Podcasting: The Ultimate Pandemic Growth Tool, or How I Did it All Wrong

I have seen an uptick in new podcasts since COVID-19 forced us into our homes for an extended period. It isn’t just podcasting though – people have felt compelled to take advantage of the perceived extra free time to take up hobbies, complete housework, learn to play an instrument, perform spring cleaning, and other activities they have been putting on the back burner for years.

As some of you may know, I hosted a podcast for about two years about a very niche subject in information security. I knew very little about insider threat going into it, but I found that:

  1. The problem kept getting brought up in information security conversation, and
  2. There weren’t any podcasts already dedicated to it.

That was good enough for me, and when WannaCry had industry professionals around the world running in circles and flapping their arms, that sounded like as good a time as any to record my first episode.

When I began my journey as a podcaster, I knew almost nothing about it. All I had to compare against were the awesome podcast hosts who have both entertained and enlightened me for years. I wanted to be famous like them. I even wanted to have the option to make money from my content at some point. Podcasting was going to open doors for me and allow for my career to skyrocket very quickly… or so I thought.

Reality was quite the opposite. I spent far more on podcasting than I ever made. Even within the insider threat community and after spending several hours each week on my show, most people have never heard of it.

Podcasting became another job for me. I spent so much time researching and trying to provide content that people would find meaningful that I was burnt out. While it is true that my career and family life got much busier after about two years and I decided to stop making episodes, I was probably looking for an excuse at that point. It couldn’t have been very entertaining listening to me complain about my personal frustrations with the direction that the industry was going, anyway.

It wasn’t until later that I recognized the greatest benefit of podcasting – focused self-education.

Even though my motive for increasing my knowledge of insider threat and staying as current as possible about the subject was to “build my brand”, I can’t deny how much I learned between my preparations for that first episode and today (a year and a half after hanging up my microphone).

  • After doing plenty of research, I was able to develop a methodology for improving insider threat protections in an organization.
  • I was able to call out the big software manufacturers for sensationalizing malicious insiders (the overwhelming minority in insider threat incidents) and spreading an incorrect narrative.
  • With the help of several others, I created an Insider Threat Protection Framework that companies could use to implement insider threat security controls and reduce risk.
  • Perhaps most importantly, I met some awesome people within the cybersecurity industry.

What if there was a different motivation? What if I hadn’t cared about fame or fortune and I just spent time trying to learn about insider threat and sharing my findings with others? What if I didn’t care whether anyone listened or not?

I wouldn’t have to abide by anyone’s schedule, and I wouldn’t feel compelled to keep the show alive long after the interesting bits came and went.

If podcasting on a specific topic is approached from this mindset, it removes the hardest and most frustrating aspects. We don’t know how long this pandemic is going to last and so many podcasts (like mine) don’t come to a definitive conclusion before they “pod-fade”.

If you are going to start any of these new hobbies or activities, try doing it in a way that reduces work and stays fun. Design your projects so that they can be ended as soon as you are finished, and without any guilt or regret.

All for now.

4 Ways to Sell Security Expenses to Business Executives

One of the most challenging parts of being a security administrator is asking for more money, especially when it appears as though everything is working fine. The old adage comes to mind, “If it’s not broken, don’t fix it.”

Unfortunately, this philosophy can be disastrous in the security world. New technology acquisition is often much easier for the CIO than for the CISO for one simple reason: business executives like new, shiny toys. They don’t, however, like to invest in technology that they are unable to see and play with.

For this reason, you must always address new security capability procurements in business terms that executive management understands. In other words, you have to show them the money. The following are 4 ways of getting business-minded people to see the benefit of security expenses that they do not fully understand.

1. Create a “What If” Scenario: This suggestion is often the easiest, especially since most of the associated research has already been performed if you are an active and aware security professional. Compile a list of the most recent vulnerabilities and exploits, whether they pertain to your organization or not. Then, take the data from your business continuity and disaster recovery plans (hopefully they are up to date and accurate) to calculate the amount of money lost each day when information and information assets are not available. Many times this kind of scare is enough to continue the conversation.

2. Capitalize on Competition: Business executives are always trying to compare their business with similar organizations because they do not want to be driven out of the market. On that same note, they often enjoy a good story about their competition’s shortfalls. Find some similar organizations around the world that have suffered from security incidents, especially those that have lost a considerable amount of money. When you give this presentation and provide a solution, it can easily be seen as a win/win. Not only does it look like you are a better security professional than what the “other guys” have because it did not happen to your organization, but it also gives the executives an opportunity to make a decision that will give them a leg up on other members of the industry. Business people like to think that their company is an industry leader. All you have to do is give them an opportunity.

To put a cherry on top, it might be a good idea to reference the same profit loss data as in the previous suggestion when comparing against the competition.

3. Do Your Research: Nothing turns business people off more than speaking with someone who has no business sense. If you are unable to show a positive return on investment (ROI) for the procurement, they can feel like you have wasted their time. For this, make sure that you don’t just research solution capabilities, but also the associated costs. Another tip is to only suggest solutions that fulfill the current need, along with projected organizational growth and near-term future requirements. It is fine to go up a size or two when buying a winter coat for your child, but it might be a waste of money to splurge on an adult large that they will never grow into.

4. Role Identification: When all else fails and you are sure you are absolutely right, it might be a good idea to remind your executives that ultimately they are the information owners. You are doing your job by identifying the problems and presenting solutions, but it is their responsibility to approve or disapprove the security measures. It is also their responsibility to protect their information. If a security incident occurs that would have been avoided if they chose to approve your suggested investments, it won’t be your picture on the front page of the newspaper.

This is a bold step, but it has the possibility of getting your recommendation funded AND changing the way they look at the security of their organization’s information.

These 4 ways to sell security expenses to business executives could help you make your organization more secure, avoid security incidents, and ultimately keep your job. If you have any suggestions or additional tips for performing this task, please let me know in the comments section down below and I might add them to the list.

Read, Love, Comment, Share!

20 Thoughts of an American Who Cares

1. I think hard work and responsibility should be rewarded.
2. I think that there should be fewer programs for helping people without insurance, jobs, or homes because more likely than not it was their own poor life choices that put them in whatever situation they are in to begin with.

3. I think that if we eliminated or suspended these programs, it would force members of the next generation to make better decisions and plans for their lives.

4. I think the biggest problem in our country is not our government, but our national culture.
5. I think the jealousy that many lower and middle class Americans have for the “Rich” is absurd and discourages ambition.
6. I am not a Republican.
7. I am not a Democrat.
8. I think the two party system of government in our country causes much more harm than any one person ever could.
9. I want to see political candidates who are options because of their leadership abilities, not simply because their party thinks they are most likely to win.
10. I could certainly be wrong, and I welcome that possibility with the hope that whoever is right will succeed.
11. I think social programs should exist, but only after our culture has changed for the better. Otherwise, they will continue to be abused.
12. I think all government benefits should require voter registration, if not also participation.
13. I want change that works and I think that involves a swift kick in the rear for most Americans.
14. I think it is sad that many Americans don’t understand how percentages work when it comes to taxes.

15. I think “facts” I learn on TV are spin until proven to be truth through actual research.

16. I don’t tell my kids that everything will be okay because that won’t be the case if they make poor choices.

17. I don’t like that I am supposed to feel empowered by the fact that I went to public school and my parents didn’t pay for my education, yet my kids will likely be criticized for “having better opportunities”. Whatever happened to creating your own opportunities, like I was forced to do?

18. I am hopeful for my children’s future because I focus on teaching them how to be good, hardworking people. They will automatically have a leg up on their peers.
19. I am not raising good kids. I am creating responsible, successful adults who (with any luck) will care about their community, their country, their children, and the future enough to stay informed.

20. I am afraid that there aren’t many other Americans like me.