SecDataOps Emerging: Information Security Engineering & Architecture Data Trends
March 27, 2024
For the last 20+ years, the infosec community has sought to analyze more security data in order to ferret-out attackers earlier and more accurately. The result of these efforts is now data sprawl with security teams inundated with data of all sorts.
Thus, we need to get a better feel for how security teams handle all this data and how they address the challenges in managing it, adapting security processes to leverage it, and adopting tech in order to make the data usable.
Don’t forget about the cost impact of aggregating and analyzing all of this data!
00:00:23:08 - 00:00:51:15
Matt Eberhart
Hello, everyone. Hi. I'm Matt Eberhart from Query. Great to see everyone again. We've been trying a few different things with the series recently and I appreciate everyone's feedback and some of the feedback was to bring some more expertise to the table. And so I am super excited today to be joined by Mike Rothman, who I feel like probably needs no introduction, but I'm going to introduce him anyway.
00:00:51:15 - 00:00:54:16
Matt Eberhart
So Mike, great, great to see you.
00:00:54:18 - 00:00:56:16
Mike Rothman
Good to be here, my friend.
00:00:56:18 - 00:01:30:21
Matt Eberhart
So, Mike and I go way back. So we're both based in Atlanta. I would say we met in probably like 2001 all the way back in 2001, quite a while ago. But Mike has an incredible amount of security experience, both as a practitioner working at cybersecurity companies, doing research and serving as an analyst, founding a cloud security company, to building and delivering a lot of training.
00:01:30:23 - 00:01:58:03
Matt Eberhart
The list goes on and on. We only have 45 minutes, so I'll probably cut it there, but I’m really excited for the, for the conversation today. And I first met Mike when I was actually a customer of a company that he was working at and they asked me to do some webinars and some work with them. And Mike, you gave me some tremendous tips on just how to represent myself better, not talk so much, be a little more cautious.
00:01:58:04 - 00:01:59:17
Matt Eberhart
So I appreciate.
00:01:59:19 - 00:02:17:13
Mike Rothman
That. Well, if you learned something out of that, Matt, that's all good. So as you were going through that whole thing, the only thing that kept resonating in my head was, God, you're old. I mean, God, you know, I've known you for over 20 years and it's just like I've done this, that and the other thing.
00:02:17:13 - 00:02:37:02
Mike Rothman
It's like, man, I'm tired, right? That just makes me feel tired. You know, how much stuff we've done and really how the industry has changed. So I'm excited for the discussion to really kind of talk about, you know, the role of security data and how we get our arms around that and really just where a lot of the trends and directions in the market are going.
00:02:37:04 - 00:03:01:15
Matt Eberhart
Yeah. No, I think I think that that's great. And that's really what I was hoping to dig into today with you is you've been watching this movie for a long time. You've been seeing how security operations has evolved, both the technology, the process, our approach to people. And, you know, I think it's interesting. It's one of those stories that I feel like a lot has changed and nothing has changed.
00:03:01:17 - 00:03:24:03
Matt Eberhart
And so I'm curious, as we were as I was kind of thinking about where to start the conversation with you, I kept going back to the first time I think we like really professionally worked together. You had produced a study and this was back in like 2007 that looked at like the effectiveness of security logging from quite a few angles.
00:03:24:03 - 00:03:48:01
Matt Eberhart
It looked at the what logs to store, how to store them, what technology, what the process should look like, the jobs to be done around it. And I was I had a similar response to you. I'm like, wow, that 2007, that was a long time ago. But, you know, a lot has changed. But maybe nothing has changed. So I'm curious what how you remember that.
00:03:48:03 - 00:04:09:00
Mike Rothman
Yeah, you know, it's funny because back at that point in time, there was a lot of focus on like workplace factors, right? You know, kind of what are people doing? How are they spending their time? How do we optimize that? How do we really, you know, improve efficiency was kind of what a lot of the focus of that was.
00:04:09:00 - 00:04:29:22
Mike Rothman
So we started, you know, looking at basically the process of security monitoring. We didn’t call it that back then, just logging. Yeah, that but it was really kind of to decompose that process into all of its different fundamental aspects. So you could really get a sense of, you know, what what it was costing you and how do you really, you know, try to optimize that.
00:04:29:22 - 00:04:51:12
Mike Rothman
And obviously the company you were with at the time, they had a vested interest in trying to, you know, kind of discuss leverage and how much, you know, kind of aggregation and leverage, you know, really led to that. But but it is interesting that little nuance of, you know, everything is different, but it's still the same. And I really think that's the case.
00:04:51:12 - 00:05:12:08
Mike Rothman
Right. The blocking and tackling that we continue to have to do is pretty much the blocking and tackling. Yeah. Is there more stuff? You bet. Right. Is it just, you know, kind of distributed all over the place? 100%. Right. Cloud wasn't a thing back in in 2007 and now we've got data all over the place. But listen, at the end of the day, we got to understand what it is that we have.
00:05:12:13 - 00:05:45:24
Mike Rothman
We got to understand, you know, how it's being used. We got to understand, you know, when it's possibly being misused and we got to understand, you know, how to address some of those potential misuse types of activity. So the pieces on the playbooks have gotten more detailed. They've gotten, you know, bigger. But ultimately, the outcome that we were looking for has remained remarkably consistent, which is try to find the adversaries and the bad actors in your environment and try to do that before they make off with all your stuff.
00:05:46:01 - 00:06:20:01
Matt Eberhart
Yeah, exactly right. Like you said, it's gotten more complex. There's certainly more pieces and parts these days. But, you know, I think that there's something in there that I'll pull on a little bit. I think there's an element of hygiene underneath all of that, and we continue to see that those that are good, with the basics, as you said, that that serves you, serves very well, like if you're able to really, you know, do some of what seems like simple things, but they're often not simple because you have to do them across…
00:06:20:06 - 00:06:29:13
Matt Eberhart
…now this increasing amount of technology, increasing amount of complexity. So what do you what do you think about that when it pertains to security operations?
00:06:29:18 - 00:07:00:00
Mike Rothman
Well, you know, I can certainly tell you that it is a far more complicated environment today that we're dealing with. There's a lot of moving pieces, but more importantly, a lot of those pieces are not within our control. Right. So so this idea of monitoring, this idea of trying to get a handle on what's actually happening in your environment, even though it may not be something that you totally control, becomes absolutely paramount or I think you're just typical.
00:07:00:03 - 00:07:18:03
Mike Rothman
I mean, most enterprises of scale, right? You know, they're doing a whole bunch of Microsoft 365 now, whether they like it or not. So you've got a whole bunch of stuff which your most critical data is out there somewhere where you don't really know where it is. So you have to really think about, okay, what telemetry is available to me.
00:07:18:06 - 00:07:40:08
Mike Rothman
How do I and, you know, basically ingest it into whatever system of music, how do I figure out what's legit, what's not legit, What kind of rules do I put in place in order to make, you know, that kind of stuff happen a lot. And again, a lot of it just gets back to we have more things to manage, but what we're trying to do, continues to be again, remarkably consistent.
00:07:40:11 - 00:08:00:05
Mike Rothman
We just have to do it at much higher scale. And that's something that, you know, again, creates very significant challenges. And I really don't want to trivialize the fact that hygiene is manageable. Right? You know, I do a bunch of work with a company with about 15 people, you know, Now, that's what that's one of the places I spend a lot of my time.
00:08:00:08 - 00:08:34:13
Mike Rothman
And you know what? It's a hassle to enforce hygiene, you know, kind of to make sure everybody’s doing the right stuff. But it's manageable, right? If I got 15,000 or 150,000. Right. Those problems are totally different. So hygiene at scale is a lot harder analyzing all this data at scale is a lot harder. So, you know, the bigger you are, the more you have to really rely on that data, The more you have to rely on the tools and really the detections to understand what's really happening in your environment.
00:08:34:16 - 00:08:59:23
Mike Rothman
And that's really where we have moved the ball, right. Is it good enough? Of course not, right? But have we really made a lot of progress in terms of being able to aggregate data at scale? Yes, Analyze that data at scale. Yes. Provide, you know, again, consistency in terms of those policies and enforcement with some measure of operation…operations and automation.
00:09:00:02 - 00:09:19:01
Mike Rothman
Yes. Right? It's not still not good enough because the the adversaries continue to get better, the applications continue to do stuff. And by the way, the other thing that we all have to deal with is the fact that we still have users and they will continue to click on things regardless of what it is that we tell them not to do.
00:09:19:03 - 00:09:48:24
Matt Eberhart
Yeah, no, for sure. There's an interesting cycle that repeats in security and in a lot of industries where things get more and more complex as you're solving a problem, until it gets to a point where it's drastically simplified. And then that's often when you start to see significant adoption and really problems being solved, then I, I've actually been thinking about some, a series on how to simplify the complex and how those things happen, but we'll leave that for another day.
00:09:49:05 - 00:10:14:15
Matt Eberhart
You, you opened up an interesting door that I that I want to push open and you know, over the last five or maybe even ten years, I'm not very good at a sense of time these days. But nonetheless, there's been trends in the security market where it kind of felt like particularly from the marketing and conferences that the market was pushing toward, like one platform to rule them all.
00:10:14:17 - 00:10:36:14
Matt Eberhart
And, you know, I know I'm pretty close to the market in security ops. And so I may be seeing things that, you know, are starting to emerge, but it feels to me going and talking to lots of large enterprise and mid enterprise security teams that there's kind of this realization that security platforms are actually now almost like all around us.
00:10:36:14 - 00:10:55:24
Matt Eberhart
To your point earlier, you're going to have two or three at least a lot of people have more than that. You add in the I.T platforms and other platforms and it gets to be into the, you know, almost a dozen range. And so you said earlier like you've got to still be able to prevent, detect, respond, you've got to do the hygiene.
00:10:56:01 - 00:11:02:16
Matt Eberhart
How do you think about this emerging platform everywhere trend?
00:11:02:16 - 00:11:23:09
Mike Rothman
So so it's I think plural right. Platforms everywhere and that and that's the thing that you talk there. And I've got a network security platform and you know again, regardless of who you use, they've got enough different solutions that you know, they fancy themselves to be platforms. You've got an endpoint platform in terms of how do you deal with all those devices that you have.
00:11:23:09 - 00:11:57:00
Mike Rothman
You have a cloud platform in terms of actually probably multiple platforms, right? Because everybody's cloud. So and that's just three or four or five right there. Right. And that's not even getting into application layer stuff or database and platform as a service, you know, layer stuff. So you've got really things that are all over the place and and when you go into that kind of overwhelm the indication and really the inclination is to simplify it, shut it down, just put everything in one place and then I know where it is and I can, you know, start to analyze that.
00:11:57:03 - 00:12:20:13
Mike Rothman
And that works great until you get to scale, right? Then you start thinking about, wow, this is actually a lot of data. Holy smokes. I you know, and it's not even the compute to deal with all that data. It's the storage. Right. The storage of that data is going to kill you, you know, So and again, we have to start thinking about in terms of let's remember what the outcome is, right?
00:12:20:13 - 00:12:41:16
Mike Rothman
We need to be able to detect bad actors in our environment before they do damage. And we can have a response. We can know about it. But, you know, ultimately that's the crux of what the security professional has to do. And again, so then I got to start thinking, what's the most effective way to do that? A way to do that is to aggregate all this data.
00:12:41:19 - 00:13:08:01
Mike Rothman
But I think what we've proven is even though the back end data models can now support a massive amount of scale, just because you can doesn't mean you should. Yes, right. And again, and a lot of it just gets back to what am I really gaining from aggregating all this data besides a huge ass cloud storage bill, if you're using, you know, cloud storage from that front.
00:13:08:01 - 00:13:37:18
Mike Rothman
So it's really one of the interesting things about what you guys are doing. Matt, is really kind of challenging that assumption, which is can I get you to the outcome without having to actually move all of that data and its associated storage and transport and and, you know, really management costs around that. And I think that's really a question that everybody needs to start to ask, which is, yes, I've had this model since, you know, 2008.
00:13:37:18 - 00:13:52:21
Mike Rothman
Right. When early, you know, kind of ArcSight, you know, started showing up. You know, let's just put all the stuff there. And I think we really have to challenge that now because I don't think it's feasible to do that at scale, given all the different pieces that are there nowadays.
00:13:52:23 - 00:14:19:20
Matt Eberhart
Yeah, for sure. I mean, that's largely how we aim to query and the things that we're doing right, as we saw these pains around accessing, searching and understanding data that's all around us. And you know, we don't pretend to be, you know, a silver bullet or the one solution to rule them all, like there's still reasons when you might want to screen it, you might want to have some centralized data, you mentioned detections and things like that.
00:14:19:20 - 00:14:50:20
Matt Eberhart
So, yes, you know, absolutely. But the ability to be able to understand what's happening inside of all of these platforms and all the places that your data lives, like it's crazy how complex that's gotten. I mean, we've gone from security operators having to not only like understand all these different platforms that they have, but now, you know, they're being asked to learn SQL and KQL and all these other languages, like the list just keeps growing and growing and growing.
00:14:50:22 - 00:15:12:09
Mike Rothman
Yeah. At the end of the day, it's really a fairly fundamental idea, right? Your security practitioners are going to ask questions and they need to understand how they can get the answer to those questions right. And sometimes those questions can be answered because I've got all the data centralized and that's great. Sometimes you're not. So, you know, do I decentralize that data?
00:15:12:09 - 00:15:34:05
Mike Rothman
Do I federate that data? So these are the discussions that security architects really have to start thinking about because the way we're going, it ain't going to scale, right, is not to the degree that we need to. Everybody's running for the same thing. I don't care who your back end provider is, you're all getting challenged by finance in terms of, you know, how much money can we continue to spend on that stuff.
00:15:34:09 - 00:15:54:23
Mike Rothman
You're getting continually challenged by the responders and the ops folks in terms of I need better response time, I need more data in this thing. At some point you’re just like I can’t do it. Let me curate the data. Right. Well, that's just saying what you know, I'm going to minimize the amount of stuff I'm putting into the back end so I don't have that to analyze.
00:15:55:02 - 00:16:14:16
Mike Rothman
So the model at some point falls over, right? So the question is, what's there out of the ashes that to really rise? And again, I think that there's a lot to be said about, you know, kind of what Query is doing relative to, you know, on a federated search on that, because it's about the question, right. How do I answer that question?
00:16:14:16 - 00:16:29:08
Mike Rothman
Because there's going to be multiple data sources that I need in order to get a comprehensive, complete answer. You know, those specific questions. And again, I think that's what folks really need to be, you know, starting to think about.
00:16:29:10 - 00:16:48:18
Matt Eberhart
Well, thank you for that. The team here is very passionate about helping people get answers to their to their questions. You you said about being outcome driven. And we get the opportunity, which I tell you has just been so much fun the last couple of years. But we get the opportunity to work with some really forward thinking companies and their security programs.
00:16:48:18 - 00:17:12:11
Matt Eberhart
And one of the things that I've noticed that seems to be different about some of these security programs is that they are very mission driven when they're thinking about bringing in a new piece of technology or they're thinking about adopting a new platform or whatever it is really thinking through, like how and where are we going to use this and what problem does it really solve?
00:17:12:16 - 00:17:35:14
Matt Eberhart
Like almost the introduction of any new technology, including Query like changes the process around how teams work. And so really thinking through how all of that comes together I think is is is something that I've noticed that it seems like there's some maturity kind of coming in our industry around that, at least how some teams approach it. And I think that's a big step.
00:17:35:14 - 00:17:37:16
Matt Eberhart
And in a positive direction.
00:17:37:18 - 00:17:57:11
Mike Rothman
Yeah, you know, my my business partner Rich Mogull, you know, kind of says, you know, the future is here. It's just unevenly distributed. And I think he stole that from Heinlein or, you know, one of the sci fi authors. So I guess I shouldn't credit Rich with that because he he stole it from somebody. But it's true, right?
00:17:57:11 - 00:18:22:18
Mike Rothman
And the fact is, yes, there are some folks that really have taken what I'll call a playbook centric approach to their security ops, which is their design being how they want their environment to work. They're not just letting it happen. They're not just strapping the fire extinguisher to their back when they wake up in the morning and, you know, figure out what's on fire from from that standpoint.
00:18:22:20 - 00:18:45:06
Mike Rothman
So so they've got, you know, again, a perspective that this is how I want the environment to work. These are the specific triggers where this situation happens. This is where I want the, you know, set of activities to actually happen, you know, kind of on the back end of that. The I guess really the sad truth of that is, Matt? It's not enough people, right?
00:18:45:06 - 00:19:06:05
Mike Rothman
It's just not enough people. So most folks just, you know, kind of muddle through their day. They deal with the alerts as they come in. Not enough of them. Right. When something is proven to be an incident, all hell breaks loose and they get consumed by that and they wash, rinse and repeat because they're never able to get out ahead of that and be, you know, much more strategic from that perspective.
00:19:06:05 - 00:19:34:18
Mike Rothman
So, you know, this idea of building these playbooks, this idea of understanding the data, you need to trigger those playbooks. And the context that's required in order to truly remediate a lot of these activities. That's where it all becomes, you know, really kind of a codependent environment, because most folks are just like, hey, we throw the alert over to the SOC, the SOC’s got to deal with it, and then the responders go in there, you know, and I just wash my hands of it right Once the alert fires.
00:19:34:22 - 00:19:56:04
Mike Rothman
Well, no, Right. If you can't complete the swing, which is something that you tell me, you know, all the time, like we got to complete the swing. If you can't complete the swing in terms of really taking something from detection all the way through, you know, validation, you know, kind of response and then ultimately remediation, you know, you're no better off than you were before, right?
00:19:56:04 - 00:20:16:05
Mike Rothman
So all this stuff really kind of works together. But, you know, again, the good news is a lot of organization has pioneered how to do this. So it's not, you know, this mysterious, you know, kind of art of magic anymore, Right? I mean, we know how to do this. The question is just are you going to put forth the effort?
00:20:16:10 - 00:20:37:09
Mike Rothman
Do you take the time? Are you going to get the funding and really the attention internally? To, you know, turn your what had been a very reactive security operations environment to I'm not going to say proactive. Right. But once much more orchestrated is probably a better way to to to phrase that.
00:20:37:11 - 00:20:51:15
Matt Eberhart
Yeah. No I think that's great. That's great. Well in the interest of giving credit for stealing things, the complete the swing I stole from Kevin Haines, who joined us a couple of weeks ago on the show, so is one of my favorite Kevin sayings.
00:20:51:15 - 00:21:11:04
Mike Rothman
We all steal of them. We all steal from everybody, so we've got to be careful with attribution. But but I'm sure that is something, you know, all the years we've been friends, that's the one thing that I keep. You know, every time I think of all this stuff I've left on the floor half done, right, you know, just like Matt would, like, kick my butt on that one I do to just totally right.
00:21:11:06 - 00:21:37:09
Matt Eberhart
I love it. I love it. Well, so there's a couple of questions from the audience. They kind of push into the, into the combination of using data and A.I.. So before I get to the questions, I just I'll ask you AI and security. Do you think it's helpful or do you think it's hype? And I'll maybe put a little bit of parameters around how you answer.
00:21:37:09 - 00:21:55:20
Matt Eberhart
Like, I'd love to hear your thoughts on help or hype for like right now, you know, we're getting ready. A lot of us are getting ready to go to RSA, a fun game to go around the RSA showroom floor is to kind of figure out what the buzz word of the year is going to be. It's almost most certainly going to be AI and LLMs in particular this year.
00:21:55:22 - 00:22:02:00
Matt Eberhart
But I'm curious, like playing in right now, do you think it's help or hype and maybe into the future? What do you think?
00:22:02:04 - 00:22:26:21
Mike Rothman
Yeah, so the answer is yes, right? You know, for all of the above. But let's separate it out. Right. Machine learning…, That aspect of of AI has been something that has been prevalent within security products and security capabilities for 7 to 10 years, right? I mean, any kind of detection engine has been built and trained on, you know, kind of machine learning models.
00:22:26:21 - 00:22:47:18
Mike Rothman
And that's a form of A.I. really, where we get into, you know, kind of the interesting stuff is when we start talking about generative A.I., right? And the ability to, you know, take information, analyze that information, and then based upon how the model is being trained, you know, get some kind of answer to, again, a question that you're asking from that standpoint.
00:22:47:18 - 00:23:07:18
Mike Rothman
And I think that, you know, even today generative AI is having a significant impact on security operations in terms of just context. Right. I mean, how much time do we spend, you know, saying, hey, I got this specific error message, but what the hell does that mean, right? You know, I'll go Google it and then, you know, trying to read 50 crappy links.
00:23:07:18 - 00:23:40:03
Mike Rothman
And then before you find the thing that you that you really want, well, pump in that making an API call to, you know, your favorite LLM you know you end up with what's a reasonably decent, you know contextual answer to a lot of the stuff that shows up in our interfaces and that's available today. Right? You know, we're starting to see things like, like Microsoft Security Copilot show up and that's, you know, getting and analyzing some of the data, you know, kind of using that to develop some trends and give you a sense of of what's really happening.
00:23:40:07 - 00:24:09:14
Mike Rothman
And that is, you know, really scratching the surface. I know CrowdStrike has one that works as part of their platform as well. I forget what the hell they named it in LISA or something, you know, kind of cutesy like that, you know. So we're starting to see how generative A.I. is really going to streamline the process for experienced people and up-level the capabilities of not experienced people.
00:24:09:14 - 00:24:28:20
Mike Rothman
When we think about, you know, kind of the real impact that we need to happen in this environment of security operations, it really is both making sure that the folks that know what they're doing can do more of that and take the folks that don't really know what they're doing and up-level them to the point where they're somewhat functional.
00:24:29:00 - 00:24:43:10
Mike Rothman
Because we'd always make jokes, right. You know, if security folks are coming, but they're just awful at their job for the first four or five years, right? Because they just don't know enough. It's not how smart they are. It's not, you know, kind of the capabilities that they come with. It's not, you know, the training that they've had.
00:24:43:13 - 00:25:04:21
Mike Rothman
It's just the world of experience that you need in order to be an effective security professional. And if generative AI can really help us accelerate that process, it's going to be huge. Right. And that's not even talking about the ability to analyze, you know, large amounts of data and find patterns that, you know, you didn't know actually existed.
00:25:04:21 - 00:25:29:19
Mike Rothman
It's really just giving me some context of what's happening in my environment. Unbelievable. And as we move towards really this code based universe, right, where everything's in cloud, everything’s encoded, infrastructure’s encoded, all this other stuff, you know, the ability for generative AI to actually build code is going to make a huge difference. And I saw a demo of this at last year's RSA, right?
00:25:29:19 - 00:25:45:23
Mike Rothman
So a year ago I saw a demo of this one of the CSPMs or somebody had, you know, something where on alert things, it says, hey, you know, kind of click this button and you got code for how to remediate each of those issues on four or five different platforms.
00:25:46:00 - 00:25:46:07
Matt Eberhart
Yeah.
00:25:46:10 - 00:26:06:04
Mike Rothman
You know, a year ago, I'm like, my God, somebody is actually going to use that code run, right? But now a year later, you know, you're starting to see the effectiveness of, you know, kind of some of these tools and how they've matured a year from now. It's probably going to write decent code, right? Yeah, for sure.
00:26:06:06 - 00:26:20:11
Mike Rothman
Double check it, make sure it goes through a process, you know, QA it, run it through your pipeline as you need to, but at the end of the day, that's going to make such a huge difference in terms of how you do security ops, I mean, it's very exciting.
00:26:20:13 - 00:26:51:11
Matt Eberhart
I agree. I agree. I think if we borrow some of what we're seeing in the engineering world where the, you know, AI powered Copilots are really helping the skilled engineers do things faster, Right. Be more effective, be more efficient. Like I think we're seeing some some gains there. I think, you know, to your point, it is, you know, back to what we were talking about earlier with complexity becoming a cyber security analyst or operator, it's it's a it's a big lift like our CISO…
00:26:51:11 - 00:27:11:06
Matt Eberhart
…Neil Bridges runs a great community, Cyber Insecurity, and he helps people break in to the field. And I think that's one of the things that I have noticed that I'll hear people that he talks to that have done it. They've broken in to security and then they're going back and giving tips. They're almost always saying, you know, learn as much as you can be constantly alert.
00:27:11:07 - 00:27:13:24
Matt Eberhart
Like it's just it's it's a lot. And so I do think.
00:27:14:00 - 00:27:30:21
Mike Rothman
I, I love the fact to use the term break in because it just reminds me like somebody okay I broke into the security and you're like, crap, do I even want to really be here? And the cops are about to come here and I'm just like, you know, it's just like it's really apropos because a lot of folks think, my God, it's, you know, it's it's great.
00:27:30:21 - 00:27:36:06
Mike Rothman
And there's so many jobs and all this other stuff. And then they get here and they're like, What have I gotten myself into?
00:27:36:09 - 00:27:45:19
Matt Eberhart
But I mean, it's a tough it's a tough industry, I would say you can tell. I mean, Mike's only 32 years old and it's so hard that his hair is all white.
00:27:45:21 - 00:27:53:07
Mike Rothman
So unfortunately, I have t shirts that are 32 years old that pay for it. You know.
00:27:53:09 - 00:28:20:04
Matt Eberhart
So I will I'll pivot to to you open the door to this. And I go in in a slightly different direction because I do think this is an interesting topic. Like, you know, if you think about the imagery associated with our industry, like there are lots of hoodies and kind of hacker images for a while and, you know, now when I see a lot of people talking about security, I even saw something on CNBC the other day.
00:28:20:10 - 00:28:45:04
Matt Eberhart
They were basically representing the entirety of the security industry is like super stressed out, like just like everybody was one step away from having to pay a Bitcoin ransom and, you know, losing their mind. And so I think there is a lot of stress in cyber. But, you know, I think as I've worked with you over the years, I mean, I kind of remember you as being more stressed out years ago.
00:28:45:04 - 00:28:58:14
Matt Eberhart
Like you you're you're kind of like my picture of Zen these days. So I'm curious, what do you think about managing stress and cyber and maybe how do you maybe you share a little on how you do it personally and how you see the trends in the industry now?
00:28:58:16 - 00:29:19:05
Mike Rothman
One, not having an operational job anymore really helps. So I'll I'll I'll say that now. Obviously that's not an option for for everybody from that perspective. So I'll be honest with you. Right. You know, kind of probably, you know, I guess it was close to 10, 12 years ago at this point. I personally got to the breaking point.
00:29:19:05 - 00:29:43:00
Mike Rothman
I was just, you know, just very, very unhappy in everything that I was doing. I was questioning all of the decisions that I'd made. You know, throughout my life. I was really leaving no stone unturned. And I'll say and this may sound trite and it may sound, you know, just kind of recycled because it's been, you know, the subject of a lot of discussion.
00:29:43:02 - 00:30:05:11
Mike Rothman
But I'll tell you, a mindfulness practice made all the world of difference to me. Right? And actually, in 2014, signed a colleague of mine named Jennifer Manila. We did a presentation at the RSA conference that way about we called it neuro, you know, kind of science and, you know, really how to get on top of it. Burnout, you know, within the security environment.
00:30:05:11 - 00:30:21:07
Mike Rothman
And a lot of it got back to, you know, basic, you know, fair, mindful practice. And I don't care what they are, right? If you want to sit on a on a on a pillow for, you know, 10 minutes or 15 minutes or 20 minutes today, that's great. If it's being out in nature, taking a walk and just, you know, kind of shut things down, that's fine.
00:30:21:10 - 00:30:40:24
Mike Rothman
I mean, nowadays I become a big, you know, kind of indoor rower. So I sit on my rower for 45 minutes. I don't have podcasts on. I don't I just hear the swish swish swish of of kind of the water. And that's my, you know, kind of a personal meditation now. But it's it what it does is it gives you the ability to separate from the environment, right.
00:30:40:24 - 00:31:02:13
Mike Rothman
And when you're in the fight every day, right, when you're you know, kind of again, the to do list, you can't possibly get through and then somebody goes, it screws something up, and then you're in a response situation. You're working all weekend and late at night. And and if you can't separate out from that situation, you just consume yourself, right?
00:31:02:13 - 00:31:23:08
Mike Rothman
So it's really critical that you have whatever practice it is that you you have go to the gym, right? Go for a run. I don't care. It doesn't matter. The specifics don't matter. The fact that you have and you take time for yourself and you protect that time. Because I'll tell you, regardless of what you do in security, it's going to consume you.
00:31:23:08 - 00:31:40:05
Mike Rothman
And you can work 20 hours a day if you want to, and only 4 hours a day, because I'm assuming you need to sleep at some point, right? If you if you don't, it'll take that too. Right. So you have to build in to your, you know, kind of work flow and your day to day activity time for yourself.
00:31:40:10 - 00:32:10:05
Mike Rothman
Because if you don't, you will not last long in this business and you'll, you know, kind of say they're all crazy. I don't understand how these people do it. Well, they do it because they're able to take a step back and not kind of totally identify themselves with the situation. And, you know, when you start taking it personally, because some knucklehead clicks on the wrong thing and ends up, you know, kind of inflicting, you know, some type of incident and situation in your environment, you start taking that stuff personally.
00:32:10:05 - 00:32:13:03
Mike Rothman
And and again, there's there's no winning that game.
00:32:13:04 - 00:32:19:02
Matt Eberhart
It really feels like that always happens at 4:00 on a Friday. Doesn't it? I don't know. Yeah, I.
00:32:19:02 - 00:32:34:05
Mike Rothman
Bet it's usually, you know, two in the afternoon on a Sunday of a holiday weekend. So Yeah, exactly. That's a lovely. Evidently the adversaries are bad actors don't take out kind of Labor Day or Memorial Day or any of those other, you know, holidays that we really enjoy. You know, the nerve of them.
00:32:34:07 - 00:32:55:09
Matt Eberhart
That's right. That's right. Well, I know I, I have been able to attend a number of your sessions over the years. And that one you're talking about RSA for, I think you said 2014. I was that taught me a lot. And I know a lot of people in the industry, in fact I was talking to one literally this morning that referenced that as kind of a turning point for them.
00:32:55:09 - 00:33:22:22
Matt Eberhart
So you've contributed a lot over the years. But I think it's not just on technical and architecture, it's, you know, taking care of each other and taking care of each other starts with taking care of yourself. Right. So, yeah. Thank you. Thank you for that. Well, this has been great, Mike. I really I really appreciate it. I will say, you know, I'm a big believer in having what I call a personal board of advisors or personal, you know, board of directors.
00:33:22:22 - 00:33:43:06
Matt Eberhart
And you're definitely have been one for me for many years. You definitely help keep me sane. You talked me off the ledge. I love that you push on me when I am not doing or thinking about things right. So thank you very much for that. Thank you for all your contributions to the industry. And it was really great and a lot of fun to talk to you today.
00:33:43:08 - 00:34:00:00
Mike Rothman
I'm flattered, but, you know, I do have to say I learn from every interaction that I have. So it really is a two way street. And yeah, I'm an old guy and I've been there, done that, screwed it up, have, you know, 40 T-shirts that tell me how I’ve, you know, screwed all this stuff up. But that's really what it is.
00:34:00:00 - 00:34:20:17
Mike Rothman
It's resilience, right? It's the ability to make mistakes, to move forward and to learn from that. And that's the message I try to impart to my kids. That's the message I try to impart to, you know, all the people that I've been, you know, again, gracious and grateful enough to to work with. And that's how I try to live my own life.
00:34:20:19 - 00:34:42:03
Mike Rothman
Right? So, security is a game that you can't win ultimately, right? It it's like going to the casino and thinking that you're going to win every single time, it just doesn't work that way, right? Security. So so what you have to do is really kind of get your arms around the reality that it is about doing the best you can with what you have at this given time.
00:34:42:05 - 00:34:59:22
Mike Rothman
Learning from what doesn’t go right and moving forward. It's it's really as simple as that. And again, it took me decades to figure that out, you know, kind of in my career. So if anybody out there can get a little bit of a value from from that, then then my work is done.
00:34:59:24 - 00:35:18:05
Matt Eberhart
No, it's great. I mean, well said. Right? I mean, resilience and adaptability. I mean, that's kind of what it's all about. And I'd say, you know, the last five years or so, it certainly has has has taught me a lot about resilience and adaptability and, you know, trying to just get a little bit better each and every day.
00:35:18:06 - 00:35:30:15
Matt Eberhart
You can get just a little bit better and it adds up. So. Well, thank you very much, Mike. Really appreciate that. We will post the link. I think that the RSA talk that you mentioned, I think it's on YouTube.
00:35:30:21 - 00:35:34:03
Mike Rothman
It is. It is. I'll get I'll get you to link if you don't have it, because I.
00:35:34:04 - 00:35:44:23
Matt Eberhart
We’ll post it on the Query website. Is it? It really is. It's a great one on that. We'll post it on the Query LinkedIn page. So awesome. Well, thank you, Mike. Appreciate it. Thank you, everyone. See you later.