues. So if you can go be really good at a lot of stuff, that's where you want again, really good at a lot of stuff, as opposed to perfect at any one. If you're perfect at multi factor or or your identity and authentication, it doesn't help. And if your backups are screwed, you know, it it does feel good. So go be good at a lot of things.
Yeah. Yeah. Yeah. I'm sorry. Leverage that framework.
So as I mentioned, my assessment start with the framework. The framework tells you who you should be looking. So NIST CSF is a great one to start with. There's Yep. I don't know dozens of categories there.
Go be pretty good at all of them before you try to be great at any one. I think that's a fantastic point. Yeah. That makes a ton of sense. I mean, if we we in our own lab where we test APIs, when we stand up APIs, a couple things happen.
Number one is they all start getting traffic typically within three to five minutes, sometimes even quicker than that. And these are, you know, unpromoted, no DNS name, random IP address provisioned by one of the cloud providers that we use to stand up our testing labs, etcetera. So this is, you know, some random IP address gets traffic very, very quickly. And what we see with the traffic is, well, there's one thing that we definitely see as we're talking now in kind of early twenty twenty five is that the traffic is a lot smarter than it used to be. So it used to be that we would just get, you know, kind of spray and pray, stupid kind of, like, script kitty.
Let me just test a bunch of idiotic things. Now we see a little bit more educated and more informed follow-up requests. Oh, okay. We got a response from something. It looks like it's running Python on the server side because an initial request that we issued tried to kind of discover the tech stack of that API.
Now we're seeing a little bit smarter. But to the point that we just discussed, it's still only only somewhat smarter. It's still going to be the lazy attacks note saying, okay, now I know you're Python. Let me check Python CVEs. Are you doing something with a compromised PyPI package that I know about in the CVE that's embedded in that through some supply chain mischief or whatnot?
So, you know, getting good at those basics, I think you can kind of avoid a lot of the lazy attackers with automation. And I always remind people hackers have automation too, and theirs might be just as good as yours, if not better. I agree. There's not a lot of surprises out there. You know, things are evolving and changing, but, you know, if you think about the bell curve, deal with the stuff in the middle of the curve, the fringe Yeah.
Until you get good at the big stuff, don't worry about the fringe stuff. Yeah. Yeah. It makes a ton of sense. I wanna pivot and talk about a couple of other things.
And I'm curious about one thing, which is, you know, when you talk to these organizations, right, there's the, let's call it the CIA triangle, that I'm sure you've, you know, seen multiple times. You talk about cybersecurity and you talk about confidentiality, integrity, and availability. Right? And okay. Security generally is very good at those first two in terms of, let's say, the confidentiality and somewhat the integrity of systems, networks, identities, etcetera.
But availability is something that I do know that small businesses historically have struggled with. When you have an attack, you always see these headlines of such and such company is completely offline, you know, down right now, systems down, not accepting orders, whatever. You can, you know, insert the kind of message there. How do you see the connection between, let's say, the security activities and the programs that you engage with customers on and resilience and availability and uptime? Well, let me inject one thing first.
So take your conversation, your question, back to the third party risk. Again, if you're selling to a bank, a hospital, or the government, for example, and you get knocked offline, that's a big risk. You're not breached, but a DoS or a fire and you're offline. A lot of the outages we're seeing in 2024 and 2025 are tied to service providers and partners of the big guys going offline. So that is absolutely a threat that you need to worry about and your customer needs to worry about.
So, yeah, availability is a big deal. Availability, if you use a proper framework like the ISO or SOC 2, to a degree covers it, your NIST, you will be covering those topics. So those that fail at availability are probably those in the bucket that aren't worried about being, you know, again, be good at a lot of things before you try to be great at anything. So it's, frankly, a lack of vision if they're not thinking about their availability. None of these things are particularly complicated.
You know, most of the engineers out there, they know how to solve these availability issues. But the question is, is it on the road map? Is leadership aware of it? Are they willing to pay the money to make it happen? And, again, if you align it with a framework and you have the right conversations, those are not difficult to sell.
Because, again, we're gonna spend, we assume we can stop 99% of the hacks. We assume we can stop 99% of the ransomware attacks, 99% of the phishing hacks. Some are gonna get through. You know? Will our business survive in that case?
And one of the hot topics the past couple years, Jeremy, in the business, in the cyberspace, has been business resiliency. Yeah. That's exactly that concept of we're gonna try to stop the bad stuff from happening, but if it does, how does our business survive? And that requires a lot of nontechnical skills: your business impact analysis. What do we really do?
What's important to us? What's important to our contractors or our clients? To our employees? If you can't make payroll, you're gonna go out of business real quick. So be aware of what's necessary to make your business function.
Yeah. Yeah. And along those lines, when you talk to leaders about that, I guess, kind of going back to one of the first conversations or first questions that we had in this conversation, which, you know, to these SMB leaders, do they understand the value of resilience? You know, similar to how we ask, do they understand security? Do they understand the value of resilience and what resilience really means for them?
No. They don't. Okay. It's a difficult concept because it has a more risk based concept. But you can couch it in different terms than resiliency.
So, if you work through the conversation of, hey, we're putting this stuff in place with what we're willing to put in from resources and business disruption and technology, and we're gonna be 99% covered in things we're worried about. What do we do about the 1%? And then have that conversation.
And business resiliency doesn't have to be terribly expensive if done well. You know, maybe it's only three business processes that are really important. And what do you do about those three processes? And maybe you just go as far as the mental exercise of what do we do if it's down? Maybe you don't wanna spend a million dollars on secondary technology to support XYZ, which may frankly have the same cyber risks that your primary structure has.
Maybe you don't wanna build all that out, but you wanna go through the business risk conversation of if we can no longer produce our widget because our Active Directory servers are offline or infrastructure's out, what are we gonna do? Who are we gonna call? Are we gonna insurance online? Do we have partners we can deal with? So it can be paper exercises and paper, tabletop sorts of efforts.
You can get a lot of value. But if you're shocked and surprised, you know, day one, you have nothing. You're really gonna be in a pickle. Yeah. Yeah.
That's really interesting to hear and a great, great lesson learned for me and for our audience. I wanna pivot the conversation to the last topic that we have time for today. And I wanna hear more about your thesis, about what led you to write it, what led you to present it at an academic conference in Germany. Did you do that in German? Just love to hear more about that story.
Yeah. So, I completed my master's degree, boy, twelve years ago maybe at DePaul University in Chicago. And it was a master's degree in information systems security. And it was really neat stuff. So I was pretty well into my career.
I knew a lot of what was going on, and I enjoyed graduate school much more than undergrad because I knew the basics. And I knew what they meant. I knew the value of it. So I got a lot more out of the classes than I ever did in the undergrad space. I took a couple classes in artificial intelligence, which I also took way back in undergrad.
And, boy, it was really cool stuff. You know, it's kind of the basics you see these days, but it's like the assembly version. If today AI is at, you know, Python, I was dealing with it at the assembler level, very low level sorts of stuff that we were doing. But we were building neural network engines, we were building all sorts of neat things. And while we were building it, one of the things we worked on is using a neural network and decision tree sorts of logic to do grouping.
And what if I took our logs out of our application and grouped people? What would that look like? So I was working in a health care organization. I scrubbed all the data, obviously, but I had, you know, millions of transactions. Doctor Jeremy did this.
Nurse Terry did that. Receptionist Susie did this. Threw it all in there, and I mapped them all together. I said, we're gonna map these people together. And I had a good mathematical model of what doctor Jeremy, what doctors, look like.
So doctors on average across the million transactions printed seven times in a day. They logged in 14 times. They saw six patients, whatever it'd be. So the transactions would map them out. Now with that, I could say, I can well map doctors, but doctor Jeremy doesn't look like the rest of his peers.
Why is that? So what I would do is then I can find the outlier. Basically, it was mathematically mapping who does not act like their peers. And that was just the way. Yeah.
It's really neat. A lot of neat things. I was able to find, you know, people sharing credentials that otherwise would not have popped up on the radar. Yeah. I also was able to tell.
I could map the hospitals based on how recently they had their new medical records application installed because well trained people act the same. After five years, everyone's habits start deviating. So the training drifts and they're all doing different things. So it just worked very well. So if you look at the entire sample size, once you start to see drift outside of a certain band, then you know that it's been in place for a little while and people start to develop some of these unique habits.
They forget some of that training or they realize, is it more that they forget some of the training or is it that they learn how to kind of bend the system for different workflows or some of both or what do you think? I think it's the latter. So they're all doing it, but, you know, you don't have prescriptive statements. So these are the 13 clicks to accomplish a task. You have generally here's where you're working, and people start, they find their own shortcuts and their tweaks and whatever else they wanna get their stuff done.
Yeah. Yeah. But, anyway, I did that. I wrote a paper for it, and I submitted it to IEEE just to get it published. And after I did that, I'm like, well, why not?
And I started sending it out to the conferences to see if I could present. And Stuttgart University in Germany said, yeah, we'd love to have you. I'm like, what? Surprised anybody said yes.
I'm like, sure. So I made a presentation based on that, flew out to Germany, and really neat experience. So it was the CIO of Stuttgart University who was facilitating the whole thing. He ended up taking the speakers, Jeremy, out to dinner the night before the conference. He takes us, this is a German guy.
He takes us to a Chinese restaurant in downtown Stuttgart, and we had a Scotch tasting event. It was like just Okay. Whole little cacophony and with all these Yeah. Yeah. Yeah.
And the guy knew how to play the bagpipes. And so he's playing the bagpipes, this German dude in a kilt, while we're drinking scotch. It was just a surreal dinner, but it was neat. Learned a lot about scotch. The next day, I ended up giving the presentation.
It went well. But the interesting thing is I gave my pitch, went through it, you know, polite applause at the end. And after the presentations, typically there's three or four questions kind of to follow up, but I got nothing. So I give the presentation, just sat there quiet, nothing and nothing. And finally, some guy raises his hand in the back, and keep in mind what we're talking about is all the activity out of the medical record application and then we kinda group people together.
The question is, do people know you're watching what they're doing? Yeah. Yeah. And it took me a while to kinda click what he's talking about. Do they know we're watching the logs?
I'm like, why wouldn't we? And I talked to the guy after the presentation. He's like, you know, we're Germans. Like, we don't let the government look at anything. You know, no one just Yeah.
So just the cultural disconnect of why would you even want to do that was really a lesson learned, and it opened my eyes to that. It had never occurred to me. Yeah. Yeah. You know, I've lived in a couple of countries overseas and spent some time working in other countries, and exactly that point about what the different standards and norms are from country to country relative to things like data collection, privacy, what have you.
You know, I lived in Singapore for a number of years, and one of the weirdest things for me as somebody who spent most of my life in the US is that, you know, there's one login for every government system. And once you have that one login, you use it for your tax, you use it for your, you know, for your health insurance, you use it for your retirement funds, you use it for social security, you use it for everything. Everything related to the government comes down to that single login. We used it for our visa renewals, things like that. And here, you know, it's just a mess.
Everything that you do across, when I log into the IRS, I log into, well, I don't know that I even have a login individually for many other government organizations, but, you know, I've got a login for a hundred different things. And then similarly, a lot of my family come from Finland. I've spent years living over there. It's your bank account login that you use to log in to any number of services from the bank to the post office to Wow. Health insurance, etcetera.
So, yeah, seeing these little cultural differences and system differences is very interesting. It's really awesome to hear about that experience. I personally applaud you for going through it. I think it's really fascinating to get off the beaten path, and I actually think it's something that we as cyber people should be doing, getting out to non cyber communities. So they tend to think that we kind of, like, we do our research in a bubble.
We talk in a bubble. We have our conferences that are very much a cyber bubble. And, you know, even if you go on LinkedIn, I'm sure your LinkedIn feed is very much like mine, where what I'm gonna see when I check it from time to time is a bunch of cyber stories and not really too much exposure to outside or other things. Yeah. Because you gotta think about why are we doing cyber?
Cyber is there to support the business. Cyber doesn't exist, I don't know, in and of itself. It's there to support the business. That's right.
Business has mission statements. Do you know your business's mission statement? Yeah. You know, things like that, that's why we're all here. I think that's a great point to close the conversation on.
It's not cyber for cyber's sake. It's cyber to support the business, to provide security, to provide resilience, all the other things we've talked about on today's episode. Terry, thank you so much for taking the time. For people who wanna learn more about you, about your work, maybe they wanna find that paper, where's the best place for them to go look? Well, you can find me on LinkedIn or my company website.
So as a fractional executive, I work for a consulting company called TechCXO. So we're a collection of fractional executives, COOs, CEOs, CMOs, and a couple security guys as well. So you can look me up there. I assume in the show notes we'll have those links, Jeremy. We'll have both of those linked.
We'll have both of those linked for all of our audience. Well, Terry Ziemniak, thank you so much for taking the time to join us on Modern Cyber. To our audience, please rate, review, share, subscribe, all that good stuff. You know what to do. Also, if you know somebody who would like to come on the show, please have them reach out.
We've got a couple of guest slots open in the months to come. We'd love to learn more about new topics, new areas in the cyberspace. And for now, thank you so much. We'll talk to you next time. Bye bye.