Aug. 29, 2024

Rethinking Cybersecurity: The Power of AI and Preparation with Tyler Pinckard

In this episode of the Candid CISO podcast, Tyler Pinckard, Head of Security and Data Protection Officer at Support Logic, shares his provocative insights on the evolving landscape of cybersecurity. Tyler challenges the traditional view of security as merely a cost center, arguing that when leveraged correctly, compliance and AI can become powerful competitive advantages. He delves into the critical role of preparation and rehearsals, emphasizing that many security failures stem from a lack of planning rather than the complexity of threats. Tyler also advocates for embracing AI and automation to stay ahead in the fast-paced tech environment, urging CISOs to disrupt rather than be disrupted. This episode is a must-listen for security leaders looking to sharpen their strategic edge and rethink their approach to modern cybersecurity challenges.

Takeaways

  • Security as a Strategic Advantage: Compliance and AI can turn security into a competitive edge.
  • Preparation is Key: Many security failures result from poor planning, not just complex threats.
  • Embrace Disruption: CISOs should leverage AI and automation to disrupt, rather than be disrupted.
  • The Power of Rehearsals: Regular rehearsals and preparation prevent failures during critical security incidents.
  • Compliance as a Crowbar: Compliance such as SOC 2 and ISO 27001 is essential for customer trust and retention, and sets the floor for security spending.
  • AI's Role in Cybersecurity: AI can enhance efficiency, particularly in tasks like static analysis and case summarization.
  • Practical Use of AI: AI should assist with tasks while maintaining human oversight for critical decisions.
  • Startups and Security: Aligning security with business goals is crucial for success in fast-paced startups.
  • Leadership in Cybersecurity: Effective leaders delegate and empower teams rather than micromanaging technical tasks.
  • Diversity Drives Success: Diverse teams offer varied perspectives, reducing risks and improving security outcomes.
  • Pragmatic Use of Tools: Use tools like GitHub Copilot to maximize team efficiency and effectiveness.
  • Security for the Modern CISO: CISOs must continuously adapt, applying both traditional strategies and modern tech solutions.

 

IdRamp is a sponsor of the Candid CISO podcast. Visit their website at: https://www.idramp.com/candidciso

 

TrustLogix is a sponsor of the Candid CISO podcast. Visit their website at: https://www.trustlogix.io/candidciso

 

For show notes, transcripts, links, and more episodes visit https://www.candidciso.com

 

The Candid CISO podcast is produced by Nonconformist Innovation Media.

Transcript

John (00:00.322)

Now here with Tyler Pinckard. All right. So this is the pre-roll of the pre-roll. And can you hear me okay? You're coming through loud and clear too. And the way that Riverside works is it does like a local recording and uploads the high audio. So you'll see kind of the uploading percentages go. And the main thing is we just need to wait till the end until they both show up.

 

Tyler Pinckard (00:11.047)

You're coming through loud and clear. How am I doing?

 

John (00:27.478)

We'll actually have two different audio streams so he can normalize us for what's across there. But, hopefully I will be talking into the mic well enough this time. Awesome. So we'll go ahead and dive right in. Like I said, I'm sorry, I'm with an icebreaker. I'm going to walk through kind of the four seconds I had, but the main thing is we're just going to have a fun conversation. And this is going to be an awesome version of the Candid CISO podcast. So I'll kick it off by saying.

 

Tyler Pinckard (00:34.835)

Alright, and I'll be doing the same thing.

 

John (00:55.042)

It's really great to be joined here by the Head of Security and Data Protection Officer of Support Logic and all-around awesome guy, Tyler Pinckard.

 

Tyler Pinckard (01:03.657)

Well, thank you very much, John. Very happy to be here as well.

 

John (01:07.702)

So besides working in cybersecurity and information technology, you've had a pretty interesting set of side projects. Can you share a bit about how you got into the coffee import business and any tips for our audience on crafting that perfect cup of coffee?

 

Tyler Pinckard (01:23.995)

All right, well, that's a very large and loaded question, but let me see if I can unpack that. When I married my wife, she's Colombian, we went down for a honeymoon to Colombia and we went to visit a coffee farm. So I grew up on a horse farm in Arizona. You know, I like agriculture. I was in FFA. Got to make sure I'm not mixing that up with the federal administration. But future farmers, I like farmers.

 

John (01:51.874)

Future farmers of America, would just say lean into it and speak up a little more, man. We want to keep you higher on the green. I'm sorry. Okay. Yeah.

 

Tyler Pinckard (01:53.299)

Yeah.

 

All right, I gotcha. Yeah, no, and I did compete in Creed Speaking once upon a time back in the redneck up inception story on my part. But yeah, went down there to visit and I just couldn't believe how little the farmers themselves are getting paid for delivering A-plus beans, right? This is a commodity product bought and sold on international established markets.

 

Specific to Colombia, they are buying and selling to the coffee federation, right? There was a change in the legal status mid last decade where they started to allow direct exports for qualified folks that could, as long as you pay taxes to the federation. And so the whole concept was, all right, how about we pay more? This gets us better beans, right? We pay a larger percentage back to the farmers and hopefully builds like a

 

sustainable markets so we can keep drinking delicious coffee on a daily basis. So it was a great experience. I went down there with a documentary crew and filmed a documentary which you can find on YouTube called Coffee Shift Growers if you're interested in checking it out.

 

John (03:12.14)

We'll put that in the show notes for all of our folks that are listening into the podcast.

 

Tyler Pinckard (03:16.157)

I mean, ultimately my day job, this whole cybersecurity thing, was getting busy at the same time. So I kind of leaned into what was paying the bills. But I still had a strong passion for coffee and Colombia in general. And with respect to making the best cup of coffee at home, there's a few different approaches you can use. My daily go-to is a stainless steel, double-walled French press. That's my daily driver. Right. And that's because

 

glass stuff tends to break with me. I can be hard on things. And that just makes a really delicious, you know, liter, liter and a half, depending on how much caffeine I'm feeling I need in the morning. Single cup of coffee? It's going to be really hard to argue with the AeroPress. Like if you want to scientifically produce the most perfect cup of coffee you can, it would be using a manual burr grinder, so you can figure out the exact setting you want to the beans to, because that's one of the variables that matters,

 

a thermometer so you can get the temperature exactly right for the water before you pour it in, and then the time in which you let it imbue before forcing it through the filter the AeroPress method uses as well. You'll find, I mean, this turns into a religious discussion really quickly, right? Because there's the espresso purists and then the mocha pot and the Chemex guys, right? And it's like there's no single path to nirvana, right? And

 

John (04:35.33)

pour over people, you know.

 

Tyler Pinckard (04:41.183)

Coffee could be like pizza, where even when it's pretty bad, it's still pretty good. So that would be my tips. The most important thing, start with good beans. You have a regimented process so you can deliver a consistent output on the other side.

 

John (04:58.274)

Well, I think this is something that'll come back in when we start talking about, you know, technology and security, which is the important of kind of measurement and improvements and things like that. But man, I feel like we, if this was the candid coffee podcast, we'd have a whole hour on this and the different things. And maybe we'll come back and do that as a special edition in the future. But I think we should probably get back to cyber security.

 

Tyler Pinckard (05:17.525)

Stick to the Cybers. Yeah, I mean, I could talk about coffee all day, but I can also talk about the Cybers all day as well.

 

John (05:25.216)

Well, I appreciate you starting us off with a good cup of coffee for our listeners who might be, you know, thinking about this first thing in the morning and figuring out how they can start their next day, maybe with an even more perfect cup. So thanks for that, Tyler. So we'll shift from that perfect cup of coffee to kind of a different type of technology. And, you know, I guess I want to start kind of maybe back in the beginning because you can't have the Cybers without the computers. So how did you get started with computers?

 

Tyler Pinckard (05:50.101)

Yeah, that's true. Well, how would I say I would call myself a lifelong nerd? I've been playing games on computers, breaking computers, fixing computers since grade school. I had an internship in high school working for a local computer manufacturing company in Arizona. You probably didn't know this, John. Where slapping, yeah, like instead of going to class for...

 

John (06:13.366)

I'm learning new stuff,

 

Tyler Pinckard (06:17.535)

Four days a week, I would go to this company and slap computers together. I just really love it. I had a small business driving around fixing people's computers in high school, and just getting deeper into it as I go. Like, healthcare IT, and then go to college, do my army time. But yeah, I moved to Silicon Valley on purpose because I wanted to come play the King of Nerd games, and these are where the King of the Nerds reside.

 

Man, feels good. I'm happy to be here.

 

John (06:53.826)

All right, so we got Tyler starting out in Arizona, making it to the Silicon Valley. In between you were in the military. Which branch were you in and tell us a little bit about maybe your service there. Yeah.

 

Tyler Pinckard (07:01.877)

Okay, yeah, sure. So I knew when I was starting my senior year in high school, I did not want to be living with my parents that following year, right? Need to get out of the house. So I go in to talk to the guidance counselor and unbeknownst to me, this guidance counselor was a 24 year retired army aviator, right? And can't, she definitely steered me in that direction, which turned out to be an excellent fit for me. I

 

was awarded an Army ROTC scholarship, which is how I afforded to go to school, and studied computer engineering while I was going through it. Did research in undergrad, had worked here and there while going through it. While I was in school, I was considering whether to go full-time or go try and pursue like a PhD in the academic route. So I switched to what's called a Guaranteed Reserve

 

Forces Duty Scholarship. So instead of going active duty, when I graduate and commission, I would go into the National Guard, which is the quote unquote one weekend a month, two weeks a year, what they call M-Day Soldiers. After doing a little bit of research at Davis, I kind of thought, man, I don't know if grad school is for me. I kind of want to get paid. So yeah, when I graduated, I commissioned as a second lieutenant in the California Army National Guard,

 

branched as a military intelligence officer, and you know, it was life-changing for me. Like, excellent training, excellent experience, and really set me up on the path of success that's brought me to where I'm at today.

 

John (08:46.05)

Well, that's great. It gives us an idea of your background there. I know we've had many stories you've shared about some of your time there. Maybe not ones that you want to broadcast, but is there one learning from your time there in the National Guard that you feel would apply towards either your career or might be relevant to folks that are looking to get into security, whether they've been in the military or not?

 

Tyler Pinckard (09:09.257)

We're all working on teams of people to deliver some unified outcome, right? And the one that I fall back to that served me in industry is people first, was it mission first, people always, excuse me, right? Like how you build high-performing teams is developing a, making people feel safe around you, right? It's okay to make mistakes, and it's not necessarily fatal to make mistakes. This is how you learn to get better. Real growth,

 

real progression happens, not from just crushing it every day. It's stepping into some landmines, analyzing what happens and doing your best not to wander back into them. But yeah, I mean, if you take care of your people, they will take care of you. And this is how you can deliver outstanding performance. Hopefully, right? Some of those knobs you have controls over some of those knobs you can't, but

 

I think ultimately in leadership the idea is to reduce pain for the subordinates to the greatest extent possible.

 

John (10:12.14)

So how was that transition kind of to civilian life and private industry from the military?

 

Tyler Pinckard (10:18.545)

You know, since I did the bulk of my military career as a reservist, it kind of was easy because, I mean, I would go do my military service and then I would come home, put on my, what do you call it, your engineering uniform. Not quite pocket protector, but, you know, name badge on lanyard, and go to work. So it wasn't nearly as treacherous like if I had been full-time, right? Where you've got

 

Now you need to figure out how to go find a house. Now you got to figure out how to take care of all your stuff. And there's ways to make that transition. Like I loved my time in the military. Like the baseline level professionalism that I encountered in the Army Officer Corps is like amongst the highest of any organization I've been a member of at any point in my life. But yeah, like the transition to guard or a reservist, right? You still have some...

 

of that military, I guess, life framework. But at the same time, you still have to take care of your job. You still got to go find a rent. You got to keep your boss happy, right? Take care of your career. So it's like two parallel tracks. And if you try to figure out how you would make that transition, it's not a bad way to go about it.

 

John (11:36.13)

I guess maybe before we kind of transition out of that transition, I'm going to challenge you with one thing. So give us one maybe, I don't know, tough case, you know, where it was either a fail or it was, you know, something in that military experience that became a lesson for you kind of going forward. And you're free to opt out of this question, but I, you know, yeah.

 

Tyler Pinckard (11:59.675)

No. Like what was something that was hard for me that I learned from in my time in the military? Okay so this isn't prepared so let me see if I can rack my brain and dig stuff up.

 

John (12:05.729)

Exactly.

 

Tyler Pinckard (12:14.813)

I mean, it's not so much fails because I didn't actually have that happen to me too much in my time in the army. Right. But the reason you don't have the failures is because you invest in the preparation. Right. Like you, you, you manifest a successful outcome by going through all the required steps to deliver that successful outcome. Right. So any failures you'd encounter is just a failure to plan on the operator's part. so.

 

Like, what did I learn? The biggest thing I learned that has direct implication in my day-to-day job is rehearsals, right? How do you get good at running a combat team to capture a bunker? You practice, right? And you start it, but maybe you're going to go try to set up cones in a square and pretend this is a bunker, right? And then that would be your crawl. You just step through it, and then you'd walk, right? Okay. Now let's come up in a tactical formation and support each other and do it like we would. And then you get to the run stage where it's actually, you know,

 

John (12:42.338)

I mean, this, this, this.

 

Tyler Pinckard (13:11.313)

Maybe there's people shooting blanks. Like you just increase the effectiveness of it. And then the advantages, right? When you hit that stressful situation, when you're dealing with calamity, it prevents you from locking up. Like you fall into that, things that you planned for. like, that was the biggest thing I got out of it is I don't get stuck. We just keep pushing through, right?

 

John (13:40.642)

I mean, that sounds like it would have all kinds of interesting applications to things like let's do a tabletop exercise, whether it's for incident response or a disaster recovery or other things like that.

 

Tyler Pinckard (13:51.103)

So by SOC requirements, I only need to do a DR exercise once a year, but I practice that twice because I want those muscles flexed on my DevOps team, so if shit hits the fan, we know what we need to do. And so, yeah, absolutely. You have to practice those muscles. You don't know what's not going to work until you try and do that restore. And it's much better to find those tripwires when it's not an emergency situation.

 


 

John (14:24.096)

No, I mean, truer words have been said around this kind of thing. And a lot of people talk about that whole prepare, but, you know, it seems like once you get into startup life, and we'll get into that maybe kind of next around kind of cybersecurity strategy leadership and doing that for, you know, a startup, because I know you've been working in a number of environments, but like your current one with Support Logic, you know, you have kind of security, you've got all the DevOps and technical infrastructure, you've got compliance. And I think you added data protection officer recently.

 

Tyler Pinckard (14:53.779)

Yeah, that's me. Now I get to review a lot of contracts.

 

It's funny, it's coming as an engineer scientist, right? Like you're like, I'll just focus in on math, science, you know, I'll be really good at crushing computers. But once you step beyond the individual contributor role, right, the real value to deliver is in the written words, the policies you write, like you don't make changes by just talking to one person at a time. You put out materials that can be consumed by lots of people simultaneously. And it's definitely something I've

 

John (15:00.844)

So I, yeah, go ahead.

 

Tyler Pinckard (15:30.33)

invested some cycles in and getting better at as I continue to develop as a full spectrum cyber security leader.

 

John (15:38.89)

No, I mean, it's, it's, a, it can seem like it's a bit of a cliche and there are people that definitely come from the people side of things, but most CISOs and most technology leaders kind of come up the technical track. so, you know, figuring out how you can operate in that area and then, you know, kind of the stretch into things like contracts. Man, I thought we just brought in lawyers for that. Well, the lawyers don't know necessarily all the technical and cybersecurity.

 

Tyler Pinckard (16:01.508)

And moreover, lawyers are expensive, especially if you're talking startup stuff, right? Like, you're going to ship this contract over one of these 20 you need to review to attached legal counsel. And what's that rate set right now? 800 an hour? I don't even know. I'm just guessing. like, the reason I've been developing these skills and getting good at it is this directly impacting the bottom line of the company.

 

John (16:27.616)

And that, that's a great kind of transition to one area that we often talk about, which is a lot of times, whether it's technology or security, especially security, maybe up until recently, it's been seen purely as that cost center, purely as kind of like a tax. So, you know, how do you kind of address that, especially when the budgets get tight, and, you know, is there a way that you can kind of flex it such that it becomes a competitive advantage?

 

Tyler Pinckard (16:52.373)

Well, if you're dealing in the software as a service space, right, there are compliance, like, milestones you need to achieve in order to sell to enterprises of a certain size. The most common one people run into is SOC 2. SOC 2 outlines a set of requirements that you need to maintain for your business. And this may include like log management, log review, intrusion detection, vulnerability management,

 

yada, yada, yada, I'm sure you guys have done this. Right. So the thing is it becomes a, a, a customer retention and sales crowbar, right? We can't lose these features because this will impact our ability to make new deals and keep the deals we've got. And so that gives you your baseline. Right. Now that defines the lower limit of the expense you need to deliver on the promises you've made to your company. Now advocating for a budget above that.

 

right? It steps into where you're at in the funding cycle of your startup and also, how would we say, executive opinions, right? As you said, up until recently, it's been viewed as a cost center. So it depends. I mean, your job is to advocate for increased spending so that you can deliver a more secure solution to the market, right? But

 

in practice, the crowbars I've used have all been compliance focused. Right. So we had the baseline level for SOC 2. We wanted to get ISO. With ISO, we had to add some additional capabilities. And I mean, either I can spend months to try and build that in-house or you go out and buy vendors to close those requirements gaps. So that was interesting to me to learn in industry. Stepping above the individual contributor level is that

 

The bulk of security spending is driven just by maintaining those compliance that you need in order to fulfill your requirements to your customers.

 

John (18:59.584)

Hey, I think that's important. And I think a lot of people kind of use that compliance driver and customer cases around there. You know, the alternative is, you know, a lot of times we see that people maybe get additional budget and spending if there's been a breach, if indeed they keep their job. Now we're not going to go down that breach path right now, unless that's something you want to speak about, but you know, we have the whole set of issues where now you've gone and picked the best kind of

 

tooling that's out there. And I don't know if you're using CrowdStrike, but since that's kind of topical and been in the news, whatever the tooling is.

 

Tyler Pinckard (19:33.883)

I fortunately was not at this job. I have deployed it in previous positions as well. I think it's a fabulous product, but man, if you fake your way through your CI/CD testing, like the hullabaloo I heard on that, right? Is it went out and it was their Australian team that was active, but they were all on Windows laptops with CrowdStrike installed. So as soon as that went out, all the guys that were responsible for the build couldn't pause it because all their laptops were now in a boot loop. And that's why it went out globally from there.

 

John (20:04.492)

My goodness. Well, I know there's a bunch of people who have deconstructed that, both from the official things that are there and on the sides, but you're hitting exactly on what I wanted to kind of bring up there, which is, you know, a lot of times from security's perspective, we're a stakeholder, you know, in making sure that people deploy things right. But man, it really brings up the importance of that whole kind of testing and making sure that you've got those automated processes in place, not just for security, but baseline functionality. And,

 

You know, I don't think we are at the place where we want to say, well, we're going to pull back from all those cloud services, right?

 

Tyler Pinckard (20:39.413)

I mean, the whole step they missed is they did their driver install, right? But they didn't reboot the computer. So it never hit that null pointer, which is what put it into the boot loop. So it's a bummer, right? Aw, shucks. Testing software is hard, man, right? If you've been working in this industry, you know better than to throw stones, because it's just a matter of time until you're in that glass house getting them shot back at you.

 

It's a bummer. Like they should have been done better. I'm sure they will next time. Right. I'm glad I was not SRE when that that stuff was on fire because I'm sure they had a few, a hard few couple of days and will continue to, to as this grinds through the court on who ultimately is responsible for the systems their customers were running and then stopped working.

 

John (21:28.502)

Well, I guess, as we see with the root of this one, even though it was kind of security tooling, it's core in that CI/CD. So, obviously you guys deliver software as a service. That's got to be part of the way that you're always delivering. And so how do you make sure that security is a first-class citizen inside that, and that you're meeting your compliance requirements, but also making sure that your stuff isn't a vector for your customers to have issues?

 

Tyler Pinckard (21:56.149)

Yeah, well, in practice, you do the best you can. In reality, I am forced to be a member at the table as a function of our compliance that we need to maintain. Like this is in ISO 27001, that security is a stakeholder in software development. I'm in charge of the ISMS, Information Security Management System, and I'm a stakeholder in the secure software lifecycle development. I guess it's one of those axes that I'm starting in.

 

John (22:25.142)

The SDL, SDLC, hey, we've got, as our friend, there you go. Our, our, our buddy, Brooke would, we'd probably call it the SDN, but you know, Hey, all these different acronyms we have overloaded. But yeah. So, so you're, you are then not core responsible for security in the product, but you are the expert that they bring in to make sure it gets done.

 

Tyler Pinckard (22:26.855)

Yeah, there you go. SS, the SSDLC. Thank you.

 

Tyler Pinckard (22:44.957)

Yeah, well, like I sign off on builds, right? And so we have security tooling that's part of our build process, i.e. static and dynamic analysis that runs, right? And then I look at the outputs, and if there's crazy different, no new highs, new crits, we go ahead and give security approval to move forward with the build and push it out from there. Now, that's just the security tooling and part of the build.

 

We're also doing vulnerability management in parallel, just as an ongoing task. Internal and external network scans, that asset management, it's really funny. It's all these really basic level security stuff that really makes or breaks how effective your system is. You're patching, keeping our infrastructure up to date so that we don't have our assets hanging out when they shouldn't be.

 

takes, you got to have a lot of tooling to do the detections, the signals, and then being able to sort the signal from the chaff is not trivial. And it's different for every system you work on because it's really built up over time as the system capabilities increase and you figure out what needs to be monitored in order to deliver successful outcomes.

 

John (23:59.327)

And you can do all this stuff and then you might have some dev or accountant or whatever that gets phished and ends up with another attack vector in the environment. But, you know, I guess maybe we won't go too far now. There we go.

 

Tyler Pinckard (24:09.369)

Humans are always the weak part, man. You know, I am targeted just as a function of my job. You've been targeted as a function of previous jobs you've been in, right? Execute good sanitary, but like the access to two systems is different at each level, right? Devs have different access than my DevOps, which has different access from finance, different access from sales. And so like as part of your security assessment while you're building the system is how do you limit the blast impact of an individual?

 

loss, like, right? Yeah, you say phishing, but the other side of that coin is insider threat, which is also a big one, right? And they're both handled almost the same way. The difference is intent.

 

John (24:51.712)

I got you there. Right. So is it a malicious insider? Is it someone that made a mistake? Is it someone that got fooled by a criminal, et cetera? I mean, to certain degree, it sounds like the challenges are the same in the overall scope running in a smaller startup, fast moving, except maybe things move faster, right? That you have in a larger organization, except you got a smaller team. You got to depend on more people throughout the whole organization.

 

Do you have any other kind of tips for folks that are either in that role or looking to move into that role for kind of that fast growing startup segment?

 

Tyler Pinckard (25:31.17)

and how you'd work your way into the startup space.

 

John (25:33.59)

Will that or just, you know, hey.

 

Tyler Pinckard (25:36.199)

or landing in a new security role inside a startup and how to succeed. Let me tackle those separately because I've got different answers. So, I mean, as far as working into the startup scene, I mean, what worked for me when I got here to Silicon Valley was going to what they call hackathons or startup, like many startup competitions where you get a bunch of people in the room, like, hey, let's make a bunch of teams and try and build a concept to win the contest and whatever this one is.

 

John (25:39.916)

Sounds good, sounds good.

 

Tyler Pinckard (26:03.605)

was what I won from Airbus that got me a trip out to the Oshkosh fly-in, I think back in 2014 or so. Like, it, obviously it was going to be to fly on their electric airplane, but the plane that was going to fly their electric airplane broke, so it just turned into a nice go hang out at the Oshkosh fly-in. But I've met some amazing people in those meetings, and the people that go to those are the ones who've got the spare cycles that are looking to get deeper into the startup. So if you're looking for

 

co-founders, you're just looking to try and dip your toe in the water, that's a good place to start. Startup incubators, makerspaces. An earlier startup I was at was at a place in San Jose called Founders Floor, where we were co-located with about 40 other startups. And it's just interesting connections. I've made lifelong friends from that place. So those would be another avenue I would check out. And makerspaces, there's a

 

similar space in Mountain View out here called Hacker Dojo. And same way, you get to hang out with the cool people and see what happens, makes part fly, right? It's a business, so everybody's got their part to play. But you kind of figure out how to play that by just repetition, at least on my side. Okay. So that's how I would say as far as getting in at least your toe in the water in the startup space here in the valley. I mean, maybe...

 

geographically different depending where you're at, but it would be startup competitions, hackathons, and makerspace like incubators.

 

John (27:30.892)

Sure. But now that the

 

John (27:38.722)

I think that's some, some great stuff for folks that maybe scratching their head or aren't from an area where those things are all out. So then the flip side of it is, okay, you got the gig, you've got some funding. How do you succeed?


Tyler Pinckard (27:50.485)

Well, the biggest thing I would recommend is making sure you're aligned with your leadership, right? How do you be successful in a job? You understand what your boss wants and then you work your ass off delivering the outcomes that he desires. Right? So when I landed here, my objective was to get ISO 27001. We were chasing some big European customers and they have a preference for that compliance as opposed to the SOC 2. And so how do you get ISO, if you don't already have it? You do a gap assessment. What do I require to have that I don't already have? And what do I need to build or change in order to deliver that outcome? Now, I'm using that as a specific example because that was a task that was given to me. Success, right? You got to figure out the lay of the land. You need to understand the technology to the greatest extent possible. When I came here, we were 100% GCP hosted, and I come from nine years of experience being hosted on AWS. Right. And John, one of the things you told me is that's a good thing, right? 'Cause that's going to keep me from jumping into the cloud console and doing stuff, because my job as a leader is not to be adjusting WAF policies. My job is to be directing my team to have those policies adjusted and then making sure we've got that knowledge spread around so we can all share the load. So...

John (29:08.992)

Hey, I appreciate that, that callback to some of the conversations we had earlier around this one coming from, you know, if you're the techie, you're the nerd, it's really hard not to jump right in, right?

Tyler Pinckard (29:11.752)

No, I get it.


Tyler Pinckard (29:18.905)

I mean, I like to fix things. I want to be a helper, right? And if I'm giving too much help, I'm not developing my team, right? And the idea is that I'm not making myself a critical piece in this wheel. I want to be able to go on vacations, right? And if I am the single point of failure, that's not going to happen. And so it's not just me that has to have that information. It's the institutional knowledge of my team, that we can all be able to do this work, share the load, and then we can all take our vacations and enjoy our time off as well.

John (29:51.65)

And that applies not just kind of on the technology side. Like you said, you had one cloud service provider that you're really familiar with, new company, new set, hey, it could have been Azure instead of GCP, whichever. But that applies in other areas like policy, like security training. You can't wear all the hats all the time. It's good to have that experience, but have you applied something similar to the other areas, like as you're getting more and more compliance in the DPO?

Tyler Pinckard (30:20.373)

As much as I'm able, right? Like I can delegate responsibility, or I can delegate authority, excuse me, but responsibility remains mine. So, like, we've got our policy library we built and we got it blessed when we went through our initial ISO audit. And I'm decorating that or adding new capabilities as, like, for example, an AI usage policy, 'cause a lot of our, we deliver AI services today in prod, and a lot of our customers are getting, you know, gently freaked out about it as they learn more about how that happens. They want to make sure their data is not going to end up in a third-party training set, which it absolutely is not. But...

John (31:04.055)

And we'll get back to some of the AI stuff. I got a future section on that one. I don't want to cut you off there too much, but yeah, that's a good one.

Tyler Pinckard (31:08.413)

Okay, cool. No, I'm just using that as an example of, you know, additions to the policies that happen over time as a change, changing needs of the business, right? Like it's a living document, it's never set. And you just, you snap the chalk line when you get to your audits and then prove that you did what you said you were doing in that audit. I mean, over the course of the year, while you do that audit itself.


John (31:32.962)

Well, I do want to shift gears a little bit. And like I said, we're going to get back to some of that AI stuff, but so we just finished that annual gathering of security folks in Las Vegas. That is the hacker summer camp: Black Hat, DEF CON, BSides Las Vegas. And it's interesting because that one has become not just the technology nerds, but I think you and I were walking by and there's a long line to get into the policy village, you know, and there's like lawyers that beat up, you know, it's so I. Yeah.

Tyler Pinckard (31:37.353)

Yeah.


Tyler Pinckard (31:45.897)

Holla my people.


Tyler Pinckard (32:00.627)

No, government, right? Because you have to understand that's, that's, I mean, unless the government's going to war, they're making changes through policy. So we like it when the government makes policy. Right. And so the reason you see a policy village there at DEF CON is because I see my government trying to interact with my people in the computer security space and make sound policy changes on a national, international level that won't impede progress and deliver more successful outcomes for United States businesses.

John (32:34.306)

I mean, hey, we're in an election year, not diving too far down that road as far as the election side of things. It's always good to see the voting machine village and some of the other things that are there where it used to be very adversarial, but now it seems like, whether it's the automotive or aviation industries, they really are embracing these different.


Tyler Pinckard (32:55.453)

I mean, you could be adversarial with the hackers. They're still going to hack your shit, right? It's better to make friends with them. So at least you get the opportunity to respond to the zero day as opposed to it being spoken on stage. And now you have to, you've got with your pants down, right? Like, I don't understand why you wouldn't try and be friendly with these guys. Like I try not to piss them off because it's not typically career enhancing. There's some examples we can call out depending how far back into the hacker nerdery you want to go. But like, it warms my heart. Like last year at B-Sides, I saw the director of CISA, Jen Easterly, on stage with LED cat ears. And I was like, this is a seminal change in my government. Here they are trying, they're trying. My God, look at them trying their best. And yeah, it's still dorky. They're still the government, but I'm a dork too. And I see them trying and like, it gives me hope. I think we will figure out a way through this that doesn't doom us all to some sort of technocratic, authoritarian hellhole. You know, I guess we'll see what happens when we get there.

John (34:04.514)

So it sounds like maybe besides just seeking out some of those, you know, startup-focused hacker spaces and, you know, builder spaces, go to one of these conferences like, you know, Black Hat, DEF CON.

Tyler Pinckard (34:15.023)

My gosh, like, now that I've been going, and it's you and our other associate Mike who brought me into it, right? I will be at that conference as long as I continue to play this game. And it's actually a requirement when I'm interviewing for positions, like, hey, I only ask you to pay for one. It's going to be this one.

John (34:35.894)

I think that's a great thing. And, and, you know, maybe we'll, we'll talk a little bit about that one when we come back to, you know, developing your staff and, like you said, along with delegating, how do you kind of get them charged up? But I want to start shifting gears a little bit, 'cause you mentioned Mike and that, that for the rest of our listeners here, that's Mike Skirka, who's currently the president for Silicon Valley. Say Tyler is currently the CFO. Thank you for your volunteer service there, the VP treasurer. You've been involved with that chapter for a bit, I guess. There's a two-part question I, five years, man.

Tyler Pinckard (35:06.261)

Five years now, man. Yeah, no, I recruit like crazy for the ISSA. ISSA changed my life. And, you know, here's my shtick, right? I joined for CISSP training. A job before I had, when I did the interviews, I was getting messed with technically, and I wanted the nice big stick to bring out on the table to defend myself. Like I get much friendlier interviews now that I've been through that CISSP gate. But I stayed for the vibes. I came for the training, stayed for the vibes, because it's turned into actually the most productive professional networking I found anywhere in industry, to include startup incubators and startup competitions, right? Just as a function of the camaraderie and the mentorship, to include from yourself, that I've gotten there, right? I am successful in my position right now because I have a team of guys with more wisdom than me working to also make me successful. And when you find yourself in that position, it's tricky to winning and it becomes the default outcome.

John (36:11.548)

I think that's good. I mean, I guess you've answered it already. I was going to say, how does this help your career? And maybe, you know, whether it's ISSA or other local security and, you know, I guess community organizations, this is, sounds like something you would definitely advocate for, and specifically ISSA.

Tyler Pinckard (36:29.039)

Yes, absolutely. No, I invest time in this. I am actively developing the charter. We're working to build a student organization with the local Santa Clara University right now. The thing is, jobs come and go, right? If you're just trying to tactically win it, crush your existing job, you'll succeed, right? And then you need to go find your next one, and that can be a challenging experience. Reputation persists beyond individual jobs, right? Every single one of these interactions is additive, even if it's not directly towards, you know, some defined objective right over the hill. What goes around comes around, and help in a community, just, I can only just speak from what's happened to me, right? It's been a crazy career accelerating, like. I'm not even done yet. It's been exciting and it continues to keep building from here. I'm excited to see what happens next.

John (37:29.662)

Hahaha!


John (37:36.796)

I think you brought up a couple of things, which kind of leads a bit into kind of that giving back and how do we fill a bunch of these positions that people are talking about? How do we, you know, make, there we go. Yeah.

Tyler Pinckard (37:48.885)

You got to recruit and build them the same way you do everything. Right. You think they built the first automobile and then they're like, man, we got to go to Purdue and hire these automobile engineering guys? No, no. Right. What do you, what do you learn in engineering? It's how to solve problems using a system. All right. And you can apply this same problem-solving system in different contexts. Now, are you going to pick up some random person and are they going to be a 10X, you know, crush-it rock star engineer? Not maybe, maybe not. You know, you got to find out. But even if they're not, there's still opportunities to contribute in this computer security space. Like spreadsheets. Man. My life lives off spreadsheets, especially in a compliance context. Right. Like, let's make sure we've got all the evidence we need. Who's collecting that evidence? How is this the right evidence we want to submit here? And you don't need to be slinging Python in order to be pushing forward on those successful outcomes in that case. Right. Or maybe you're like a puzzle man, right? Like you want to work on one tight thing. Well, maybe you should be trying to find vulnerabilities, right? And like, there's so many different ways, like ways to attack this job and ways you can contribute to the field. Right. And I haven't met anyone who would not have some ability to provide constructive to any organization. It's just figuring out how best to make use of their skills.

John (39:18.038)

Yeah. And, I think it's important for us to, kind of bring that up, which is not everything has to be super technical. In fact, a lot of the. Yes. Yes. Here we go.


Tyler Pinckard (39:24.981)

And it shouldn't be, right? You're going to, when it is, what you're doing is reducing your audience set from 80 down to 20, or even tighter, depending on how nerdy we're getting on that field. If we want to get into like MOSFETs or quantum effects or crazy stuff, right? I believe you, I believe you. I'll keep dropping, dropping little jelly beans on the way there. Right. But,


John (39:41.743)

We'll get back to the quantum and AI, promise. We'll get there.


John (39:49.538)

But I want to stay with people for a minute, right? And so like, yeah, yeah, yes, exactly. Okay, okay, yep.


Tyler Pinckard (39:51.925)

No, no, no, I'm coming back to that. Give me a sec. Bear with me. So one of your jobs is to assimilate very complex things, break them down into simple blocks so that you can increase the consumption of that information across the field. If you just go around saying phishing, say 20 years ago, and people didn't know what that means, people are like, I don't know what you're talking about. It's like, hey, be careful with emails you send, because if you click them, you can have bad things happen in our network. Like, you can connect these dots to make it easier to be consumed by a wider audience. And that's our job as leaders in this space. Like it's too easy to just hide in the technicals. Trust me. I know. Like you got to be able to explain it to a kindergartner, or is this like, what are you doing?

John (40:48.759)

So I have some thoughts about this and I don't know if it applies in your current place, but you can recruit out of other parts of your company, right? Both by implanting people that have security consciousness and compliance consciousness and other teams. But I've found some of the best folks coming out of like a customer service team or someone who has no security experience, but knows how to do training. And have you been able to tackle that? Cause we're talking a lot of tech here, but let's talk on the human side of things, right?


Tyler Pinckard (41:15.828)

Yeah.


Yeah, have I recruited from inside the company? Not in my current role, right? Because I'm not trying to upset the other leaders, right? We're all pretty protective of our people. But I have seen that work, especially in earlier positions, because in security, right? This is still customer service. Who are my customers, right? It's my leadership and my auditors.


John (41:30.626)

Hahaha.


Tyler Pinckard (41:48.925)

Right? Like I'm delivering good security services to the employees of my custom, my company, but like they're not writing my performance reviews.


John (41:59.082)

Okay. I think, I think we've, we've maybe, gone down this path enough. So I said, we'd talk about kind of the future of cybersecurity AI, the role of a CSO in that. So, you know, we have seen this explosion of AI and gen AI related technologies. It feels like it's a little bit peak, like it was peak cloud. Everything was cloud for people that weren't cloud, but now we just live in the cloud. There we go.


Tyler Pinckard (42:20.711)

That's AI and SBOM, man. Having just come back from Black Hat and DEF CON. Yeah, it's AI and SBOM. Yeah, I mean, it's just the current marketing flavor of the week, right? What is the marketer's job? It is to try and get eyeballs and attention. And if AI happens to do it, people are sticking it in there. Really? With the development of these really complex LLMs. I think what was the ChatGPT? Was it version three? Three is when it really, like, people started getting in front of people and they're like, wow, this is it, right? Still going to be able to develop good business outcomes. There's a big lot of fear right now that these AI tools are going to automate a lot of jobs away. And that might happen, right? This is part of the creative destruction that Silicon Valley brings forth. However, as a fan of disruption, right? Hashtag disruption, like, so hot, just like those AIs and SBOMs.

John (43:24.588)

Hahaha.


Tyler Pinckard (43:30.321)

I would rather be on the disrupting side than the disrupted side. So, yeah.


John (43:36.236)

So you see this as a way to potentially have some competitive advantage? Are you using anything there, planning it kind of?


Tyler Pinckard (43:41.415)

Yeah. No, I mean, I, again, deliver AI services as a living today. And the way I use, we use it inside our product, right? As we're delivering signals on customer interactions, typically from support, we do like a neuro-linguistic programming to detect, you know, the happiness of the words and this context, and then be able to use that to predict escalations. But we have some features that utilize LLMs specifically in the context of case summarization. Say if you've had a support ticket open for three weeks and you've got 80 emails back and forth, right? Somebody new comes in, they're like, what the hell is actually going on here? Push button, read all that, get a one-paragraph summary. Yeah, exactly. Right. And so that's my perspective on how we use AI.

John (44:25.73)

instead of trawling through like the 12 pages of, you know, transcripts or other things like that, right?


Tyler Pinckard (44:36.871)

inside the enterprise today. You want it to deliver like concrete, specific outputs, right? That typically aren't generating automatic changes on a system. They're still going through a human to do sanity checking before you take any action on it. And since we're delivering signals that are read by people, those old, it's a pretty safe use case for it. The other one, right, because you want to make sure that customer data is not going into the training set, you pay for the pro API version. So you're not using the free one, you're paying for the real one, and that's so that you can have confidentiality on those inputs you sent into it.

John (45:16.61)

So that's a great way of kind of bringing back some of those basic fundamentals, know, the confidentiality, the integrity, the security of not just your data, but your customer's data in some of these new environments. And, you know, that sounds interesting. I guess, you know, there's been a lot of talk about how different security service and tool providers are making use of this too. Anything you think unique there, or is it kind of more of the same?


Tyler Pinckard (45:45.333)

I mean, I'm seeing the onset of it. There's been no like earth-shattering, my God, everything's different now, right? But it's like enhancement of existing capabilities. Some of the cooler ones I've seen is like using LLMs to automatically fix static analysis findings, right? Because like if you've got a big mature code set, you run it through a static analysis tool, maybe you'll come back with 30,000 findings, right? Depending how big this set is. I mean, it could be any number. I just throw that out there random. Who knows what it would actually be. But right now you assign a senior-level security application engineer, not a cheap bill rate, right? And let's say he's able to work through maybe 20 of those a week. And I think that's optimistic. That's a lot of weeks, right? I'm not going to do the math, but I think it would be longer than that guy would be alive. So you can throw more people at it. But as our buddy in The Mythical Man-Month told us, right? You can't throw nine ladies to make a baby in one month. Like there's a decreasing efficiency in adding it. Like a company I met at a security conference in Santa Clara earlier this year, Y Combinator funded actually, what they're doing is using LLMs to do the static analysis and then automatically make the git commits to do those changes, right? You still have to go through the two-party approval to merge those commits in. Like the kind of stuff that you can automate, the drudgery of the work, to make the people you have, right, focused on the bigger prize instead of just having to constantly do the boring security stuff that is so important to delivering those secure outcomes.

John (47:28.212)

It seems like we, like you said, we're still early days. There's lots of interesting stuff there that people are figuring out. How do they secure their use of these models? Just like they would any other technology, how do they protect their customer data? But then the applications from other areas, you know, it's interesting. I think, you know, maybe one of the things I'm taking from this, and tell me if I'm wrong, which is, you know, don't fear the new, figure out a way to apply it. If your company's not doing it a whole lot, like one of the CISOs in one of our groups, I know, wanted to experiment with some of this, had some cycles themselves and applied it to contract review. Right. And so just, I'm sure there's a product out there somewhere, but he was able to kind of dive in and have a look at it.

Tyler Pinckard (48:02.346)

Mm.


Tyler Pinckard (48:06.995)

Yeah, like the one I'm waiting for someone to make would be a policy generator tool, right? Interview me, push button, get policies, and now your job to get your compliance is just enforce those policies, right?


John (48:12.864)

Ha


John (48:20.69)

We still somehow need to get the people to carry it out, tying us back to the people side of things.


Tyler Pinckard (48:23.433)

Well, yeah, I know, like, it's always the squishy parts, the people, right? But now, now at least you don't have to struggle over getting the words on paper, which can be tricky. And you can do that yourself with, with OpenAI and just like guide it to help you write, if generating words is a tricky thing for you. You can use those training wheels to accelerate, just make sure you're not leaking confidential information into the training set. Dot, dot, dot.

John (48:51.478)

There we go. Well, who knows? Maybe we'll end up with, you know, the security analyst prompt engineer will be a new category here of cyber jobs, as it were. Let's see. I guess, you know, before we shift to, and I'm not sure we're going to make it in this one to the, we'll have to get Tyler back to talk about some quantum stuff. 'Cause I, I saw him talk about that at a conference there, down there in Bogota last year. And it's definitely, it's a whole nother hour topic for us, but sticking in the AI

Tyler Pinckard (49:11.028)

That's all right.


John (49:20.896)

kind of area. So if you're a leader who maybe hasn't dipped their toes in, how do you even kind of start making sense of this with this quote-unquote new age of AI and LLMs and generative AI?

Tyler Pinckard (49:35.285)

I mean, if, if, if you've got programmers working for you and you're not already paying for GitHub Copilot, you are deficient in your leadership skills. Like our job is to make our technical folks as efficient and effective as possible. Right. And 10 years ago, that was buying them a second monitor. This year, it's making sure they're using GitHub Copilot, and pay for the pro one for the same reason, so your data doesn't leak into the training set. Right. But that's the easy one. Like how do I win? It's by making my guys as effective, AKA as dangerous, as possible. And so I'm always willing to try out new tools, new ideas, right? We still have to maintain our security. Got to make sure we're not going to be leaking stuff where we shouldn't be, right? But you can use like NDAs to provide little frameworks. You can try things out without actually having to have a fully onboarded vendor. Right. But the way I would say is, if you're personally curious, go fire up ChatGPT and start asking questions. You might be surprised where it would take you. I mean, it was revolutionary to me at a, I saw a coworker at an earlier position, AWS console, ChatGPT. And so he would write questions, output would come into ChatGPT, and that would go into the input into AWS. And I was like, holy shit. I'm not comfortable doing that, but it's amazing that's working for you. And I can only imagine that that's going to become more effective and more widespread as time goes on.

John (51:07.724)

Well, it sounds, it sounds like, you know, in your case with SupportLogic, kind of core to the business has been applying these different machine, you know, techniques and things like that. So it's less of a cultural change. There you go. All right. I guess I want to tie it back to, you know, one thing where we were talking with people, right? So, and.

Tyler Pinckard (51:16.861)

I mean, what we say, we were doing AI before it was cool.


John (51:34.594)

How do we kind of expand that tent, you know, to make sure that we've got people coming from, you know, different communities and, you know, you and I both, you know, we're, we're a couple of white dudes here, but, you know, we come from some different backgrounds, not necessarily as privileged. I, I'm really happy when I see more women, more people with diverse backgrounds. How, do you see that as a, as a way to kind of help security win? Or do you, you know.

Tyler Pinckard (52:00.551)

Man, I wish I could find some... No, absolutely, no, I mean... I don't want to step in any culture war landmines here, right? But the reason you invest in diversity in a corporate environment is because diversity of opinions allows for a more successful outcome. I am not aware of the holes, that which I don't know, right? Those unknown unknowns are the scariest risk to me, because I can't even see those bullets coming at me from the dark. And the way you reduce the risk of those coming at you is you put people around you that have very different perspectives. Right. And the easy way to do that is just a function of diversity. Right. I want people who don't think like me around, because together, like, I want to be able to produce, you know, as, as perfect of an output as possible, you know, within the context of being a human and not being able to produce perfection. Right. And so that's why we want to develop diversity and invest in this. Now in practice, how do I do it? Well, like I go hang out and support the Blacks in Cyber when we're at DEF CON, right? They had a kick-ass pool party. Like I got friends over there. I mean, in practice, you do the best you can, right? You go out of your way to make sure you're making the tent bigger, not smaller, right? There's room for everybody inside this space, right? One thing I'll say, right? Cybersecurity. We are the land of misfit toys, right? We all have our individual features. Tend to be a fairly neurodivergent set of folks, right? And so the diversity is how you can fill some of those gaps that might just be a function of your human programming that you're blessed with.

John (53:48.002)

Well, there's a callback to one thing you were talking about in context of the ISSA, right? Which is, so, you know, I've been involved with that Silicon Valley chapter for a long time and we've had different kind of student groups come and go. And I'm really excited to see that build up again, because, you know, Santa Clara University, hey, you know, private university in the area, but also San Jose State. And also we've had connections with like Cabrillo College and different community colleges and seeing that stuff happen. And I think the same encouragement goes to people that may be listening that are students that are not really in that career set already: go to those makerspaces, find those locations and talk to someone, ask them, right?

Tyler Pinckard (54:25.075)

Yeah, absolutely. I mean, I've gotten here as the function of the old guys telling me what to do that let me get here. And the way you pay this forward is I do this for other folks and help them try to get to where they want to be.


John (54:41.548)

Well, man, I feel like that was a little cathartic to me. I don't know. We'll, we'll see how much of this makes it into the final cut. No, we're generally live to disc. So, and very candid. So I guess I'm going to close with, you know, be as candid as you want, maybe a call out to folks who are, you know, in security, any last Tyler thoughts for, for closing out our Candid CISO podcast this time.

Tyler Pinckard (55:06.727)

Yeah, let's see. Shout out. Well, I want to give a shout out to John first and foremost. Thank you for having me on. Beyond just this interaction, like your wisdom, your mentorship has been very important to me.


Tyler Pinckard (55:25.405)

What would I say? You give what you get, right? You want to be successful, you're not going to get there by being asleep at the wheel. Like life rewards active participants. So swim upstream, row row, fight the power. If it was easy, everyone would do it. Right? So it's good to do hard things. But at the same time, don't forget to have a good time. You can do both.

John (55:52.116)

Excellent. All right. So we can have fun while we're doing this whole cybersecurity thing. In fact, it seems to be driving a lot of things and, you know, the annual gathering there of DEF CON and B-Sides definitely shows us that, man, like you were saying, the Blacks in Cyber village at DEF CON, where, you know, you've got the CISO for the city of Philadelphia there, you know, kind of in full goon dress and bringing people in. That was awesome.

Tyler Pinckard (56:15.539)

Yep. Yeah. SWE is another one. Like I was in, I did some, some payload software development back in my undergraduate days as well. But I mean, yeah. The way you open the tent is you go out there and try to open it. Right.


John (56:35.638)

Awesome. Well, Tyler, thank you so much. It's been awesome having you as a guest here and we'll close it out by saying stay candid and thanks for all your great conversations and look for our show notes. We'll have a couple of links to Tyler's coffee exploits as well. So you can figure out how, where the beans really come from and how to make that awesome cup.


Tyler Pinckard (56:58.015)

Thanks again, John. Cheers, man.


Tyler Pinckard

Head of Security, DPO

Tyler Pinckard is a Systems Engineer and Silicon Valley veteran of technology companies of all sizes and all stages (from seed start-up to series A to late stage through IPO) currently working as a security and devops leader at SupportLogic.

Interests include beagles, blockchains, computer security, crypto, and skiing. He is a former U.S. Army Intelligence Officer with degrees from UCLA and Embry-Riddle Aeronautical University. He holds a CISSP along with other industry certifications.