EP 030 Nick Gicinto Security Insider: Intelligence Insights from a CIA Veteran

Show Notes

Nick Gicinto is an executive security leader and veteran of the Central Intelligence Agency (CIA), Tesla, and Uber as an insider threat, intelligence and security specialist.  He is currently the Executive Vice President at Red Five Security in Arlington, VA.

 

Nick was recruited into the CIA during graduate school and spent 10 years in the Agency amassing five promotions and 14 exceptional performance awards as an Operations Officer. His role as an OO was to collect raw foreign intelligence which was eventually briefed to senior U.S. policymakers, including in the U.S. President’s Daily Briefing.  During his CIA tenure, Nick focused on state-actor level threats and worked both counterintelligence and counterterrorism operations in the U.S. and abroad.

 

After leaving the CIA, Nick joined Uber’s Threat Operations team helping the company build a global intelligence capability in 40+ countries designed to keep Uber’s riders and drivers safe in addition to investigating leaks of intellectual property.  He was recruited by Tesla to build the Global Security Response team, focusing on strategic and protective intelligence, as well as digital forensics tied to insider threat and investigations into leaked information.  GSR’s investigations lead to multiple civil lawsuits vs. competitors and former employees, as well as law enforcement referrals and convictions.

 

Nick moved to RiskIQ (now a Microsoft company) as a Vice President to build the Incident, Investigation, and Intelligence (i3) team, RiskIQ’s managed intelligence services (MIS) capability tied to its cybersecurity SAAS product.  After growing the team to close to 40 members, Nick joined Chainlink Lab’s as the VP of Security Intelligence, helping the web3 company develop its world class security program from scratch.

 

Nick holds a M.S. in Defense & Strategic Studies from Missouri State University, and he has a B.A. in Political Science from William Jewell College where he is now an Adjunct Professor of Political Science.  He has been a guest on numerous podcasts, and subject of many articles, and has published his own article in Cybersecurity Insiders Online.  He has guest lectured for SET University in Ukraine, and helps to train missionaries in overseas security awareness prior to deployment into hostile areas.

Security Circle ⭕️  is an IFPOD production for IFPO the International Foundation of Protection Officers

Transcript

Yoyo 0:28

hi, this is Yolanda. Welcome. Welcome to the Security Circle podcast. Ifpo is the International Foundation for Protection Officers, and we want to thank all of our listeners around the world. Thank you for listening. Whatever you are doing, running should be working, just chilling out at home. We're glad you're listening. We are dedicated at ifpo to providing meaningful education and certification for all levels of security personnel and make a difference to our members mental health and wellbeing. So don't hesitate to get in touch with me today. I have a very special guest. He is an executive security leader and veteran of the Central Intelligence Agency, the cia, to, he's also worked for Tesla and Uber as an insider threat, intelligence, and security specialist. I wondered if he put that on his business card. He successfully developed Uber, Tesla and Chainlink Lab's. First, global intelligence collections, investigations, and insider threat programs from the ground up. Nick, what can I say? Nick Jacinto, great to have you on the Security Circle podcast. Thanks, yoyo.

Nick 1:38

It's a pleasure to be here with you.

Yoyo 1:41

Did they give you business cards in the cio?

Nick 1:44

Yes, actually they did. Was

Yoyo 1:46

it say you work at a

Nick 1:47

museum or something? Yeah, I use department of fuzzy bunnies and kittens. I think. So

Yoyo 1:53

listen, I know from the pre-chat and the initial Spanish Inquisition. That I had with you that you are from Kansas. How does a Kansas boy make his way into the CIA?

Nick 2:08

Well, believe it or not, I think the US government is capable of making a mistake from time to time. I can only imagine, what clerical error occurred in the process of of pushing my application through. But I was hired post nine 11 hiring surge. And so I know I, I always tell young folks I talk to now who have aspirations of making it into the agency or in the intelligence community that I doubt I would be competitive now that hiring has tightened up a bit. But my story was was really just. Deeply inspired by the events of nine 11 when I was in college, felt that I had a responsibility to serve. So, even me growing up in Kansas City a small private liberal arts college of about 1100 students had an amazing mentor, professor advisor who pulled me aside and said, look military awesome. You can do a lot of great things there, but I really think you're made for this intelligence field. it hadn't occurred to me. I had seen all the movies like everybody else and thought, had the very Hollywood idea of what the agency looked like. And once I really broke it down and once he pulled me aside and helped me understand why I maybe had some skills that would be valuable. I went for it. I took a shot and and I was fortunate enough to make it through.

Yoyo 3:29

I have to ask you, because you mentioned that you were identified as having a certain aptitude, and can you remember what the aptitude was that made somebody quite experience say, this is an area, the intelligence area is definitely something that, would work well for you?

Nick 3:45

So I directly, I, like, I remember why he pulled me aside and it was it was based on a scenario, a practicum that we did in my national security policy class, my junior year of college where we were simulating, and this was pre the Prera war, right? So we were simulating actually the events that could lead up to a war with the US and Iraq and I was on the US team. There were other teams, Iraq, Iran Turkey, I think Kuwait. But I think I, I went above and beyond what his expectation was for the scenario. Each group had objectives and those objectives were mutually exclusive. And but I managed to achieve our objectives and convince others why it was better not to achieve their objectives. And and so, through that I demonstrated some of the characteristics of a human intelligence collector developing relationships and honing in someone's motivations and ultimately using those to achieve my objectives. And I think that's what he really saw in me was was that ability to connect with someone one-on-one and. And move that relationship forward to an objective. Some people might call that manipulation, and there is an element of that for sure. That's what occurs in human intelligence relationships and recruitments of spies to, to acquire sworn intelligence. That's, would be not in that person's best interest to engage in that relationship. It's not rational if you think about it. They're risking their lives or their family's lives or a lot. But to get somebody to a point where they're comfortable providing that information to you does take an element of manipulation. Some people have a negative connotation with that word, but I always tell people, have you ever planned a surprise birthday party for a friend? How did you get'em there? Right?

Yoyo 5:41

So I think that was. Did you get rumbled? Cuz that would make you a really crap spy?

Nick 5:46

I don't know what rumbled means, but but found out. Oh, found out. Got it. No. No I did not. Thank you.

Yoyo 5:55

No, I mean, I mean, in the birthday scenario, if you've the only way to relate, obviously it's a huge veil of secrecy, but if you get found out planning a secret birthday party, you're not gonna be a good spy.

Nick 6:07

No, that's a, that is probably is a good litmus test. You're right. So yeah, I've successfully planned many surprise birthday parties, which gave me a lot of confidence that I could survive in the agency.

Yoyo 6:16

Before joining the police, I was at this crossroads and I wasn't sure what I wanted to do. And I was in the hospital just, recuperating from a very standard routine, everyday operation. And the nurses came round to my bed and they looked a little concerned and they said, oh, I wonder if you can help us. We're looking for the lady at the end of the ward. She's gone missing and we are really a bit. perplexed, we dunno where she is. And I said, oh, do you mean the lady with the brown hair, with the purple fluffy dressing down a white ankle slippers? And she said, oh yeah, is that what she was wearing? I said, yeah, she left about 40 minutes ago, so I dunno how far she's got. And sometime happened and they came back to me sometime later and they just came over and they were so grateful. And they just said, we're so glad you remembered what she was wearing. We put out an alert to security and she'd collapsed in some lady's toilet somewhere. And the information I provided was really critical to them being able to identify her. And I remember sitting back in my bed kind of glowing after the little bit of appreciation I'd had, thinking I need to do something with this special skill I have.

Nick 7:28

How can I use my powers for good? Right?

Yoyo 7:31

Of course not for evil. I'm, I just don't ever think I could be a bad person. And then nine 11 happened whilst I was at home recuperating. And then the decision was made. I made the decision then and there I'm gonna join the police. And nine 11. It's interesting. It was a crazy time, wasn't it? And it was a very paranoid time. What do you think? And I'm aware of watching sort of some documentaries and how and how controversial the FBI and the CIA's involvement or lack of involvement and cooperation prior to nine 11 was certainly contributory to a very negative outcome in New York. But the CIA at that time, heavy recruiting campaign, same as policing in here in the UK and Europe and around the world. What changed then for the C I A do you think do you remember what any of the kind of general objectives were about Homeland Security?

Nick 8:24

Well, I, boy. Thinking back to that particular time. And I remember that the agency had really scaled back. Its hiring this is prior to nine 11. And a lot of that can be budgetary. Some of that's foreign policy related and just how, the government processes its requirements and such. But, after that the floodgates really opened after nine 11, the floodgates really opened. And I think it, I came in a couple of years after, right? A few years after. So I didn't start until getting through the process 2006. But by that time, that the agency had really ramped up in the Middle East, understandably. That was a big focus. And but I also had experiences in my 10 years there of a lot of joint cooperation with other government agencies. I never felt. Directly, at least the stove piping or the lack of information sharing. I had multiple joint operations with, F B I and another, a number of other US entities. So I, I th I just, I think what changed was they I, there was an appreciation for the value of intelligence, first of all, because there was a tremendous investment in it that hadn't occurred prior to nine 11, at least on that scale. And it really did open up the aperture for the need for creativity, the need for new ways of thinking about intelligence, because we had enemies and targets that required different tactics. It was not traditional embassy out of embassy types of recruitments that were required. And I think if you're gonna go after new targets and new areas with new ways, you have to branch out, and you have to be more inclusive because you cannot do it on your own.

Yoyo 10:14

That criminal terrorist element is, has a lot of time and money, doesn't it, at the end of the day to reinvent the wheel from their end. They're not restricted by budgetary and political constraints or red tapes. They have none of that. They can be agile, they can work, find, work around to something that they want to achieve. And that's why I think the struggle is always gonna be very real, isn't

Nick 10:38

it? Well, I think that's any threat we face really. I've always looked at this as a cat and mouse game. I think it was Patton who said, there you, there's no wall that you could build that, that, man can't find a way over, under, around, I'm paraphrasing, but you know, that's really what this I find that to be especially true in cyber. Operations. I mean, the number of threat vectors in cyber considering state actors do not necessarily possess the preeminent skills in that particular area. Is it's astounding. I mean, you have everyone from a foreign government and they're highly funded on operations to some dude eating Cheetos in his grandma's basement in Belgium. Right. They can all be formidable threats. And when, anytime you have someone or an entity that doesn't play by the rules it know, it's gonna create that situation of of having to combat in the unknown.

Yoyo 11:35

Protecting the guilty. Tell me about your worst day or your best day.

Nick 11:40

Oh, at the agency? Wow. Worst day was probably the day that I left. Leaving a mission that I cared tremendously about. Leaving, trade craft and skillset and a career that I had built was really the only job that I knew. And I worked as a kid, I worked through high school and college, so I'm not talking about those. I'm just, this was my after graduation. This was my first job and I got my dream job at 24. So walking away was the hardest hardest thing to do. And I had great reasons to do it. And those reasons ultimately are more important to me and who I am thinking about, what I needed to do for my family, it was the right decision. But, I. My heart was there. My heart was there, and it still is in many ways my best day. Oh gosh. There were a lot of great days. It was probably I think about when I finished my certification to become an operations officer. I just, I recently attended graduation at the University of Kansas, and it's outdoors at their football stadium. Thousands and thousands, tens of thousands of people there and all these students out on the football field. And so they, each dean of the university stood up and acknowledged their particular departments, and those young people would stand up and they would cheer when they got to the med students. Who graduated and their degrees were conferred upon them, all of them in one block stood up and they all popped champagne bottles. And champagne just went everywhere, all over themselves, each other people, the field. I mean, I can only imagine how sticky that whole situation was, particularly in the heat and in their graduation gowns and caps. But that was the feeling that I had when I finished that grueling certification course that I always described to people as the most fun I've ever had that I'll never, ever wanna have to do again. So that was a good day when I found out that I passed and that I could, I could get on with the mission rather than just training for the mission.

Yoyo 13:59

When I look back and reflect on my seven years in the police, and five of those were in the functionality of a detective role. I look back and I know that I made a difference. And even if it wasn't to the overall, peacekeeping of the city that I was there protecting. I know that there were certain people that I interacted with, certainly victims of crime, certain ways that I was able to go a little bit above and beyond. And I know that I made a positive difference. And that's important because I don't think any one person can change something that's so institutionally flawed. What gave you the feeling that all of that time you spent in a very isolating and lonely role away from family what is it that made you realize that actually it was worthwhile?

Nick 14:48

I love that part of the job knowing that I was the only person in the whole of the US government that was going to get to that meeting that day and meet that person and get that information. And if I didn't make it then we would have a gap. A gap in our knowledge, a gap in, in, in our information, our perspective that would enable our policymakers to make good decisions. And, there's a lot of case officers that really enjoy like the recruitment aspect because that's hard. It is hard to get to that point where someone feels comfortable enough to provide you that information. And a lot of people look at that as the, that's the end all for me. It was never that for me, it was getting the information that I knew had an opportunity to go sit on the president's desk the next day. And after I had a few of those go up to that level, it was like a drug. It was just, that was the thing that I loved. And I loved having it on my shoulders, knowing that if I didn't make it, we wouldn't have it. And it motivated me to go out and do what I hoped was an exceptional job. And. And that was, it was also an amazing feeling to have that much trust placed on me. Trust by my, by my, certainly my supervisor, but the agency itself, the people in the US right? Who ultimately we worked for. And and also, that person who was putting their trust in me to keep them safe.

Yoyo 16:14

as I'm listening to you, I'm putting myself in your shoes, I'm thinking, yeah, there's real purpose in that. There's real purpose in having that responsibility and ability to do a task where, ultimately the end game is to get that in front of the president of the United States, right? What purpose? And so for people who are very driven by purpose, that must have been incredibly fulfilling. So thank you for sharing that. Oh, my pleasure. And I get it. Look, I. I think it's got to be incredibly isolating. I know that, for example, when I was in the police, that there was some restrictions. So for example, when I was in the police, we weren't really allowed to take our warrant cards to Northern Ireland. We had to be fairly discreet about our identification and especially with social media being fairly paranoid and an unknown entity. And there were places I would go, for example, if I was out socially, I wouldn't tell any men that I met that what I did for a living, I would make up a another career. And most of the time, as we all know, through watching great tv it's best to lie with the truth. Yeah. So I always used to say I was a lawyer because I was able to lie enough and be convincing enough to know enough to talk my way through, but. I was just doing that for one night and it was fun. But I obviously, I appreciate that. If that was gonna be something I was gonna seriously continue, I was digging myself a great big hole, especially in relation to trust. And where'd you go from there when you started something off with a lie? So it's, it is, it's not an easy situation, but I actually found I was quite good at it. What's, it's a huge difference though, doing it for one night and doing it year in, year out with friends, family, people who just generally like you, sound bloke, wanna get to know you more. How do you deal

Nick 18:08

with that? Well, it does take, it can take a lot out of you. I can tell you that. I remember, I think it was Mark Twain who said, when you tell the truth, you don't have to remember anything. And to your point, right, the lie is something that you have to keep and get right. And it was, look, it was part of the job and I understood that, acknowledged it, knew that going into it. So there's really is nothing for me to complain about. I understood fully what I was get, getting myself into, I think where some of the unintended consequences of that were my own personal relationships and friends and family people that I was close to that knew me and wouldn't have really ever bought this story because it just, it wasn't who I was. It's like, really? That's what you're doing? You really, huh? Huh. so what I did instead of lying to them was I just distanced myself from them. And so over time in a career, people that I was close to in college or in high school, I wasn't really close to them anymore. And that was easier for me than lying to them people I cared about. I never told my mom what I did. And that was really because I didn't wanna burden her, burdening her with the knowledge that she had to get my lie right. For me, every time and when I'm nowhere around was just, I knew she wasn't gonna be able to handle it first and foremost. I, cause I remember she knew that I was applying. And I had to travel. I traveled to Chicago for my first interview and she knew what was going on because I was a deeply poor graduate student at that time. And for me to get to Chicago and and make that happen for a couple days, she was like, yeah, okay. I know what's going on. But she was she was ill at the time. She was in the hospital, and I remember coming back and I immediately come back home and I go to, to see her and the nurse walks in to take, her readings or whatever, and says, how was your interview with the c I A like, I'm sure I probably like, I probably needed my readings checked at that point in time. I think I just like, was frozen and like frustrated and, but then I knew like, yeah I cannot, I could not continue, to have her think that was a possibility. So, when I left, 10 years after the fact. It's like you look around and where are your close friendships and relationships and they're gone. Most of my close friendships were colleagues in the agency and now I'm out and, you could still have association, but the thing about the, the agency lifestyle is that you're always coming and going. Yeah you're at headquarters, you're in Virginia for a while, and then you're out to the field, then you're back and you see somebody, you pick up right where you left off. Except that now I was moving away from where I would have that reconnection. And so yeah, I kind of had to start life over again.

Yoyo 21:15

To your point about no one believing you. There's this really good line in the movie, the Sum of All Fears with Ben Affleck, Morgan Freeman and Morgan Freeman plays the president and he convinces Ben Affleck's character to jump on Air Force One spur the moment, which means he has to break a date with his lady. Oh yeah, there's a smashing actress and Morgan Freeman says, why don't you just tell her the truth? So Ben Affleck's on this Air Force one mobile phone going, darning, listen, I haven't told you this, but I work for the CIA and I've got to go to with the president. We, I'm within, now we're in Air Force one. And she's like, like of all the excuses to break a date. Yep. And you just made me think of that.

Nick 21:55

Well, that was the thing. Most of my friends and family would've believed that if I told them so trying to tell'em something else, cuz it was just me and I, I don't know why necessarily, but I think they knew what I aspired to do. They knew what was important to me, how motivated and driven I was. And so coming up short of that goal just didn't, and anybody can fail at anything. So I'm not saying I'm above that, I'm just saying. The direction that I had to tell them I was going just wasn't necessarily gonna work. Yeah.

Yoyo 22:29

So you, you've made the decision and you've put your family first and you've said, okay, I have to pick something else. And did you realize at that time that you had a very good sort of ip, intellectual property survey of offering that would make you very desirable in corporate business? Or was that just a realization over a period of

Nick 22:52

time? It definitely was not something I realized initially. In fact, it was quite the opposite. I thought, boy, I'm so niche. I am, I, who, who would ever need my skills and services? Right. That just doesn't I don't know. I don't know what I'm gonna do, where I'm gonna go. Thinking about like, even applying to places. It was an arduous task. It was because I didn't really know how to sell myself, which is super ironic because I've been doing that for 10 years successfully. Right. And then all of a sudden you turn outward to, to, to looking at a new job or a new role. And I really didn't know the first place to look. Not to mention at that time there weren't so many like me yet out in the private sector. And so there was nothing to really compare to and say, Hey, see that program over there? We I can help you build that thing. Yeah. And really for me and it is this way for a lot of intelligence professionals. Cause I talked to dozens and I've hired dozens and I've talked to so many folks just to try and get them advice, but the network is really everything for us because we can't adequately sell ourselves to a company. And you need someone who can connect on the inside and help them see the value.

Yoyo 24:12

Yeah. And it's not like you can back then go straight to LinkedIn and say, you've just left the cia, there's a huge vulnerability there, isn't there really about maybe your safety, for example. A hundred

Nick 24:26

percent. And I didn't even create a LinkedIn account until my third company in the private sector. Wow. And I continued to do myself a bit of an injustice in that I treated my roles where I went with as much privacy and and as small a profile as I possibly could cuz I didn't ever have to rely on a network before. I mean, that just wasn't an issue for me. And I think I did myself in the long run a disservice in that I didn't really, particularly when I was at companies like Uber and Tesla, people tend to want to connect with folks who are in those roles, in those companies and doing that type of work. And I just wasn't, I never made myself available or accessible. I might

Yoyo 25:11

need to, I might need to put you in touch with somebody. I I have somebody in my network who works for the equivalent of our British security services, and they are just in a situation where they want to look at a different career direction, but they can't even have a LinkedIn profile. Yeah. They can't even promote themselves. They can't network externally. They're also feeling very isolated. Not many people to talk to and share, common feelings with. And I really worry about this person, I worry that they don't have the support structure. One of the things that, and that's the power of having a great network. Right. But it really worries me, especially when you look at mental health and you look at the feeling of isolation and how destructive that can be and the powerlessness of not being able to be in charge of your own destiny. What you were saying there to me really resonated with this colleague of mine and I just thought there needs to be some sort of support structure doesn't there for individuals cuz there is for people leaving the military, you can have careers advice and guidance and you can do courses and things. Were any of those sorts of things on the table for you? No.

Nick 26:19

And really because the, the agency. Doesn't want you to leave, so why they're not gonna make it easy for you to Now I think maybe some of those things are changing. I don't know. But most of the people that I encountered at the agency were, had already been on a 30 year trajectory career, or they were on that, right? Like that's, most people stayed their whole career and they retired. I mean, the benefits are awesome, don't get me wrong. But people who go they go and they stay. And it's a mission thing that maybe about halfway in my time or a little after my, my last tour, I was a recruiter. So I got to talk to a lot of young people looking to go into the agency and I think I actually helped United Airlines more than I helped the agency, talking to Well, well because you talk to these folks and you say, you know what? Why do you wanna join? Well, I wanna travel and I wanna see all these places and I wanna live abroad. I'm like, here is United Airlines website to apply. You should go be a pi.

Yoyo 27:20

Yeah. Be a pilot.

Nick 27:22

So if, somebody, I'm sure is looking at the numbers like, we have a surge going on right now and I'm not really understanding why exactly. Are we marketing more? No. Well, it's actually this guy who works at the CIA and he's referring all these candidates to us. But that's, I mean, that's really the truth. The motivation to join has to be something much more intrinsic than just wanting to poke around abroad. But my, I guess my point is that I saw starting to see less and less, People thinking about a 30 year career and more or less thinking about, well, this is good for the next five years for me to do this, what the agency was looking for necessarily, what we've evolved into. Right?

Yoyo 27:59

And this is a really nice segue into inside a threat because I should imagine, and it makes absolute sense, that if you have a transient workforce within the C I A, you have more risk. And therefore, keeping people there for decades of their entirety of their career, everyone becomes a bit of a captive audience for want of a better word now. You, let's talk about Uber because that's a hell of a company and there's no doubt about it. Uber has had a history of a number of controversial issues, but they seem to be right now working very hard to get a lot of those sort of old historic issues buried in the past for sure. There's definitely some positive steps there. But while you were at Uber, there was a need wasn't there to build an intelligence program. What can you tell us about the kind of insider threats that Uber bearing in mind? The controversies they were going through at the time? What insider threats did they believe they had? Were they right? And were you able to educate them on what the real threats were?

Nick 29:08

No, that's a good question. And yeah they definitely seem like they're coming, coming a long way. I, I didn't necessarily go there to start an insider threat program. I went there to build an intelligence program because the security component was still relatively young. Most of them had come from Facebook over, and they were building out things from scratch, which occurs with a lot of companies, and particularly in the startup and tech space. They focus a lot on the software or the widget or whatever it is and don't invest a lot in security to protect the widget. And until there's a problem and an issue occurs, and then they, oh, they dump a lot of money into it. But in many cases, the damage is already done. So, yeah didn't go there to create insider threat, but what I built was a capability that was able to respond to it. So, building an intelligence program, the only way I knew how, which is kind of modeling after where I had come from, gave us the tools, gave us the the resources and the personnel to be able to investigate insider threats and issues combined with a lot of really deep and brilliant technical expertise that already existed there because it's a tech company. And so that just sort of organically happened, but it was really because of the leaks to the press that were occurring on a fairly regular basis that, we were asked to start to look into these things and ultimately we were successful and successful fairly quickly. Because most people. Who leak information, or most people who are insider threats, they're not professional criminals and so they don't use or they're not former spies where they employ like the strictest of trade craft. And so, particularly in those days, it wasn't hard to necessarily connect the dots. And so we had some success. I suspect it's, I mean, it's a little more difficult now because things like, encrypted messaging apps and burner phones are more commonplace. That was less common back then. So that I, I think that, the transient nature and of a lot of these companies and Silicon Valley companies are no strangers to having, one year and done like, grab my equity and bounce to the next kind of place or whatever. Not to mention there's a lot of strong opinions in some of these companies. I think that creates a bit of a perfect storm. In some cases.

Yoyo 31:34

Yeah. And I think that's another perfect segue. It's almost like, Nick, you expect, you know what question I'm gonna ask you next. I have a pal who has a very senior position within a very big branded organization. And this pal and I were talking about our workplace challenges. And, I was talking about motivation and how certainly where I've operated motivating individuals is a pretty tough challenge. And then motivating people who don't want to be motivated is incredibly challenging. And then looking at the reasons why people don't want to be motivated is the intelligence intelligent way of looking at it. And this pal of mine implied that because most of the people that work with them are mba. Disciplined that they don't seem to have an issue in these individuals turning up to work every day and being motivated to the purpose in hand. And I kind of looked at my pal with a frown just said, knowing that the next job they want to do is to be a C E O, right? Very ambitious, very successful, very bright. And I said, with respect, if you are gonna be the c e o in your next career step it's important for you to know and understand what motivates people across the business you are the c e o of, just because, they won't all have MBAs and be disciplined because they've done, x number of years in academia and there was a kind of light bulb moment there. And I realized that yes, it's a great privilege working with people who have MBAs and are very disciplined with academia and, they're just gonna work very hard, but, When the scope is to manage generations, and we're talking about, the boomers to the Gen Z, the motivations behind each of those generations are becoming more and more clearer as certainly in relation to insider threat. So tell me that's a nice little way in. What are you discovering that the insider threat changes are across all of our generations? This week if polo launches a new app called club. And it's to mark international security officers day. We're launching this new app this week to support members as they prepare for their CPO certification. It was designed in collaboration with urine. The company behind protect UK app. Which has had over 1 million downloads and won lots of awards.

34:14

This new app called club. Offers access to the CPO textbook. Almost 200 sample questions along with many other resources and documents. I know. Cause that was my job to upload them. So don't forget to take a look at the F PO club app. Especially if you're thinking about doing the, if post CPO certification. Good luck I

Yoyo 34:49

So tell me that's a nice little way in. What are you discovering that the insider threat changes are across all of our generations?

Nick 35:01

I think that's a, it's a really good question, but ultimately because you've hit the nail on the head, motivation is really, it's the key to understanding anybody, any generation that I think what I'm sort of seeing now are less internal, and I'm talking about like internal to the self, to the person, less internal controls. On their desire to express themselves relative to what motivates them. And that's where a bit of the challenge is. So I'll give you, I'll give you an example of what I'm talking about. Most of the insider threat cases that I've investigated relative to leaks to the press are because someone, the individual in this case, the leaker, failed to find a way to communicate their frustrations in a healthy way. Or they interpreted their attempts at communicating to be rebuffed by their boss, their employer, the system, ever. And rather than just leaving it at that saying, well, I tried. I'm an employee, I work here. It's not my call. Maybe I don't have all the information. Maybe somebody has a really good reason, but I can't see the whole picture cuz I'm at my level. It's just not appropriate to communicate it rather than coming to that conclusion or also just saying, well look, if it doesn't work for me, then I should find something else. They like, they just have to get it out that the information has to go somewhere because the change that they wanted to see didn't happen and therefore, they needed to push it to an outside entity. That's n that's, that hasn't really changed in terms of, my, my work in the private sector and what motivated or drove people, even back as early as 2016 all the way to now. And I've seen cases of this very recently where information is communicated externally outside of the company because somebody was frustrated. And, I think that is a motivator isn't necessarily unique to a generation, but what is different is that it just seems to be more pervasive as an acceptable sort of method of conveying frustration. And so may maybe that is generational. I don't know. But I also think from a motivation and perspective, I find that mission just is not necessarily the motivating factor like it used to be. And when mission is the motivation, right? You think about, well, taking this externally to the press harms the mission, right? That's not compatible with what truly is motivating me. And I think that check is gone now, or it exists to a much lesser degree than it

Yoyo 38:05

used to. in the pre-chat, we talked about how the younger generations have more loyalty to the each other in the workplace than the organization they're working for. Yeah. Some discoveries that are coming up in, in the kind of work that you are doing, that's quite critical, isn't it? If one is a security professional and thinking, okay, if my Gen Z aren't motivated and happy, are they gonna protect my business? Or are they gonna protect each other first? And there's another insider threat capability there. If that's not, if people aren't aware that just the way individuals are thinking and processing and their values are so different that somebody who owns a business isn't necessarily going to appreciate the difference between somebody who is very loyal. To employers. I'm a Gen X. Probably similar to you and I I've always been incredibly loyal to my employers, to my own detriment. Yeah. This misplaced loyalty. I don't know where I get it from, but I've always been like really grateful. I'll give you classic example. We got given a pay rise in one of my previous jobs, and it was a really good pay rise. It was a healthy pay rise. It was a 3% and 2% the following year. And I was like, well guys, typical Gen X. This is great. I've never had a pay rise before. Make sure everyone, anyone got any questions, queries, blah, blah, blah. This is great. Woohoo. And then I had the Gen Z going 3%. Is that all? And I couldn't relate to that mindset of lack of gratitude and appreciation. And I think this is systemic in business now.

Nick 39:56

I think there's something to that definitely. I also, working, having worked in Silicon Valley companies, there is an emphasis on perks and benefits that are thrown at people to ultimately, whether they realize it or not, to get them to spend more time in the workplace. I always remember this about Facebook, right? Where they had dry cleaners on premises. Oh. And they had, sushi chefs and all kinds of, just so many perks and benefits

Yoyo 40:24

on, Hey, let me add ice cream parlors, sleeping pods, sanitary towels, and all sorts of products in the ladies. Certainly disposable toothbrushes, anything you need to stay there permanently and work through the night even. I mean, I used to work, I worked there for a short while, but it wasn't my culture. So that's why I say short while. Yeah. And that's why they provide three meals a day to keep you there. And the choices were amazing. And I had to deal with a disciplinary matter once because one of my staff kicked up a bit of a fuss because there was no spinach and it, he just had such a bad attitude, but it was, again, it was Gen Z or, why isn't there any spinach? And I'd be sitting there thinking, what

Nick 41:09

this food is free. Yeah. Yep. I think that's, I think there's something to that, right? Where I think expectations have not been managed for a number of folks coming into the workforce. And you hear about these things and but I also find that the benefits aren't necessarily why people are, Stay or really enjoy or love where they're working. I mean, so I, although I did hear there a statistic, and I won't have it on the nose but companies who offer pet insurance, apparently that is, that's quite the factor in retaining number of people these days. And so, that's something we should all look into. But

Yoyo 41:44

It's an out the box idea, isn't it? That I would never have thought of in medical. Yes, certainly in America. But what do you discover now front end about insider threats, Nick?

Nick 41:55

so fundamentally it doesn't really change, right? Because we're talking about human motivations and vulnerabilities and, there's only so many ways you can. You can skin a cat. And so those things fundamentally at their core are the same. I think where you have to look for them or where you have to lean in to prevent them is different than what you used to maybe have to consider. And so I think you're right. I mean, I think, gen Z, if they're particularly more apt to be loyal to each other as, as a team rather than the company, I think it's incumbent upon the company to help them see where those two things are not mutually exclusive. And that, harming the company, harms the people within it. I, I e your team, your teammates and that that's where I think companies have to lean in. Insider threat has always, from my perspective, been about education training, employee awareness, cultural engagement. It's so preventable. When you have the right things in place in a company, and I don't know that a lot of companies, they may not have the personality, the experience to realize some of those things. But it doesn't take somebody from the c i A to create one of these programs for you. It just, it really is, it's a lot of, it's an HR function and having really high quality, not transactional hr, but a really quality, sort of leadership development, growth investment, strategic investment in the people to prevent some of these things. Cause you can have all the tools in the world, right? But protect something after it's occurred or as it's occurring, rather than stopping it in the first place. To

Yoyo 43:36

your point about transactional hr, all too common. And I think a lot of people who are listening would say, they wish that HR were more progressive, more there's, there needs to be more leadership behind hr. And just to give you an example, I worked for a business, which I shall not mention because we'd all like to continue working. And during covid one of the focuses was downloadable content being mainly illicit on individuals working laptops. And the biggest output of that really was that individuals who were working from home didn't have the privacy that they would've had normally to view downloadable illicit content, whereas they were then having to revert to using their work devices because their other personal devices were in a common room that wasn't, that didn't afford the flexibility. So there was a huge shift there where on, on the numbers were high, the numbers were so high that HR got really nervous and they just didn't wanna assert in this manner. The organization took this very sort of lean back approach, but from a security perspective, they were missing the key element that this elicits downloadable content. Presented a risk to the business because it was put putting extraordinary pressure on, the secure connectability of all of those devices and spreading malware, for example. And then where you had individuals operating potentially without the VPNs on their home wifi, downloading, illicit content with God knows what else was attached to it, presented an extraordinary risk to the cybersecurity threats across the business. But then if you've only got a transactional HR and not an HR, that's going to understand real threats. And why would they understand cybersecurity threats? Because they just understand litigation threats, right? And how to mitigate against those tough call because, I, I still wasn't satisfied with the outcome or with the apathy that was around that, and the lack of education and training.

Nick 45:44

Well, you can't, HR can't do it alone. And so one of the first things that I've always done is establish an insider threat working group at any of the companies that I've, where I've been charged with that particular mission and getting the right people in the room and communicating is, it does, it takes a village right. To stop insider threat. But it's so interesting you brought up the example of the list of material. I have two stories that I can share with you. One, and I won't name the companies I was at, but in one case there was a significant concern about a competitor interfering with our continuity business operations. And and it, so an investigation was done over the course of the investigation. You pull network logs, you do all the things you do technically to look into, and you actually found that one of the people that we were looking at was the number one acquire or viewer of illicit material in the entire company. And I'm talking lot of people, right? Record. This was not in the government, so private

Yoyo 46:44

good.

Nick 46:46

Right, right. But y it actually comically amongst the security team sort of prompted this idea of, well, we're gonna create like a dashboard where we can like watch the leaderboard of who's surfing porn in the company now, the, now the

Yoyo 47:00

most amount of time in a working day.

Nick 47:02

Exactly. And so, interestingly, right, like we were honing in on this particular individual for other things. And I remember that the investigator on our team went out, traveled all the way out to meet this person, sat them down and basically said, look, we've got you. We know that you've been doing this and the person, and but didn't say what it was. The person totally rolled over on all the illicit content saying, oh my gosh, I lived with my mom. I don't have it on my own computer. You gotta understand. Like, I'm really sorry, but you know, woe is me. And and I thought, okay, that's really interesting. But he adamantly denied the other stuff and actually we believed him because he so easily just confessed Yeah. To, to the illicit material. And he honestly thought that's why he brought in. So talk about, guilt weighing on someone's conscious. But so that was super interesting to me that sort of popped up when really, we didn't care about that. you're right from a security perspective we do care. But you know, you can put certain institutional controls in your, into your your system to prevent that transference of malware or, blacklist sites or things. But the other case in another company where I was asked to build an insider threat program, I had somebody on the InfoSec team say, look, we don't want you to implement technology and put endpoint monitoring on our systems because we're scared that you're going to catch us watching porn. What how am I even having this conversation? Yeah. And ultimately, yeah, we didn't do it. Cuz you can't, unless you have InfoSec. On board and part of your team. But, I care so little about what people are doing in that respect. I care about protecting information, the secret sauce, the ip, and to be so far so far off on objectives with somebody on, an InfoSec, a leader in InfoSec around that core function because they were concerned about catching their own people. Using the work systems was just mind blowing to me. And I don't know, I don't know that I could ever reconcile that one, but

Yoyo 49:11

I find it mind blowing that so many people don't care when ultimately they're being paid to go to work, not to sit and watch elicit content all day. Yeah. By the way, I have to ask you, cuz I know I'll get asked this later on, what was the top ranking for time spent viewing porn in that top table that you had? Can you remember?

Nick 49:33

It was more or less we were tracking clicks, right? We were tracking on going to those web pages and sites, and I think the top was something around 3000 a month.

Yoyo 49:48

Oh my gosh. And yet clearly not busy enough.

Nick 49:52

I mean, unless you're just staying up all night, perhaps. I don't know. But yeah, it was definitely, yeah, it was disturbing to see that for sure. But you know what, most people, I don't think realize is that while company shouldn't permit it I'm not saying that they should, or, well, frankly, I shouldn't say where they should or shouldn't. It's up to the company and their decision. Right. But most of the time, right, the security team doesn't frankly care. They're not looking like no one is ever in my entire career. Instructed me to launch a crackdown on illicit sites at, on, on their systems. It's always been, we discovered that as a result of another investigation. And then, oh, by the way, yes, HR has to say, stop doing that, please. It's in our acceptable use policy and whatever, but it's not really the biggest concern that companies have when they bump up against

Yoyo 50:46

this sort of thing. And a happy force is a busy force. Right? Yeah. So a happy workforce. Yeah, A happy workforce is a busy workforce. I know that everyone talks about cybersecurity. We talk about state actors and threats like that. What do you consider to be the gravest kind of, threat to businesses right now?

Nick 51:10

I think hands down, and I don't have to think about this. It's their own lack of awareness, education, and ability to adapt a hundred percent.

Yoyo 51:19

Agreed. Yes. If you put the people process, technology first, people definitely needs 85% of the attention, I think. Okay. And just finally we talked in the pre-chat about Harry Truman. There's a super cool quote that you told me you really like. What is it?

Nick 51:39

Yeah, I share it with all my teams. And it was Truman saying that it's amazing what you can accomplish when you don't care who gets the credit.

Yoyo 51:47

Yeah. Wow.

Nick 51:49

And to me, that's what mission is about. That's what teamwork and looking after your colleagues is about is working together to, to enable everyone to be successful because. The team and the mission is successful. And that was one of the things that I think differentiated me and some of the teams, well not just me, but my, the teams that I was a part of and helped to build their organizations is that, when you staff from former federal law enforcement, local law enforcement, intelligence agencies, military you're building a team of individual contributors that understand that they have a role to play in achieving the mission as a team. And, we never focused on individual, ratings, reviews. We always just measured our success based on how the team was successful. And we always did very well, but we sometimes stood apart. And in part can create some friction. And I had to learn, I didn't intuitively understand this because I believe when I got to the private sector that everybody was on the same team and we all were working towards the mission. Right. I how dumb and naive I was. But it took some hard lessons to learn that you, when you come in and build a group of individuals that look different from everyone else comes with that, comes with some interesting relational challenges with your colleagues.

Yoyo 53:04

Look, just very quickly we haven't really covered off Tesla. I used to say in the police, it was the best of times, the worst of times. What's it like working for Tesla and did you actually meet Elon?

Nick 53:15

Yuon was yeah, he was my de facto boss for the most part. Right? So I reported to the head of security. But after I successfully investigated the biggest leak case in Tesla's history, I found myself on Elon's radar quite a bit. So I had, I did have a fair amount of personal interaction with him. And and yeah, he was, because he was very interested, he was very interested in security, he was very interested in protecting El intellectual property, and he invested, accordingly to do so, which was great for me. To, to be, to work in a program that was well supported now extremely demanding and high expectations. But that's Elon on everything, right? But, so while I never directly reported to him I definitely had his number in my phone and I would've to sleep with one eye open at night in case I got a text message at two in the morning. And there were times when I would get a text saying it, it's 1:00 AM I need you here for a meeting at 10 o'clock in the morning. So I would go on my app and book my flight and get up at three and pack and leave. And then there were times I would land from being on a trip and I'd turn on my phone and a text would pop up saying, we need you to turn around and come back. And so I loved working there. The mission was awesome. Again, mission for me. It was there. I could find a home there, but it started to become my home instead of my actual home. It's again, I had to make another decision in my career that for my family's sake and probably for my marriage sake I needed to move on to something that was a little less demanding. Yeah. Yeah. I was traveling 90% of the time and that was certainly my choice, not to relocate out there for the role, but after, a career. A 10 year career in the agency. My family had moved quite a bit already,

Yoyo 55:03

so Yeah, cuz you didn't leave that behind with a quick decision and to go into something that was equally as draining. Yeah, but look, I don't want I don't want you to think that I'm down on Gen Z. There's one thing Gen Z teach us and that is work-life balance, isn't it? They teach us workaholics

Nick 55:23

They look at it vastly different than you or I have looked at it and, maybe I aspire to be a little more like, like some of those folks in that respect. I certainly don't make apologies about prioritizing my family anymore. Yeah. For my health for that matter because I've absolutely have neglected both in per in pursuit of being a good employee and doing a good job. One of, one of the things I've been talking with the folks at my own company about is, the difference between a contract and a social contract with a company, right? We all have contracts. The company will pay you for doing work. Okay. Yeah. Do the work and you'll adhere to the requirements of the company. Some of those are things like confidentiality, some of those things are, obviously about maintaining a standard performance. That's our contract. The social contract is what we've been digging in a little bit more and trying to better understand the expectations of a company and an employee from a social contract standpoint. And the two are very different. And, I don't have enough data yet to really tell you what my conclusion is about that, other than I think there's something to those conversations particularly with with a workforce these days coming out of college and perhaps it's their first job is the social contract is really where I think you have to manage the expectations and

Yoyo 56:41

I think you're absolutely right. I think you're absolutely right. And my three nieces are all Gen Z, and one of them said to me, she said auntie Yoyo, there's just no excuse for not knowing anything these days. You can find everything you need to know online. If only we, if only Gen X had the internet, Google

Nick 57:05

what an amazing, powerful tool at our disposal. But yeah. Right. Having to roll up your sleeves and go figure things out

Yoyo 57:11

and yeah. Empowerment,

Nick 57:12

talk to people. Yeah, there, there was a different, just a different set of tools that we had to work with. Sure.

Yoyo 57:19

And it's true. I even learned how to build my shed workbench by watching loads of Americans building shed benches on YouTube.

Nick 57:30

Darn right. But you know, before then, us American, all we had was Bob Villa and his his little, encyclopedias of home improvement to go on. Folks today have no idea, yeah. How, yeah. Things are, but yeah, like I think there's tremendous power and potential with this younger workforce, this newer workforce the creativity and the ingenuity, and I think just this expectation that they have a freedom to fail. And we can embrace that is Yeah, I think awesome. I think it, companies have to recognize that the freedom to fail is what they're expecting. And if we don't, if we don't provide that, then we're going to ultimately have a lot of conflict in managing those expectations. Right? Yep. You have that conflict, particularly with this group and obviously I'm generalizing and such it can create a number of challenges inside your company. So yeah, I think it's an area we have to lean in and invest. And companies have to be willing to

Yoyo 58:34

listen. Plex. Yeah, 100%. And thank you. I mean, Nick Jacinto, what an ear opening podcast. Thank you so much for joining us and it was super cool. Appreciate your time. My pleasure. Let's do it again.