Imagine the FBI coming to your office today with news that you are on an ISIS kill list… What would you do next?
How do you respond to pivotal moments in your career and life?
In this episode, you will get a powerful lesson in technology, and life, from Tom Kirkham. Tom is Founder and CEO of IronTech Security.
After receiving life-altering news from the FBI, and taking a multi-year sabbatical to get off the grid, he is now on a mission to protect companies and individuals from cyber attacks.
Every engineering leader who uses a computer needs to hear this one. So yeah, that’s you.
IronTech provides cybersecurity defense systems, and focuses on educating and encouraging organizations to establish a security-first environment. You would too if a data breach meant you became a terrorist target.
So press play and let’s chat… so you no longer underestimate the risk we all face online!
The Happy Engineer Podcast
WATCH EPISODE 062: CYBERSECURITY ATTACKS AND TERRORISM – HOW TO REDUCE YOUR RISK WITH TOM KIRKHAM
CYBERSECURITY ATTACKS AND TERRORISM – HOW TO REDUCE YOUR RISK
Whoa, seriously, an ISIS kill list? Having the FBI come knocking on your door, letting you know that ISIS wants to kill you? That’s pretty intense.
This episode is a must-listen for that story alone!
Tom brought tons of value to this episode. Let’s dive into some of the main jewels.
WHO before HOW
One thing that came up during my conversation with Tom is the importance of cybersecurity.
And here’s the key thing…
You might be tempted, as I am myself as an engineer, to always want to become smarter and figure out how things work yourself. You may have heard some of the compelling reasons why cybersecurity needs more attention in your own life at home and in your company.
That leads you to ask yourself what you need to learn and how you can solve this problem.
Well, please remember this one thing: ask WHO before HOW.
This is a really important principle in all of leadership, asking who before how. We are how-minded people and so it’s super important that we get into the habit of asking “who” first.
- Who can help me solve this problem?
- Who has already solved this problem before me?
- Who can provide the expertise and the solution so that I can focus on just my zone of genius?
If you’re at the bottom of the org chart, this applies to you as well. You still want to begin asking these questions.
- Who has already solved this?
- Who can help me?
- Who can mentor me?
- Who can coach me?
Practice asking who before how.
Acting during pivotal moments
You and I have already experienced pivotal moments, and chances are that you and I will experience more of them in the future.
Death of loved ones, divorce, illness, getting fired, the list goes on.
The question I like to get curious about with everyone I coach is this: what do we fall back on when we hit those pivotal moments?
What are the things you automatically default to when you are under immense stress or pressure, or when you feel that sense of depression and burnout because everything is falling apart and overwhelming, and you don’t feel you have any control over the situation?
The answer is the values, the beliefs, and the mindsets that you have been using since childhood to protect you and keep you safe.
You default back to those survival instincts and here’s the problem.
Survival instincts vs success instincts
Staying alive and staying safe is often at odds with driving the action necessary for success.
The behaviors and patterns that you have developed over your lifetime to stay safe are not the patterns, actions, habits, and behaviors that are going to lead you to success.
Your automatic systems are not wired to help you thrive, they’re wired to help you survive.
This is one of our main points of focus in our 90-Day Lifestyle Engineering Blueprint Program.
On our program, we’re intentional about learning how to move those values and beliefs that you hold today from your subconscious to your conscious mind.
This creates a lot of clarity and it serves as a compass for the direction you want to take in your life.
And this is especially true when you are in that pivotal moment.
It’s important that you are intentional about your focus so that you adopt a success mindset instead of a survival mindset.
Here’s something else that’s important to consider in this conversation.
Do not wait for the rock bottom moment.
Do not wait for the pivotal painful moment in your life to take action.
Sometimes it just takes a huge shock to make you wake up.
Most times it is not necessary.
So my challenge to you is to ask yourself: what am I doing proactively now to be ready for the next pivotal moment?
This is what lifestyle engineering is all about.
We cover this in the first three modules of our program. And it’s this absolutely brilliant and powerful discovery process that makes so many say, “I wish I had done this years ago,” “I wish I’d known better.”
Great conversation with Tom. I hope you’re encouraged and challenged. And if there’s any way that we can support you, join The Happy Engineer Community.
It’s totally free. Get in there, start sharing. What’s going on for you? What questions do you have? Where do you feel blocked? Where do you feel stuck in your career?
Join the tribe. Help us help you.
ABOUT TOM KIRKHAM
Tom Kirkham, Founder and CEO of IronTech Security, provides cybersecurity defense systems and focuses on educating and encouraging organizations to establish a security-first environment with cybersecurity training programs for all workers to prevent successful attacks.
Kirkham brings more than three decades of software design, network administration, computer security, and cybersecurity knowledge to organizations around the country.
LINKS MENTIONED IN THIS EPISODE
- IronTech Security
- Tom Kirkham on LinkedIn
- Do you need help with securing a successful career? Book a FREE Career Clarity Call now!
FULL EPISODE TRANSCRIPT:
Please note the full transcript is 90-95% accurate. Reference the podcast audio to confirm exact quotations.
[00:00:00] Zach White: All right. Welcome back Happy Engineers and Tom. So excited for our conversation today. Thanks for reaching out for making time to be with me and all the Happy Engineers out there. Welcome to the show.
[00:00:12] Tom Kirkham: Yeah. Well, thank you. It’s really a pleasure to be here, Zach. I am looking forward to this interview and picking each other’s brains and hopefully the listeners can find something to take home with them.
[00:00:23] Zach White: I have no, no doubt about that. From the first communication we had, there’s been more brain to pick than time to pick it. And I’m super excited about this and to dig in. Tom, set the stage for us a bit. In the preview, we talked about your bio and your incredible experience and history with technology, with cybersecurity and your company, IronTech Security.
[00:00:43] But can you just take us back to the beginning? What got you into this space and maybe tell the story a bit of how we got to your expertise today.
[00:00:52] Tom Kirkham: Oh, wow. This is, uh, this is going to be interesting, especially since engineers, have college degrees, but I went to college for economics
[00:01:01] Zach White: Uh-oh. Hold on.
[00:01:01] We’re gonna have to cancel the interview, Tom. Economics? What, how is a cybersecurity guy an economist? I’m just, that’s interesting. So econ, where at?
[00:01:09] Tom Kirkham: Yeah. So Econo actually economics it made me a great macro investor. Okay. Okay. And so then the decades that I’ve been a nerd and been involved in technology and in either management or entrepreneurial or both.
[00:01:24] Uh, and we’re talking about 40 years roughly. I specifically concentrated on the macro approach to investing in technology. So I went through the .com days, and to this day I’ve dabbled in other markets and I am totally abysmal at it, but I have been very successful at technology investing, but
[00:01:45] My first real job was in management at a software company. So we had a whole, I managed teams of software engineers, literally all over the world. In fact, one team was in Ukraine in, in, Keve not had another team in Rochester, New York. And then I had a local team and a few other scattered here and there.
[00:02:03] but I was a designer. I wasn’t a programmer. So it was my job to make the software visually appealing, easy to use, cut down the number, just make it really efficient for the user. So I, I got exposed real early on to the customer experience. as they use the product and what’s their hiccups and really watching ways where I could identify.
[00:02:25] Tom Kirkham: things that need to be streamlined or things that need to be made more obvious, you know, it’s about creating a, good graphical user enter, right? Yeah.
[00:02:35] Zach White: And can you tell us what that first product was that you were designing
[00:02:39] Tom Kirkham: Retail management software. We were the first ones to even really think about putting it on the Windows platform.
[00:02:46] If that doesn’t date me, I don’t know what does. So we were going, we were going into the, in, we had a DOS product, but we were going into the industry on an international basis. And we had no competitors that were anywhere near where we were. And actually putting it on the Windows platform. So I did a lot of speaking about, yeah, you need to move this way, and no, no, no.
[00:03:09] It already works on DOS. We don’t need graphical user interfaces. Right. Mm. And of course, obviously that didn’t play out. But during that period of time, I won some awards for software design, even though I wasn’t an engineer, I didn’t kind of. And, uh, the .com days caused that company to basically lay off practically everyone, me included.
[00:03:35] So I started my own IT management services, you know, these days it’s called a managed service provider. And then about 10 years ago was when I really started thinking about cybersecurity, because one of my quirks is I have this interest in thinking like a criminal. You know, it’s not like I want to be one, like any good attorney knows how to bribe a.
[00:03:59] Tom Kirkham: But they don’t do it. Right. That’s what makes ’em a really good attorney. That’s being able to think like that. And so I was always thinking about how would I get away with robbing the bank across the street? Or how would I penetrate this company from a technology perspective? So I, I always had that knack, so I was driving our company to get more and more into security.
[00:04:19] And then in 2015, I was visited by an FBI agent. That walked into the office and said, I’m looking for Tom Kirkham. I’m so and so with the FBI held his badge up and he says, you’re in trouble, but it’s not with us. And he began to tell me that I am named. on an ISIS kill list.
[00:04:46] Now you may remember around 2015, there were a number of ISIS kill lists that came out. Most of ’em were politicians, law enforcement, military, New York City metro area, Washington. Right. There was one list during that time that was random across the whole nation. And it was because of a data breach. An American in Georgia, Augusta, had breached this database.
[00:05:13] She, she had breached that database and she. Part of the United Cyber Caliphate, which at the time was ISIS’s national security administration or US Cyber Command.
[00:05:26] Tom Kirkham: And they were highly skilled, but she sent that in and said, make this a new kill list. And so that’s what they did. Okay. Hold on. So hold on. it really increased my passion for going into cyber security. No kidding.
[00:05:39] Zach White: Just a li a little bit, Tom, take me to. That moment. So you’re just, it’s like another day at work.
[00:05:46] You’re in the office, not expecting this at all. And an FBI agent walks in the door, right. Hu. In their badge, What are you thinking initially in that moment? I mean, can you remember like your, the first thing, like, what happened right there in that,
[00:06:01] Tom Kirkham: right.
[00:06:01] Right. it was in July. I may have said may, but it was, it was actually happened in July and it was right around July 4th. And I can’t remember what day of the week it fell on that year, it might have been a Saturday and the whole office was closed except for me.
[00:06:14] And one other person who is our president now. and it was just me and him. So, you know, it would’ve been, nobody would’ve believed me if I didn’t have an eye witness to all this stuff, but he comes in and, and he’s going, yeah. And he’s in a polo shirt and blue jeans and he’s like 30 ish, you know? I would say it didn’t really click, it didn’t begin clicking until about 30 or 45 minutes into the discussion. And so I said, Hey, I’ve never met an FBI. Can I look at your badge and, you know, and see all that again, you know? Cause I knew I had the right to right.
[00:06:45] So, oh yeah, sure. So I said it and I, I handed it back and we’re just. You know what, what’s the name of this caliphate thing and all of that. and so finally I said, so what does this mean? they’re gonna, you know, try to hack into my bank account or, whatever. And he goes, no, they’ve designated you to be killed.
[00:07:06] they want you assassinated murder. Okay. And that’s when the gravity of the situation really, uh, sunk in. And of course, when you really start thinking about it, not only you have personal protection, but you gotta think anybody around you could become a possible target.
[00:07:20] Tom Kirkham: So immediately I said, well, I’ve gotta notify family and friends and colleagues that I’m on an ISIS kill list. And, just understand that the likelihood of anything happening to me is extremely slim. Right. And it’s not like I gotta worry about someone coming over from the Middle East to kill me.
[00:07:40] What they really were doing. One of the things they were doing was, recruiting, lone wolves, other Americans that are sympathetic, they wanna be a part of ISIS. And we just happen to have a couple living here in my town And they eventually ended up getting arrested just before. What I think was an imminent attack on a shopping.
[00:08:00] so I had to worry about that, you know? And so I didn’t talk to anybody except those that needed to know for a couple of years. Wow. Wow. Wow. But I’ve survived it so far. And ISIS doesn’t have nearly the power that they did, so I’m not too awful worried about it, but I, you know, who knows they may gain strength again someday,
[00:08:21] It was a pivotal moment. Yes. In my entire life where it wakes you up to your mortality. I’d survived a couple of cancers, a spinal infection, and now I’m on an ISIS kill list. It was like the capper for what’s been happening to me for the three years prior.
[00:08:36] And you really start reflecting, thinking about philosophical issues around mortality and the kind of life you wanna lead. Totally. And, and all of this. And so I spent a lot of time traveling around the world for probably a couple of years and then I got more focused. And when I reengaged with IronTech, I went back and joined the company.
[00:09:00] Fortunately I’d put the right people in place while I was gone, did a fantastic job. And it allowed me to step back and quit being a network administrator or software designer or whatever it may be. And to really reflect is what do I want this culture to.
[00:09:20] I want everyone to be happy. What kind of culture do I establish to where we don’t have tension? No one hates to come in every day. Stress is minimized, mm-hmm, and I spent a lot of time thinking about that and reading management and leadership books and understanding the differences between a Steve Jobs and an Elon Musk.
[00:09:43] Zach White: I know the engineering leader listening is probably still reeling from the fact that the FBI barges in and, and Tom’s on an ISIS kill list.
[00:09:50] So you don’t hear this every day, but you mentioned this kind of two-year window, you’re in a time of deep exploration of your own mortality and you’re traveling and sort of searching. I’m kind of curious, Tom, what were you really after during that time?
[00:10:08] Or, or what did you find or discover about yourself in the context of your own mortality during those two years? Is there anything that stands out as like, this is how that time changed me?
[00:10:21] Tom Kirkham: purpose in. How do I want to live the rest of my life? Where I can at least minimize the regrets.
[00:10:31] Every single person has regrets. You are in denial if you don’t have regrets. And furthermore, if you don’t learn from those regrets and minimize your mistakes, every day is about learning and growing as a human. I continue to do that to this day. God knows I’ve got plenty of vulnerabilities and weaknesses and, and all of that.
[00:10:53] So one of the things about being a good manager and a good leader is identifying your own gaps, audit yourself. you know, really what are. Your strengths and weaknesses and, other deficiencies, because there’s a very good chance.
[00:11:08] You can add people to your team to compliment those and to, and to make that weakness as a leader, a strength for the company, that’ll make it better for everyone, Was there any moment, like your traveling in the Himalayas or something happened where, where that purpose.
[00:11:23] Zach White: Clicked or became really clear for you. And you mentioned you kind of came back with that renewed passion. Is there anything you remember during that window of time where you really felt purpose become clear and crystallized for you? Wow.
[00:11:38] Tom Kirkham: Geez, that’s a good question, man.
[00:11:42] I think it became clear on my trip to Venice. I think I went to Barcelona and Venice on that trip. And I think the sheer beauty of Venice, and of course you get to marvel at the engineering of the, the bridge over the Grand Canal.
[00:11:57] Alta, I think is what the name of it is. And just get to marvel at that and how the city functions with there’s literally no cars on the island. There’s no roads and everywhere you walk there’s steps because you’re walking across canals. So when you get off the bus at the north end of the island, and your
[00:12:15] Hotel is on the other side of the island. Guess what? You’re dragging your roll around. Start walking up and down steps across canals, probably 10 times just to get to the hotel. So it becomes a lot of work, and the people there fascinated me. They’re from all walks of life, you can tell it’s one of those places that is better off because of people from all over the world live there.
[00:12:38] And, and I love being in those environments. And those are special whenever you get a chance to. , you know what you think these are my people, right? You realize there there’s really no difference in people, but everyone knows what I’m saying. You know, there there’s a group, your group of friends, your peers, you spend time with, you’re on some sort of intellectual or spiritual connection, or you have common interests that you can talk about for hours.
[00:13:04] Mm-hmm. And I, I think it was right there. The, the short answer to your question, there was no specific thing, that I had an aha mo. It was an evolution. I’m a slow learner. I’m one of these people that I learned from Elon Musk, cuz to approach things from my first principles standpoint.
[00:13:23] And so because of that, and I never knew why I was a slow learner. I’m not joking about that. I’m a very slow learner, but it’s because I always went back to, to first principles myself. I said, wait a minute, I don’t understand why this is even relevant, you know, and on and on and on. So, you know, now I’m ended up back in philosophy from 3000 years ago.
[00:13:43] Zach White: I love that though. Yeah, just the, the willingness to have a nonlinear path to your own learning and discovery. there’s no flash bang purpose became crystal clear. It was just an evolution for you. I think that’s, it’s good for people to hear. Sometimes we expect these.
[00:14:01] Brilliant aha moments. You hear testimonies from other, you know, amazing leaders on our show or other places. And it’s like, oh, I haven’t had that experience. And so I just, it’s really cool, Tom, to hear you say, you know what? It just required me to walk the journey a bit and it happened, you know, I just, I realized here, here it is.
[00:14:19] So maybe that’s a good transition, Tom. You, the first principles you came back with this renewed vigor. The importance of cybersecurity as a, a victim of a, breach and really changed your life. So where did that take you? And, and what is the, you know, things we need to start digging into around cybersecurity today.
[00:14:40] Tom Kirkham: Well, I, I put that CEO mindset in place, you know, already. Okay. I’ve got a, a decent handle on what my weaknesses are and strengths as a leader, and I’m the majority shareholder. So yeah, I’m the boss until such time as somebody that’s better than me can do it. Right. That’s good. So I said, what would I do to address these strengths and weaknesses?
[00:15:02] Tom Kirkham: I already had a. Strategy and a great vision of where I wanted the company to go to. That was that’s one of my gifts of the few. and so I started constructing that and thinking about certain roles in the organization that may not today, but we need to get to where there’s, a person or a solution for that issue or that.
[00:15:25] that we need to put in place 2, 3, 5 years down the road. And I started growing the company with that intention at the same time is, is reestablishing the culture and making it, I hate to use the word proceduralized or formal. I knew I wanted it to be a little bit more professional, but I didn’t want to lose I hate to say the word family, because that is so cliche, but, and I didn’t want it to be like that. I just wanted everybody to be comfortable and happy while they’re working there. Now that doesn’t mean that that’s their end goal. I just wanted it to be a place, you know, that you don’t mind coming in and all of that.
[00:16:02] So I began working it that way and it’s really started to gel. I’d. In the last three years or so, it’s really starting to come into play. I’ve actually reached a point where we don’t have any serious missing roles. Now, we still got a lot of work to do, but there’s not any serious roles that are missing and we’re addressing a lot of things, we’re super client focused.
[00:16:26] ethical of course, if you’re in this business, you gotta be ethical and all of that. we continuously run client surveys and they’re all 99, 90 8% positive. in my whole. Retail management all the way through today. retail management software, I’m talking to small, to medium sized business owners.
[00:16:45] Tom Kirkham: So I’ve seen a lot of different scenarios. You know, you could probably walk into an engineering firm Z and you can just feel the vibe, oh, this is a good vibe. This is a bad vibe. Mm-hmm, , there’s a lot of tension around here. You sense those things and you pick up on ’em and I really started thinking about that, over the years.
[00:17:03] Zach White: this is really interesting we framed this, like, you know, Tom’s this got a zone of genius around cyber security and you came back from your trip. And my first impression, like, if I was gonna guess what you would say is like, well, I started, digging in and studying and developing new tech around cyber security and such and such, but everything that you’re talking about so far revolves around setting the culture and leadership and this piece.
[00:17:26] And. That’s awesome, but it’s also unexpected for the technical focused engineering mind in me. It’s like, huh? Well, what’s going on there? So connect the dots then. How did you find such an important connection between what the leader at the top is doing versus the actual work and impact that your organization is making in the world right now with cybersecurity and te.
[00:17:53] Tom Kirkham: Well, I, I was never out on the bleeding edge of technology, like rein, you know, taking code and making it do something that’s never been done before. Like big data, like Splunk, or a friend of mine, CEO of Cribl, that’s a big, huge data company. He’s got that genius in the technological component.
[00:18:12] Tom Kirkham: My experience has always been, I can find good network engineers. I can find good software engineers, my role. is more of a strategic role, right? That, technical component is an operational role. And the, one of the reasons why you establish a really great culture and less tension is you make them Excel their role in that technical role as an engineer or whatever it may be that nurtures that, that resource.
[00:18:47] and, and, and of course it’s a person or, you know, whatever it may be, but it nurtures that resource and you’re setting the scenario. You’re setting everything in place to where it’s not as a leader. It’s not my fault if it doesn’t succeed. and sometimes it is, I have to go back and say, what, went wrong here, but I can tell you that as a long term strategy and you have to work at it every day, you’ve gotta walk the talk.
[00:19:15] Set the tone at the top, you will get the best outta your people and they will be the happiest for it. You know, what, what do engineers want to do? They wanna build stuff or they want to engineer software or, you know, mechanical engineering and they, and it’s, it’s a, it’s got an art to itself, right? Mm-hmm , you know, you ever, you can do the mathematical calculations on whether this beam can handle this load and all of that kind of stuff.
[00:19:41] But, but when you put it all together, it’s really a thing of beauty. And if you’ve taken all the stress and the tension and, and it’s well managed, it, it just, that gives them the, the yeah. Ability to be free. I guess it’s a little bit like going to Venice for a week. Right. There you go.
[00:19:59] Zach White: I love that. Yeah.
[00:20:00] Yeah. Do you think Tom, that your ability in this way has, uh, benefited by not being an engineer and your original training and degree, and being able to be separate from the technology in some capacity? Or would you say, you know what, it’s really not about that. Anybody. Develop and be the kind of leader that you are.
[00:20:23] Tom Kirkham: I think anybody can get the training. I don’t, I don’t, I, I think it’s a big mistake. Not to think that you can develop the skills to be a good leader or especially a good manager. I think managing is much easier for engineers and I, I draw that distinction on purpose because you know, a good manager may not be a part, you know, may not be thinking about culture, but he is making the business, the right business operation moves.
[00:20:47] Right. And hiring the best people and things like that. Uh, it gets back to operate really, and truly management is operations and leadership is strategy. And I kind of forgot what your question was. So,
[00:21:00] Zach White: no, I’m just curious if, you know, you have that economics degree that we right out of the case, like, didn’t start as a software developer, you know?
[00:21:07] And so I was just curious, like, is there something there that you think gave you an advantage or you’d say, no, it really isn’t about.
[00:21:15] Tom Kirkham: Maybe because it’s a dismal science, it, except my expectation so low that I couldn’t help but that’s, you know, do something else with, you know, just wondering about stuff.
[00:21:28] I, you know, I don’t know. I, I really regret it. I went back to school three times my business got in the way my job got in the way and I never, never was able to complete that degree. I’d still love to be writing economics books. And, uh, I was fortunate. Enough to be exposed to, uh, some instructors from the Chicago school.
[00:21:48] And so I, I mean, these, these were very talented. Uh, probably we went on to win Nobel prizes, but, um, yeah, that’s amazing. Certainly Chicago did, you know so
[00:21:56] Zach White: well, so before we were recording today, you said something that I thought was really, I important. I wanna make sure that we give you a chance to share it with the engineering leaders out there, listening about how.
[00:22:07] This aspect that you’ve been describing, how you came back and focused on really leading the strategy, becoming the, the culture driver, the true CEO, the visionary, and how that type of leadership is essential in cyber security decisions and the outcomes that happen in our organizations. so now for every engineering leader out there, it’s like, this is why it’s so important to become this person in or.
[00:22:35] Encourage your leadership in your organization. So would you describe that relationship that you shared with me earlier and why it’s, you know, ultimately the leader’s responsibility. to protect the organization when it comes to these cybersecurity issues.
[00:22:50] Tom Kirkham: Yeah. Okay. First of all, the vast majority of the population vastly underestimates their risk of being attacked.
[00:23:00] And some of these attacks are catastrophic. You know, they can put your firm out of business, you could have a week of lost productivity. And so that’s my main role in the company is educat. public, the public, through my book and webinars and podcast interviews, all of that. And what I frequently see is, you know, it, it’s real easy to make a management decision to say, okay, I’m convinced we do need to up our cybersecurity game, but then in certain industries, because we cover more than engineering in certain industries.
[00:23:42] I see the head guy or the, the, the top three partners in an engineering firm. They just exempt themselves their exceptions to the security rules. And they’re not setting the tone at the top, right? Mm they’re. Going through the motions. So that was a great management decision. and this is where companies they really end.
[00:24:05] Implementing halfway measures. But when you realize that over 90% of the breaches is because of a non-malicious employee, let the hackers into the organization, it’s not a technical problem to be solved. You know, we can put all these wonderful new technologies on there to get you to where it’s a, you know, 0.0, 0% chance.
[00:24:31] You’ll have an. and everybody’s got their own risk profile, but when you understand that 90% of breaches are a people problem, and you’re not setting the tone at the top. You’re not really addressing. what the vulnerability is. that’s the difference between a good leadership and a good manager.
[00:24:49] One of the many, many things. Sure. And that Dan that’s, I just see it fail so many times that an owner just says, okay, we’ve gotta get better cybersecurity, they’ll go to their IT guy, which that is. That’s like going to a cardiologist if you need brain surgery. Okay. They’re both highly skilled.
[00:25:09] But they got their specialty. I’m not going to go to a mechanical engineer to build a highway for 50 miles. Right. Or design a highway for 50 miles. Okay. Yes. So you need to think that way, cybersecurity versus IT. They truly, truly are two different specialties and there’s a lot of nuances even within those two high-level groups.
[00:25:30] so what do you do? You know, you, you, you get a cancer diagnosis. Or you are just gonna do whatever the GP says, you know, your primary care provider. No, you’re gonna go to an oncologist. I hope, or some other specialist that’s familiar with that. and that’s what makes you a good leader.
[00:25:46] Tom Kirkham: Once again, it goes back to understanding. In most cases, you don’t know what you don’t know. And by consulting with skilled people that know it, at least you know more about it, and you can understand what the risk to your firm is and the risk to all of your stakeholders. You know, if you get breached, it’s not just your firm; it might personally affect your employees, especially if you go out of business.
[00:26:10] But what if their medical records get stolen? You may be a threat vector for whoever you’re working for, whoever the vendor is. You know, if you work for state or federal government or a Fortune 500 company, whatever it may be, you could end up causing them a problem. Mm-hmm. And it’s really just the cost of doing business, but more importantly, it’s just the right thing to do.
[00:26:31] You have to think. And if there’s another thing that I like to talk about, it’s stakeholder capitalism. Things have changed in the last 20, 30 years. This society always does. Sometimes it stays the same too, but, um, you know, it’s really more of a stakeholder capitalism environment.
[00:26:50] Tom Kirkham: It’s no longer shareholder capitalism. It’s not about the shareholders. And that’s the number one thing, like who’s at risk here?
[00:27:00] Zach White: You don’t wanna forget anything. Interesting perspective. You mentioned, hey, we grossly underestimate the risk, and you’re hitting on some of the things that can happen if a breach does occur.
[00:27:11] And I think, especially for engineering leaders, we can wrap our heads around that. But would you just share a little bit about this underestimating? Like, what is the real risk? I don’t know if you know stats, or just explaining how to reframe really what’s happening out there when it comes to data breaches and/or other forms of cybersecurity attacks.
[00:27:31] Like, what is the risk?
[00:27:32] Tom Kirkham: You have to understand there’s thousands and thousands of cyber attacks on the United States every single day. And the vast majority of attacks are not targeted attacks. Colonial Pipeline, that was a targeted attack. JBS, that was a targeted attack. But the majority of them, and probably most of the listeners... but it doesn’t matter if you’re a Fortune 10 company.
[00:27:56] Okay. Ford Motor Company, JBS, they’re all vulnerable, and they’re more prone to a targeted attack, but the majority of ’em are done by bots, and they’re done at scale. It’s a one-to-many con. They’re blasting out a hundred thousand phishing emails. We do a lot of work with law firms. They’re blasting out a hundred thousand phishing emails to everybody
[00:28:21] that’s a member of the New York State Bar Association. Okay. All they’re thinking about is conversion rates. Wow, man, if just 1% pays a ransom of, uh, an average of $10,000, that’s a 10 million payday, just a 1% conversion rate. They never even know or care who’s paying the ransom at any point; the whole systems are automated.
[00:28:47] So when you really understand the scale of it and the randomness of it, and then you add the whole cyber warfare component, the nation-state issue, to it, it makes you realize that it doesn’t matter who or where or what size you are. It can happen to you. We know that when I do webinars, on average about 20% of the people respond positively to the question:
[00:29:11] Tom Kirkham: Have you or someone you know personally been a victim of a ransomware attack? About 20% always answer yes. Wow. Sometimes it’s 10, sometimes it’s 30, but that’s usually true across all in... So it goes vastly underreported, number one. Yes. And then I just see it all the time. I can’t tell you how many people that we’ve brought on as clients
[00:29:32] that have been a ransomware victim two, three times, and they’re just then convinced. Even if they’ve heard me speak, oh, wow, after doing it three times, they are then convinced that they need to get serious about it, do something.
[00:29:47] Zach White: That’s amazing. Yeah. So most engineering leaders are familiar with the general idea of cybersecurity and what’s going on here, but I don’t think it’s been a focal point, to your point, the oncologist versus the, you know, cardiologist kind of conversation.
[00:30:00] So, knowing... I mean, I wish we could go all day on, really get into the details. You’re kind of geeking me out. We’re just now getting into the juicy technology bits here, but tell us, where would we begin? You know, maybe I’m not the CEO, I’m not the leader making the sweeping decisions for the organization, but what are the first building blocks that we all need to take into account as we look at this problem and how to...
[00:30:22] in our companies and in our lives.
[00:30:23] Tom Kirkham: Well, Zach, you mentioned that you’re not the CEO, so, but I do wanna say that if you are the CEO, you have to get this basic knowledge of the true scope of the risk. You’ve gotta understand what the risk to the firm is, because when the, you know, the six o’clock news comes knocking on the door, wondering why this
[00:30:44] 500 million engineering firm suffered a major breach, that’s building some sort of 10 billion project, you’re the guy that’s gonna have to explain it. Now, we deal with CIOs and IT directors because they understand they don’t have the skills and the expertise. And they’re not really familiar with the dark parts of the...
[00:31:05] and all of the different ways that you can be exploited and conned and manipulated, socially engineered, right. Mm-hmm. And they don’t have time to learn it because they’ve gotta keep everything running. They’ve got an IT job and they just treat it as a role. Right, now as an individual, be more cognizant of just little simple things like don’t reuse credentials. 90% of the population uses the same set of credentials on their email as they use on their bank account as they use on Facebook.
[00:31:37] Well, if any one of those gets hacked, they’re all compromised, potentially. Yeah, because a criminal hacker that specializes in that hack, the first thing they do when they get a set of credentials for anybody, and this is all done at scale and automated too, by the way, is they start hitting Chase Bank, Citibank.
[00:32:00] It may be an email, a set of email credentials, but they automate these attacks on Chase to see if they can get into the bank account, or to get into Facebook, or vice versa. We’re seeing a big increase in business email compromises, where they’ve gotten into your email and they can impersonate you, you know, and say you’re sending an invoice out for $150,000.
[00:32:20] Tom Kirkham: Here’s the banking information. They will intercept that email, change the bank account and routing number, and the money will end up going to the wrong place. And now they’re it. And that’s a bad place to be in if you’re a business and you’ve accidentally wired it to the wrong account number and wrong bank.
[00:32:37] Zach White: Yeah. Big time. So, I mean, if somebody’s feeling like I’m feeling, like, hey, okay, I’m hungry to get some information here. Like, where do we begin? What’s the places, the resources to, you know, maybe we’re not gonna become cybersecurity gurus overnight. But, uh, what would you encourage someone to do first, if they wanna take action on what you’ve shared with us here?
[00:32:57] Tom Kirkham: Well, I don’t have any intentions of becoming a civil engineer overnight either. You just don’t, no one person has the ability to be an expert in everything. The more you learn, unless, you know, hopefully you feel that way, the more you learn, the less you know. True story. And, uh, I mean, if you’re gonna get serious, you really need to...
[00:33:20] like an IronTech company, a managed security services provider. Don’t think the IT firm, if you’re outsourcing your IT to, say, an MSP, or even your own staff, don’t think that they fully comprehend things like a NIST cybersecurity framework. They don’t know the latest EDRs, and I know I’m throwing out acronyms that you may not know, but these are the telltales.
[00:33:45] This is how I, when I talk to an IT staff, I go, what are the top two EDRs and why? Or have you ever done a NIST compliance assessment? Generally speaking, no, they just don’t work in that part of the industry enough to even understand it. It’s not do-it-yourself any longer. Yeah. I mean, it’s just not. You’ve gotta go to the experts to really understand it, and you can just engage ’em with advice.
[00:34:08] You can get a vulnerability scan done on your network. You can cut your risk in half for your entire firm if you implement continuous cybersecurity awareness for everyone in the firm; that’ll cut your risk in half. Wow. 50% of your risk is gone.
[00:34:26] Zach White: That’s awesome. Yeah. I like it. It’s good.
[00:34:28] Connects to what you said earlier, that 90% of these breaches are people problems, not technology problems. So that makes a ton of sense. Yeah.
[00:34:36] Tom Kirkham: But then you gotta remember you’ve still got the people problem. These guys that do the psychological manipulation, they’re good.
[00:34:44] You know, the days of broken English, misspelled words, bad graphics on these emails, I get a chuckle when I see one, because they’re so rare anymore. I mean, they can fool me. You know, we simulate phishing attacks in our company every week and there’s only one person that’s got a hundred percent score, and I’m not him or her.
[00:35:02] Oh, wow. I’ve been fooled. And it’s something that just... I’ll be working on my Google security settings, and it just so happens that I get one of these simulated phishing emails saying, hey, your Google security settings changed, and I’ll click on it. And the next thing, I’ve got a two-minute training video on why I fell for it.
[00:35:23] Zach White: Oh, my goodness. I’m inspired by that. And truly, if you know, humbled by the reality, like, here’s Tom, operating in his zone of genius at cybersecurity, and still falls for the attack. So I think we all need to take that seriously. And I’ll say it, you know, a shameless plug for IronTech and Tom’s organization.
[00:35:42] Do engage with a professional, for the engineering leader out there, or ask your CIO, your leaders, to make sure that they’re taking the appropriate action with the appropriate specialists in this way. That’s amazing, Tom. I know we could go all day; you have a wealth of both wisdom and experience to share with us, but to wrap it up for now, until next time, you know, I always end in the same place.
[00:36:08] What you’ve shared really aligns with the fact that, you know, great engineering, great coaching, great leadership have in common that we wanna ask better questions if we wanna get better answers in life. So let’s ask great questions. And I’m curious for you, if that engineering leader who’s been hearing this conversation, you know, really does wanna lead well, make a big impact and, you know, make great decisions,
[00:36:34] Zach White: what would be the question you would lead them with today?
[00:36:39] Tom Kirkham: I think you gotta look backwards too. You’ve gotta do a, what we call in the industry, a post mortem. And what went wrong? What were the defense mechanisms that failed? And 90% of the time it’s gonna be a human that failed, but then there may be technical defensive controls, or maybe the response by the security team could have been better.
[00:37:03] And then to learn from those mistakes, because you’re constantly uncovering weaknesses in your own organization, and maybe even others that you can help them with. What went wrong? Whenever something does go wrong, and it always does, you spend time and reflect on what went wrong and fix it.
[00:37:26] Zach White: That’s, it’s powerful. I love that, Tom, cuz it’s not just for our cybersecurity issues. That’s an anything-in-life question.
[00:37:34] Tom Kirkham: What? Yeah. And I’ll tell you this, if you ask that question to your team and they get defensive about it, you’ve got two things wrong. You’ve got whatever it is that you’re talking about,
[00:37:46] but your culture and your tone is not set right, because the culture itself is not going to be able to honestly appraise the situation and say, this was my failure, or we didn’t have the right procedures over here, or it was an external vendor. I mean, and you don’t want to do it with excuses. It’s real easy to say, oh, it was an external vendor.
[00:38:08] Well, why didn’t we intercept it? It’s like a plane crash. There’s seven or 10 or 15 different things that all conspired together to crash the plane. There’s always a chain that can always be improved.
[00:38:20] Zach White: I love it, Tom. Thanks so much for this. And I know the engineering leaders out there who’ve been listening are gonna wanna connect with you and get more information, maybe reach out to IronTech.
[00:38:29] So where can we go, if we wanna understand more about you and the amazing work you do?
[00:38:35] Tom Kirkham: Uh, well, the website’s real easy: irontechsecurity.com, just like it sounds, all one word. Uh, my personal website is tomkirkham.com, and I do speaking engagements and keynotes and things like that, if you guys, any of you, are part of an engineering society. And, uh, you can sign up to be notified of my books.
[00:38:56] But yeah, if cybersecurity is your deal, go to irontechsecurity.com. There’s tons and tons of resources you can implement today at no cost that are best practices. These are industry standards, international standards: ISO, and COBIT 5, and CIS, and all these other standards out there.
[00:39:14] Tom Kirkham: Protecting organizations is not a mystery, because there are best practices, and it’s not because I say you need to do this; it’s because NIST or ISO standards, or whatever it may be, just like it is in engineering.
[00:39:29] Zach White: Awesome. I hope everybody will take action on that quickly. Go out, check out Tom, check out IronTech and their work, Tom’s books, et cetera.
[00:39:37] All those links will be in the show notes. You know where to find those; you can click there, uh, on your device, or go to thehappyengineerpodcast.com. Tom, thanks again for making time for this. It’s been awesome.
[00:39:48] Tom Kirkham: Yeah. Thank you, Zach. Uh, I really enjoyed it. You do an excellent job, and, uh, just keep it up.