Cloud Security Today

Dr. Zero Trust on zero trust

Matthew Chiodi Season 5 Episode 1


In this conversation, Dr. Chase Cunningham, aka Dr. Zero Trust, shares his unique journey into the cybersecurity field, emphasizing the importance of purpose and self-care in a high-stress industry. He discusses the challenges of implementing zero trust strategies in organizations, the significance of understanding offensive tactics to enhance defensive measures, and the need for systemic change in national cybersecurity. Dr. Zero Trust also provides valuable advice for aspiring cybersecurity professionals, highlighting the supportive community and the importance of continuous learning.

Takeaways

  • Zero Trust is a strategy, not a product.
  • Self-care is critical in high-stress environments.
  • Understanding offensive tactics is essential for defense.
  • Start small when implementing Zero Trust.

Matt (00:00.783)
Chase, welcome to the show.

DrZeroTrust (00:02.54)
Hey Matt, thanks for having me on this, so this should be fun.

Matt (00:05.739)
I am, I'm looking forward to it. So I think we've only met in person one time. Was that this, that CSA event?

DrZeroTrust (00:11.414)
Yeah, you were giving a talk on Zero Trust and I carpet bombed and dropped in there and you know, just looked around.

Matt (00:18.893)
You did. You came in and sat. That's right. You sat in the front row and I thought, my God, here I am giving a talk on Zero Trust and Dr. Zero Trust is going to sit right in the front row. Thank you. Thank you. Well, thanks for coming on. I really appreciate it. First of all, I think you have a really cool background, really diverse background. I actually wasn't aware of it until I did some of the show prep today.

DrZeroTrust (00:29.356)
It was fun. You did a great job. It was awesome.

Matt (00:45.615)
Starting out, you were a Navy chief cryptologist. You've done work with NSA, CIA, and now you're a leading voice in cybersecurity.

DrZeroTrust (00:56.14)
I'm a voice. How much leading I do is a different story, but I'm a voice.

Matt (00:59.983)
Well, I follow you at least. So, and I appreciate that. I'm curious what initially drew you into the world of cyber, cyber operations.

DrZeroTrust (01:09.868)
You know, honestly, it was kind of a fortuitous mix of insanity that everything put me in the place where I am now. I tell people all the time that I think most, some folks wonder if they're blessed. I know that I am because I started out my career in the military as a diesel mechanic. Funny enough. Yeah.

Matt (01:27.887)
I didn't know that.

DrZeroTrust (01:29.728)
And long story short, the way that I got into cyber was I fixed a problem on a controller that we had by stealing someone's laptop and changing some settings, which is illegal in the military. And the person who ran cyber on our ship happened to see me do this. He, instead of, you know, punishing me, saw that there was an opportunity for maybe a different career field. And he was kind enough to, you know, let me sweat bullets for a couple days and then start me on my path.

Matt (01:58.415)
That's really awesome. That's a good leader. I think when they can, when you can kind of see the big picture for what the person's doing rather than try to penalize them for something that was really good, actually.

DrZeroTrust (02:05.911)
Yeah.

DrZeroTrust (02:09.896)
He could have crushed me. I mean, honestly, I spent about three days just sweating bullets, like, crap, man, I'm going to Leavenworth.

Matt (02:18.671)
So now the question I have is, do you still use any of your diesel mechanic skills?

DrZeroTrust (02:23.51)
You know, I've got a 1970 Oldsmobile Toronado out in the garage that I do some work on, and I do work on my motorcycle and stuff like that. So I can still turn wrenches when I need to, but you know, I don't consider myself an engineer much anymore as far as engines go.

Matt (02:41.379)
Well, I think I'd be curious, you know, with that background that you have, what, what were some of the things that you picked up early on? What were those key lessons that maybe you still use today and apply to your work?

DrZeroTrust (02:55.32)
I mean, the biggest thing for me that I think I learned early on in the military really was that I continually see the issue that we have with people talking about the lack of human capital, whatever else, it's because we're so myopic in our vision of who can do the job. Like I said, I was a diesel mechanic. I'm a farm kid, man. If I can do it, anybody can. We just have to give more people the opportunity. And then on the follow-on side, I was lucky enough when I came out of the military that I was doing Red Team stuff.

I don't think enough people give credence to the value that you can get from red teaming and actually trying out systems from the perspective of the adversary. We try for perfect defense and we try for no breaches and all those things and it's just not possible. You're never ready for a fight until you've been in a fight and I think that that's what people should spend more time doing and that's why Zero Trust stood out so much to me. It was the first time I really looked at ZT from the perspective of an adversary like a red teamer. I was like, man, this...

Matt (03:43.405)
you

DrZeroTrust (03:54.656)
If a system was built this way, maybe miserable, I quit. And then it was like, okay, there's something to this.

Matt (04:02.287)
It was interesting. I was looking at, I always troll my guests' posts just to see what's, you know, what's something interesting they're talking about. And again, this is one of the things I love about you. You speak your mind and I respect that. But one post that I found really interesting was a post on purpose. It was a post basically talking about, you know, it's the new year, people are talking about resolutions. And you said how this year you chose the guiding word

purpose. Last year was value. Talk a little bit more about, like, how did you arrive at that? Again, so many people talk about resolutions. We all laugh because we know they're typically gone by, you know, the third week of January. How did you arrive at this one word?

DrZeroTrust (04:48.206)
Yeah, so it's a few years ago I started really trying to do this because like you said, I think they actually have a term for it. It's called, Quitter Friday. It's like the second Friday in January where everybody just gives up which we're already kind of there. So I mean, I think that for me that was one of those things of well, there's so much stuff that I could try and do and basically I'm kind of setting myself up for failure. Like typically we look at, I'm gonna save $100,000 this year and you know, five pandas from the nearest zoo and whatever else and in reality...

Matt (04:59.364)
Yeah.

DrZeroTrust (05:17.294)
You know, you're probably not going to achieve those goals. Whereas to me it just made sense if I said, I want to base everything that I try and do this year around one guiding principle, I can do that. And if I don't do it perfect, it's okay. But the good thing is the majority of my decisions were around that one thing. And like, value was the one for last year and I did okay with that. There was some stuff where I missed, but in general I think I did 85% good on my value sort of side of it. And now for me really right now it's purpose, just because

I'm like everybody else. I think a lot of times we go really hard at something because we think that there's a reason for it to be good, when in truth we're just doing it because we kind of want to achieve that objective. And I'm, like, my wife would tell you one of the worst things about me is, like, if I don't have something to go after I'm a miserable bastard. So having a purpose and having a reason to do things is real critical, and I mean that in my

work with my family, my work with my job, anything I could do to help others. I just think that having a purpose is going to be really.

Matt (06:21.903)
And I guess the benefit of only using one word is that it's not hard to remember.

DrZeroTrust (06:27.22)
It's clear, it's concise. I write it on a yellow sticky and I put it on the door coming into my office and I put it on my desk, and that way at least twice a day I'm seeing it and reminding myself, like, that's it. I mean, it's way more, I think one word is way more clear to you than trying to have a bunch of things you're trying to aspire to.

Matt (06:49.753)
Yeah, I would agree. And I know that there's, there's power in writing something down, right? There was this famous research, I think that Harvard did 30 plus years ago about people who had goals in their head, people who had goals written down, people who had goals written down and reviewed it regularly. And there was a massive difference between those three or four categories. So I appreciate you mentioning about having it in strategic places. So you're thinking about it frequently.

DrZeroTrust (07:17.26)
Yeah, there's times where I'll sit down and I'll look at it I'll be like, God! And then I'll just take a second and I'll go, Alright, what's my purpose? You know what I mean? Like, and it could be, what's my purpose in this next call? But at least I take a second and go, Alright, let's realign. Like, follow that, you know, same thing.

Matt (07:24.845)
Hmm.

Matt (07:34.297)
So I'm curious, you use, so you don't set goals per se for New Year's resolutions, but when you think elsewhere in your life, do you use goals or is it just, how do you look at goals in general?

DrZeroTrust (07:46.478)
I think goals are good but I think most goals, especially for me, are... there's so much change that happens, especially now we move so fast that having a goal, especially like I can't stand when people talk about stretch goals. Like you can't keep moving the goalposts and expect me to achieve, you know, what you're trying to put out in front of me. So I'm just very big on clarity, brevity and you know, mission and if I can figure out what that looks like, then I'm good to go and...

Having a goal, you know, set something that you can achieve that's not beyond the pale. And then, you know, it does... I tell my kids all the time, I'm like, when they do something good, I'm like, look, take a second, take the W. Like, enjoy that you achieved it. Because usually we're like, okay, what's the next thing? Like, no, just take a minute. It's okay to take a day or however long you need and sit back and go, like, I got there.

Matt (08:42.223)
Appreciate that. Yeah. I think you're, uh, you're right. I know that that's the way I am. I've always been a goal-driven person. And the hardest thing for me is to stop and celebrate. It's like, I see it, I hit it. All right. What's next. What's next.

DrZeroTrust (08:55.854)
Well, I openly admit like when somebody says, you a team player? Like, I don't like team sports to be perfectly frank. I would rather, I like golf, I like lifting weights. I like that type of stuff because it's me. I hate it when I play a game and somebody loses for us. You know what I mean? So I think there's also a self-realization factor that has to happen there. And it's okay. If I'd rather have somebody tell me I'm not a team sport guy, then, oh yeah, I'm a team player and you put them on a team and they don't play with the team.

Matt (09:24.877)
Yeah, that's self-awareness. And I think that comes with time and just, quite frankly, being honest about who you are. So there was an article that you wrote recently talking about US cyber warfare and about the cyber cluster that's going on. You used a little sharper language than that, but really it painted a very stark picture of some of the challenges that we face here in the United States.

DrZeroTrust (09:29.73)
All the gray hair in my beard, you know?

Matt (09:54.367)
I'm curious, maybe you can give us just a little bit about what was some of the context for the article. And then I'd love to hear from your perspective, if you had carte blanche to implement your top recommendations tomorrow, like what would they be and why.

DrZeroTrust (10:09.548)
Hmm, fun. So yeah, the impetus for the article was I had a couple of magazines and publications up on the Hill that asked me if I would write an op-ed and I was like, sure, cool, I'll write an op-ed. So I wrote what I thought was a pretty, you know, well put together, crafted op-ed, sent it over, and all of them said no, we're not going to publish this because it's a little bit too kind of calling people to the carpet. I thought, all right. Well, if you won't, then I'll just post on LinkedIn and we'll see what the masses say.

So that's kind of where it went, that's where it came from. That was supposed to be an op-ed in one of the major publications around here, which, whatever. And it was pointed just to hopefully maybe get the ear of someone in the coming administration and say, look, there's a way to fix this problem, and that's why I left the very end of the article. I said these problems are fixable. We need to do something and it's no more bureaucracy. It's no more just dumping money down the, you know, well of trying to solve the problem.

We need strategy and execution and authority, and then we can do those things. And I mean, I'm an American, I'm a patriot. I can't stand the fact that last year about 90 Americans died because of ransomware activities on hospitals. They couldn't get care or they refused care because systems were down. You know, if a Russian Antonov plane dropped a bunch of Spetsnaz guys on some hospital in Kentucky, you can guarantee that'd be an act of war. But because it's cyber, we just kind of go, the nerds, you know, they'll figure it out.

Matt (11:20.879)
Yeah.

DrZeroTrust (11:35.598)
That's not the way to do this. That's the wrong approach. And I think we need systemic change to be perfectly frank. And it starts at the top.

Matt (11:43.727)
So there's no shortage of talk. There's no shortage of NIST documents that are talking about what should be done. Is it, you know, how much of it do you think is endemic of just the fact that we have an extremely large government? If you look at the size of government, look at the size of the Department of Defense, how much of it do you think is just sheer size of the organization? I mean, if you think about the size of the DOD network, that attack surface is larger than probably anything else in the world.

How much of it is that versus, you know, it's certainly not a shortage of money either, right? You look at how much the government spends on cyber and it's probably the largest in the world.

DrZeroTrust (12:17.827)
No.

DrZeroTrust (12:22.7)
Yeah, it's a tenth of the overall budget for, you know, the DOD, which is a staggering amount of money, and where we're really at, what I see from my experience, is we have a lot of bureaucracy, we have a lot of checklists, we have a lot of compliance initiatives, but we don't have a lot of action, and we have leaders that are not enabled to actually do anything, and that's a problem. I have, you know, I wrote it in the article, like we have border czars and economic czars and all these people that are the point people to do whatever, which is fine.

We don't have a cyber czar. Matter of fact, I looked and I reviewed it. I couldn't find a single reference to anyone coming into the administration that was tasked with cyber for the next administration. There's people leaving from the current one, but who's the new people? And that's a problem, because cyber is where the war is fought now. You don't send people in, you do it via digital. And most of the time, too, there's this weird...

misconception from people. They say, well, CISA is going to do this, or the FBI, or whatever else. The problem is those organizations, and I think Jenny's really talked about it, they have so many hoops to jump through to actually do anything that it's almost prohibitive. Like, the ability for them to do simple stuff is just not there. I do stuff from my house all the time on my own podcast that I sit there going, like, why is CISA not doing this? And it's because they

can't, because they can't ask for the authority. But technically, which is weird, it's not illegal. I can do it, one person at home, but CISA, the organization with a billion dollar, you know, budget, they can't do the same thing.

Matt (13:55.969)
Yeah, it's almost like they've handicapped themselves with the amount of bureaucracy and red tape that at one point was likely there for some good reason, more than likely, maybe. And then over time, yeah. Well, Nic Chaillan has been a big critic of the DOD and whatnot for the last couple of years, as well, across many different areas. So I think there's some unison there in those comments.

DrZeroTrust (14:06.382)
I mean, I think it was well-intentioned, yeah.

Matt (14:23.555)
Where does, you know, so you're synonymous with zero trust. Where does that fit in? Where does that fit in with all this? So obviously the government, they've talked about zero trust and there's been a lot of money that's been spent on it as well.

DrZeroTrust (14:37.486)
There's a lot of progress that's gone on in ZT and the government. I give Randy Resnick and Dave McKeown and those folks a lot of credit because they have done some really good leadership in that space and they've put a lot of ZT in place. I think the US Navy is pretty far along, US Air Force, Marine Corps. So some of those major combatant commands. There's a DOD ZT program office, which is an interesting piece too. So they're doing it and it's a large rollout. However, I still think that there are some glaring holes in their overall strategic approach and I've submitted

paperwork and documentation up the food chain to see if we can fix and plug any of those, but it's better than nothing and we're moving in a direction that at least makes sense. I think we're still a number of years from getting towards an end state that looks like what ZT is supposed to look like, but this is a, you know, a sea change that needs to happen and they're starting to see that there's value in that approach.

Matt (15:12.91)
Hmm.

DrZeroTrust (15:31.168)
And honestly, if somebody fights me on ZT, I tell them all the time, like, I think you probably don't realize that you live in a zero trust mindset. You just don't give yourself credit, and they're usually going, like, what do you mean? So, you know, let's imagine you're sitting at your house, chilling, watching football, and somebody just rolls up in your driveway and comes and knocks on the door. Do you just open it up and let them in? Like, you don't validate who they are, why they're there? And then once they do get in, do you let them just live in your front yard? Like, no, you know, they do what they need to do and they go away.

Matt (15:39.544)
Hmm.

DrZeroTrust (16:01.196)
Unless you're just trying to get murdered in your own house. But I mean, that's not what we want to do. So, you know, we live in a not paranoid, but in a zero trust sort of approach to the world. Why can't we do it in cyber? And cyber is built for this.

Matt (16:17.145)
What do you think most organizations, and let's contextualize this to even like Fortune 1000, like from a Fortune 1000 perspective, what do most organizations still get wrong when implementing Zero Trust, or maybe not even implementing it, thinking about it, creating a program? What do they still mostly get wrong?

DrZeroTrust (16:36.206)
Most of the time they usually have drunk way too much vendor Kool-Aid and they think that they can just go buy it and turn it on and then they're ZT'd, and that's not the case. I mean, it's not a product, it's a strategy. I think where they also go wrong is they usually try and go too big too fast, and that just makes people miserable when you roll out, you know, weird controls of things that don't work and problems. Like, I did a ZT workshop with a bank, and that was a huge bank. They wanted to start their rollout with 5,000 users and I was like, whoa, like, let's do 50.

Matt (16:49.657)
Hmm.

DrZeroTrust (17:05.87)
And of course for them that number was so small they, you know, almost didn't bother. But the good thing was, if you got it right at 50, you get it right at 100. You get it right at 100, you get it right at 500. You can kind of grow from there. So being, you know, strategic about it, being very programmatic about the way you approach the problem, and then asking the question of, is this really something that is going to intercept the adversary where the adversary lives? A lot of security technology, especially nowadays, is

layered on top of tech that will potentially remove the ability for the adversary to be continually effective. That's probably good enough. You don't have to be perfect here. I've got to survive longer than my neighbor. A rising tide does not lift all ships, but as long as my ship's floating, you know, life is gravy.

Matt (17:53.711)
So where do you recommend most organizations start? You said, you know, don't try to boil the ocean. If you've got a thousand users in your organization, don't try to roll out to a thousand, maybe start with a hundred in a thousand-person organization, or even 50. Where should organizations start from a systems perspective? I know a lot of times they look at systems like, hey, these are my business critical systems. How should they start thinking about, you know, okay, let's scope it down as small as possible

to see if we can get a proof of concept right. Like, how do they, how should they go about the scoping?

DrZeroTrust (18:26.456)
So this is where John Kindervag, the Godfather himself, and myself differ on our opinions. John's opinion is, find the critical stuff, work your way outward and go from there. I'm of the opinion, having been a Red Teamer, figure out where your most likely avenue of compromise is currently and work your way into the system and then apply controls which will enable segmentation. Because in my opinion, you're trying to stop a breach from getting really bad, really fast.

Matt (18:32.079)
Hmm.

DrZeroTrust (18:53.614)
I also find that people, when they try and say, you know, from the original approach of, like, let's take care of the data first: define data in your organization for me right now, this second. It's very dynamic. It's very ethereal. It changes. Something of value to you may not be of value to me. I think that that's a very hard moving target. But if I look at this from the perspective of, programmatically, where am I trying to defend? I'm trying to defend my enterprise. Okay. Where are bad guys going to come in from? Well, statistically speaking, over the last 10 years, it's going to be

bad usernames, passwords, and people clicking on links, and just general unpatched software. Where should I begin to apply my controls and work my way backwards? You throw in cloud and the infrastructure size gets really, really big really fast. So, you know, that's kind of my approach to it. I'm a fan of technologies that fit into that model. But I also remind people, too, like, you're in charge of your destiny. No one should be telling you, you know, what is going to work. You probably already have a lot of controls in place.

Start figuring out how those are going to benefit you and then work to make sure that they are strategically aligned.

Matt (19:59.691)
Is there, I know there's a lot of different frameworks that are out there. There's a zero trust maturity model that came out in the last, I think, 12 to 18, 24 months, I forget, sometime in the last two years. There's that model. Is there a model or framework that you recommend, that an organization who maybe has an effort around this, that you recommend they can start to go through?

DrZeroTrust (20:21.292)
I think really there's kind of a curated approach to this. So like the Zero Trust Extended Ecosystem Framework we published at Forrester does a good job of looking at the market writ large. I think that that's worth looking at. I personally think NIST 800-207 is a really good document to work off of. And then if you look at the Zero Trust Strategy for the DoD, that's a very useful document to start wrapping your head around there as well. So those are big things, and people sometimes will go, well, I'm a small business. That's, you know, like

Barney Fife with a nuclear weapon. Yeah, but there's tenets and approaches and best practices that you can use and work your way forward from there. And then there's a lot of really smart people like Jason over at Numberline Security and the folks that publish the book on ZT. So there's plenty of material out there. There's no reason not to be educated and informed.

Matt (21:11.523)
One of the things I've heard and I've seen, I've witnessed both in the talks I've done on Zero Trust, I've seen it in LinkedIn threads, is Zero Trust doesn't scale. It requires so much detail around system level who needs access. So we talked about starting small. How do you actually scale it? I know from talking to John Kindervag in the past that he has said, when I've asked this question, hey, I've worked with customers that have, you know, within either Department of Defense or defense contractors, that have rolled this out, but how do you actually

how do you actually scale it? Because we're talking about an organization that has really any type of scale. There's a lot of complexity with different applications. And a lot of times, if we're talking about a bank, they've got different business units. They've got application owners that really are the system owners for those. It's not technically centralized. In that kind of model, how do you go from 50 to 100 users? What does that look like?

DrZeroTrust (21:45.454)
you

DrZeroTrust (22:06.67)
Well, I mean, it's a difficult thing because that's a moving target and things do shift, and I agree with John: if the DoD can do it at the level that they're doing it, anybody can. Sorry! And really where we're getting to is that you can start adapting those controls. Policy engines nowadays are big enough that you can begin to, you know, sort of roll those policies out writ large, and most systems also have pretty good learning engines that can help you look at what is good at that scale. I would never recommend anyone try and do this stuff

in a one-of-one with, you know, Ricky the Intern on a spreadsheet. You've got to be using tech that's gonna help you do this at scale. You've got to have a really good policy engine. That's why I like NIST 800-207. And you've got to be able to tune the controls as you put it in place. And further along that line, if you do hit a space where things aren't playing out, you're well within your rights to accept the risk. I think a lot of people also get their mind around, if I do ZTE it has to be this and I'll never have blah, blah, blah. No.

It's your business. If you're uncomfortable with a ZT control, you can accept the risk. It may not be smart, but hey, you can do it. You don't want to drive with your seatbelt on? By all means, go nuts!

Matt (23:19.727)
I think that's interesting. And I appreciate that because again, that's probably the biggest comment that I get around zero trust when they talk about the five step model, right? Of this is how you do it. You build the system, you know, map the transaction flows, things like that. Um, I think people maybe get caught up in the fact that, yeah, there is detail to building any kind of architecture, and they usually get stuck up with just, hey, that doesn't, I don't see how that would scale. And I think it's mostly because of the models that they were used to, that

were the exact opposite, right? That were a trust-based model. I remember for a long time, many years prior to zero trust, building those very models with trust zones and whatnot. So it is a different approach.

DrZeroTrust (23:58.764)
Well, and you know, that's another point too. It's a really good point, right? Is you didn't wake up on a Tuesday and turn your infrastructure on. It took you years to build it out and to get it where it is. You think it would take years to get to where you want to go if you change the game now? I mean, obviously so.

Matt (24:14.895)
I think it's going to be different for every organization, right? If you're talking about a midsize company, this is something they might be able to do in, I don't know, two years or something like that. Whereas if you're talking to a Fortune 100, this is something that's likely going to take years. Is that normally what you see? And does someone ever get, by the way, to 100% zero trust? Is that a real world?

DrZeroTrust (24:36.514)
I don't think you ever get to a hundred percent. I think you can get towards where it's kind of optimal ZT, is what I think the DOD calls it, and that's where you're trying to get to. And I also get a lot of people who go, well, there's no such thing as zero. Sure, there's no such thing as zero body fat either; you die if you got to zero body fat. You know, bodybuilders try and get low but they never get to zero. So yeah, it's a viable point to make, but...

the reality of the space is your goal is to reduce risk and to gain control and visibility and insight and those types of things, and you're trying to be better defended than the next poor schmuck down the road. And if you can do that, then you're winning for, you know, for the reality of the space. And this is where I think having a background in the military is helpful, like you're looking at where you can win and where you fight, and that's where you begin to apply controls. And I tell folks, too, that one thing we don't talk about enough

is there is a concept in ZT of contested space. You're always going to have contested space, and that is going to be where your, you know, not quite zero, zero trust stuff lives.

Matt (25:31.492)
Hmm.

Matt (25:39.359)
What do you do? This is the first I've heard of this contested space. What do you recommend or how do you see organizations approach that space?

DrZeroTrust (25:48.012)
Your contested space is going to be either, if you're going to let your users just run at large on the internet, which I advise against, but if you're not going to put browser isolation or something like that in front of them, that's going to be your contested space, because, you know, the internet is the Wild Wild West. Or if you've got those controls in place, your contested space is going to be users and accesses and privileges and those types of things. So you control and manage and maintain, but no one, as far as I'm aware of, in, you know, recent history has gotten...

into an enterprise system as an authenticated user and nothing ever changes. Like, you wind up getting new accesses, those things. It's continually moving. It's a changing target. It's contested space. Policy engines will help you control that, but you've got to be aware that that's going to happen. And that, I think that that is a miscommunication a lot of people don't give enough credit to. It's, like, in warfare, we also have a concept of contested space. The front lines are the front lines for a reason.

And you're just gonna have to deal with it. As long as you don't get flanked or, you know, L-shaped ambushed, you can live.

Matt (26:52.719)
So if I hear you saying that, there's probably not such a thing as 100% zero trust in an organization. There's always going to be some, to use your term, contested space. There's going to be something that you have to capitulate on for whatever reason. At the end of the day, it's accepting a business risk. It's a cost of doing business, perhaps.

DrZeroTrust (27:10.574)
Yeah, right? I mean, you can, you know, that's why it's kind of funny to me when people talk about, what is our risk score? I'm like, I don't know. Your risk is either none or some. That's what it is. How much some do you want?

Matt (27:27.897)
So I want to go back to a piece that we talked about at the beginning, and it was, this is a topic that I think, rightly so, has come up a lot over the last 18 months in cybersecurity. And that's the whole point of self-care, right? Cyber can be an extremely stressful industry, especially with some of the new SEC rules that came in over the last year. If you're a CISO, right, your job got a bit more dangerous. So you've touched on the importance of self-care, intentionality,

in the LinkedIn post we talked about earlier. I'm curious, what does your personal growth routine look like? Like, how do you balance the demands of work with family and whatnot?

DrZeroTrust (28:07.534)
You know, admittedly, I'm not as good at it as I could be. I'm better at it than I was. I actually worked myself into an early-onset cardiac event a few years ago, and I've learned from that that, you know, there's a lot of value in saying no. But at a personal level, like, I'm gonna get up in the morning, I'm gonna take my time, you know, at least a couple hours to myself without anybody bothering me. I make it a point to study something new every day. Right now I'm doing like Duolingo, stuff like that. I try and read two to three books a month.

Usually it's Audible so that I can, you know, read it, but I do the Audible while I'm at the gym working out. You know, I work out four or five days a week, sometimes six, and then I really like playing golf. So for me, my wife knows, my family knows, like when I'm on the golf course, just leave me be. You know, that Sunday afternoon is my time. And I think that's something where folks should, you know, give themselves that ability to kind of step back and stay away, because we're always so plugged in, we're always so on point.

If you don't unplug, then it's just going to be a continual stress for you, and, you know, your physical health matters more than anything. What good is it to, you know, be a CISO when you can't, you know, eat or sleep or whatever else?

Matt (29:21.837)
I heard someone say once either do the maintenance now or pay for the repairs later. And I feel like, I know for me, I learned best through usually making mistakes, right?

DrZeroTrust (29:27.394)
Mm.

Matt (29:35.119)
It's a mistake I've made. I learned from it. I don't, I find that I learned very little from my successes, and it's more from some of those lessons in life. And I hear what you're saying in terms of, you know, for you, it was, you had a cardiac event, right? And that was a moment you're like, okay, I've got a choice. I've got to make that change. And so I think to those listening, the encouragement there is, you know, if possible, don't wait for that event to come in your life. If there's stress that you're having, I remember I had a previous leader that I worked for who

was involved with a number of different breaches throughout his one tenure as a CISO. And I went out to lunch with him. This was probably about a year after one of these very large breaches. And he said, I don't know if I can be a CISO anymore. He's like, I went to see my doctor and things don't look good. And I think there's a case of, you know, someone who is a high-capacity leader, but really wasn't taking the time for themselves to be proactive.

DrZeroTrust (30:30.19)
Yeah, and I mean, you know, I think we also don't give enough value to... we're in a space where, if you can and you really look at your health and your time off and whatever else, you're able to manage a lot nowadays. Like, it's not as manual as it used to be. So, you know, use the tools that are available to you to help. Like, that's why I say I kill two birds with one stone. I listen to an Audible book while I'm at the gym. You know, it's just, things work together.

Matt (30:57.913)
So two more questions for you. Maybe for those that are just starting into their cybersecurity journey, what advice would you give them?

DrZeroTrust (31:07.342)
Well, I would say understand that you're in a great space and that this is a community of people that will bend over backwards, typically, to help you. So don't ever hesitate to ask people for help is one, and I say that because I'm always one of the worst at asking other people for help. I like to be independent, but I think there's a lot of value in reaching out and saying, you know, I don't know this, I don't understand this, can you help me work through it? It's a great community, great people. And then the other side of it is...

Start really looking at, if you want to really be someone that understands cybersecurity and defensive posture, understand what offense looks like. You're not going to be any good to anyone if you've got, you know, a billion certs behind your name and your alphabet souped up to here and you don't know what it looks like to have bad guys come after your enterprise. Understand what that looks like. Spend time playing with Hack The Box and Metasploit and those things.

Matt (31:43.439)
Hmm.

DrZeroTrust (32:02.062)
Watch YouTube, you know, get really familiar with it because if you don't know what the actual tactics are, not the Hollywood crap, but the actual tactics of bad guys, you're not understanding what it means to defend from it.

Matt (32:17.517)
Yeah. And that's where I started. I think about when I started playing with computers and networks, you know, way back before the internet was a big thing like it is today. I started on the offensive side, and it was literally just playing, prior, you know, pre-YouTube. So I think there's a great advantage today that people have with YouTube, ChatGPT. One of my guests, you know, said this, so I can't claim I came up with this. He said it is the most patient tutor. You can ask questions to it all day. Now, we all know it's not always right.

But generally speaking, it's directionally correct. And so if you want to learn it, I think, you know, using ChatGPT as a tutor is such an inexpensive, great way to learn what offensive security looks like. And I think it makes the defensive side so much easier.

DrZeroTrust (33:03.33)
Well, if anybody tells you that they're not Googling and ChatGPT-ing and stuff and they're senior, they're lying, because they are. I do it all the time. Matter of fact, in my house, like, kids come in here and ask me a question, my first response is: have you looked at it on Google, or have you ChatGPT'd it? Then you can come ask me.

Matt (33:19.055)
I love it. I love it, Chase. Well, I've enjoyed our time today. Anything else that I should have asked you?

DrZeroTrust (33:25.454)
Number one, thanks for having me on here. I think this is awesome. Love the stuff that you do, and for those folks that listen, Matt knows his stuff. Like, if you've not been to one of his sessions, they're great. So I think there's a lot of value and credence to what you're doing. And I would just encourage people to really start looking at the problem realistically and don't get wrapped up in the compliance shenanigans and the Hollywood stuff and whatever. This is a definable, defendable problem. It just takes a change in the approach, and we can do this together. I think this is...

Matt (33:37.913)
Thank you.

DrZeroTrust (33:55.038)
of the few times in history where we can be our own heroes, but it requires us to do so.

Matt (34:01.091)
Well, thanks, Chase, for coming on the show. This was awesome.

DrZeroTrust (34:03.745)
Thank you, man.