Simplifying Cyber

AI & Cybersecurity: Balancing Risk & Innovation

Aaron Pritz, Cody Rivers Season 2 Episode 12

This week on Simplifying Cyber, Aaron Pritz and Cody Rivers sit down with Jax Scott — combat veteran, podcast host (Two Cyber Chicks), and VP of Cybersecurity at Pearson — for a conversation that’s equal parts leadership, risk reality, and “why is everyone still confused about BISOs?”

Jax shares her unconventional path into cybersecurity (perfume sales → special operations → NATO cyber strategy → Mandiant → Capital One → consulting → Pearson), then breaks down what BISOs/CISOs do when done right:

  • The “single point of contact” that connects business teams to security outcomes
  • Why risk management is the glue
  • Why the best security leaders aren’t always the most technical (and how technical instincts can backfire)

Then we go headfirst into the AI debate:

  • Where automation helps most in compliance (evidence collection, mapping, reducing manual slog)
  • Where humans stay essential (judgment calls, accountability, trust-building)
  • The uncomfortable truth: if we outsource all thinking to AI, we may literally get worse at thinking

We wrap with practical guidance on:

  • Handling volatile regulatory changes (like DR/IR requirements) with flexible plans + frequent testing
  • The reality of CMMC: why it’s not “new,” why enforcement matters, and why last-minute scrambles burn everyone out
  • How to lead teams through chaos with transparency, empathy, and real talk

And finally: Jax drops a fun fact that honestly explains a lot about her calm energy.

Listen now wherever you get your podcasts.

Key topics covered

  • What a BISO/VISO is (and how to explain it to non-security leaders)
  • Critical thinking + EQ as security superpowers
  • AI in compliance/GRC: automate the boring, keep the human judgment
  • IR/DR planning for shifting rules and requirements
  • CMMC realities for the defense industrial base
  • Leadership during change fatigue

🔗 Connect with Us & Get in Touch

Tune in to Simplifying Cyber wherever you get your podcasts, or watch exclusive video content right here on the channel. Subscribe for hot takes on emerging technologies, tips and tricks for everyone looking to stay secure, and in-depth conversations about complex cybersecurity topics.

No gatekeeping and no BS. We’re here to simplify.

Official Website: www.revealrisk.com

LinkedIn: https://www.linkedin.com/company/reveal-risk


Reveal Risk delivers cybersecurity results, not just reports.

SPEAKER_02:

Welcome back to Simplifying Cyber. I'm Aaron Pritz. And I'm Cody Rivers. And this week we're joined by combat veteran and vice president of cybersecurity at Pearson. Welcome to the show, Jax Scott.

SPEAKER_00:

Thank you, Aaron. Thank you, Cody. Excited to be here. Glad that Browan finally got us all wrangled in together. I know it was like a couple of attempts to get us all at the same time.

SPEAKER_02:

Absolutely. We're excited. And I don't want to steal any of your thunder. So I'd just love to, you know, combat veteran. You do a lot on social media. You have a podcast, uh, Two Cyber Chicks. So I'd love to just kind of hear your story and get us oriented to the Jax story, and then we'll dive right into a few cool topics.

SPEAKER_00:

Yeah. So the other day, funny. So Saturday, it was like last weekend. I was hanging out with some new friends. I just recently moved to North Carolina for work, been here about a year, and I forget how unique my story is. Like somebody, this woman, she's just floating in the pool. She's a retired attorney, and she's like, Have you always been in technology? And I was like, No. And she's like, okay, so explain. And then I'm like, wow, how do I explain the journey? And so I just gave her kind of high-level points. I'm like, well, initially I had my own business at like 19 years old. I sold perfume. Then I joined the military when I was like 20 years old. I then went into special operations. That's when I got into like doing actual um intelligence and electronic warfare operations. But my job at the time was IT, but I never actually really did per se IT in the conventional way.

SPEAKER_02:

Was that what was on the office door to kind of be behind the cloak? Yeah. Yeah.

SPEAKER_00:

SOF is really unique. Special ops is really unique. They don't, what I loved about it, because I got out a few years ago, is that you may have a particular job that you go to like school for, but if they know that you're specialized in other things, maybe you're studying AI on the side, or maybe you're an electrical engineer, whatever that is, they're going to utilize those skills when you're on deployment. And that's what makes them so unique. Yeah, they want to really utilize the person and who you are. So I started doing electronic warfare, doing all these things while at the same time I had my own defense contracting firm and I had my own firearms license. And I was running like a, and we'll probably talk about this. Like I had a company in the defense industrial base. And so I had a defense firm, but I still wasn't really in cybersecurity.

SPEAKER_01:

Yeah.

SPEAKER_00:

I didn't actually break into like cybersecurity until 2019. So like fast forwarding, I got picked up for mobilization with the special ops to support this mission. It's called Atlantic Resolve. And you go out and you support like the European mission and create alliances. And at that time, we didn't have the Ukraine war happening. And you couldn't really do electronic warfare in that country because you didn't have the appropriate permissions and authority. So they were like, well, you need to figure something else out. So I was like, well, I guess I'll do this thing cyber because I had an understanding of technology. I'd been in IT for about a decade and a half at that time. So I started researching and I started realizing that there was this whole world of cybersecurity. And at that point, I started doing because I was in country. I'm like, what can I do? So I started doing strategy, cyber strategy with NATO and other NATO partners and really helping them build out what that looked like. But then I started leveraging my Intel background and I started falling into OSINT. And then from there, I landed my first job working for Mandiant. And it really took off from there. I started, I got my master's. That's when I really dove into writing a book about it because I was just hungry to learn. So pretty much from like 19 to where I'm at today, I went from like Mandiant. I worked at Capital One in a SOC for a while. I then worked as a consultant for a couple of years. And if you guys have worked as consultants, that is like a fire hose of just learning. And then from there, I got the opportunity to become the VP at Pearson to run the business information security team. And essentially we're composed of VISOs. If you're familiar with BISOs, like many VISOs, yeah, business information security officers. So I have these like highly technical people, and we sit in security, but we work within all of the divisions in the various different businesses.
So it's been a literal whirlwind to get to where I'm at. And I never once thought, oh, I want to do cybersecurity. Like it wasn't like a dream to get here, but it was something that I just kept getting pulled into. And then I finally was like, I should really like see what's in this space. And then my curiosity opened up in 2019. Yeah.

SPEAKER_02:

I love that. Wow. And I would love to know. Uh, and actually, this is not a topic we were planning to talk about, but BISOs um have been around for a bit. And I've seen, especially on the consulting side of the table, after you know, 17 plus years on the corporate side, there's so many different versions of what BISO means to a company. So as you lead that group, I'm curious like, how do you define that? How do you get to business value and how do you help your group uh really conquer each department or function that they represent?

SPEAKER_00:

Such a great question because this has been my like lifeblood for the last year and a half working at Pearson. It literally, when I first got there, we were called posture management, which is a term coined by Microsoft. Yeah. And it's to manage the posture of your organization, the technology posture, the security posture. But a lot of people didn't. That's exactly what people looked at. They were like, is this yoga? Like it's to write then I'm like, I have to rebrand. So I realized you guys are BISOs. This is essentially what you're doing. And so to your question of like, how did I like really communicate that? It's been a journey. It started with road shows. Um, but as you guys are both aware, you can say the same words to one group of people and say the same thing to another group of people and they're not gonna understand it. So it's been a journey again. Um, but what I will say is I've learned a lot as far as what I say and then what my team does. And so teaching my team what the role of a BISO is is really critical. But then the communication piece was around using things that they know, like technology PM. That's one thing I use, or I say mini CISO. Like these individuals are mini CISOs. They're not doing the work, but they're managing the work. Technical PMs also. Um, I don't love that, but that sometimes can get them connected. But I think where it really started to shift and change is where I started refreshing my team with new talent and then getting my team to think differently, reframing themselves in the role. I actually had them read a book too to help them understand what it was to be a leader. Because I think as a BISO, you need to understand you have authority in that role. And even if you're a senior manager, your authority is as a BISO. And it's getting in there and learning how to develop those relationships. And I think once the team started really truly understanding and grasping that, I can talk till I'm blue in the face. 
But if they're not operating at that level, that was the challenge. And then they started operating at that level and have been. And now it's starting to finally shift and people are starting to understand how to use BISOs. And essentially they're a single point of contact. That's what I explain. There's a single point of contact for you all, if you're at the business level, to go to a BISO, if you have any challenges with, say, compliance or a new regulation coming out, you essentially can come to the BISO and say, hey, I've got this. What do I do? Help me. They, and they're the glue. They don't do the work, but they connect you with the people, they get things going, they get the ball going, and they make sure things get implemented on time, processes are in place, and they problem solve for you essentially.

SPEAKER_02:

Yeah, I'm curious. When you rebuilt the team, or you mentioned up front that there's a lot of technical people and technical PMs, did you diversify that skill set? Because I think at the BISO level, sometimes in general in cybersecurity, historically uh individuals have come up through infrastructure or tech. And I think we've started to see more diversity of thought and all sorts of uh types. But like some of the best BISOs that I recruited came from business areas and they fell in love with security. And actually, I was just talking with one of them a couple weeks ago that was probably one of the more successful ones that just really understood the business, but got into topics like infoclass and you know, secure handling and insider threat. So curious on your thoughts on that and what makes a good BISO.

SPEAKER_00:

Nailing it, Aaron. Uh just this week, I think it was this week or this last week, everything kind of blends together. I was having a conversation with one of my VISOs, I'm mentoring. He is a technical individual. And so his first response when something happens is, I'm gonna go fix it. Versus, I'm gonna train them, I'm gonna teach them, they're gonna fix it, I'm gonna provide oversight. And he and I were talking, and I said, you know what the challenge is here is that you know how to fix it. If you and I were in a different role, I wouldn't know how to fix it. So I would have to leverage connecting people, talking to people, getting this, like uh managing this uh better, more effectively as a BISO, because you don't have to be technical. You need to understand security. Primarily, you really need to understand risk management because that's one of the big primary roles of a BISO is understanding risk management because that glues everything together. But what I've noticed is that when they're technical, their first instinct is immediately to go and fix it. But when you're not technical, you have to problem solve. And so I think one of the most critical skills for a BISO to have is critical thinking. Interpersonal skills are great, but you've got to be a critical thinker. You've got to be able to problem solve, you've got to be able to ask the right questions to be able to drive things and get them done on time and effectively and essentially be that enabler for that business. Yeah.

SPEAKER_02:

Oh, that's great.

SPEAKER_03:

Yeah, I agree. I was technically Aaron this maybe, but I was at a uh it's like kind of like meetup group where it was a PE firm that was in town and asking questions of some local leaders. And I mentioned BISO just in like passing, and they were like, well, hold on, wait, what was that? What is a BISO? While we know it, I didn't realize that it's still not a very common thing outside of like large enterprise. And this is like mid-market and maybe some of the SMB type stuff. But to your point, I think you said posture management and technical PM, but I think even as we know BISO and it matures, it's still relatively new to a lot of markets outside of large enterprise.

SPEAKER_02:

Yeah. So maybe let's double click on kind of you mentioned the soft skills, the critical thinking. Um, what about emotional intelligence and kind of that versus data and technical claims? Both are important in winning over decision makers. But when you're dealing with the business as a BISO or maybe broaden it as a cyber leader, what are some of the skills that our listeners can um pick up that maybe aren't in their conventional tool belt?

SPEAKER_00:

Yeah, one thing I've noticed working with because I mean I've got an individual. Um, I think he's been doing cybersecurity for 50 years. So like I don't have any Gen Z on my team because for BISOs you've got to have at least a good amount of experience, eight to 10 years, preferably. Like I'd need you in the it's not an entry-level role typically. Um I know they're doing like junior BISO roles now. So what I have found is that you get these individuals that have really high IQs, but their EQ is maybe not as high. And one of the key things that I've seen challenges with is being able to understand the business unit situation. I think as security leaders, I think it's important to have empathy and understanding of what the business unit is trying to strive and do and not just mandate things to get done. Now, I understand there's frustration when you ask for something, you ask for certain plans, DR plans, or these things to get done, and there's a policy and it hasn't been done, and you've told them and they've given them time. Like that's a whole other thing. I think to be successful, you've got to develop relationships, be empathetic, be understanding and ask questions, hold space. And one of the things I actually told one of my BISOs today, who was having a challenge with um somebody else in security, but they were trying to do something that would impact a business. I said, let's not try to be right, let's try to win. And your role is to consult. Like on the RACI chart, we are the C's. We are there to consult and to guide. If somebody wants to push back and still do something else, that's fine. We recognize that we'll support it. They will own the risk. We will let them know there's a risk. We will provide the guidance, and then we will sit back. And then if it goes awry and it turns into a disaster, we will be there to help guide you. But I feel like in my team, you get these technical experts who are like, but that's not right. 
It needs to be done this way. It's very black and white. Why isn't this done? And it's trying to get them to shift their mindset to more of like a consultant mindset, like a helper. Let me be there to help you, let me guide you, but I'm not doing the work.

SPEAKER_02:

I formulated a catchphrase when I was in my second role in my career in corporate audit. And it sounds boring, but I got to travel the world, loved it. Cultural learning. But the phrase was you, and obviously in audit, you're finding problems, right? You're not there to suggest things. You have to be independent from that. So there's an angle of the job that I really enjoy what I'm doing now versus that. But the phrase that I kind of was using a lot is you can do anything in business pretty much that you want, as long as you have the right control. So I think Jax, as you're talking about finding the right way to the answer, there's always a way to the answer. It just might not be the first thing that comes to mind or the way that has zero control that they don't want to do.

SPEAKER_03:

Yeah. So also, Jax, I want to hear your opinion on this here. Thinking of BISOs and large enterprise, but for those who don't have a BISO, haven't gotten to that level yet, what are like some like practical tweaks that can help reframe security spend from like pure cost to tangible business value? So the BISO does that. That's kind of their inherent role. But without that, what are some like practical tweaks you think that CISOs and um infosec leaders can use there?

SPEAKER_00:

I mean, one of the first things that comes to my mind for spend, because I know this is what we're pushing, a lot of organizations are pushing this right now, is leaning into and learning agentic AI. Like it's becoming one of our OKRs for next year.

SPEAKER_01:

Yep.

SPEAKER_00:

And one of our goals this year is, and I think this can be done at any size, is like we're trying to bring in more resources by people that we maybe have in roles that we can either upskill, move on, shift around, and then bring in additional personnel because we've been able to replace those roles by streamlining the process, by bringing in agentic AI to help streamline what we're doing. I think that is imperative for organizations to lean into this. Like if you haven't already started leveraging and understanding AI agents, you're already behind. So I think that is a really critical point for the budget piece. Um, and you asked another point, and I should have written it down, but I forgot it. What was the other point of that?

SPEAKER_03:

Just like kind of practical tweaks there. So like I think sometimes, you know, the BISO's job is to learn the business. And I think sometimes in InfoSec, there's not that connection. So for those who don't have a BISO, what are some other tweaks to help reframe just security spend to kind of tangible business value?

SPEAKER_00:

Um, that's a good question. For and I'm like thinking from the smaller business side, I think it's relationship driven. I think that especially from the smaller side, take the time to meet regularly. Like we meet once a month with the CTOs, which are the risk owners of each of the divisions. I mean, Pearson's uh 180 years old. We're massive. We are so unbelievably massive with all the businesses that we have. So once a month we meet with them, uh, we understand their space. So I think for a smaller business, understand those risks, meet with your stakeholders, provide them maybe a monthly bi-weekly call where you go over what is their spend, what do they have something that we've been doing is fraud transactions. That's a huge area that's being impacted. Maybe you're having that, meet with your stakeholders. How can you put in maybe AWS uh tools and controls in place to help draw down some of that expenditure, identify their findings, meet with them, give them plans, next steps on how they can address those. All those things are a cost. So if you can help them reduce their overhead while also supporting them in the business, that's a win-win. That's essentially, like you said, that's essentially what the BISOs do on a regular basis. We meet with them, we show them what their risk base is. I think risk, um, risk management and risk assessment is a critical piece to this because you have to understand the environment. And through that, I think mitigations, um, using, oh, using native tools, that's another thing that you can do. A lot of times you try to buy tools externally. Stop and take a moment and look at what you already have in your environment. Yes. Um, see what you have and be able to either use the free tools that you have. I found out just yesterday um, because I'm helping stand up a fraud program, is that AWS has a native tool to help with some fraud transactions. 
We're multi-cloud, so that won't entirely fix our problem, but maybe that'll help offset some of the costs. And that's what smaller organizations can do. So look at what tools you're using now. Microsoft has a ton of security features that people don't know about. See how you can expand on those versus just bringing in another vendor.

SPEAKER_03:

Yeah. Well, and kind of in that same vein. I mean, you mentioned, you know, AI earlier, which is obviously like on everyone's mind or should be. But like as you have a lot of, you know, as AI tools kind of flood this GRC space. Um, how do you decide which compliance processes should be automated versus those that should remain human-led?

SPEAKER_02:

Where on the hype curve are you, Jax?

SPEAKER_00:

Yeah, that's oh my gosh. Erica's gonna love this. My co-host of uh Two Cyber Chicks, because we literally talked about this, she and I, in one of our episodes, um, and she's like anti-AI completely. Um where I'm like on the fence. Yeah, she's like anti as far as like doing reports and stuff, completely anti. Are you guys for it a little bit? Like automatically.

SPEAKER_02:

We're leaning in, we're leaning in. And yeah, and to me, as cyber practitioners, like the business is gonna go with or without you. And the few comp you know, probably the far too many companies that are just blocking it, it's just squishing the problem somewhere else to a mobile device or whatever. So I don't think any cyber practitioner has the I mean, you can avoid it, but um to me, you want to understand it, even if you still think it's scary. Like, what can you do to enable something in a non-scary way that will help you ease those concerns? And then back to my young Aaron catchphrase of like you can do anything in business you want with the right controls. Let's figure out those controls. We have to.

SPEAKER_03:

Yeah. Lauren, my thing is like you know, spaghetti against the wall, throw it and see what sticks, because otherwise I don't want to burn cycles on it if it's not valuable. But it's almost like chicken or egg, right? I gotta see what's valuable first, and then if it's valuable, is it worth the controls around it? But then sometimes you gotta have some controls to Aaron's point to then test the value. But I'm very aggressive on it. Not so much that I think it should be everywhere, but I think we gotta kind of test and see where it's valuable and where it is, focus there, hit those points where it's not, let it sit for a couple of years until it matures or someone else establishes a value. But I mean, to Aaron's point, I think it's gonna go there regardless. I think you mentioned earlier, if you're not looking into it, you're behind. But um there is that like kind of testing ground, what's a safe testing ground? And we see a lot of clients right now that have like massive POC environments and they're just like almost backlogged because I think to your other point about looking at all the tools. I often see people that don't define success up front. So then when they get in these demos, they're sold by anything because it's like, well, I had two problems, I got in the demo, and now I'm gonna go solve 15 problems. And you're like, well, but you forgot you set out to solve two.

SPEAKER_02:

So Jax is a fellow podcast co-host. I love how you turned that question around on Cody and me to see what we were feeling. Love it. Yeah, you guys like that. But let's turn it back, and then I want to come back to what Cody just brought up with the vendors kind of overselling their capabilities because that's a whole different stream of thought that we need to unpack.

SPEAKER_00:

The whole can of worms. Um, okay, so AI at a high level, it's an enabler and a risk. You know, I think the things, I think you should automate some of it. Like the initial mapping, the initial uh when you're initially going into an environment and you need to initially map, get the evidence collection, things like that. I think you can automate that process because that's so manual. Oh my God, depending on the size of the organization. I remember doing assessments, it just took, I mean, weeks sometimes to get all of the evidence. If you could automate that, like even to automate and get it into folders to be able to sort where the policies, where this, where that, that would be immensely helpful. Um, I think that can be automated. I think that you need the human element when you're getting into the intrinsic information that is about the business that I don't know that AI can really dig into yet. I do think that we're gonna get into a space in the next three to five years after we've tweaked these machine models, uh, because it's just too new right now. I think we can get there, but I don't think like judgment calls should be. I think you need to have a human there to be able to look through what those final scores are. Um, I think that you need to have it for ethics and accountability still. I think that may never go away because that would be scary if we have machines running all of this and we've just negated that portion. Uh, and then back to, I think there's that element. I was actually talking to a friend about this today of like the human element. If we let machines do everything, you're not gonna have that um relationship building that you get when you're doing these assessments. And I think people forget about that. They're very laborious, but there's also a lot of uh relationships that you get trust in the like being able to build trust with the regulators and the auditors, even though internal audit can be a pain sometimes. 
You build relationships through doing these assessments, through reviewing them, um, working with the business leaders to address them. So I think that's also part of it as well.

SPEAKER_03:

Yeah, what about so beyond the relationship, what about the education piece? I mean, how much education is required and like knowing the back end logic, so you can automate a lot of things. And I think we're kind of in that void of like, we still did the manual way, and this what may sound like I'm when I was a kid, you know, type thing. But you know, to your point about like it's automated, but then the logic and evolving and educating in the relationship, you lose that part, you kind of become stuck and siloed, and then you don't have the ability to kind of mature it because you're kind of relying on a machine or AI to do too much of the work.

SPEAKER_02:

Are you saying we're gonna all become dumber and dumber? I think that's a good thing. Yes, they're proving that.

SPEAKER_00:

They're proving that. Have you all read the MIT article that came out?

SPEAKER_02:

I have not. Oh my gosh. So there was the one on 95% of corporate AI projects, the big ones are failures, but then the byline was like all the skunk work stuff is like blowing up and successful.

SPEAKER_00:

Was there another one on the becoming dumber by so like, yeah, and I just read it and then I watched a podcast. So I'll give you like the wavelength of it. Essentially, they did the report and they had, I think it was 50 plus people were in this uh research study, and one group couldn't have any tools. One could have Google, one had an AI, and they tested your brain and how it functioned, depending on what you were supposed to do. You're supposed to write a report, essentially. What they noticed is the individuals that didn't have any tools, they just had books and stuff, their brains lit up, their critical thinking was so engaged. When they went to Google, it was still there, but it dropped substantially, but it was still there. Um, and then the third one, it was not present at all. Not at all. Um, and then the other thing that they found out is when they asked them, hey, can you tell us about what you wrote? The people that wrote the ChatGPT stuff felt disconnected, couldn't remember what they wrote, didn't even feel like it was part of them. And the people that didn't have any tools at all could like cite their research, cite their paper. So it's like if we automate everything, we are essentially becoming dumber. We are becoming dumber because now we're not critically thinking in the ways that we need to.

SPEAKER_02:

I just watched so maybe it's like everything else in life, it's a balance. How do we find that balance between pushing ourselves further? Just like the internet when it first came out, right? Like, oh, well, you can get all your answers on the internet, you're not going to the encyclopedia. Who has encyclopedias now? We've evolved.

SPEAKER_03:

Yeah, well, the other day I watched with my seven-year-old, I watched uh WALL-E on Disney. Yeah, man, in the end of WALL-E, it's like you see like these like humans on this like planet and they're fully automated. Like they get carried, they get everything's food.

SPEAKER_02:

It is.

SPEAKER_03:

And I was like, that was crazy years ago. Now I'm like, this is kind of wild.

SPEAKER_02:

It's kind of like the Jetsons go back to the 60s and like George Jetson had one button to push, and that was his job, right? Like, um, yeah. I forgot about that one.

SPEAKER_00:

George Jetson, yeah, that's a blast in the past, right there. Oh my God.

SPEAKER_02:

Um, so Jax, from your perspective, you're at Pearson, you're probably managing AI risk and benefits and leaning into it and you know, providing guidance through the VISOs of areas that are too far off the rails. How do you guide your teams or your business through resistance and the like we were talking about, the overenthusiasm? Because those are two extremes, and people can be over-enthusiastic and do some bad things, or they can be resistant uh and miss some opportunities. So, how are you helping the balance? How are you helping strike that balance within your business base?

SPEAKER_00:

So we're building out a risk, uh, AI risk program. We have it, but it needs we need more people, you know that is. We need more resources. No one really is that it's challenging right now because we're a global company, people can create agents. We don't want to hinder people, but we've also provided guidance, we provided SOPs. Um, we've tried to control some of the agents that are coming out for the security reasons. Um but there is a level of like how much do we try to protect our org without also impeding the growth and being able to use these tools to your point, Aaron, of being able to create uh more streamlining automation of like workflows and increasing, I think they said proper use of AI, you can increase your effectiveness by 50%. So we don't want to impact that. We have internal programs that we use that are specific to us, like PACE is one of them, P-A-A-I-C, and it's what we use. So we have internal tools to our organization that help us with graphics and video and stuff like that. So it keeps people internal without trying to go external and use various different tools. I think that does a great job with reducing a lot of the risk because you're giving them tools. Um, we use Copilot a lot, and you guys have all seen the memes. It's getting better. But man, when I started using it a year and a half ago, holy moly, I think the only thing it was good at was doing the meeting minutes, literally. But I'm noticing it's getting immensely better now with summarizing meeting notes. And even I went into Copilot just this week and I said, Hey, summarize what I was out of the office on Thursday and Friday. So on Monday, I said, summarize what I missed on Thursday and Friday and give me a list of tasks. It actually did a pretty decent job. 
So I think for us, it's that education piece for the BISOs, like educating what is capable, teaching people the safety and why we need to be safe and using these tools and what it means about copying, like doing a control A C and then control V into ChatGPT. Why is that bad? Where does this information go? Because I think people just don't know. I truly try to always say, I think people are trying to do the best they can, but I don't think people are trying to leak. They're trying to just make their jobs easier.

SPEAKER_01:

Yeah.

SPEAKER_00:

And so I think there's that. And I have recently, actually just today, told my team: spend time on agentic AI. I need you all to start spending time on it, build agents, learn it, because we can't teach it if we don't understand it. So that's what I've been really... I've been teaching myself how to do it, because there's an education piece, and I think there's a fear around it too. So we need to educate, teach, and just get out and use it, learn how to use it. Yeah.

SPEAKER_02:

No, that's great. And you can start even before you get into some of the more complex agentic stuff, just writing queries and setting schedules, like threat reports. That's probably the earliest cyber one, like, do a threat report on a specific client or an internal business unit or an acquisition target, a lot of really cool stuff. And you just have that pop up at 8 a.m. But that's not even agentic, that's just scheduled prompting, right? So you can go even further once you do the basics. But yeah, starting small and then expanding is the way to go.

SPEAKER_03:

Yeah, and I don't know if you ever want to hear things. It's a total pivot here from AI, but in our free pre-podcast meeting, Jax, you had some great knowledge on what I did. Make sure we can get this on and get it to our viewers, but like in regulation-rich industries, how do you adapt incident response plans to unpredictable rule changes? So we're discussing the rule changes in reporting and everything, but kind of talk to us now about some of how that is shifting and what it means for a lot of big firms.

SPEAKER_00:

Oh my gosh, yeah. If somebody can figure this out, man, you'll be a billionaire too. Like, figure out a technology to help with this. It's volatile, like it's super volatile. We have a provision 29 coming out right now; it'll be enacted in January and it's affecting UK businesses. And essentially we're a UK business, even though we have a headquarters in the US here in Durham, and it has disaster recovery, which is part of incident response. You know, after the boom goes off, we've got to go into disaster recovery. And so you've got to have all your applications with a DR plan essentially done so they can do random testing come 2026. And that takes a lot of work. And part of that, I think, for the incident response and disaster recovery, it is gonna always be changing. I think we're gonna see more and more changes, especially with the emergence of AI and more threats that are coming out. I think that we need to find ways to build flexibility into our plans. I think we need to do more testing. Like, we're implementing more tabletop exercises. Provision 29 is actually not only do you have to have a DR plan, but you have to test that. So being able to test: what are you gonna do? Who are you gonna call? Not Ghostbusters. But like literally, people don't have cell phone numbers. What if your teams and everything get knocked off and all your high-value assets are down? You can't get into computers. Do you have your help desk number on your computer somewhere, like saved on your phone? Do you have your boss's phone number? Like, working through that, I think, is really critical for that flexibility piece. And then if possible, have somebody on the team where that is one of their jobs: looking at what provisions are going to be coming out. How can we address them? Like these provisions, when they come out, aren't brand new. They've been talked about, like CMMC; they've been talked about for years.
And then it's like provision 29's coming out, and then you do research and you're like, oh, this has been talked about for a couple of years. This is new news. Yeah. I think that's really important. It's just being forward-thinking and having somebody, because there's, Cody, you know, there's so much information, and how are you supposed to keep up with all of it?

SPEAKER_03:

Well, that's the exact point, and there's always like leveraging third parties and tools, and so even the plans, right? The contact sheet may be different, or, you know, the company last year, it was this tool, now it's this tool. And my incident response plan, while it may be for one company, may have 15 parties that need to be alerted to be convened in the thing. And so that's the hard part. It's like, I think sometimes they do the minimum once-a-year test, but I think of like if I go on a cruise ship or hop on an airplane, they do the safety thing every single time. And so it is a wild amount of testing. And sometimes companies do it once a year, and I will do some changes to it, but so much changes in the course of the year that if you don't do it at least annually, chances are every three to six months your IR plan's out of date.

SPEAKER_01:

Yeah.

SPEAKER_02:

Shooting from the hip for sure. So I know we wanted to talk a little bit about CMMC and Jax coming out of the military and being, you know, on the other side of the DoD and the various government agencies. How has CMMC shaped up for you? I know it's a long time in the coming, or in the making. Where are we? And what's your... are you leaning into this?

SPEAKER_00:

I have a CMMC shirt. I actually should have worn it, that Jacob Horn had created during one of his talks many years ago, because CMMC has been going on for that long. I was like one of the first adopters, pretty proud of that. I actually became like a CMMC RP or whatever it was called back then. I feel like literally it was a decade ago, but it feels like it was only a few years ago when it really got rolled out with the CMMC-AB and all that.

SPEAKER_03:

And in the five-level days, with the three-level days.

SPEAKER_00:

Oh god, yes. Yes. Like, I was in it. I did the class, I was running rock and roll. That's what I did for like seven months, and then I'm like, this is not going anywhere. This is like 20... what was it, 2020, 2021? I'm like, this isn't going anywhere. I need to get a real job. And I will tell you that I support where it's going. We're in the corporate sector. It'll impact segments of us, but it won't impact our entire organization. But where it's interesting is that these smaller organizations that have been just self-attestation, especially ones that need level two and three now, are like, oh my gosh, this is gonna cost so much money. I think the big point that's really been pushed out is like, no, it shouldn't cost you any money, because you should have been doing this all along. Like again, what we were on the other thing: these provisions are not new news. Many times they're already being enacted, but, like, unofficially. Yeah.

SPEAKER_02:

So this is unenforced contracts, right?

SPEAKER_00:

Correct. Yes, they've been in there. You've been checking that you've been doing these things. Now it's just being enforced, because sometimes we're like toddlers. We have to put a law in place and then enforce it, or we're just not gonna do it, because it is going to add a level of work and resources, extra controls, you know, the 171s, 172s, I think, if I remember all the NIST frameworks that you've got to do. It's just extra work. It's extra this. It is extra money. You've got to get certified. We don't like to do it, but I'm happy, because being in the military, and I still serve, I'm in the reserves now, and I'm still connected, and I still see how in some areas we can be super insecure with our supply chain. And CMMC is intended, I think, as a very positive for the defense industrial base to secure our critical infrastructures and be able to bring security through protecting our suppliers and our vendors and everybody that is connected into us. We need that. I mean, you guys saw what came out recently. Remember, what was it, with the China security people that were like... oh, the Microsoft thing? Yes, the Microsoft thing. I was like, what general officer thought this was a good idea?

SPEAKER_03:

Well, that's just it, to your point. Like, everyone can know everything. So the process is what helps to bring more people, more eyeballs in, to get that validation. Otherwise, you rely on one person to know it all. So you're spot on.

SPEAKER_02:

Well, and Jax, I'll go back to your comment that it shouldn't cost a lot if they've been doing things along the way. We leaned into it, got a company RPO, we had some consultants that got trained as, I think, the registered practitioner portion, which sounds like maybe what you got. Yeah, and three years ago there was some momentum, and then when it started to fall apart, everyone was kind of like, well, pencils down, let's wait and see. Who knows what this is gonna be? So I feel like the country as a whole and the DIB has lost a lot of momentum. Yeah, now it's picking back up, but you know what I fear? It won't be bad for consultants and those that can help. But it's like we're gonna throw a bunch of Hail Marys to work together really quick. And that's not... we've done that beyond this space, like in healthcare as well. And that's not the way to build a sustainable cyber program. You burn people out, you get so much done, and then it falls apart and you have to put it back together again. So I would rather not take a Hail Mary check, which are big checks, and do something in graduated steps over time, because you're gonna feel better about the product, it's gonna be less painful, and the business isn't gonna hate you for it.

SPEAKER_00:

Well, and Jack, I think... did you all have a significant cost with doing your CMMC yourselves, like getting it all done and getting it certified? Did you have to get level two certified?

SPEAKER_02:

So since we weren't... I think the C3PAOs had to do the full certification. Since we were just doing the program building and consulting side, we had to pay the company fee, which was I think five grand, and then individual fees for training. So it wasn't as crazy as the full thing, but we also weren't storing CUI as part of it. We work in the customer's environment, and very intentionally.

SPEAKER_03:

So one thing I wanted to mention that I think you talked about earlier was like, even when you have, say, unlimited budget and people resources, to Aaron's point, the organization can only absorb so much change in a given time. And so I think to your point, these aren't new, but we waited for so long, and even with the amount of money you try and throw at it, it's still gonna be hard to hit this mark without people burning out or trying to sustain it. So I would totally agree there.

SPEAKER_02:

All right. Well, maybe one last question, and then Cody, you have a special question that you always ask all of our guests. So I'll keep that in suspense and let you ask that here in a bit. But maybe going back to the BISO front and the business side, how do you keep your teams agile and committed, especially with change fatigue? We talked earlier about budget reductions and IT or cyber being a cost center, you know, new technology coming on. Like, what is your best way to keep people's hearts and minds focused on that mission?

SPEAKER_00:

Motivational speeches, really, as a leader. You gotta talk to your team and you gotta tell them when it sucks, it sucks. And be okay with admitting that, to be frank, because sometimes it just sucks and it's okay. Be real. I am very much a real leader, and you know, we have our ups and we have our downs, and I ride the wave both ways, and I'm with them when it's down, and I'm with them when it's up. But my goal is always to provide a way out of this down. Like right now, we're getting hit with a lot of last-minute requests, and it's kind of been continuous. And I've been trying to figure out a way of reducing that, because it is really fatiguing all of us. We're exhausted. And it's requests that are very time-consuming but need to be done in a really short period of time, multiple at a time, not just one. So it's like, how do we resolve this? How do we fix this? So, as a leader, my goal is I need to make their lives as stress-free as possible. I need to reduce the chaos and noise as much as possible. And I've got to be real with them. Like if we're not operating at the level we need to be, then we need to get to that level. But I also have empathy. So if we're not operating at that level, is it because we're tired and burnt out? Okay, then I'm going to hold space that we're probably just going to be at that level right now, but we're going to get out of that, because I'm going to put things in place to get us out of that. But everybody has to own it, because it's a complete team effort. So for me, it really is having one-on-ones with my team, understanding where they're at. If things are not getting done and we're getting drained, figure out why. Maybe there's personal reasons; address those. Everything's a phase, and then be patient and then push through it and talk to them. But you do, I think as a good leader, you gotta motivate your team. You gotta talk to them.
And it's not just the rah-rah-rah, it's being real with them.

SPEAKER_02:

Yeah, I like that. A lot of transparency and authenticity goes a long way.

SPEAKER_00:

Yeah, yeah.

SPEAKER_03:

All right, Jax, are you ready for this question?

SPEAKER_00:

Oh, yeah.

SPEAKER_03:

You have no idea what this question is. I mean, this is crazy. Man, Aaron got a little hyped. Okay. Here it comes.

SPEAKER_00:

Okay.

SPEAKER_03:

So, all right. If this is a new audience, give us one fact about Jax that no one would probably know about you from just maybe the interwebs or the general... but we have like a fun fact. Give us a fun Jax fact.

SPEAKER_00:

Okay. It's a little weird, but it's okay. Everybody thinks... I don't know if it's that weird. I moved out of my parents' house at like 17, and that's important because ever since I moved out, and I'm in my early 40s now, I've never owned a TV. Ever. People have given me TVs. I've sold them. I have no TV in my place here. Never. So I literally haven't had a TV in over 20 years. That's pretty cool.

SPEAKER_03:

That's pretty good. I think, yeah, very cool. Brawn, you know, on our team, is a superstar. I think the other day we were talking, she said the exact same thing. And I was like, no way. But she did.

SPEAKER_00:

So that's awesome. It's interesting dating, because people that have TVs like to play it in the background or like to have just whatever, and it literally messes with me.

SPEAKER_01:

Jarring for you.

SPEAKER_00:

Yes. And so I'm like, I don't know how this is gonna work. Like, 'cause they'll come into my place and be like, wow, it's so quiet and calm. And I have Alexa playing like calming lo-fi beats in the other room. Now we're talking about the lo-fi. It's very low, yeah. Yeah, I just think you need to be cognizant of what you're putting in, and I think you need to filter it. And the only way you can do that is having control and not having your TV just blaring. I think watching movies is fun though, occasionally. So I do it sometimes on my iPad.

SPEAKER_03:

Oh, okay. I was gonna say, how do you watch it? Do you go out to like a little movie theater, and it's popcorn and not shows?

SPEAKER_00:

Oh, don't ever, Cody, ever ask me a question about anything pop culture, though. I will have no idea who the actor is, what movie it was. I can't quote anything. I think Brawen did a LinkedIn post today or the other day about like even song quotes. No clue. No, no clue.

SPEAKER_02:

We've got a gentleman on our team that knows three movies, and literally you'd be in good company, because he has not seen many movies. He'll know who he is when he hears this.

SPEAKER_03:

That's awesome. That's awesome. Well, Jax, thank you. This has been phenomenal. Excellent time hearing your story. Super, super, just, you know, really cool. So Aaron, I'll let you wrap us up.

SPEAKER_02:

No, thanks for coming, Jax. Appreciate it. Thanks for your service in the military and your continued service in the reserves and giving back to cyber and getting your voice out there. And Cody and I follow you. We'll continue to do that, and we will talk soon.

SPEAKER_00:

Thank you, Cody. Thanks, Aaron. Bronway.