Summary
In this episode of the Phillip Wylie Show, Celina Stewart, Director of Cyber Risk Management at Neuvik, discusses her journey in cybersecurity, focusing on the often-overlooked area of risk management. She emphasizes the importance of translating technical cybersecurity insights into business language, the need for diverse career paths in the field, and the value of education and certifications. The conversation also covers frameworks for effective risk management, the challenges faced in the industry, and the importance of communication between technical and non-technical teams.
Takeaways
- Risk management is essential for understanding business impact.
- There is a significant divide between offensive security and risk management.
- Non-technical skills can be valuable in cybersecurity roles.
- Understanding risk can enhance communication with executives.
- Education and certifications are important for a career in risk management.
- Familiarity with NIST frameworks is crucial for risk management professionals.
- Risk quantification is a specialized skill that is in demand.
- Effective communication is key to translating technical findings for business leaders.
- Mindset shifts are necessary for executives to embrace risk management.
- There are numerous opportunities for diverse backgrounds in cybersecurity.
Sound Bites
- "Risk management is crucial in cybersecurity."
- "Communication is key in risk management."
- "Mindset shifts are needed in risk management."
Resources
https://www.linkedin.com/in/celina-r-stewart/
https://neuvik.com/
[00:00:01] Welcome to the Phillip Wylie Show. Take a look behind the curtain of professional hacking and hear compelling discussions with guests from diverse backgrounds who share a common curiosity and passion for challenges and their job. And now here's your host, offensive security professional, educator, mentor and author, Phillip Wylie.
[00:00:33] Hello and welcome to another episode of the Phillip Wylie Show. I'm excited to have Celina Stewart joining. Sorry to butcher your name, but Celina and I met at Dia de los Hackers on November 2nd, which is the same day as Dia de los Muertos, which is a holiday in Hispanic culture to honor the dead. And so interesting enough,
[00:01:03] Celina was wearing a Neuvik shirt and I've had some Neuvik folks on the previous podcast, had Dave on as well as Moses. And so it was kind of cool to get to meet someone else from their team. And what else was even cool is it was someone a little more unique than what you would typically think of when you hear, think of Neuvik because I was introduced from the red team side, the pen testing side and Celina does something totally different, which is very important.
[00:01:32] It doesn't really get mentioned enough. I mean, I think maybe more some of your less technical podcast webinars may mention it, but it's something that's really needs to be discussed. And I think also too, as far as career options, something for people to think about, because when people think about cybersecurity careers, they're looking at, everyone always thinks pen testing first, because that's what they hear about.
[00:01:57] And sometimes they hear about the different blue team functions, SOC analysts, digital forensics, but sometimes they don't hear about the area you're in. And so if you wouldn't mind introducing yourself and kind of sharing what you do. And then if you'll share your hacker origin story.
[00:02:16] Absolutely. Yeah. And thank you so much for having me. And it's funny from my side as well, I was a little bit starstruck because I overheard you say your name to somebody who's like, oh, I've heard folks at my company talking about Phil. So I'm super excited to be here. And as you teed up, happy to share more about myself.
[00:02:33] So I'm the director of risk management, as mentioned, for a company called Neuvik, which primarily does offensive testing, as well as obviously anything related to the risk side of the house.
[00:02:43] And so when we talk about risk and cybersecurity, what we're really talking about is basically everything from almost the blue team side, but I would say also the strategic cybersecurity side, because risk really encompasses not just understanding what the different vulnerabilities are, the different issues, the different threats,
[00:03:00] but really tying those to the business and understanding from the business perspective, what actually matters.
[00:03:08] So let's say something actually goes boom within whatever part of the IT environment. How does the business actually think about it? What does it mean?
[00:03:15] And so my basic definition of risk management is, is basically thinking about potential impact to the business, potential harm to the business.
[00:03:22] And frankly, that's kind of the origin of my kind of hacker experience, quote unquote, itself as well is I actually started out completely non-traditional for the cybersecurity field.
[00:03:33] So did liberal arts degrees during my undergrad, primarily focused actually on geopolitical risk and kind of threats that way.
[00:03:40] Dabbled a little bit in the government and through some of my government work actually just fell in love with cybersecurity, but wanted to have a little bit more of that private sector perspective on it.
[00:03:50] For a number of reasons, frankly, I just realized politics wasn't for me. It was a big one.
[00:03:55] And so going from there, basically just started thinking about, OK, how do we think about risk? What does cybersecurity look like?
[00:04:02] And I actually took a very business perspective to it. So from undergrad, went directly to large management consulting firm, really got to experience from a very strategic perspective.
[00:04:12] What are boards thinking about? What are executives asking about? What do they care about from a cybersecurity perspective?
[00:04:18] And the things that I kept seeing were that, number one, frankly, a lot of these folks are dying to understand what cybersecurity is, but no one's really translating it for them.
[00:04:28] And then number two, there's this increasing pressure, obviously, from regulators, from different legal sources, obviously from consumers to make sure that if you are obviously any kind of public entity, you have to have cybersecurity in place.
[00:04:40] You need to be thinking about its impact to your products. And so cybersecurity just really became this increasing thing that we were seeing a strategic need for.
[00:04:48] And so ultimately, for me, I was like, how do I better get involved with some of those conversations?
[00:04:53] Ultimately did an MBA, came back and realized, you know, frankly, I can probably have even more impact actually partnering with more technical folks.
[00:05:01] And so that brought me to Neuvik. And I'm really excited to now be working directly on that piece of translation where we have these really deep, rich technical insights from the offensive side.
[00:05:11] And then we translate that directly to that business impact, leveraging all of those different strategic pieces that business leaders are actually really looking to understand and think about as they go to set their priorities, obviously invest in cybersecurity and obviously keep their organization secure as well.
[00:05:27] Yeah, that was a very smart move on their part to hire someone with that cyber risk management experience.
[00:05:33] Because as you mentioned, translating, because there's so many times you take some of these boutique pen test firms and they can do a good job of describing some things, but not sometimes at the level of detail that someone on the business side, you know, trying to justify why you need to spend all this money on remediation and to be able to show the business impact and speak in terms that they understand as
[00:05:56] is very helpful. But it's kind of interesting to see that that is becoming more popular and catching on more.
[00:06:03] Absolutely. And frankly, I think it's overdue in many ways. And I think that's one of the big challenges I see is that even, for example, the way that you teed up kind of what we were talking about at the conference where we met, right?
[00:06:13] There's this very big divide where that was so offensively focused. And I think I was one of the only folks speaking on more of the business side at that hacker conference.
[00:06:22] And so that's actually been a theme through most of the conferences I've been at this year. They're either business oriented kind of big ones such as an RSA, or they're very, you know, tailored to the offensive strategy or excuse me, offensive testing with less of that strategy piece.
[00:06:35] And so that divide between even the way we talk about red team versus blue team and all of these, right?
[00:06:40] Like purple team is still kind of a, it's a term that people who are within the space will use, right? But from a business perspective, purple team, what does that mean? I have no idea.
[00:06:50] And so there's definitely that need to really build kind of the muscle tissue and the communication between the two sides.
[00:06:56] Yeah. And even on just typical practitioner conferences, you know, regardless of red team or blue team, some that are more general and less focused, like some of the hacker conferences that are this much needed.
[00:07:10] But it's interesting because a lot of times the risk management piece gets overlooked there. You don't see anything about GRC either. So it's just, you know, tailored more towards that side of things.
[00:07:21] And so that's really, really important, to have those discussions and share that information.
[00:07:30] Because the thing is, is a lot of the businesses are aware of that, but it's more of the practitioners.
[00:07:35] And maybe this is another career path because you take somebody that maybe they were working in pen testing, but they're tired of working the crazy hours.
[00:07:43] Maybe it's, you know, a lot different than what they expected. So this could be an option for them.
[00:07:50] I think this, you know, there's so many times you hear about the different roles. This is one of the areas that get overlooked.
[00:07:55] You'll hear like risk and compliance, but risk management in specific, you know, you don't hear a lot of talk about, but, you know, those are important roles.
[00:08:04] And as you mentioned, kind of, you know, you were working on business focused degrees.
[00:08:08] And so if someone has those business backgrounds, it could be an easier pivot than, okay, I'm, you know, I have a business background,
[00:08:17] work in accounting or something, and all of a sudden I want to change what I'm doing.
[00:08:20] So now you could, you know, learn something different that may not take the in-depth technical education that would be required to do one of the more technical roles.
[00:08:32] Absolutely. And frankly, I think there's a lot of space, both as you mentioned within GRC.
[00:08:37] So obviously from governance risk compliance, there's a lot of opportunities there.
[00:08:40] But I'm also increasingly seeing for a lot of companies, even if you want a role, for example, with transferable skills from business, like a project manager,
[00:08:48] things like that are helping write reports, create data visualization.
[00:08:53] Frankly, a lot of organizations also struggle with things like metrics or, you know, doing the board reporting pieces like that.
[00:08:59] So folks with, you know, communication degrees, other liberal arts backgrounds where you have that skill that's more writing, reporting, communications.
[00:09:07] All of those pieces I think are incredibly important.
[00:09:10] And frankly, as long as you have the interest and find, I find it super fun just to work with hackers all day and kind of hear what they're doing.
[00:09:16] And, you know, like it's such a rich and always changing environment to work in.
[00:09:20] And so having those transferable skills, I think for folks who are trying to get their foot in the door but aren't quite there or don't have an interest in learning how to obviously be hands on keyboard.
[00:09:29] I think there's a lot of opportunities for folks like that as well.
[00:09:32] And then the secondary thing I'd say, too, is even for some of the hackers, a lot of the hacker cons that I've been to this year,
[00:09:38] I've actually been speaking to those folks about how they can level up their own skill set just by learning some of this translation.
[00:09:45] Because I sit in conversations all the time with CISOs who have fantastic information, amazing technical teams, really good, obviously, investments in a whole portfolio of tooling.
[00:09:56] But they then get bogged down with all of this.
[00:09:58] You know, how do I translate any of this?
[00:10:01] I'm not getting traction in the boardroom.
[00:10:03] I'm not able to be proactive about what I'm tracking because folks don't understand the metrics.
[00:10:07] And so I think for anyone, whether it's CISOs or obviously folks much more junior in their career, if you can start to internalize and understand how to talk, at least in the language of risk, that's kind of a cheat code in some ways.
[00:10:19] Because then you're not just, you know, the person behind the keyboard.
[00:10:22] Then you're actually getting a seat at the table in a very different way as well.
[00:10:26] So what are some good ways for someone, just say, for instance, someone that's an experienced practitioner, what are some ways that they can learn more about risk and be able to have that conversation with the board and the CISO?
[00:10:40] Yeah, it's a great question.
[00:10:41] I think there's a couple ways.
[00:10:43] So first and foremost is just figure out what risk actually means for your organization.
[00:10:48] And this is a little bit I'd compare it kind of to OSINT, like what you would do, obviously, if you're hacking into a different organization.
[00:10:54] But there's all sorts of information publicly available about probably your own company, especially if it's publicly traded.
[00:11:00] So things like financial statements, end of year reports, any kind of board documentation you can find online.
[00:11:05] And basically just start reading that.
[00:11:07] And the reason I say that is because that will help you build that muscle of, number one, understanding what the priorities from the business are.
[00:11:13] And then number two, actually understanding, OK, how are they thinking about and talking about risk?
[00:11:18] And how can I start to frame the pieces of the conversation I do have access to in those ways?
[00:11:24] Second, I would say any kind of reporting that you can do where you're actually adding that bespoke layer on top of it.
[00:11:30] So I know, obviously, depending on what software you're using or kind of how you've set up your different reporting, anything you can do to really take, you know, whether it's a template, whether it's a bespoke report all the time,
[00:11:39] and start to just think about, OK, again, given that kind of quote unquote OSINT, if you will, of risk at the company, based on what I'm knowing about what the company wants, how can I apply that to this report?
[00:11:51] How can I really think about what I'm doing here?
[00:11:53] And then third is really just find folks across the business who, again, are those non-technical partners.
[00:11:58] So this could be folks from enterprise risk, could obviously be within GRC.
[00:12:02] If you have a large cybersecurity program and folks are working on things like strategic projects or just broader initiatives, again, working with them a little bit and just kind of raising your hand to say,
[00:12:13] hey, even if I can't contribute to this, I'm curious to at least maybe sit in on meetings or join some social connectivity.
[00:12:18] Basically, just find ways to get yourself in the room.
[00:12:21] And then frankly, again, it depends on relationships.
[00:12:24] But if you are more junior and you are working with someone like a CISO, maybe just ask them if you can have a little bit of maybe mentorship time, things like that,
[00:12:32] and just start picking their brain about some of these topics to really see, number one, how are they thinking about it?
[00:12:37] But number two, what are the tools that they're using?
[00:12:39] How are they framing this out for the folks that they're reporting to?
[00:12:42] All of those different pieces.
[00:12:43] So I realize that's a lot of different skill sets, right, and a lot of different techniques.
[00:12:47] But that's where I'd start, obviously, depending on your organization and kind of internal politics and all of those different things.
[00:12:54] So if someone wanted to pursue a career in risk management, what would you recommend education-wise?
[00:13:00] Yeah, it's a great question.
[00:13:02] I would say, unfortunately, unlike being a hacker, right, where I think it's much more kind of your skills give you the street cred, so to speak,
[00:13:10] I do think probably some type of education, whether it's a degree, again, in risk management or cybersecurity writ large,
[00:13:17] or, again, I think there's plenty of room for folks who have, quote-unquote, nontraditional degrees for cybersecurity,
[00:13:23] whether that's, you know, communications, some type of project management,
[00:13:27] obviously a number of certifications around those different types of ideas.
[00:13:31] I would definitely get something on your resume, right, because, again, you're going to be working more with the business.
[00:13:36] And I do think, unfortunately, today the business is just looking for some type of credential.
[00:13:40] But from there, I would also say, you know, start building out a portfolio, whether it's, again, working on risk,
[00:13:46] showing familiarity with some of the big risk frameworks, doing different types of assessments,
[00:13:50] whether those are enterprise risk assessments, any type of other security space.
[00:13:54] So depending on what industry you work in, some of the, for example, supply chain, heavy industries,
[00:14:01] like there's a lot of risk management that's kind of, quote-unquote, operations for them, but is actually risk related.
[00:14:07] So just really identify what those different transferable pieces might be,
[00:14:10] and then really just kind of sell that, obviously, on your resume in terms of what's transferable versus what's kind of purely cybersecurity.
[00:14:18] And frankly, we just went through hiring for the risk team for our company,
[00:14:23] and we interviewed folks with portfolios that were totally non-cyber related at all,
[00:14:28] and we're purely looking for some of those skills that were transferable.
[00:14:31] So I think there's a lot of room for folks with a number of backgrounds.
[00:14:36] So what about certifications?
[00:14:38] Because I know on the blue team side, the red team side, there's all sorts of certifications.
[00:14:42] What certifications would be helpful in a risk management role?
[00:14:47] Yeah, I think, honestly, anything that would demonstrate that you have the practical skill sets.
[00:14:51] So the key ones that I might be looking for, certainly project management,
[00:14:55] especially if you're going to a company that is more offensive or kind of testing focus, that would be one.
[00:15:01] Obviously, anything related to kind of conducting the risk assessments themselves, right?
[00:15:06] So familiarity with major frameworks, things like that.
[00:15:09] And then last, and I think this is a little bit more probably secondary, right?
[00:15:14] I wouldn't go for this first.
[00:15:15] But there is a lot of different software and tooling, obviously, for the GRC space, things like Archer.
[00:15:21] So anything with certifications that obviously prove your familiarity with that and ability to apply some of the frameworks in a more technical way as well.
[00:15:29] Yeah, Archer.
[00:15:30] I remember that name.
[00:15:32] Yes.
[00:15:32] One of my previous jobs when I was working in application security, we used Archer a lot.
[00:15:39] And then one of the other banks I worked at, we used Archer there as well.
[00:15:42] So honestly, it's a great tool, but it's a beast to set up for the first time, which I've been a part of.
[00:15:48] But once you have it set up, it's fantastic.
[00:15:51] And it really also I love from a risk management perspective, because I think that's one of the few tools where obviously you can just track everything over time and really just organize it depending on your organization,
[00:16:01] which I have many thoughts on risk tooling and risk frameworks as well.
[00:16:05] But it's a fantastic way, especially if you get it set up correctly to organize all of your findings and track things.
[00:16:11] So speaking of frameworks, what frameworks do you recommend or what are some of the frameworks?
[00:16:16] FAIR is the only one I'm familiar with as far as risk goes.
[00:16:19] I found out about that one last year, but that's all I know.
[00:16:23] So yeah, yeah.
[00:16:25] Sorry for my terrible pun there.
[00:16:27] No, so FAIR is actually a really interesting one because it's specifically focused on actually risk quantification,
[00:16:32] which frankly is a really hard part of risk and something that's actually really kind of I don't want to say a niche space because there's obviously a lot of demand for that.
[00:16:41] But I would say the most common ones that I typically see would be basically anything within the NIST category.
[00:16:48] So obviously, you know, kind of National Institute of Standards and Technology.
[00:16:52] The primary ones in the cybersecurity space that I use on almost a daily basis would be the Cybersecurity Framework 2.0, which came out in February of this year.
[00:17:01] And that really basically goes across everything from how do you govern your cybersecurity program to obviously how are you identifying different threats, protecting the organization?
[00:17:10] And then, of course, the whole incident response process.
[00:17:12] So how are you detecting incidents, responding and recovering from them?
[00:17:15] So that's probably the first one that I would say for anyone looking to get into the space.
[00:17:20] Become familiar with it.
[00:17:22] It's also a fantastic way I've noticed that a lot of CISOs will actually organize the way that they think about the program,
[00:17:29] the way they structure it from an org design perspective.
[00:17:31] And obviously, from a metrics and reporting perspective, it's a pretty good tool as well.
[00:17:35] So the more familiar you are with that, I think the better.
[00:17:39] NIST also has a lot of other frameworks that I find quite useful.
[00:17:41] So they actually have a framework called NIST 800-53, which is basically the same, I would say, content-wise as NIST CSF 2.0, but with much more detail underlying it.
[00:17:53] And it's much more of a maturity framework, right?
[00:17:55] So if you're trying to understand how good your organization is against certain metrics, and good is a little bit of a proxy, right?
[00:18:02] Obviously, not everyone should be aiming for perfect.
[00:18:05] But basically, it helps you understand, okay, if you're just starting out, here's the foundational capabilities.
[00:18:10] If you're super mature and you're already thinking about next generation, whatever it is, here's maybe where you want to aspire to.
[00:18:16] So I would say CSF 2.0 and 800-53 from NIST would be my starting bread and butter.
[00:18:22] And then from there, there's a number of other ones.
[00:18:24] Obviously, if you're working in the healthcare space, be familiar with HIPAA, especially the security rule and HITECH, which is one of their provisions around technology.
[00:18:31] And then in addition, if you do any work internationally, GDPR and data privacy regulation is huge, as well as ISO, which is very similar to NIST, but more of an international context for some of the similar controls and kind of how you would think about maturity at organizations not based in the United States.
[00:18:50] Very interesting.
[00:18:51] Very interesting.
[00:18:51] So how was it making the shift from going from other organizations where you weren't working with people on the offensive security side to go into a company that specializes in offensive security?
[00:19:03] Yeah, it's been a really interesting journey for me.
[00:19:06] From just an impact perspective, I feel like, at least for me, having the technical backing has made it so much easier to justify a lot of the recommendations that we make.
[00:19:16] Because I think you teed this up at the very beginning of the conversation where, obviously, risk is a huge, you know, it's great for communicating.
[00:19:24] It's great for kind of describing to the business.
[00:19:26] But you have to actually understand what's going on in your environment.
[00:19:29] And so being able to kind of connect the dots there, at least for me, and kind of see under the hood has been super helpful from having more of those strategic conversations.
[00:19:38] But it's also it's just been a lot of fun working with hackers.
[00:19:41] And I have to say the hacker mentality is something that was totally new to me transferring to this company.
[00:19:47] And it's just been so much fun because I found two things about hackers.
[00:19:51] One, it's the total opposite mindset from risk, right?
[00:19:54] Where you want to get in, you want to break things, you want to dirty it up, you want to just figure out, OK, what's going on?
[00:19:59] Where is it?
[00:19:59] How can I craft my way through?
[00:20:01] And obviously, that's the complete opposite of risk where it's, OK, how can I follow the rules?
[00:20:05] What's the letter of the law?
[00:20:06] How close am I to it?
[00:20:07] All of those different pieces.
[00:20:08] So that's been fun.
[00:20:09] And then also just getting to see what hacker tools look like.
[00:20:13] It's such a fun, you know, there's I think I can't remember.
[00:20:16] It's Metasploit or a different tool, right, where it has the dinosaur on the homepage.
[00:20:20] And there's all these different like little graphs and kind of Easter eggs within the tooling.
[00:20:24] So that's been really fun for me to see as well.
[00:20:26] And it's certainly not to knock any of the risk management tools, but it's certainly a little bit more fun than some of the interfaces that I work with on a regular basis.
[00:20:35] Yeah, that's cool.
[00:20:36] I'm sure it kind of helps when you're in your work to understand that a little bit more working with people in the area.
[00:20:41] But I'm sure at the same time, it's probably helped them to be working with someone like yourself to kind of understand what's important for you to have.
[00:20:49] And so I think that they would learn better.
[00:20:51] This is what we need to put in a report, better ways to communicate with our clients.
[00:20:57] Definitely.
[00:20:57] Well, and it's interesting, too, because I think at least on our organization, we try to do kind of what I described where for every single report we put out, right, obviously we have the very rich technical insights.
[00:21:07] But then we really do try to kind of tie it to the business.
[00:21:10] And so it's been really interesting, I think, for them seeing some of the clients who before, again, really appreciated the work that we were doing, but had to do a little bit of that work of actually tying it to the business impact themselves.
[00:21:21] Versus now that we're adding this really risk kind of, excuse me, rich risk wrapper around it.
[00:21:27] It's very easy for them to then go.
[00:21:30] We've even had conversations with CEOs who are like, oh, my gosh, I had no idea.
[00:21:34] I know that you've told me some of these things before and I know my team is working on them, but, oh, like, this is actually really scary.
[00:21:40] And that's what happens when you're able to kind of abstract it multiple levels up to that very non-technical, very impact oriented language.
[00:21:47] And so, frankly, that's what I've encouraged everyone I've met at all of the different hacker conferences I've spoken at this year.
[00:21:53] Just like as much as you can do that risk language, that's what the business resonates with because that's how they make decisions.
[00:21:59] And so it's really, I think it's been a step change for Neuvik, but hopefully it's also just going to be a step change for folks across the industry who are able to internalize it and leverage the skill set.
[00:22:09] Yeah, it'd be nice to see more of that because I know sometimes people get pen tests done and it's very limited on what they provide outside of the technical piece, executive summaries, but then not really translating that well sometimes.
[00:22:23] And so that's nice to have that.
[00:22:27] Absolutely.
[00:22:27] And it's interesting, too, because one of the other things I think there's two problems that I see across the industry.
[00:22:32] One, to your point is the translation just isn't happening, but I think number two, there's almost a little bit of a mindset shift that even some of the CISOs that we work with are kind of starting to make, but I think aren't quite there yet on actually wanting to know what the risks are.
[00:22:46] And so what we've seen in a number of instances is that folks will actually really almost try to narrow the scope of their pen tests so much that they don't get any findings and therefore they don't have to say, oh, no, there's these critical vulnerabilities or whatever it might be.
[00:23:00] And so I think it goes both ways as number one, it's kind of a cheat code, obviously, for technical teams, as I mentioned, to do the translation.
[00:23:07] But there's also a little bit of kind of mindset shift that needs to happen for some of the executives where it's like, but you need to actually care about risk and want to hear it.
[00:23:15] And, you know, you can't actually address risk if you don't know what it is and you're not going to know what it is if you're artificially kind of de-scoping things or narrowing your testing program or whatever that might be.
[00:23:25] Yeah, that's pretty common because I've even, you know, I've worked as a consultant, worked as an internal resource.
[00:23:31] And I've worked places where people were trying to narrow the scope, as you mentioned, to try to get stuff out of scope for the pen test.
[00:23:38] There was one I was working on one time that they kept trying to remove servers out of scope.
[00:23:43] And then one of them, I had to go back and read the PCI documentation to make sure I was on the same page because they told me the server does not transmit or store PCI data.
[00:23:54] But they said it was connected to the PCI environment.
[00:23:56] So it is a scope for PCI.
[00:23:58] So I took a screenshot from the PDF, attached the PDF and sent that to them.
[00:24:04] And fortunately, the QSA for the company was on the phone, on the call and said, yeah, that is correct.
[00:24:10] So they kept, I mean, it's scary to see because I know some people are trying to get things out of scope because they want to pass compliance.
[00:24:17] And, you know, in the big picture, you need to make sure that you reduce your risks and not just try to generate a report that makes you look good.
[00:24:25] But it's very interesting to see that.
[00:24:27] I've heard instances where people said they would go in somewhere and they would not want people to find things or they would come up and just they would say something and not want them to document a report.
[00:24:38] Or just kind of totally ignore it, not have pen tests or further pen testing because they didn't want to see it there because then it has to be fixed.
[00:24:46] Then they have to answer to it and they may not have the budget to fix it.
[00:24:50] Exactly.
[00:24:50] I think that's exactly what it is.
[00:24:52] And it goes back also just to some of the resourcing constraints and everything else for folks in the industry where I totally understand.
[00:24:59] Right.
[00:24:59] Teams are very small.
[00:25:00] You may not have the talent in house to actually go fix some of these things.
[00:25:03] In many cases, too, we see we do a lot of work in the health care space and it's hard.
[00:25:08] I mean, if you have legacy infrastructure or specific, you know, industry devices that you actually can't do much with other than segment them off a network, it's really hard.
[00:25:17] And that's another place also where risk can be your friend, because obviously, if you do know what those are and you have identified them, then you can go through the risk acceptance process, create exceptions where need be.
[00:25:27] You know, obviously documented in policy and everything else.
[00:25:30] And so it's kind of a chicken-and-egg problem in a couple of ways.
[00:25:34] But I think that's again, it just speaks to the fact that risk is helpful in so many different areas of this.
[00:25:41] And if folks would only let us give those findings, they might actually, you know, come up with even better solutions for themselves.
[00:25:48] So, yeah, and hopefully more conversations like this get more people aware of risk management and kind of learning to help them in areas where, you know, they may not be using it.
[00:26:01] Exactly.
[00:26:03] So we're getting down towards the end of the episode.
[00:26:05] Is there anything you'd like to share before you end it?
[00:26:08] No, honestly, I think we've covered almost everything.
[00:26:11] Frankly, obviously, if anyone is curious, you know, certainly happy to continue the conversation. Again, I work for a company called Neuvik, and otherwise best of luck to everyone.
[00:26:21] Honestly, I think there's so much opportunity, whether you're on the offensive side or looking to get into risk management.
[00:26:26] And so certainly, I guess my big talking point is just don't let a non-traditional background keep you away from cybersecurity.
[00:26:33] There's so much room and we need so many talented folks.
[00:26:36] So definitely risk could be a great way of getting a foot in the door.
[00:26:40] Yeah, I think it's great that there's other opportunities for people because, you know, like I said before, everyone knows about pen testing.
[00:26:47] Pen testing sounds cool because you're hacking for a living, but sometimes those roles aren't easy to land.
[00:26:53] And if someone started out in risk management, did that for a while, and they end up getting their dream job of being a pen tester,
[00:27:00] Can you just imagine how much more effective they are?
[00:27:03] How much easier it's going to be for management and for risk management folks to be able to work with them?
[00:27:08] Absolutely. I feel like that's such a unicorn profile. I mean, you could do so many different things if you have both skill sets.
[00:27:15] So you'd be unstoppable at that point.
[00:27:18] Yeah. If you're interested in doing any kind of training, I think you should create some training, maybe a risk management course for cybersecurity professionals.
[00:27:26] Honestly, I would love to do that. So I definitely will consider that strongly.
[00:27:31] Yeah, it would be nice to have because I know, like for GRC stuff out there, Gerald Auger has a GRC course that he created.
[00:27:38] It's pretty low cost. But yeah, so that would be interesting to have.
[00:27:42] If you create a course like that, I would take it to understand the risk management side of things better because I actually worked for a company for a while.
[00:27:48] We had a cyber risk quantification solution for our pen test platform.
[00:27:53] Oh, sure.
[00:27:54] So it was interesting. And the sad thing was, they've never made a standalone product yet.
[00:27:59] When I went to work for them, it sounded like it was a standalone product, that we were working towards that, but they didn't.
[00:28:05] But the thing was, you would have to use their pen testing service to get this output, because there's a really nice portal that would give you any kind of GDPR fines, PCI fines,
[00:28:15] showing how much it would cost if you were breached. And this was all based on cyber insurance numbers.
[00:28:22] Oh, interesting. Sure.
[00:28:23] So this is where they're getting their information from. And I thought, you know, if they'd ever put that out as a standalone product,
[00:28:29] there'd be a lot of consulting companies, a lot of individual companies would be interested in buying that because you're able to feed in your pen test data
[00:28:35] and get that cyber risk quantification piece out of it.
[00:28:39] Absolutely. Honestly, that sounds like an intriguing product. So you're giving me lots of ideas.
[00:28:44] I promise I won't do any IP infringement, but that's some great ideas there.
[00:28:49] Yeah. Hopefully there'll be more stuff like that out there. Just more, you know, ways to extend the pen test reports and get more actionable and valuable information.
[00:29:00] 100%.
[00:29:03] Well, thanks for taking time out of your schedule. It was great speaking with you and really great to learn more about risk management.
[00:29:10] So you got me interested. I need to learn more.
[00:29:12] Absolutely. Anytime.
[00:29:14] I'm happy to, and if folks, you know, reach out or have additional questions,
[00:29:18] I'm happy to grab more time on other specific topics within risk.
[00:29:21] So definitely hope this is the first conversation of many.
[00:29:25] Sure. And I'll be sharing your LinkedIn profile in the show notes so people will be able to find you if they have further questions.
[00:29:33] Phillip, thank you so much.
[00:29:34] Really appreciate you having me on.
[00:29:36] Oh, thank you. It was a pleasure.
[00:29:39] Thanks everyone. And we'll see you on the next episode.
[00:29:41] Thank you for listening to the Phillip Wylie Show.
[00:29:47] Make sure you subscribe so you don't miss any future episodes.
[00:29:50] In the meantime, to learn more about Phillip, go to thehackermaker.com and connect with him on LinkedIn and Twitter at Phillip Wylie.
[00:30:00] Until next time.