Illuminating your path to impact
Feb. 2, 2024

Candid Conversations with Chris Roberts

Candid Conversations with Chris Roberts

In this episode of Candid CISO, host John Donovan has a conversation with Chris Roberts, CISO at Boom Supersonic. Together they discuss the importance of being candid and authentic in the cybersecurity industry. He emphasizes the need for CISOs to...

In this episode of Candid CISO, host John Donovan has a conversation with Chris Roberts, CISO at Boom Supersonic. Together they discuss the importance of being candid and authentic in the cybersecurity industry. He emphasizes the need for CISOs to protect not only the organization but also the people within it. Roberts also shares advice for those looking to break into the security field, suggesting that they get involved in the community, contribute to research, and attend conferences. He also highlights the importance of articulating ideas effectively and understanding the business side of cybersecurity. Overall, Roberts encourages open communication and a willingness to learn and adapt in order to be successful in the industry.

Some key takeaways from Chris Roberts' discussion on the importance of candidness and authenticity in the cybersecurity industry are:

  1. The primary job of cybersecurity professionals is to protect not just the organization, but also the people within it and the data entrusted to them.
  2. Being candid and honest is crucial in building trust and affecting change in the industry.
  3. It is important to be able to call out and address issues without using too many fancy words, but still conveying the message effectively.
  4. Understanding and adapting to different audiences is essential, whether it's speaking to practitioners or leadership.
  5. Being humble and ready to admit mistakes is important, as well as being open to learning and improving communication skills.
  6. The role of a CISO goes beyond technical expertise and requires the ability to deal with people, ask the right questions, and support and manage teams effectively.
  7. The mission of cybersecurity professionals should be to protect stakeholders, including people and not just shareholders.
  8. Conferences and events that focus on practical and real-world discussions, like BSides and FWD:Cloudsec, can provide inspiration and valuable insights for cybersecurity professionals.

Overall, being candid, authentic, and adaptable in communication and leadership is crucial for success in the cybersecurity industry.

Visit https://www.candidciso.com for show notes and more episodes.

Candid CISO is produced by Nonconformist Innovation Media

Transcript

Steve:

Well, this is a crowd. We have three, so I think we can get started.

Chris Roberts:

You're welcome. Thank you for having me. I've got water. I'm good. I'm in good shape. It's just literally off one onto another. I've got liquid. We're good.

I need a G&T. It's that time in the afternoon where I want gin and tonic.

John:

Chris, we really appreciate you taking some time here to be with us. We're just looking to have a good conversation here today, but also, I really want to talk a bit about, so this is our inaugural episode, a little bit about what I think it means to be a Candid CISO, and then, I've got some questions for you around that once we get into it a bit. But, before I do, I do want to start off just a little bit and say thank you to Steve who's joining us as a third special guest here today. So, we'll have a three-Way conversation. Just, why don't you talk a bit, Steve, about the Non-Conformist Innovation group and what got us started over here with Candid CISO.

Steve:

Yeah, John. So, to kick things off very quickly, my career hit a brick wall in 2015. I didn't know what the hell I was going to do. I had a couple of stints in the startup world and tried to find my way back to corporate America, and it wouldn't work. There was a graphing issue, and it dawned on me that maybe I should try something different. I found myself unemployed. I was fortunate to have a little bit of money saved so I didn't have to go back to work. And I asked myself, "What's going to get me out of bed today?" It's not coffee, because I drink my coffee and read the news from bed, and I was just trying to be radically honest with myself. "What is it, Steve?"

I came to realize that innovation, starting new things, was really exciting to me, and the more I spent thinking about that, it wasn't just any new things. I think there was... Everyone has heard of disruptive innovation and Clayton Christensen and all the trending academic conversations around that from Harvard Business School, but I wanted to put my own spin on it. So, I called it the Non-Conformist Innovation Podcast, which was, we can't just have capitalism as usual because that's failing, right? We need to think about things a little differently. We can't just serve shareholders in the world of data breaches. They affect minorities and vulnerable populations disproportionately, and I wanted to do something about that.

So, the non-conformity for me was we're going to swerve, right? Not conforming to the needs of the shareholders. We're going to look at all of the stakeholders from all different angles and from every stage of the business world, from startup. Tom Kemp was an excellent first guest on my podcast. He had just sold his company, ironically, and then we've had some other amazing guests, too, to help explore that world and from angles, right? Ethical leadership, entrepreneurship, innovation. Richard Clark was on there. So, I haven't gone too deep in the political world, but we've seen those perspectives.

So, I didn't want to have a security podcast. And so, the idea for the Candid CISO was to take the same idea, but to firmly plant it around information needs and trends that CISOs are thinking about.

John:

Steve, thanks so much for that. And, I did want to kick it back to some things from nonconformist innovation. I've had the pleasure of participating in and listening to a number of those podcasts, and I agree with you, there's definitely room here for, in the many, many security and CISO-focused podcasts that are out there, for something that maybe we get a little more real. And so, what do I think it means to be a Candid CISO and what are we looking to accomplish with this podcast? Have real and candid conversations with practitioners, like our guest here, Chris Roberts. Today, share some interesting stories and maybe leave our audience with a few bits of practical advice or at least some things that will make them think a bit.

And so, with that, I'm not going to dive into much about me. People will hear that in the first kicker for our series here. But Chris, first of all, thanks for joining us, and can you tell us a bit about yourself?

Chris Roberts:

Yeah, no, appreciate it. Thanks for having me, especially on the inaugural one. It's cool. I'm looking forward to this, especially, let's face it, when you talk about non-conformist, I probably fit... I don't fit that profile. I think it's tattooed on my bloody forehead half the time, let's face it. And it's weird because it's not a deliberate thing.

So, yeah, a little bit about me. Let's see. Currently, CISO for Boom Supersonic as well as do a bunch of stuff behind the scenes from a research standpoint, obviously a hacker, and from an inquisitive tinkerer and a number of other things. Formally jumped out of airplanes for a living and got kicked off of submarines as well for a living. And then, prior to that, I also got yelled at a few times within the early early days of the computing world.

So, I've been creeping around this industry for longer than I probably should admit to, longer than this thing's been growing, let's put it that way. And yeah, I'm still here, and I've straddled the line between .gov, .mil on the vendor side a number of times, including my own companies. And then, obviously, now, back on the client side, I think, should we say,

John:

Chris, thanks for that. And a little background about yourself. Most folks who Google Chris Roberts will see all kinds of things about some of the areas he was speaking about before. But, before we dive into things like Hacker Summer Camp and other things like that that are coming up here, I guess, what does it mean to be candid from your perspective? And let me ask you a second part of that two part question, which is, how does this change when you move from being that security practitioner to being in the trenches or jumping out of the airplanes to becoming a leader? So, that first thing is candid, and then how did it change for you?

Chris Roberts:

The candid thing is, it comes with the honesty and integrity side of it. So, at the end of the day, when we look at our industry, we've got one job, and that's to protect. That's it. When it all boils down, we have a single job to do. And to Steve's point, it shouldn't necessarily be, "How do we just protect the organization?" It should be, "How do we protect the people inside the organization?" How do we look after the very data that somebody has entrusted to us?

I'm fortunate. At Boom at the moment, we're very, very focused, obviously, on the plane, the aviation, the engines, all sorts of other crazy stuff. But, at some point in time, when these things are actually out in the commercial use, that also includes every single sodding person that's on that airplane. That's who I'm responsible for.

And so, for me, there's part of it's candid being on that one, it's actually taking realistic approach. It's not, "I'm out for me, I'm out for my team, I'm out for a land grab, I'm out to put my stake in the ground to build the biggest empire I fricking can." It's having the integrity to actually take that step back and go, "What am I actually really doing here, and how do I affect change?" That's number one.

Number two, I think the honesty thing has to come into it as well. We wrap ourselves up. To your point, when you start off as a practitioner, you kind of come in pretty raw. Let's face it. I mean, some people are polished. Those that went through college and university typically are a little more eloquent, should we say, than those of us that dragged ourselves up by the scruff of our necks from the streets. And so, it is coming back to a level of reality. It's calling bullshit when you see it, and I think that what changes on the leadership side is still calling bullshit, but being able to do it maybe a little more eloquently so that people listen, because if you're a practitioner and you go to another practitioner, you can call bullshit all day long.

I listen to the fricking team here and it's hilarious to listen to it, but I can't take those exact words and those feelings and use them when I'm talking in leadership. But I need to convey that same message, and the only real big difference is, "How do I convey that message without wrapping it in too many fucking fancy words, to be perfectly honest." How do I still walk into that meeting and go, "Yeah, I'll be screwed," but do it in a way that's actually a little more civilized so that they will listen and won't instantly shut down, because you know as well as I do. You walk into a boardroom or a leadership room. If you don't look right, you're automatically having to get over that first barrier, and we're way beyond just race, color, creed, orientation, religion, and everything else.

We're into the fact that, half the time, I am sitting here wearing my hoodie. Now, the other time, I'm sitting and wearing a pair of trousers and a shirt. Practitioner versus a little bit of a CISO, but it's still being true to myself. I still need to be able to look into the mirror and go, "I did the best I could, the most effectively I could, and the message got across." So, that'd be a longer version of the answer.

John:

Well, no, and I'm hearing you talk about striking that right level of candor, then also knowing your audience and how to speak to them, and it's different when you're talking with the exec team and then when you're talking with the board, and I know those are areas that you've had to navigate as well. So, do you want to speak with whatever level of candor and candidness you feel comfortable with about? Not specific conversations, but exec team and then board, I feel like they're two different kind of conversations.

Chris Roberts:

To me, they absolutely are, but at the end of the day, we're all still human, and I think that's where a lot of people lose it. They lose it because they're like, "Oh, I have to be..." No, they're still fucking human. They still pull the trousers down or their skirt down and they still sit in the bathroom on a fairly regular basis in the same way the rest of us do. So, you still have to treat them as a human. Going in there on bended knee is not an approach that I actually like, and if there's a leader there where that bended knee approach is necessary, I'm in the wrong place.

Now, is there a level of respect because of what they're doing and how they're doing it and the fact that, especially at Boom, you've got a guy here who came out of the tech industry and went, I'm kind of done flying on these stupid things as slow as they're flying. I'm going to build one of these fucking things myself. I'm like, "Yes, I've got a shit ton load of respect for him, because I know what it takes to build an organization, let alone an organization that's taking on the aviation and engineering industry." So, there's respect there, but he's also still human. I can still wander in and go, "Hey, you got a second?" I can still walk into ZA- yeah, go on.

John:

No, I was going to say, that may be a good segue for a little bit to talk about, what are you working on now? I think people would be interested in that. I mean, obviously, as much as you can share with us now.

Chris Roberts:

Yeah, so, there's a number of things. That is a good one, because I turned up and we hadn't announced the final shape of the airplane, let alone the bloody engines and all the other crazy stuff that we're working on, let alone... And I'm literally stood here. I could throw a rock and hit what we call passenger experience, which is where we have the inside... Hang on a sec.

John:

Hey.

Chris Roberts:

Live podcast. You've got muppets over there making bloody noises, weird noises, bless their little cotton socks.

I love it. Again, candid. Let's shut the hell up, you Muppet.

I think part of it... We're working on some pretty cool stuff for the passenger experience. We've got Paris. Paris is obviously happening, and some other fun things that are going on as well. And so, there's design work. You're building an airplane. We've got the experimental jet Anima Harvey doing some fun crazy stuff out there, but we've also got the internals. How's it going to look? How's it going to feel? How are passengers going to experience going on the plane, off the plane? What data can we take? What electronics? How do we safeguard, how do we secure it, as well as the engines themselves? How are we going to design them efficiently? How are we going to be more effective than the current stuff that's out there, which is fairly easy, and then a whole bunch of other kind of crazy stuff that we're doing.

My job, support it, help it, make sure it gets safeguarded, make sure the business can do what it needs to do, make sure that the supplies and vendors and supply chain can officially collaborate and communicate without me getting in the way too much, but also making sure that it doesn't end up in hands that we don't want it in. And that's everything from the physical side all the way through to the digital side. So, yeah, it's a pretty extensive and fun realm, should we say.

John:

You mentioned Paris, and I think you guys are off for an airshow coming up here in a couple months. And so, that brings to mind this whole role that someone as a security leader has around talking to people about situational awareness, right?

Chris Roberts:

Yes.

John:

And when you show up in public and where competitors might need to be, and you don't want to be too candid with the wrong people.

Chris Roberts:

Yeah, just one conversation-

John:

But you don't want to pass on- Yeah, sorry, go ahead.

Chris Roberts:

No, literally just had that conversation an hour ago, and I kid you not, about wearing badges. We have badges. We have badges that we wear in the office and I'm great, and we have badges that are worn at the air shows and in the chalets that we have and all this good stuff. And I'm like, "I love it. I love the fact we do this, but do me a favor. When you walk outside, take the darn thing off, especially when you're in a different country. Don't make yourself a target." So, it's always this conversation, and it's conversation with leadership as well as teams of other folks that are going out there. It's conversation wise stuff. It's situational awareness as to who's around, what's around, what do I say, where do I say it? What am I wearing? How much do I stand out, how much do I blend in?

We're working with a third party security team that can have boots on the ground there, so fantastically liaising with their team, and they're ridiculously professional, really, really good team that we're working with. And we're talking about primary route, secondary routes, tertiary routes, escalation procedures, all these other good things, and you can see some of the leadership folks like, "Holy smoke." And I'm like, "Yeah, we've got to grow up. No longer are you just a company that's got this really cool idea for having a jet. We've got the stupid thing moving. We've got some crazy stuff we're building. More and more adversaries will care about what we're doing, and therefore, we have to be very careful about it." But it's taking the human approach. It's not being an asshole about it. It's taking that human. How do I explain it in a way that they understand it and they care about it?

To your point, it's a different conversation with practitioners than it is with an exec level than it is with the board. How much of that conversation gets still to a board level? Well, you walk into a board and go, "Hey, we have this, we have this. Here's probability, here's risk, here's our mitigation strategy. Any questions?" Done.

John:

I think that that also speaks to being prepared and showing up in the right way, knowing who your allies are in the room, more situational awareness if you're in a certain exec meeting or that board meeting you're going into. It's always been my experience that, generally, you want to make sure that everything was set up ahead of time before the official vote happens, but then, that doesn't always happen, right, Chris?

Chris Roberts:

And, okay, now back to the candid stuff. I don't play political games. I'm not very good at them anyway, and I never have done, and I really don't give a shit about them. This comes back to that military side of the world. This is like, "Hey, we're all in this together. We're all getting the same fucking paycheck. Let's just get on with it." The land grab by this team and the what by this team and this political stunt? No, no, we need to deal with that. We're going out back with a set of boxing gloves and we'll deal with it that way. That, to me, is where the candid side of it comes in, because there's too much of that shit going on, and it drives me nuts.

What I love about being here. I'm sitting here. Charles, who's the CIO, sitting literally a poke away from me. Engineering is half a poke away from me over there. I've got everybody else is within literally, and we're all focused on the same thing, and I think that's so different than so many other organizations. Whereas I go, "I don't want to speak to them because of X," or the IT team doesn't talk with the network team and the database team smell and the security team always say, "No," and the users are useless because they click shit. I hate that stuff, and I'll call bullshit on them when I see it. And that's, again, I think, maybe a difference. I don't play politics. I grab a big rock and I'm like, "All right, who's ready to have a conversation?"

John:

Well, the rock-based conversation sounds like we're coining a new term here, so it sounds good.

Steve:

Isn't that itself a form of politics though? Some leaders don't want to hear fud. You hear on other podcast, "Hey, when we go into the boardroom, we're going to be perfectly practicing stoicism and we don't want to get too emotional." I am horrible at stoicism. Even though I know it's a thing, and when you're talking to a C-level person, it's like, now, you can plot their emotions on this boring graph. And I'm like, I am all over the fucking place. I can't do it, even if I tried. And that's why you see the icon for the mascot for the non-Conformist Innovation podcast. Chris, he has purple hair. I think when I first met you through RT and a conference from titanium, your beard was a little more colorful than it is now.

Chris Roberts:

Oh yeah, totally.

Steve:

But I would argue that that's actually a form of politics, Chris, slightly different than the norm.

Chris Roberts:

And, I think, that's where it is. And I think you hit it perfectly, which is, what you see is what you get. I care, and I think maybe that's... This isn't just a job to me. This isn't just get a paycheck, come in, leave, whatever. I care, and I care enough that you are going to know how I feel. You are going to know what I think, you're going to know where I stand on certain situations and stuff like that. And it was a very different...

You talk about board meetings. The first board meeting I turned up to, I turned up, I was somewhat civilized. I had the shirt on, I had trousers on, I had my funny feet on my vibrance. I think my beard was probably colored as well, and you could tell they were like, "What the heck is it? This is different than what we've normally been expecting in all of our other boards and our other companies. Is it going to meet us or is it going to be useful?"

Steve:

No slacks?

Chris Roberts:

Yeah, no, no, no. No. And I've changed it up. I do it deliberately. This last board meeting I turned up, I had a nice pair of tailored trousers, I had a purple jacket on, and you could tell they were like, "What the hell?"

I'm like, "Oh yeah, I'm just going to interviews. You're fine. Don't worry about it." You son of a bitch. But I think it gets to that because you open yourself up, which is good and bad. You open yourself up for attack, you open yourself up and you've got to sometimes defend, you open yourself up for abuse sometimes, but if you open yourself up, at that point in time, "This is who I am. Either you accept me or you don't." And you're right, there is a form of politics in that one, but I would much rather be, "This is who I am, this is what you get." There's no messing around and deal with it rather than just try to play any hidden game, if that makes any sense.

Steve:

It sounds like a tabletop exercise, like a simulation of a breach in the boardroom before it actually happens. And if you can condition them in the boardroom, "Hey, hackers aren't going to look nearly as friendly as I do."

Chris Roberts:

Well, I am a hacker. Let's face it. Let's start with the easy one. I am a hacker and this is how I look. And, let's face it, from an adversarial standpoint, the attackers definitely come in different shapes and forms and features and stuff. And you're right, they ain't as friendly and they're sure as hell not going to give you a warning. Well, maybe they will, and you probably missed it.

John:

Well, that tabletop exercise. Yeah, bringing that up is an interesting one as well, Steve. So, Chris, I'm sure you've done plenty, plenty of different types of exercises. You've done the red, you've been on the blue side, you've done these types of things there. Have you ever had a successful tabletop with your exec team that helped bring them around?

Chris Roberts:

Oh, yeah. We had a fun as all hell one. So, this is back in the day, as I was doing consulting, and we were in at a healthcare organization and they had their CIO and their CISO in there, and we'd done some exercises with them and the challenge became one of, their CISO was answering the questions. He wouldn't necessarily let anybody else get an answer in, and it was interesting because the team, very much so, just when you asked a question, the team just looked straight at him, and he just answered. And it was always interesting, because nobody typically challenged him as much. Very, very nice guy, but very... Just, he was the leader, shall we say.

And so, we went through a couple of exercises. We were like, "All right, we have to change this. We have to help him understand where maybe he's failing and maybe some behavioral changes." So, we went into this tabletop exercise, and we're like, "Okay, we're declaring an incident." And he's like, "Well, I'm ready."

I'm like, actually, you... Because he used to race cars. And we're like, "Well, actually, it's a Sunday we're declaring the incident. You're actually out at the track. You got a notification and, unfortunately, due to this, this, and this, you just crashed your car. You're actually on your way to the hospital at the moment. You're going to have to listen." You're on the way to the hospital. You got to listen.

And then, we started walking through it, and his team would keep going this. I'm like, "You're in hospital, you got to listen." And really, really quickly, and to his credit, he actually came to us afterwards. He's like, "Thank you. My team have talked about this, but this was the first time it's been put in front of me that I do need to shut up and let others talk." And it was a fantastic way of doing it, and it was really nice to see. And, to his credit, he was accepting of the situation.

John:

That's great to hear. It makes me think a bit about, you do some self-reflection about your leadership style, especially as you grow in your career and things like that. So, the one thing that sticks in my head, and I'd love to hear if there's maybe a saying you have around this, is... And I love to cook. I love to eat really good food. I think that's one thing we have in common. We'll talk maybe about, like I said, Hacker Summer Camp later and other activities, but on the food front. So, if you talk about chefs, I've always said, I want to be more Thomas Keller and less Gordon Ramsey.

Chris Roberts:

Yes, yes. So, in the UK, there was a gentleman, and unfortunately he passed away several years ago. I don't remember exactly when. It was Floyd, Keith Floyd, and it was Floyd on Food. If anybody's listening in on this one, look him up online. In fact, I'm actually going to do a quick YouTube search while we're doing this now, because I'm pretty sure. Gosh, I hope he did. I hope he's up on YouTube. I hope people have actually put some of his stuff up on there. Floyd on Food.

John:

Yes.

Chris Roberts:

Oh my gosh. Keith Floyd, he was amazing. He would basically cook, he'd have ingredients all over the place, but he would typically cook. He would have a bottle or a glass of wine in one hand and ingredients and stuff on the other hand, and it would just come together. It's like magic happened. It's like... There was an Australian painter years and years ago that did the kid stuff and everything else, and he'd be like, "And here we go."

And you're like, "What the heck is he doing?" And then, in the end, you stand back and you're like, "The hell did that come from?" And it was just amazing to see somebody take what appeared to be nothing and make something absolutely amazing out of it. And I love it because that's food, that art. That's our own food. That's incident response 101. You are walking into a burning building. No two ways about it. Shit's going wrong. Everybody's running around their heads. You are the one that has to walk into that burning building, go, "And here we go, and co-ordinate and-"

John:

You're going to take this line. You're going to take the grill line, and yeah, no, that makes sense.

Chris Roberts:

And I love-

John:

It's interesting, because you hear that word "Chef," right, was from chief. So, how do you become that chief, that leader, that is not the one that's yelling at everyone and they're still getting their work done? It's a challenge, right?

Chris Roberts:

It's a human thing. And again, so, this comes back to... We look at the role of a CISO. The role of a CISO, I would argue, it isn't just to be that technical source. That's why you have senior leaders. That's why you have fellows. I love the fact, when you walk into a company, and they have a track for fellows, which is amaze as hell, and you've got the track for the lunatics of us that decide we want to try and deal with humans sometimes. But, with that, to your point, comes that introspective reflection to go, "Am I somebody who can deal with people or am I somebody who just wants to deal with tech?" And, if I can deal with people, how do I become somebody who knows the right questions to ask, who knows the different types of people and who knows how to get the best out of them they possibly can, and who knows how to support them and manage them and be there as the shield, but also be the steel toe cap boot when you need to be, and do those balances.

And that isn't always something you can read in a book. It's not always something you can get out of a StrengthsFinder or something like that. It's something you learn by watching other people. It's something you learn by listening. It's something you learn by having good mentors and by asking good questions. So, that's how I-

Steve:

There are a couple of pieces in that calculus, Chris. You started off by talking about protecting, and what are you protecting? You're going to be protecting people, stakeholders, right? You can protect revenue and shareholders. But I think if you see your mission as broadly to protect, you view stakeholders almost equally on same footing as shareholders.

Chris Roberts:

I've always looked at it and I've challenged people about this. You go to some of the, not necessarily Hacker Summer Camp, but you look at maybe some of the bigger conferences, the more corporate ones, without naming names, I've always wanted to challenge, and I have done it a few times online. I've challenged people. I'm like, "Okay, you go take grandmother, grandfather, and the kids of data you just lost and you walk them around the floor of this conference. Would they be happy about the fact that we're doing the best we can, or would they be absolutely appalled about the fact there's nothing more than a circus? If you can't do that in good conscience, then you shouldn't be part of that issue. You should be part of the way of challenging it, and how do we solve it more effectively?"

John:

That's a great... It brings up to me the rise of a lot of these conferences that have come up besides the main conference, the BSides, whole section.

Chris Roberts:

BSides. Yep.

John:

I will mention one. I was just down in Southern California. Amazon had one of their big security focus conferences, which is Reinforce, because they have Reinvent, and there's a great group of cloud security practitioners that have created their own thing called FWD:Cloudsec. So, they're like, "Hey, you're trying to be just replying, we're moving forward." And these guys were talking about amazing topics. And so, I guess, to me, where do you find those spots of inspiration and how do you get your team members to go to things like that? I don't know. I'm making this one up as I come along on this one, Chris, but-

Chris Roberts:

No, it makes perfect sense. I think you're right, because I've got my home, my kind of spiritual... I got two, and one I'm actually heading out to, which is Cyber Week in Israel. I love that one because of the diversity of the conference. You get 60, 70 countries turn up, if not more, and it's fantastic. But my home, US and stateside, is GrrCon up in Grand Rapids, Michigan. It's in, I know what year, 10, 11, 12, whatever the heck we're in at this point in time. And to me, it has that amazing ethos of BSides conferences. It maintains the integrity. It's half students, it's half... It has some absolutely amazing people in there. And I love the questioning. I love the fact it's still challenges. I love the fact that your booth is still nothing more than an eight by eight by eight square with a tablecloth.

They don't allow anything else. Y'all are on a level playing field, get used to it, and you're here on your merits. And so, for me, those are great. I find them through word of mouth, I find them from being part of the community. I'm very fortunate I get invited to them. And what I do with the team here is I'm like, "Hey, y'all want to come along? We're going Hacker Summer Camp." I'm renting a house and we'll bring as many of the team as we can along and we'll use it as a safe space and everybody can go out and have fun and get arrested, and then we know where the hell they are so, it's a fun way of doing that. And you encourage. It's like, "Hey, there's this conference going on. Go to it."

I'm also fortunate that one of the crew, Justin, who I'm actually seeing here, he runs the Car Hacking Village. That's his and a bunch of others, that's their baby. You've got some amazing people as part of, that's his baby, as part of it now. So, I bring people in, we bring people in from the community. Tara is doing a shed-ton load at GRC. She just did a whole bunch of LinkedIn live stuff, which goes public soon, very soon, actually, this month or next month. So, I love the fact that I'll bring people in from the community to work... I won't say for me, but with me, inside Boom, and that's how we do it.

John:

I think that's a great thing. And bringing up the Car Hacking Village, I've had the privilege, and just for our audience members who aren't aware of what Hacker Summer Camp is, that's Black Hat, DEF CON, BSides Las Vegas, all these other little gatherings that happen in Las Vegas in the summertime. And I know, Chris, you mentioned you're going to be taking some team there. I'd definitely use that as a way to bring team members together, to try to mentor new folks in, but it can be a grind over the time that's there. I guess maybe a couple words on finding your right tribe at these types of things and maybe suggestions for folks to, "Hey, do you want to be in the blue team or the red team or the car hacking or..." Any recommendations you might have for folks from someone who's been in these.

Chris Roberts:

Been in it a few times. I think for me, I go there nowadays to see family. That's how I look at it. So, for me, I think the very first thing to do is go in there and just talk to people, walk up and introduce yourself, but also go to the villages. A lot of us, somewhat introvert, don't like walking up to strangers. So, go hit the village, sit down and ask questions.

The talks are okay, don't get me wrong, but I wouldn't spend the entire time at the talks because you'll miss some of really what brings the conferences together, which is the people. You go sit in a room, you listen to people, like me and others that are out here as well, that's fun. But do me a favor. Only spend 25, 35% of your time there. Spend the rest of the time walking the halls, spend the rest of the time in the villages. Go to the parties, go hang out, go meet people. Actually go around the vendor area, as well. As much as I have a love hate on that side, they tend to put the money towards the conferences that allow them to happen.

So, if nothing else, I typically will go to most of these conferences with a shopping list. "Hey, I'm searching for identity management solutions, or I'm searching for this, or I'm looking to do stuff with data securities." I'll walk the hall, at least on some of them, and I'll make introductions, and be like, first and foremost, thanks for being here. Secondly, it sounds like you're doing something interesting. A, you don't get to scan my badge, but B, give me a business card and I'll have in contact with you. So, the villages are great. There's so many of them. Everything from the Hacking Villages to the Hardware Hacking Villages to the wireless, to the wall of sheep, to all the other ones that are out there doing things. That's the community coming together. That, I think, is absolutely key.

But a lot of the conferences will also put on their parties for the evening. Go along, hang out, and come out of the shell a little bit, but even go online to LinkedIn or any of the other profile sites online. Come here, talk to the audience that's here, and go, "Hey, are you going there?" So, that way, maybe if it's your first time, you've got a friendly, "Shit, come find me, for crying out loud. I'll introduce you to people." There's so many of us out there that are approachable. There are definitely some muppets out there in our industry, unfortunately, who are not approachable. But for the most part, most of us are relatively approachable, even if we are drunk. And I always have a whiskey case with me, so come by me, and I'll share a drink with you.

John:

And so, you heard it here, guys on the Candid CISO podcast. Chris is volunteering to be your DEF CON Sherpa, if you can find him. And he's pretty recognizable. I'm pretty recognizable, but I think...

Chris Roberts:

Yeah, I'll be there. I might have the kilt on, I might not do, but the beard will definitely be colored. And let's face it, just ask somebody, "Where the hell is Sidragon?" They'll find me.

John:

Well, since you brought up that one handle, and in the interest of candor, I need to share with our audience members. So, Chris will talk a little bit more about this little bit, but I got a T-shirt that says, "I am Sidragon," for part of an EFF fundraiser, the Electronic Frontiers Foundation, and it was actually not at a security conference. I was taking my daughter to go see FanimeCon which is kind of the anime and fans of science fiction and stuff like that based in San Jose. And this gentleman came up to me. He said, "Where did you get that t-shirt? I was there when we made these ones."

And so, I'm just bringing this up as a way of saying, you never know where you'll find these connections in community. And so, anything you want to say about that era and that fundraiser that you helped EFF with?

Chris Roberts:

Oh my gosh. Yeah, it's interesting, now, isn't it? That I'm now on the inside of an industry that I was throwing rocks at for so long. I'm a researcher. I research interesting things, and it starts off, we were researching cars, part of the village and everything else. We were trying to figure out how cars worked and how we could make them work the way we wanted to. We deviated off into hacking cows and hacking trains. But we ended up looking at the aviation world, and we did it in as much of a collaborative way as we could. We found a lot of stuff. We tried to advise people of things that were going on, and unfortunately it didn't work. I think part of it was, the industry wasn't ready to hear. The industry wasn't at a point where it knew how to process the information, let alone what to do with it, let alone how to deal with it. And we'd ran afoul of that.

To put a long story story, we ran pretty badly afoul of that for a bunch of reasons. It caused a lot of angst, grief, and hassle. It caused a lot of angst, grief and hassle. It caused some issues and challenges, and unfortunately, caused some hardship that there still is to this day. The upside is, Aviation Villages has gone from strength to strength. No two ways about it. The industry, somebody plays in the industry, have definitely gone strength of the strength. And one of them, let's face it, brought me back in. So, we're having some fantastic conversations. We're looking how to change the industry to be more efficient, more effective, and do the right things.

It's a journey. It always is. This whole industry is a journey. There's no actual solution. It's all a game of chess, unfortunately, both internally as well as with our adversaries. So, yeah-

Steve:

Speaking of games-

Chris Roberts:

I'm here. I'm on the inside.

Steve:

... Can I ask a question? I think one of the things that stands out to me is the interest that the boardroom has in gambling, quite literally. We talked about this while prepping for this episode, how the role of the CISO has evolved from looking in the rear view mirror to looking at what's happening today to predicting the future. There's some research, you said you're a researcher, that actually demonstrated the trend line of data breaches decreasing, but predictive models showed data breaches increasing, but that's only to 2019. I think, since then, it's probably a different story.

So, here's a three-part question. As the same audience is recovering from those conference places that you mentioned, I can't remember what you called them, what should they be thinking about in terms of bringing something valuable or useful back to the boardroom about what they learned, how to shift their focus from risk management to predicting the future and protecting their company and their assets?

Chris Roberts:

I mean, that's a fantastic question, and it's probably relevant for us probably more than a lot of organizations because what we're building now won't be commercially available until several years time. So, if I build something with today's technology from today's systems and I try to put in something in five, 10 years time, it's going to be outdated.

So, from my standpoint, as I start to look, as I walk the halls, as I walk around, I do care what we're doing about things today. But I want to know who's throwing that crystal ball a little bit further out. Who's taking a look? Perfect example, let's take a look at identity. Identity is a crazy, convoluted, complicated, asinine, ass about face solution that everybody's thrown every acronym known to mankind at, and we still haven't figured out whose fucking hands are on the keyboard.

Tell me I'm wrong. Passwords, we've had them for 40 odd years, and still the most prevalent one is 123456. Put some complication in it. You add 789. So, how do we change that? And so, you start taking a look at the companies that are trying to change it differently, looking through things through a different lens. You're taking a look at transportation. In my case, where are we in transportation? In its infancy? Where are we going? Who's going to help us get there? Who's focusing on what tomorrow's problems are and who's looking at... And are not taking the next buzzword? I'm not looking at that, but I want to know concrete hard issues. Who's taking a look? Perfect example with us. We are flying something that's burning fuel. Well, how do we do it sustainably? How do we do it? Looking at what tomorrow's problems are going to be? We're going to run out of certain types of things. How do we do things in a sustainable manner? How do we bring the next level of technology into this, and we start looking at where it's going to be.

Is it intelligent systems? Probably, yes. Is it today's ChatGPT systems? Hopefully not. And so, who's pushing those boundaries? And you start talking to those companies, or you take a step back and go, "Who's putting those companies in the conferences?" What vulture venture capitalist organizations are doing that? What countries are doing it? Where should I be spending some time looking at conferences? Do I still go back to Israel? Do I go look at Turkey? Turkey has this fire to be the next Israel. You look at Saudi. Saudi has the fire to be the next tech hub of Dubai. So, where should we be looking to actually help foster that, put some time into it, and say, "Hey, let's collaborate. Let's work on this." That's how I look at it.

John:

I like how you bring it back to, again, human relationships, conversations, and that's what it does take for us to get there. You did bring up the gen AI specter just a little bit there. That seems to be the super heated topic of the moment, and it is a little scary how good some of these things are getting.

Chris Roberts:

Yes.

John:

But, I guess, any thoughts on, whether it's the Google Bard, the ChatGPT, whatever large language models we're looking at these days?

Chris Roberts:

There we go. Yeah, exactly. Big old pool of data and we're trying to make sense of the darn stuff. Nothing changes. We just give it a different name, don't we?

Yeah, it's a challenge, because up to recently, we had pretty good safety bars on most of the tech that we'd put out there. Maybe it was in there for human consumption in a general way or the mass consumption generally. But we really didn't let it loose on the masses. Now, we handed it to the masses without any warning labels, without any instructions, and it's interesting to see the results. My concern is, we've handed it over without training people to ask more questions. We've trusted it, and I think that's my biggest thing. It comes back to security. It's trust less, validate more, whichever way you want to look at. We talk about trust but validate or any of this. To me, it's the other way around. It really has to be this day, so it's like, "Hey, you ask ChatGPT a question. Great, I love the answer. Let me go check it somewhere else. Two or three other different places, maybe."

And I'm actually doing a talk on this, a couple of days time, doing a prerecorded one because I'm flying when they're officially releasing it. And it very much is about, it comes back to the human. It's how do we educate people rather than just simply hand them a loaded weapon, which in this case is an intelligent system that lies. Not deliberately, but it just lies. It makes shit up as it goes along, and we haven't been trained to ask it questions.

It's an authoritative figure, and in the digital realm, it's the same thing. You get stopped by a police officer or a law enforcement individual. How many of you, the first question is, when they say, "Hey, can I see your license?" "Yeah, can I see your identification?" We don't do that. We assume that the authority is there, rather than saying, "Love your idea, I'll hand you my license, but do me a favor. Just give me some identification so I can actually validate that you are who are."

Now, I'm... Let's just be very blunt about this. I'm six foot three, I'm white, I'm an elderly guy. The chances of a police officer going, "Don't be such a smart ass, sonny," and smacking me upside the head are pretty negligible. If I wasn't the color and the size and the orientation I am, the chances are, I'd probably get a smack down, let's be honest, which sucks because that's not how it should be. In the digital world, we need to teach people to actually ask more questions before they trust things. So, yeah, that's my little political thing to go with today's hand grenades.

John:

Well, we are looking for candid conversations, so I appreciate that very much.

Chris Roberts:

Yeah, let's face it. You're going to get it from me. Let's just be honest about this one.

John:

This is one point, and I know you've got a packed day and we really appreciate you-

Chris Roberts:

No, this is good. I enjoy the conversations.

John:

That's awesome. I guess one of the questions I've got, because we're speaking to our CISO peers and other people who are leaders in this realm. A lot of times, people talk about, "How do I break into a security field? How do I earn my chops?" And, on the other side of that, we talk about, "Hey, there's all these open positions that we're trying to fill," at the same time.

Chris Roberts:

Yes.

John:

I guess, there's two parts to that. One is, advice to folks breaking into this field, and it's very different from when you and I were coming up, right?

Chris Roberts:

Mm-hmm.

John:

There are now degree programs on cybersecurity and stuff like that, and yeah. Yeah.

Chris Roberts:

Yeah. Terrible stuff. I'm like..

John:

Yeah, and that's the path for some people, but people take the different paths they get to get there. So, for those people, trying to get themselves established, and then for those middle managers to try to think maybe creatively about bringing those people in.

Chris Roberts:

All right, so, I'm going to hit the middle managers first because that's the part that annoys the hell out of me, to be honest. I think what ends up and what I've seen too often is leadership inside an organization says, "Oh, I need another person on help desk or an IT analyst. Doesn't really matter what." And they're like, "People team or HR team, go deal with that for me. Go find me somebody."

And the HR team goes, "Well, yeah, I could do with sitting down with you for half an hour to determine what we need." "No, no, just go Google it." And yeah, people team to do the best they can. They're like, "Well, I'm going to go Google an HR person. Well, they need this and they need this and they need this and they need experience and need this." And all of a sudden, they've got to list this long, and they're like, "Well, is this right?" And the management person inside the company and they actually, "Yeah, it's fine. It's fine. Just post. It'll be fine."

That doesn't work. That's not collaborative. So, this is where you sit down and you're more efficient, you're more effective, you're like, "Hey, what do I actually need? Well, I need somebody who's got a basic understanding of this and a basic understanding of this. I need some of this."

Now, conversely, the people team also need to learn not to put it into plain or business speak all the time. And the degree requirement needs to go away, or degree or equivalent experience. Take your pick on that one, and I think we also need to stop putting such a long list together because a really good friend, Charles, actually pointed out to me. He's like, "You put a list of 10 things together, most gentlemen are going to look at it and go, yeah, I've got six of those. I'll be fine."

Unfortunately, that's not the same for others. They'll look at it and go, "Oh my gosh, I only have four or five of those, I shouldn't apply." So, that list needs to be much more defined, but also, "Hey, there's a caveat that, hey, you only need four or five of these. We don't need the whole list of things. Give me four or five of them." So, there's a level of realism that needs to be put into the post, number one. Number two, the hiring person also maybe needs to get out onto LinkedIn or go to the conference with an open mind to going, "Hey, I got some people I can help. I can train them. Who's got the integrity? Who has got the drive, who has got the fire, and who can I train up more efficiently?" So there's got to be that. It takes more work on our part, but it pays dividends. So, that's one.

Now conversely, let's look at it the other side. If I'm looking to break in, I shouldn't just be throwing resumes everywhere, because that shit just doesn't work. I shouldn't necessarily be paying a recruitment to do the same thing, because that doesn't work either. Maybe I should go get certificates because that's how some people look at it. But maybe I can do my own research. I can publish something. I can go to a conference and say, "Hey, I've just spent the last six months working on how to adapt one of these things to break into these, and I'd love to just publish my journey." I'd love to talk about it. I can get onto LinkedIn. I can have that conversation on LinkedIn.

John:

For our listening audience, I just have to point out that Chris has been showing one of the hot security toys of the springtime. You want to share with what that one is?

Chris Roberts:

My precious. It is a Flipper Zero, for the listening audience. It is a Flipper Zero. It is a Swiss army knife of the electromagnetic spectrum of signals and all sorts of fun things you can do with it. Basically, you can change channels, you can get into garages, you can open cars, you can do all sorts of other fun things, and it's a really good learning tool. And there's all sorts of other fun things.

But, yeah, so, I think, if I'm coming into the industry, research the Flipper, or heck, if I can't afford one, because the stupid things can be expensive, go down to Micro Center and go by yourself and Arduino for 20 bucks and learn on that. Use the journey. Go research the community, be part of the community, contribute to the community. Turn up a DEF CON, get a free ticket for DEF CON because they're out there and come in and be part of the village.

You'll get noticed that way. People like me look for people like that and go, "Hey, you want to come and hang out? You want to join?" Volunteer. All the conferences look for volunteers. Go volunteer your time, because guess what? You'll make friends, you'll talk with people. You'll be seen in the community and folks will come up and go, "Hey, what are you doing?" "Well, I'm looking for a job." "Well, what are you looking for? Well, hey, I've got an opening over here. You want to come and hang out?"

And so, that, to me, is probably one of the best ways. Or knowing people on LinkedIn. Hit us up on LinkedIn and say, "Hey, I'm looking for something. What do you got?"

Steve:

I think that's-

Chris Roberts:

So, there's ways to do it.

Steve:

... So refreshing. In 15 seconds, I would just, for the managers, you need a moral compass, probably more than you need a risk register. You need a moral compass. For those trained to break in the data science and economics disciplines are going to help differentiate and give you more tools. Hacking skills are valuable. Data science and economics are going to give you a much needed, valuable lens and tool set to apply your hacker skills in a business context.

Chris Roberts:

Let me give you two others to add to that. That's really, really flipping good points. The ability to articulate is key. You can break into everything to mankind, but if you can't put it down on writing or you can't actually discuss it with somebody about what you did, how you did it, and the findings and what you need to do to fix it, you're no use to man or beast.

And the second one is, know about the business. Do a little bit of business research. Why would a business care? Probability? We talk about risk, we talk about leadership. How do you talk to those different tiers? Yeah, perfect. Great example, Steve. Thank you.

Steve:

Probability. Good one to lead with. Well, there you have it, John. There's your Candid CISO.

John:

There we go. Well, hey, I really appreciated the conversation here today. Before we sign off, I want to say, any advice you have for people trying to walk that line of being candid enough to get your point across, or do you feel like you've just been out there and you've made it work?

Chris Roberts:

I've made mistakes. I think that's the fact. You've got to accept you're going to make mistakes, and sometimes, you have to be ready to apologize for those mistakes. I've walked into meetings and I've said my piece, and there are some people that have been like, "Oi, vague," and there are some people that have gotten it. And I've had conversations with somebody afterwards. I did it recently here. I asked him a question, and I forget my size. And so, I asked a question and I thought I was okay, but apparently, it came across as, "I'm going to chew your head off and I'm going to spit out the rest."

And I'm like, "I didn't mean that," but I have to be humble enough to be able to walk up to them after and say, "Look, I'm ever so sorry. That's not what I meant. That's not how I meant to come across. Help me understand how to be more effective at how to talk with you." And so, if you're going to go in with the balls to the wall, rock conversation, you've also got to be ready to have to be able to.

But to your point, John, both you, John, and Steve, you both shared the conversation which is, read the room. So, be prepared to have a conversation with other people in their language, as well, and the way they're receptive to it. You can read people pretty easily as long as you spend the time understanding how to do it.

So, yeah, I don't know. Be humble enough, ready to know to when you're wrong and actually be accepting enough to actually stand up and say, "Hey, I'm wrong. How do I do it differently?"

John:

I think that's good advice for us here. I think we've had a great candid conversation. I guess I will kick it back to Steve. As we mentioned, he's helped get us started here. Any last questions you've got for Chris or thoughts you want to leave our group with?

Steve:

There's so many great ideas here. I think the idea of a CISO that has an MBA with communication skills is the next modern CISO? We can't just be hackers. We need to layer that with nuance at all levels? Bring your data science, bring your economics, bring your business, bring your communication skills, and layer that with your hacking skills, and you have a powerful combination for a NextGen leader.

Chris Roberts:

Yeah, wholeheartedly agree.

John:

Excellent. Well, I feel like we're hitting towards a wrap. I want to say, we will maybe give Chris a couple minutes back in his super busy schedule here. I'll say, I'm looking forward to seeing you at Hacker Summer Camp.

Chris Roberts:

You too, sir. You too. Definitely.

John:

And thank you so much for being our guest here today.

Chris Roberts:

No, I'm honored and I appreciate it. Thank you very much, the pair of you, and absolute Godspeed and good luck and all that other ones.

Steve:

Thanks so much.

Chris Roberts:

Definitely.

Steve:

Cheers, John. Cheers, Chris. Take care. Bye now.

Chris Roberts:

Thank you.

 

Chris Roberts Profile Photo

Chris Roberts

CISO

CISO, Hacker, InfoSec, Safety, CyberStuff Researcher, Advisor, Hacking is not a crime henchman, and various other names on the technical side of the world.