A
I've been driving all night My hands wet on the wheel There's a voice in my head that drives my heel My baby calling says I need you here and it's a half past four and I'm shifting gear when she is lonely and the longing gets too much she says we came on coming in from above don't need to bump at all We've got a thing about to hold that I love. All right. Good morning, everybody. Welcome to the party. Got a little, little action today for you on this Friday morning. Today is Friday, April 10, 2026. This is episode 1008, perhaps of Simply Cyber's Daily Cyber Threat Brief. Let's kick that up there. I am your host, Dr. Gerald Auger, coming to you live from the Buffer OER Flow studio, setting the tone, setting the stage for this Friday morning Simply Cyber Daily Cyber Threat Brief podcast. I will be hosting you today as we go through the top cyber news stories of the day. And I break them down, going beyond the headlines to give you additional insights and value. You are not going to get anywhere else on the interwebs. That's right alongside the Simply Cyber community. Some good music. We're off and running, so get settled, get ready. Not cloud, not loud. Jeep, good morning from Ar-Kansas. I know it's Arkansas. SOC analyst checking in at the top of the news.
B
Let's go.
A
We got a great show for you. Let's get into it. Yeah. All right. Good morning. We're off and running. So, yes, eight stories, one hour. We're gonna get half an hour of good times, half an hour of instructor-led webinar. That's right. So we have fun here, but we are also doing work, so be sure to get credit for those GP CPEs. I feel like damn. IDK just buffer overflowed me because I saw Good morning, Simply Cyber Family and I saw the G and I said GPE, not CPE. But that's all right. E Lucky's in the chat. Brute 7679, Dennis Keefe. What's cracking, guys? It's been a long week. Great. Simply Cyber firesides last night with Elite Dennis talking social engineering and OSINT Dennis Keefe. If you didn't know, like I said, every episode's half a CPE. So it's very simple. Just say what's up in chat, grab a screenshot. Once a year, count up the number of screenshots and divide it by two. Every CPE is one hour. Since we say half an hour per show, half a CPE per screenshot. The screenshot represents your attendance, right? You can get up to 120 per year of CPEs. If you're here every day, which I don't know why you wouldn't want to be. Now, you can. I don't say this often, but I do want to let everybody know. You can catch this story of this show. Excuse me. This story. You can catch this show on podcasts like Spotify, Spot Podcast platforms like Spotify, Apple Podcasts, right? Wherever you get your podcast, we push it out to all the things. Also, you can catch it on replay. We do stream simultaneously on LinkedIn and YouTube, so you choose your own adventure. If you're sitting at your desk cranking, that's good. If you're at the gym, hitting the elliptical like Nick Barker, you're out for a run, dude. You're getting ready with the family, having breakfast. And you got us on the little TV there in the corner by the toaster, where whatever you're doing, get some credit. Also, hey, quick shout out. It's Friday, so I'm having a little bit of liberties here with the intro. 
Shout out to Devin Grady. Devin, can I share the news that you shared with me? I think you shared it in a more public forum, but about what's happening on the 16th for you, Devin Grady, let me know. I would love to shout it from the proverbial Simply Cyber buffer. Oer flow, Mountaintop. All right, guys, what do we got? Hey, today's your first episode. Welcome to the party, pal. That's right. We love welcoming our first timers. So no matter what you're doing, if you're here for the first time, whether it's your first time ever finding Simply Cyber, congratulations. We've been here for a minute. I'm glad you found us. Maybe it's your first time live in chat because your schedule changed. You're no longer having to drive into work. You're working remotely. You get that extra time. All right. Hey, check it out. Devin Grady, our very own Simply Cyber Community member, Blue badge long timer, CTF winner. He is going to be speaking at a conference on April 16 here in the low country that I will also be functioning at. I'm. I'm actually facilitating or moderating a panel of three executive health care executives, but Devin Grady giving a talk. I love to see it. Guys, I'm telling you right now, we're doing the news. We're doing the thing. But if you take one thing for me, I'm telling you, invest in yourself. Step into your uncomfortable area. Submit to Speak to conferences, meet in CTFs, say hello to people at conferences or in your classroom. There's no better time than right now. I heard a really interesting adage yesterday, and it's sticking with me, and I'm going to share with you, and then I'm going to do the ad reads and all that. You guys can be like, all right, enough, you know, philosopher Jerry, you know, enough. Jerry, listen to me. Listen, please. And, and let this run with you, okay? Yana Ivanov, almost full timer and love how supporting this community is. Yes, sir. Thank you. Yana Ivanov. 
Hey, listen to me really quickly when I say in invest in yourself personal branding, be the person that people want to talk about positively when you're not in the room, right? All these things take time to nurture and cultivate and build. It is not an overnight thing. You don't pay money to get faster access. There's no Disney World speed pass wristband to cut the line. You literally have to build it and invest in yourself. And I'm telling you, the benefits are huge. Here's what I would say. There's no better time to start right now. And here's the little metaphor I heard yesterday. Right now, if you were at a train station, right, or subway, and you got on the wrong subway heading in the wrong direction, okay, you got on a train and it's going in the wrong direction. You want to go downtown, it's heading uptown, you want to go, you know, west, and the train's leaving east. The longer you wait to get off that train and get on the train heading back, the further you are from your destination. You see what I'm saying? Like, you're like, oh, I guess I'll just deal with this. No, like, every moment that you're not getting off at the next stop and getting on and recourse correcting yourself, you're getting further away from what you want. You're burning time. So please take this as a call. Like, it's so valuable. I, I, I can say it repeatedly. You have to take action. But I'm telling you, the people who have taken action, they will tell you as testament what I'm saying is 100% right. And by the way, I'm not even, it's, I'm not selling something. I'm not freaking trying to push product here. I'm just telling you how it is. All right, guys, I love this community. I got the coffee flowing. It is a Friday. So we got some cyber career hotline panel. We got some new panelists today. New, as I promised you guys, as part of the restructuring of the Cyber career hotline programming, we got some new panelists, including potentially a female panelist today. Let's go. 
All right, guys, this show is not possible without the stream sponsors. You know that, I know that. We've been talking about Flare. I got something new to drop on your head about Flare. Listen to this. Flare baby. Flare is back with Flare Academy training, the evolution of identity security. Guys, Identity is the new perimeter. I know that that's played out like Welcome Back, Kotter, but it is true and they are going deep. Never before has Flare done this. They're going to do a two part practitioner's guide. They got the background history, how it evolved into modern times and the techniques that make up the most attack vectors for identity. And oh, by the way, can I point out something super sick? Guess who they're doing it with? A little company called Black Hills Information Security Group. Do you see that on the stream right here in collaboration with Black Hills. I told you, I've been telling you guys for years how much I love Flare and the Flare people. Black Hills is also my kind of people. All right? And now they're collaborating. Wonder Twins joined forces. If you would like to check out this training, part one, part two, or both, you can do it for free. Go to simplycyber.io/flare. I'm gonna drop it in chat. Go to simplycyber.io/flare now and sign up. And as I always say, guys, you can sign up and not go. There's no penalty. You don't. They don't like, not invite you to the next one because you blew this one off. All right, go check it out. I promise you, you will not be disappointed. It will not be a waste of your time. You will get value like an absolute boss. Oh, William Bailey with a little bit of a pop culture reference. How many pieces of flair are you wearing? The Office Space reference. Jennifer Aniston. Drink. All right, guys, I also want to say holler to none other than Antisyphon Training. Antisyphon Training is bringing high quality, cutting edge education to everyone, regardless of financial position. 
And right now, I think there's still time to enroll in Hayden Covington's pay what you can SOC detection engineering crash course. Let's just say that your plans change today. Let's say you had a full day of crap to do and now it's been cleared. You know, it could have been an email and then it turned into an email. If you want to get training from an absolute legit Boss in the SOC on detection engineering, which is a little bit more of an advanced skill. But it is a crash course, which means even if you're a junior, you can still pick up skills, add them to your resume, be able to speak to them in a job interview. Because this is practical. Hands on skills. Go now. Check it out. Plus, I can tell you for a fact, Hayden is a great teacher. Okay, I have. And again, I've taken Hayden's courses before. He is a, an educator that cares and he's very good at what he does. He knows exactly what he's talking about. Again, I don't pump or push anything that I haven't experienced myself. I've taken Hayden's course. It's good. In fact, I think I took this course if I'm not mistaken. So it's been a year, so. All right. Also want to hear from ThreatLocker. ThreatLocker, the company that makes the coffee flow through my body. They also provide application deny by default security for your endpoints and now they've moved to the cloud. Oh my God. Did they tap two blue and counterspell just endpoint malware? No, no, they've, you know, tap two, tap two colorless and they counter malware all the places. Endpoint and cloud. Go check out ThreatLocker right now. Let's hear from them and man, I'm going to melt your face. I want to give some love to the daily cyber threat brief sponsor, ThreatLocker. Do zero-day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. Worldwide companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. 
ThreatLocker takes a deny by default approach to cyber security and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their U.S.-based Cyber Hero Support Team. Get a free 30 day trial and learn more about how ThreatLocker can help prevent ransomware and ensure compliance. Visit threatlocker.com/dailycyber. Hold on one second, I've got, I've got a problem. God damn. I have a problem. Ah, hold on one second. You know you try to run multiple monitors and, and you just. All right, hey, really quick. Also if you didn't know, later today at 2:00pm Eastern I'm going to be doing a two hour live stream with Tanya Janka, SheHacksPurple. Talking about application security. Guys, I, I'm sorry. I literally am doing so many things so many times that I forget to tell people about some of the things I'm doing. If you're interested in AppSec, if you're interested in having a good time, a way to start your weekend 2 to 4pm today live on SheHacksPurple. I'll drop a link in chat on that now. I didn't see any first timers. I also sorry, I swore I didn't see any first timers but what I can tell you is I need you. FedEx, Mike Andruzzi, B Dubs, Code Brew. I need you all to do me a favor. I need you to sit back, let that ASMR roll on you. I need you to sit back, I need you to relax and I need you to let the cool sounds of the hot news wash over you in an awesome wave. We are off and running. Let's go.
C
April is trust Month at the csoc. Join us later today for our Super Cyber Friday live stream about hacking.
A
This is not how we start a show.
C
More details at the end of this
D
episode from the CISO series, it's Cyber Security Headlines.
A
I'm gonna have to start scrubbing that.
C
These are the cyber security headlines for Friday, April 10th.
A
Oh really quick. I know, I know we're about to do this and I just kind of like teased it a bit. But can we just really quickly shout out to the mods? I see BAC and Jenny Housley in the chat. The mods are you guys know the mods and know they're here. But I like, I don't want to call them unsung heroes, but they are definitely putting in the work to. They're the glue that makes the machine stick together. So shout out and love to the mods. Thanks guys.
C
2026 I'm Steve Prentice. Google API Keys in Android Apps Expose Gemini endpoints. Researchers from Truffle Security are warning that API keys for public services such as Google Maps can be used to authenticate to the Gemini AI assistant, potentially exposing personal data. This announcement was based on the researchers scanning millions of websites and finding nearly 3,000 Google API keys that quote now also authenticate to Gemini even though they were never intended for it, end quote. This could allow an attacker to access uploaded files, cached data and to charge LLM usage to your account, they said. Additional research from mobile security firm Quokka led to the discovery of over 35,000 unique keys across 250,000 Android applications. Also, CloudSEK says it discovered 32 Google API keys hard-coded in 22 popular Android apps, apps that provide unauthorized access to Gemini AI. All right, Acrobat.
A
So I mean these are hard coded keys. I do want to point out that these are not trivial. I mean it's. They're trip. These API keys are kind of baked into the APK files, which is the Android executable file. And APK files are trivial to decompile. You just need the like. I forget what it's called. There's like an Android IDE environment. And in fact in 2026 you can probably use Visual Studio or other and someone in chat let me know. I'm sure you can use like most IDEs or integrated development environments to pull these things apart. And then the API key will just be sitting there as like a value, a variable value. So because of that, once you. An API key is just a credential. Essentially it's like your password, right? So once someone has your API key, they can use it to access Google resources using that key. In this instance, they're talking about Gemini. This definitely sounds like one of those instances where Google made the decision to allow existing API keys into the Google infrastructure to just work with Gemini. And I bet you it was designed as a usability feature or a convenience feature. Do you guys know how Copilot just shows up all over the place? You log into Office 365 and it's like, hi, I'm co pilot. It's like, oh Jesus, Clippy 2.0. Like get out of my face. Or like you accidentally hit the co pilot key on your keyboard. Freaking hate Copilot.
B
So
A
in the world of product and business, right, like, just think about it for a minute. If you're, if you're a business selling product, you want your customer experience to be absolutely frictionless. That's, that's a term you'll hear in business and in sales and whatever, or not sales, but like it's not really sales and marketing. It's more like, you know, onboarding and operations. But you want frictionless experience. You want it full of friction for them to separate from you. That's called vendor lock-in, which is a whole other thing. But you want it super slick, like, like level 90, you know, KY jelly. I mean, like, I don't know. Another thing that could be slicker, okay, you want it super slippery so they can get in. Now, if you make the API keys that already exist interface with Gemini already, you can just basically turn on Gemini and it's going to work for every Google end user there is. Right? So that's why they did it. Unfortunately, they didn't. They didn't think through the downstream impact, which is that those keys can be got by threat actors and then leveraged. So here's what I would say, Number one. Hold on one second. My only question right now is you, Marcus Kyler, give me something slippery engine oil. Like give me something slippier. Slipper. I mean, that is a, a clinical use thing. Okay? So listen, the only thing I can think of is the only question I have right now in chat. Let me know, is this the API key for the developer? Right. Or is this the API key for the individual user of the program? My belief is it's the developer's API key, which means. Oh, baby oil. Oh, yeah, I should have known. Baby oil, Silicon spray. Thank you, Mike Andruzzi. We got banana peels up in here. Snot. Ew, Brown coyote. Okay, so listen, as, as you. Okay, okay, okay. All right. I've unleashed the Kraken here of people. So for me and you, this isn't a problem, right? Because it's not our API key. 
Like we can still use Google Maps tomorrow and I'm going to use Google, I'm going to use Waze later today to drive to Georgia. So it's not a problem for us. If you are a software vendor, if you are a tech company and you are building Android apps, you may want to investigate or, or educate your developers on how to manage this. And, and by the way, can I just point out one other thing? I think in 2026, with all of these AI tools, and this goes beyond the story, I think you should absolutely have like tripwires and alerts and detection set on your API key usage. So basically to manage spend, right? So if some threat actor gets your API key and they start trying to exploit it by using it to like get free cycles, free compute, you can detect that and revoke that key before the spend gets out of control. That won't protect your secrets. That won't stop them from accessing your files if that key has access to those files. But it's just one, it's one risk to manage because trust me, if you get like, I've, I've heard and seen some stories in the last like month and I'm sure you have also where a business gets like a hundred thousand dollar bill out of nowhere and they're like, oh my God. And it's like, yeah, because your OpenClaw instance went ham, or because your, your whole enterprise team went ham with, with AI. All right, so Roswell UK is confirming it's the developer's API key, so. Exactly. So just be mindful of this. All right, let's keep Cooking at reader
C
Zero day flaw exploited since December according
A
to by the way, also a good like, you know, independent security research. Go grab an APK. Go grab a binary and reverse it and see if you can find an API key. Hey. All right. Just become best friends. Yep. I love it. Thank. Hold on one second. Let me see Antoine. I love it. Hold on. Can we bring him on? Antoine with a super chat? Antoine's side or Eid? Yeah, Antoine Sidey 2030 super chat. Thanks dude. Appreciate it. Great to have you in the saddle.
C
Computer quote the attacks were discovered by security researcher Haifei Li, the founder of the sandbox-based exploit detection platform Expmon, who warned on Tuesday that the attackers are using what he described as a highly sophisticated fingerprinting-style PDF exploit to target an undisclosed Adobe Reader security flaw. Li added that Adobe users have been targeted for at least four months with data being stolen from compromised systems using privileged APIs and deploying additional exploits. A link to Li's long list of security vulnerabilities in Microsoft, Google and Adobe software, many of which have been exploited in zero day attacks, is available in the show notes to this episode.
A
This is pretty good. Oh, hold on. Thank you. Thank you. Mods. I didn't realize it was on the screen. Okay, this is pretty good. So, dude, this is a legit zero day. I feel like we haven't seen one of these zero days in a hot minute. This one just requires the victim to open a PDF. There is no patch currently available that. Well, hold on. I should confirm that patch. Yeah. Zero day unpatched. Yep. So Adobe re. Dude. Adobe Reader users are advised not to open PDF documents received from untrusted contacts until a patch is released. Okay, so Adobe, like, thank you very much for this guidance. May I point out that, like, what, what are you supposed to do if you're working hr? Like not open people's resumes. What do you do if you work in Accounts Receivable? Not open invoices? Like, I, I get it, I get it. This, this will in fact fix the problem. However, like, this is like saying, hey, you know, we. You have a high likelihood of getting a hangnail on your big toe, so we're gonna advise you to cut off your foot until we can get this hangnail thing sorted out. You know what I mean? Like, I don't know, man. I mean, like, I don't know. There's a high likelihood you're going to drown in the pool, so we're advising you not to swim until further notice. Like, yes, this is called risk avoidance. Going Back to our, you know, SEC+CISSP days. There is risk avoidance, risk transference, risk acceptance, risk mitigation and remediation. This is straight up avoidance. Like no, thank you Adobe, but no business is going to like not open PDFs. Okay. Now if you work in a very sensitive environment or whatever, I mean, you could come up with alternatives, right? You could open this on like, like a vm, right? Like set up a some type of VM and allow thin client access in so the blast radius is smaller. Realistically, you would hope that Adobe's going to fix this sooner than later. This is a true zero day though. 
Basically you send the PDF and if someone opens it with a vulnerable version, which sounds like it's all versions of Adobe Reader, you're straight crushed. Also, you could get a different PDF reader application. That would work also. I think Foxit is, Foxit Reader, one. Oh, we got some squad memberships coming in hot from. Hold on. What is this? Brian Gruss sending out five gifted subs. Brian. Thank you, man. The people's champion, Brian Gruss. All right, we also got Casey Dean becoming a squad member. Has that been on the screen for a minute? I don't know why that hasn't gone away. Oh, there it is. Oh, oh. Everybody's becoming a squad member. This is sick. What a way to celebrate a Friday. All right, TLDR Russia is targeting people with this issue. Yeah, the only other thing I would say is you got to remember this too. Like even with a zero day PDF attack, if Carl in accounting, Foxit PDF reader, even if Carl, I. I always want people to think this way. Okay, Please think this way because I think it's the right way. You have your left of boom before bad happens and then you have right of boom. A lot of people focus only on left of boom. Right? Build, building the, the fence, getting in the closet, turning the light off, not making a sound, waiting, right? Hiding. That's protecting. But you got to be able to like respond, right? Someone opens the closet, you got to be able to run out, be like, right? So don't sleep on that. So for an instance like this, with a zero day, you have no defenses. Okay. If it comes in and. And again, like not using Adobe is stupid. No one's going to do that. Okay? So what you need to do is if the machine gets cracked, that doesn't mean bad has fully happened yet. Because threat actor needs to move files off the victim endpoint, threat actor needs to log in or gain persistence, do command and control. There's a lot of opportunities to detect a compromise of that box before the impact of the compromise is realized. Meaning you could detect. 
And you'd have to look because once this exploits the Adobe reader, it's got to execute some type of payload, right? Or a shell, you know, some type of like cradle and pull down second stage payloads. Schedule persistence mechanism. Like whatever it is, it's going to happen. And those are opportunities to detect. If you see C2 traffic going out, you can say, okay, this box is compromised, so don't sleep. You need EDR, you need detection engineering. Okay, so it's bad, but it's not the end of the world.
C
Microsoft developer chief Julia Liuson departs. Liuson will resign as president of Microsoft's developer division at the end of June, though she will continue in an advisory role. She has been part of Microsoft's Core AI division, introduced by CEO Satya Nadella in January 2025. She also assumed responsibility for GitHub in August 2025, at which time GitHub became part of Core AI. Liuson, who started at Microsoft after graduating in 1992, is credited with leading the effort to make the .NET platform and cross platform cryptocurrency.
A
Yeah, okay, like, I mean this is a big news anytime that remember guys, this is like a Fortune 5 company, okay? Fortune 5 company has, you know, probably billions of dollars of investments. Whenever a, you know, very seasoned senior core pillar executive leaves, they will make a big deal about it. And Microsoft, of all companies is the company, is the group that like handles transition and evolution very clearly. Like they'll tell you like five years before they're going to cancel an operating system version, right? So this is totally on brand for them. Now this woman, Julia Liuson. By the way, this story has about nothing to do with cybersecurity, but let me just tell you, Julia Liuson, she was leading the efforts on the .NET throughout the 90s and 2000s. She recently got put ahead of the AI thing over there, the developer division, Right. So she assumed responsibility for GitHub when the CEO stepped down in August. So 1992, like that's. What is that? 26. 8 is 34. Okay, 34 years. She started when she graduated college. Let's assume she only got an undergrad. That means she's 22 at that time. Plus 34 is 56. Dude, she's 56 years. Here's my take on this one and I'm just being real. She's 56 years old, minimum. Okay? She's minimum 56 years old. She brought Microsoft through the 90s and 2000s when Microsoft exploded the whole dot com wave cloud, Azure. She's been working with developers and now people are leaving. And this happens all the time, by the way. This might be an indicator that it's time for you to switch jobs too. People are leaving. The CEO leaves in August and they're just like, hey, Julia, you're still here. Why don't you take over the AI division too? And she's like, bruh. Or GitHub take over GitHub. And, and she's like, bro. Like, I'm like, she's already like drowning and they throw her an anchor, right? So my opinion is that AI is like the next big. I mean, obviously AI is already here, but AI is the big wave right now. 
And this woman, if I had to guess, she's probably like, listen, man, I've already rode this ride several times. I don't have it in me to take another, another pass at this, on this, on this boat ride, right? Like, like, I'm good, I'm getting off here. She's probably got infinite money, like, which again, good for her. I don't care one way or the other. I'm just saying, like, what's your incentive? If you've already done this thing and had massive career accomplishments multiple times, what would be the incentive for her, right? So that's, that's what I think. Again, Julia Liuson did not contact me for comment, so I'm just basing it on my life. Guys, I don't know about you, but most times when I leave a job, it's because I've been straddled with so much responsibility because I'm doing my job well that I have to leave. All right, this is a classic example. You're so good at your job that they promote you. Nice. Congratulations. You get a 10 raise and then they don't take your old job away, even though they say they're going to. Then you get promoted again in two years and they don't take your second job away because you're great at your job. And now you just have three jobs. You're stressed out. People are like, oh, you're the go to person. Like, Jerry knows where the bodies are kept and it's just not fair. So that's my hot take on this foreign
C
company. Bitcoin Depot reports cyber attack. This March 23rd attack resulted in a threat actor gaining control of credentials associated with the company's digital asset settlement account.
A
I don't know, is it straddled with responsibility or saddled responsibility. I guess saddled makes sense. Like they put it on you. But when I think straddled, I don't know, I think someone's like riding me. Like I'm like. But it could be saddled. I'm fine with either.
C
Leading to the theft of almost 51 bitcoin from company controlled wallets. This had a value of about $3.665 million as of the date of the report. Bitcoin Depot believes that the incident was contained to the company's corporate environment and did not affect the company's customer platforms, divisions, system data, or environments. Bitcoin Depot is the, all right, largest cryptocurrency ATM company in the U.S. all
A
right, so obviously Bitcoin Depot is like a great target for a threat actor to hit. They're the largest Bitcoin ATM. Again, I don't know why people like crypto does not have utility. Like, stop it. Stop. Stop trying to make fetch happen. Cryptocurrency. All right, so they got access to internal IT systems. It looks like bitcoin is saying that it didn't touch the customer stuff. Although it does say that they were able to transfer 50 bitcoins, which is $3 million, out of this, out of the environment. That sounds like it's affecting customers. Oh, customer information wasn't accessed. Well, that's fine. They didn't get your email address. They just stole your money, bro. So, hey, threat actors are not hacking in, they're logging in. As I continue to say, they gained access to systems by obtaining control of credentials associated with the company's digital asset settlement accounts. All right, guys, here we go for you right now, for whatever organization you're protecting or if you're gonna go job interview, not all accounts are created equal. Some accounts are privileged. All accounts should have least access, meaning they only need to access the things they need to access. So this digital asset settlement account, sure, it is needed to access the, the crypto money and move money around. That sounds like a very important, very secure, very high profile user account. One that should have multiple factors of authentication on it and not and, and dude have tripwires, alarm bells, detections all over it. The fact that they were able to move $3 million or 50 bitcoins without, you know, necessarily being able to prevent it or stop it or detect it seems a little interesting. But they say the company says that attack won't have an impact on operations. So they're able to just eat $3 million. I don't know, man. This. This to me just screams like a 2026 virtual bank, right? Like criminals go where the money is and they're going to steal Straight cash, homie. 
Straight cash, homie.
C
Huge thanks to our sponsor, Vanta. Risk and regulation ramping up and customers expect proof of security just to do business. Vanta's automation brings compliance, risk and customer trust together on one AI powered platform. So whether you're prepping for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure and keeps your deals moving. Learn more at vanta.com/ciso. That is V-A-N-T-A dot com slash CISO.
A
All right, Hala, Holla, holla. All right, so we're at 8:40. I'm gonna be quick about this guys. I, I genuinely appreciate you. Thank you to the stream sponsor, ThreatLocker, Antisyphon, Flare. We're at 335 active viewers right now. Again, people reach out to me and say they catch it on Spotify, Apple podcasts. I'm really, really happy and appropriate. Appropriate. I just got buffer overflow. Again, I'm really happy and appreciative of, of all of you and what you guys do. It just. I noticed there's been a decline in headcount. I actually think, and I'd love people's opinions on this. I think it's a reflection of the overall market of people's appetite and emotional like threshold for the cyber industry right now. I might be wrong. I might be reading into it too much. Maybe a bunch of people got jobs and they just have conflict, schedule conflicts, I'm not sure. But what I will tell you is whether you're live with us right now or you are listening on replay. We got jokes for days, guys. Every single day of the week has a special segment. And Fridays is James McQuiggin at 35,000 ft's dad jokes of the week. And I gotta tell you, thank you, itchy beef. I'm gonna pause the music. That way when I cut out the song later, we don't miss James McQuiggin's jokes of the week. All right, here we go. All right guys, so this guy right here, James McQuiggin, if you don't know who he is, he's a long time Simply Cyber community member. He emcees track two of Simply CyberCon every year. Go to simplycybercon.org if you want to learn about Simply CyberCon. Also, we have a bunch of activities at Simply CyberCon this year, including a magic tournament that Everybody's competing for. Second place. Okay, hey listen, James McQuiggin brings dad jokes. And today he's got some springtime ones for you. James wants to know why is the letter A like a flower? Why is the letter A? By the way, I don't read these in advance. These are getting first time for me. Okay. 
Why is the letter A like a flower? Because a B comes after it. Oh, my God. All right, all right. Daniel Lowry, what's up? In chat tech grunt. Good to see you. Steve Young as always. Hey, James McQuiggin wants to know what do you get when you cross a dog and a tulip? What do you get when you cross a dog and a tulip? Did you know very few people know this breed? It's a cauliflower. It's a cauliflower.
D
Okay.
A
And James wants to know if you've been out in the garden doing some gardening, touching grass, as the. The youths like to say. The Youngs. Why was the flower late to school? Why was the flower late to school? Also, why was Justin Gold late to work? The flower was late to school because it decided to stay in bed. It's flower bed. Oh. All right. Thank you, James McQuiggin, for these always relevant, seasonal, holiday esque, very topical jokes that you bring to us every single Friday. We are so fortunate, everybody. I hope you understand that other podcasts don't have Dan Reardon memes of the week, James McQuiggin jokes of the week. Like we don't like other people don't get this. We are special. All right. We also get to do the La la la la. I'm gonna pour a little bit out, but not really for Alpha Sierra just become best friends. Yep. All right, let's get our.
E
La la la.
A
La la la la la la. All right, thank you, James. Thanks, everybody. Hopefully you enjoyed those. Marcus Kyler, the drum major, always keeping it real. Let's finish strong, everybody.
C
Breach exposes sensitive LAPD files stored in City Attorney system. The Los Angeles Police Department made an announcement on Tuesday stating that hackers had gained access to a Los Angeles city attorney's office digital storage system containing sensitive police documents. These documents had been turned over in discovery from previously resolved or settled LAPD civil litigation cases. The hackers did not breach any LAPD systems or networks, according to the press release. The statement said the hackers accessed a third party tool used by the city attorney's office to transfer discovery to opposing counsel and litigants.
A
Okay, like that's a really fancy way to say they they a file share service. All right, so this is a one of the stories where, you know, insert LAPD, right? LAPD, Los Angeles Police Department. But really, it's some third party file sharing service that literally has nothing to do with the Los Angeles Police Department. This is a file sharing service that allows lawyers to share evidence with other lawyers. Right? So the prosecution is going to bring a bunch of things to crime, I mean, to trial, and the defense has an opportunity to see that evidence in advance so they can prepare their defense. That's like a standard way that the US Judicial system works. Unfortunately, the LAPD is getting smeared in this thing, of course, the LAPD's entire IT infrastructure. And let me just say shout out to every IT person that supports any type of local, state, municipality, IT system, whether you're. Whether you're, you know, j. Crypto, handling water, wastewater, you're, you know, working in the city, mayor's office or the LAPD or whatever. Dude, you are making a dollar out of 15 cents. Like, my heart goes out to you. I understand the budgets are wicked tight. You're asked to do, like, literally work miracles with very little. So definitely appreciate that. Now, the third party tool used by them, how was it breached? That's the question, Right? Sounds like they probably just logged in. All right. Sounds like maybe they just logged in and. And downloaded it. Okay. I don't even know what the value is to these threat actors. I will say that you could argue that there's potential here for compromise of data integrity, meaning, oh, here's, like, you know, whatever. Here's pictures of the O.J. Simpson crime scene. But because a hacker downloaded them, these pictures are no longer reliable. The chain of custody has been breached. And with evidence in digital forensics and stuff, chain of custody is important, like if you ever taken a single forensics course or cor. 
Forensics, anything. Like chain of custody is a big deal. I don't think that's the case here. I think it's just, you know, basically downloading. So, you know, to me, this is a lot of sizzle, not a lot of steak kind of story, but, you know, it is what it is. Although shout out if you want to get. Yeah, exactly. Brown Coyote. I love that Tupac reference. I try to use it as often as I can. I do want to point out really quickly, get your. Your Kool Aid man, your eight bit Kool Aid man going. I will say as soon as it said LAPD files, the first thing I could think of is like, the open investigation for Jeff Lebowski, AKA The Dude's stolen car, looking for the Creedence tapes. They've got them working shifts. So I'm sure the, the evidence though, that that note from Big Mike and the boys.
C
Minnesota Governor calls in National Guard after a cyber attack.
A
All right.
C
They followed a ransomware attack on Winona County on Monday which disrupted vital emergency and critical services. Minnesota Governor Tim Walz issued an executive order on Tuesday saying, unfortunately, the scale and complexity of this incident has exceeded both internal and commercial response capabilities. A specialized cybersecurity and recovery team from the Minnesota National Guard is now in the county supporting the investigation and restoration efforts. There has been no confirmation as to whether this attack is related to the one that the county suffered in January. Intent redirection.
A
All right, so as always, state, local, municipality gets hacked. Emergency services and 911, fire, police, emergency, health, paramedics is not impacted. They're usually on a separate system. So that's fine. The governor sending in the National Guard. I just want to point out from a political, not political, but from like an operational perspective, this decision unlocks federal funds. So like, they may be able to handle this without the National Guard, but it is federal funds. A great example. Like in the state of South Carolina, where I live, like if there's even like a sniff of a hurricane, like two weeks out, like the governor declares an emergency and like all of a sudden we unlock all sorts of like emergency money. You know what I mean? And then like so it, it's, it's part of the decision now it sounds like the governor of Minnesota like actually did a calculation and decided whether or not they could handle this. But, you know, whatever. To me, it's like a playbook. They execute, they are working with FBI, etc, we, we do not know who the threat actor is. But honestly, guys, like, I'm sorry, for Minnesota, Steve Young, our local Minnesota in is our, you know, spokesperson for Minnesota. But here's my thing. State and local municipalities are soft targets. Like that. That's all it is, guys. Like if you're a threat actor. If I was a threat actor, it's who I'd hit. Actually. No, it's not. It wouldn't be my top hit because like they don't have a lot of money, right? My, my top hit would probably, I guess. Here's a question for chat. If you were going to hit like just pretend you're a threat actor, where would you go? Like there's an argument to be made of hitting like lawyer offices and accounting firms to get access to a better pool of targets where you can find sensitive information for extortion or you can find high value targets for financial gain. Also, you know, healthcare, pretty, pretty solid attack manufacturing. 
They got lean margins, state, local, municipality, though, I mean, it might be a good place to start just because they're soft targets, you know what I mean? They literally have less staff, less money, less all the things. I feel bad for them. So you know what? One of our panelists today would be a great. I'm gonna leave it as a surprise, but I'm gonna bring this up to one of the panelists today, okay?
C
Vulnerability in third party SDK exposes Android wallets. Microsoft is warning of a severe intent redirection vulnerability in a widely used third party Android SDK called Engage SDK. Discovered during routine research, this flaw allows apps on the same device to bypass Android security sandbox and gain unauthorized access to private data. With over 30 million installations of third party crypto wallet applications alone, PII, user credentials and financial data were exposed to risk, the company said. The security blog adds that, quote, Because Android apps frequently depend on external libraries, insecure integrations can introduce attack surfaces into otherwise secure applications. End quote.
A
All right, so this is pretty good. Microsoft has like, way to go Microsoft for being the people's champion here. They're doing research on all sorts of things. They find a massive bug in an Android third party library. Remember, Android is Google's product, right? Android gets forked all over the place, but at the end of the day, it is a Google product which is a competitor to Microsoft. Yet Microsoft doing the Lord's work here and trying to make the world a safer place for everybody. My question is this really gross vulnerability allows essentially unauthorized access to all the sensitive things, including your crypto wallets, your. Your tokens, your. Your keys, all the things, right? So, ooh, it's all right. So an attacker has a malicious app, you have to install the malicious app, which is not unheard of, and then, boom, they get all the things. They own your. They own your phone. All the things on your phone, it's owned. Here's my thing. How do you fix it? That's what I want. Like this, this. I'm gonna link this story. What's up, Berlinda? It's good to see you. I was actually just thinking about you yesterday, Berlinda. I hadn't seen you in a minute. It's good to see you again. All right, hey, guys. Link to story in the chat right now. And if you're listening on replay and you don't have access to the chat, just go to search for Intent Redirection Vulnerability 3rd Party SDK Android from Microsoft and you'll get it, it is a very nice technical deep dive blog. You can see that they are showing IDA. I assume this is IDA or Ghidra or something. It's a disassembly. Actually, this isn't even disassembly. This is Android source code. This is the. Remember earlier where we had the APK file and you could decompile it and get the API keys? That's what they're doing here. You can see that when you decompile Android executables, you get nice, clean, nicely structured. They call it prettified source code, so it's very easy to read. 
All right, so this is a wicked technical deep dive article, if you're into that, if you're into security research, if you're into looking at Android source code. This is like the most throwaway graphic I've ever seen. Okay. But it does have a caption, so I'll give them. Give him a credit on that one. So here's the thing. Micro, to me, it's like, what do we do about this? Okay, Lauren Torres. Welcome to the party, pal. Welcome to the party, pal. All right, the issue was reported to Engage Lab in April of 2025. So over a year ago, okay, Engage Lab addressed the vuln in 521, released on November 3, which is six months ago. Okay, so, okay, listen, this is almost like a post mortem retrospective blog post. The chances that you're running a vulnerable version of this Engage Lab SDK is probably low because it's six months since they updated it. As I said before, Microsoft is an absolute consistent juggernaut in long time horizons on doing things, whether it's responsible disclosure and working, whether it's sunsetting an operating system, whether it is notifying you of an executive leaving, like Julia Linson earlier today, leaving in June, like Microsoft, this is their bag, right? And I'm here for it. I like it. Again, the value to Simply Cyber community members of this particular story. This is a beautiful deep dive, very technical discovery of a vulnerability in an Android file or an Android executable. So definitely, if that's your bag, check it out. It's a great blog post. It's very elegant, it's very nicely packaged and it's got all the bits and pieces that you would want.
C
New Chaos variant targets misconfigured cloud deployments. Researchers at Darktrace have identified a new malware variant called Chaos, which can hit misconfigured cloud deployments and consequently expand beyond its traditional focus on routers and edge devices. Chaos is a cross-platform malware capable of targeting Windows and Linux environments. It is assessed to be an evolution of another DDoS malware known as Kaiji that has singled out misconfigured Docker instances. Darktrace added, quote, the recent shift in botnets such as Aisuru and Chaos to include proxy services as core features demonstrates that denial of service is no longer the only risk that these botnets pose to organizations and their security teams. End quote. Be sure.
A
Sorry, I was getting the, the panelists set up. All right, so two things. One, real quick, just first, gut reaction here. Black Lotus Labs, they seem to be pushing out a lot of like research lately. Like they come out of nowhere. Although they published this in September of 2022, I still hadn't heard of them, but like recently I've been hearing about them a lot. QKB3128, calling out the number of likes that this video doesn't have. If you're getting value from the show, hit like. I don't really say that often, but why not? All right, so it's a distributed denial of service malware. There's a bunch of Chinese language in the source code, so they think it is what it is. Darktrace is a vendor, right? So this is one of those ones where they have a research arm doing the vendors, a vendor doing the research and blog posts instead of marketing Darktrace. You know, I, I haven't used, I know people who have used it. They were one of the very first, like 2015, 2014 AI, EDR or like EDR tools. That AI, from what I've heard, like, it's fine if you don't want to touch it, but if you're a detection engineer, it's incredibly frustrating because it's like, no, I'm AI. You can't configure me. So choose your own adventure on that one. Although they are a Silicon Valley darling, people are dumping money into Darktrace. All right, so if you have misconfigured cloud application or cloud infrastructure, sounds like they can get you. Let's see. I'm reading, I'm reading really quickly. I don't research or prep for these shows. Ain't nobody got time for that. All right, so most of this story goes into what, how it works after the compromise happens. My question is, how does the compromise happen? You know what I'm saying? Like, if you could stop the kill chain further up the chain, like it's better. Misconfigured cloud deployments, it's targeting misconfigured cloud deployments. Right? Like once it gets you. It runs a remote shell and drops additional modules. Yes. No kidding. 
It's looking for misconfigured Hadoop instances. Okay, so the only thing we get as far as indicator of compromise is that or of attack sequences. It makes an HTTP request to create a new application. All right, so unfortunately there isn't a lot of information here for you to use as far as checking your own cloud infrastructure to see if it's been compromised. I will point out if you are running Hadoop clusters, Hadoop is. You would see a Hadoop cluster and in a research area, like Hadoop is like big data database. So you know, think higher education, big think tank research. That's where you're going to find Hadoop clusters. If there is a Hadoop in your environment, you may want to just check to see if it's got any compromises or weird stuff. Like, again, there's no indicator here on what you should be looking for. Like, what does this HTTP request look like? There's a question for the, for the, for the author of this article. All right, final thing I'll say before we go to the segment is, listen, in the world of cyber security, there's really only three ways to attack you. All right? Well, they can attack the person, but like as far as like technical attacks that you're not local to, right? Like, so a threat actor in Cambodia, there's only three things. Zero day, right? Which we saw with the Adobe story today. Zero day, which is like, ooh, next level hack store. Like, show me, show me your black hoodie. Right? Zero day. Logging in, right? So they steal your credentials. Info stealers, stuff like that. Phishing, social engineering, right? Info just logging in and then misconfigurations. Those, that's it, right? So if you, if you harden those three things, you're winning so hard. All right, this story, unfortunately is not useful to, to us as practitioners. This story is great for scaring people like, oh, potentially Chinese based chaos, distributed denial of service malware. It's, it's coming for you. Hide your wife, hide your kids, hide your husband. 
Like, okay, what, what, like as a practitioner, what do I do about it? Whoa, whoa, whoa, whoa. We're not answering questions here. All right, hey, really quickly, we got something in chat here. That one cyber guy says, I have an interview set up for a cyber security administrator Monday. I was about to give up on getting into cyber. Well, that one cyber guy, first of all, glad you didn't give up. Second of all, crush that interview. Third of all, third of all, if I may, everybody. And then we're gonna get into the Cyber career hotline. Just yesterday, this has been an ongoing initiative that I've been working on all. But look at this. That one cyber guy and everybody else. Can I zoom in on this? No, that ain't gonna work. Listen, I have a playlist called the cyber interview feedback you deserve. I'm gonna link to this right now. Somehow. Can I get a. How do I share this thing? Whatever. I'll just link this in chat. This is for that one cyber guy and everybody else. If you have a job interview in cyber security, whether it's SOC analyst, GRC analyst, or pen tester, literally, this video series goes through common interview questions that you're going to get. And then they have a junior, a mid, and a senior person answer those questions. And then I break down the feedback. Look, there's junior, there's mid, there's senior. And then I am going to break down those questions and tell you what's a good way to respond, What's a. An opportunity to be better at responding. So essentially, what I want you to do is absolutely destroy your cybersecurity job interview. Here I am breaking down her response right there. All right, so don't sleep on that one. Okay. All right, everybody, we are ready to cook. All right, all right, all right, all right. Okay, hold on. We got. We got one in the chat right now. Guys. This is a great day. I genuinely appreciate all of you. Let's see really quickly. We'll do this and we'll do this, and we'll do this. All right. 
All right, guys, I want to say thank you very much. Stay tuned. We got a panel for Cyber Career Hotline. What is Cyber Career Hotline? Cyber Career hotline is a 30 minute, but on Fridays, we go a little long show where we answer all your questions. Dial in, call in, drop your questions in chat, and we will answer them. We got some new panelists today. Looks like one of them is not available. I don't know, but we got a new one which I'm excited about. And a couple familiar faces. I'm Jerry from Simply Cyber. Thanks for being here for the daily Cyber Threat Brief. Have a great weekend and let us cook on answering your questions. Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your burning questions about the cyber security field live, unfiltered, and totally free. Let's level up together. It's time for some Jawjacking. All right, all Right. All right, what's up, everybody? Welcome to Cyber Career Hotline. Call in, get answers. This is Friday, so we've got panels. Hold on. What am I doing? I feel naked without these, without my glasses. I felt like I look like Dr. Gerald. OA, that absolute zero. All right, here we go, guys. We got our panel. Let's introduce them. New to the panel, actually. Let's. Let's do this in a different order, guys. We got a regular coming on. You know him as James McQuiggin at 35,000ft. If you did not like the dad jokes of the week, please take it up with him immediately. Ladies and gentlemen, James the Quicken. Hey, James. Bring it, bring it.
D
Good morning, everybody. How y' all doing?
A
Doing great, man. All right, we've got another panelist coming on, new to the scene. I'm in. I'm excited to introduce you to her. This was part of an effort where I very seldomly go into the women of Simply Cyber channel, but I went in there, I said, hey, who wants to come on and be some. Some career mentoring? And Steph called or took the call, I guess I don't know how to say it, but. Ladies and gentlemen, welcome to the panel. Steph. Steph. There we are. Hey, Steph, how are you?
E
Hello.
A
Steph, can you do us a favor? Can you like, 30 seconds? Like what, like, where do you. Like what. What area do you work in? So when people are asking questions, we can make sure that we get them to you for the best answers?
E
Yeah, I work in GRC, so.
A
Yes, yes, yes.
E
I'm like an all hats. My title is junior Information Security Officer, so I work directly under our CISO. He's my boss. And do. I do pretty much every, like, all things GRC, so you can think of, like, anything within the spectrum. I also do some, like, really basic SOC work. We don't really have a soup like a SOC, but I do, like, alert
A
monitoring and phishing email quarantines and scrubbing through those.
E
Oh, yeah, yeah, yeah. So, like, anything from human risk all the way over to policy, and, like, I'm doing business impact analysis right now and all those things.
A
So very nice. I. I remember early in my career, I was told to do it. Like, my boss hated me, like, at this. Like, I'm not gonna get into all the drama, but she was. She was one of the worst people I've ever met in my life, literally. And she had me do a business impact analysis, but she also forbade me from speaking to anyone in the business. Yeah, exactly. Which by the way, spoiler alert. You can't figure out, like, what is important in the business if you can't speak to the business. It was basically just busy work she wanted to give me. She took my report when I was done and threw it away, like, just to, like, emphasize how much she didn't like me. All right, I did quit that job, or I didn't quit it. I switched roles. And that's a whole story unto itself. But let's get into it. So, guys, if you have questions, we have an amazing panel set up for you. Robert, wait. Stein might be joining us. We had a special guest who is ghosting me right now, so I'm not sure where he is, but we'll figure it out.
D
All right, let's look before we dive in. Jerry, got a question, got a statement for you here. Just a. An on air apology of sorts, but we learned from our mistakes yesterday. Several folks, including a Kathy Chambers, making a phone call to me letting me know that I was still live after I played the final video and thought that I clicked end stream, but I must have misclicked and it came back and I'm like, oh, yeah, there I am.
E
Okay.
D
And I'm checking my phone and my phone rings and there's Kathy Chambers. James, you're still alive. Oh, crap.
A
So, no, it's perfect. At least we know you're not a deep fake. It's not like you, like, you know, you ended and all of a sudden, like, you took your face off.
D
But it gives a valuable lesson. We learned from our mistakes because I assure you that won't happen again.
A
Yeah, absolutely. Thanks, James. And if you. If you didn't know, James has been doing the cyber career hotlines on Thursday. So we got a couple questions coming into chat. Here we go. Not loud. Jeep says when there are no open positions at your job, can you get a job by networking? I'm a SOC analyst and I'm ready for more adventure. I also have security engineers looking at my LinkedIn at my company. So, Steph, let's get you. Throw you into the frying pan here. There's no open jobs at their. At his company. So I think the essence of the question is what are your thoughts about kind of like shopping and marketing yourself while you're actively employed? And I would assume not loud. Jeep doesn't want his current employer to be aware of this.
E
Yeah, it's tricky. I. I work for a company that, like, wants you to be happy. I work for a really great company and so they, they like, want you to talk about your goals and stuff. So it's unfortunate when you feel like, and I feel like that's the norm, where you have to hide, like, your aspirations and wanting to move. But I think you always should treat yourself like a business and just, you should go for it. You should network, and if you're interested, you should always shop around. I'm. Even though I'm totally happy at my job, I still, you know, keep my eye on the job market and make sure that I'm looking at sort of anything that might be a good fit or that I might be interested in. Especially because, like, it sets yourself up too, that when you do actually want to make a move, you can, you find something, maybe it's the right fit and it's the right time, and if you weren't looking for it, you would have never known. So I don't think there's any. I have so many guitars.
A
I know, it's awesome. Let it breathe, stay stuff.
E
It's not just guitars. There's a mandolin, violin, a tenor guitar.
A
Okay.
E
Anyway, yeah, so, I mean, it's scary, but I, I. How else are you gonna, like, move if you're not networking and talking to people and trying to put yourself out there? I don't think that means you need to put like the I'm looking for work on your LinkedIn banner or something, but I think you can still talk to people. I don't think they're gonna go to your company and be like, hey, did you know that so and so's whatever his name was Jeep or something to.
A
Yeah, I feel like there, there's a way to, like, have those conversations too, without saying, like, oh, I'm actively employed. Like, be the CEO of you, right? So, like, go to a conference, go to go, whatever, and just kind of be like, this is what I do and this is what I am. And you know, people like will infer, like, you know, like, maybe your, I don't know, your car's not for sale, right? Like, you don't have a sign on it says for sale, but, like, you take wicked good care of it. It's super modded up. You've got all sorts of things and people like, damn, like, I'd love to buy that car. You know what I mean? Like, let's talk. Right? So that's what I would say. We have another panelist come to find out he was not ghosting us. I actually sent him the wrong link, so that would be a layer 8 issue. But, ladies and gentlemen, he is. He's Been on the panel before, it's been a minute, so I hope you can remember him. And welcome Sean Kilburn from High Point and also a great mentor. Sean, come on in here. Where are you? Hey, Sean. Hey.
B
Glad to be in the right spot. I was actually doing time travel, but I was in the past because I know it was like April 9th, and I thought, I don't know, maybe there's a different waiting room for each day.
A
Yeah, I know that that was definitely a. A me issue. Sean, really quickly, because it's been a minute and, you know, the community changes and it's very fluid. Can you just give us 30 seconds on, like, where. What your point of view is so when we get questions, people can appreciate where your answers are coming from?
B
Sure. So last couple years, I've been with a company called High Point, which is a cyber security consulting firm. We do a little bit of everything. And so I lead the global delivery practice for all things cyber. Prior to that, I was a deputy CISO for about three and a half years. And prior to that, various leadership positions and technical positions. Pen tester worked defensively in the private sector, public sector, military contractor. And I got my start about 20 years ago on the Navy Red team, so.
A
All right, so he's got a little bit of everything for everyone. I love it. Quick question for you, Sean. Like, during the show today, the daily Cyber Threat Brief hosted by that nerd, there was a question like, basically, the governor of Minnesota has called in the National Guard. And I said it, you know, it's partially to, like, activate money. Also, like, you know, state and local municipalities are non profit, so they're typically underfunded. Makes them a softer target, not necessarily the most valuable target. If you're a threat actor. If you were gonna become a threat actor. Right. Just real quick, what industry would you target?
B
Ooh, well, it depends what your motivation is. But, you know, if it's money. Yeah, money, I probably wouldn't be going after Minnesota or any state, really.
A
Okay.
B
You know, that's more disruptive and usually politically motivated or just, you know, anti US sentiments, that type of stuff. Like, for example, when I worked with the Strategic Petroleum Reserve, we had nation state actors that were looking to disrupt the oil supply and economy. Right. So I'd be going after somebody who has money. So who has money? Most us successful commercial businesses, obviously, financial institutions, banks, things like that. But they generally have a, you know, they kind of know people are after their money. So probably go after a target that would be like maybe somebody in entertainment or Gaming or something like that, where they're really focused on getting that product out to consumers and they might be leaving some security scraps on the table.
A
All right, there you go, people. Another hot take hitting the entertainment really quick. Just because Steph has an entire string quartet going on in the background there usually. Phil Staffer was saying, we need a bass player for the Simply Cyber Band. I want to point out that Jesse Johnson can play everything with a string, and he did bass at Wild West Hackin' Fest. Also want to let everybody know, Simply CyberCon 2026, November 8th and 9th, we will have an open mic night. So, you know, you can come play instruments. Steph, if you're coming, I have a guitar. I can bring it. Sean, you play music, don't you?
B
Yeah, predominantly drums.
A
Okay.
B
But I do have a guitar back there, too.
A
All right, see, we got percussion. Like, guys, we're killing it. Like, this is. This show is going to warp into something else. All right, let's keep cooking. James McQuiggin, what do you do with unused PTO? And now S. Cole07 says in the last month of a job. But just, just think about PTO that might expire. Right.
D
Well, one of the things to look at with regards to that is see if they're going to pay you the unused PTO. Some organizations will pay you. A lot of organizations now do unlimited PTO so they don't have to pay out the. The leftover PTO tech. From what I understand, they have to pay you if you have been collecting PTO. It just depends. Whatever's in your contract or whatever your employee agreement is that you've got. But check with your HR with regards to it. Otherwise you can just take. If they're not going to pay it out, then you just take the. The rest of your time and you walk out the door and you're on PTO for the rest of the time. Doesn't sound very loyal or very, you know, supportive of the organization. But if they're not going to give you the money for the PTO that you've been contractually obligated for, then you take the rest of the time off. That would be. That'd be my perspective. But start with HR. We'll go the friendly route first. Go the high road.
A
Yeah. Always be mindful. I mean, that's part of your compensation. So don't, don't, don't feel bad about taking. I know a lot of. Even in my career, I would just, like work through it like it was almost a badge of honor to have expiring PTO for some perverse reason. But. But yeah. And don't, by the way, if you ever have your PTO canceled by your boss, which, like, does happen, that's a very toxic signal. That. That's a very toxic signal. So just be mindful of that. Steph, any thoughts on PTO expiring? Kind of leaning in there. I'm wondering if you, like, got a thought you're noodling on.
E
I would take it if you can, just. Because ultimately the time that you're getting paid off is worth more than the money that they're gonna give you because you usually don't get hour to hour transfer, but sometimes that's not possible. So. Yeah, I agree with James. Check and make sure. So, like, my company I work for, we do unlimited PTO, but they actually. We have to take a minimum of three weeks a year, but we can take more than that.
A
Oh, cool.
E
Yeah, it's actually, yeah, really great.
A
I like, I like. I like companies that, like, require minimum PTO and not from, like the stupid CISSP. Like job rotation. Like, oh, we're gonna find that you're an insider threat. It's like, no, like, just. We care about our people. They're not just like cogs in a machine. So I. I do love that. Space Tacos wants to say that I sound better. Sean, you may not know. I. I'm battling some kind of throat fungus thing. Oh. Yeah. It's gross, dude. I. I've been like. And I ran the last couple days and it's. I had to cut my run short because I'm like. So anyways, thanks, Space Tacos. I might sound better.
D
Yeah. The steamer link I sent you.
A
Yeah, I. I mean, I looked at it. I didn't. I. I didn't take action on it. I. I just.
D
I just worked my daughter, who's the actor. She's a singer. She's. You know the Honey Spray? This personal steamer. I did it a couple weeks ago. I. My throat was crap and everything else, and I did the steamer every night before going to bed for a few days, and I was. I was good to go.
E
So was it like the one. It looks like a nebulizer.
D
Yeah, the nebula. Yeah, the nebulizer you put in the mouth. But the steamer covers the whole nose and mouth, and it just gently puts steam in, you know, I mean, you could take a bucket of water, Jerry, and pour hot water and put your head in, not into the water, but just let the steam rise.
E
You put a towel over it.
D
Yeah. Put the towel? Yeah.
A
Depends on who you ask. Some people might want me to put my head under.
D
No, no. You know, a hot steam. A hot steam shower. Steamy shower also works as well, so.
A
Oh, I like that. I love. I love that. Like showers. You're like, I don't want to get in here. And then, like, five seconds later, you're like, I live here now. All right, we got a bunch of great questions coming in. I'm digging this. Hey, panel. Here we go. Bearded Ruckus. Bring the mother truck. And Ruckus. I was recently given the lead analyst role in the SOC, and I'm used to doing it. Instead of delegating, how can I transition my brain to a more leadership role? Any recommended resources? Sean, you were hands on keyboard operator, and now you basically lead teams and don't touch keyboards. In fact, you probably have an analyst.
B
I am a master at Microsoft Office man.
A
Yeah.
B
All kinds of tips and tricks now, but no, yeah, I think really it's. So you have to look at it from the standpoint of, obviously somebody trusted you to put you in that position. So congratulations on that. It is definitely a promotion. You really just have to take a step back and say, you know what? I have to now look at being a leader. I have to trust my people, and I have to build that trust with them. It's a mutual trust. Right. So taking and springboarding off of your technical abilities and figuring out big picture things like, okay, who do I want in which position in the SOC, and how can I make this the most effective operation? And really leaning into people's strengths, that's. That's one of the big things there. Right? And I think if you do that and you take a step back, you're either going to feel very rewarded that you're really helping people succeed and reach their goals and reach the organization's goals, or you might be one of the other side of the coin where they say, you know what? I really want to go back to the technical stuff. So it's totally up to you. I mean, just kind of see how it pans out. But as far as resources, there's all kinds of leadership training out there. I know there's free stuff, and then, you know, SANS has a bunch and various corporate, you know, things that you can get sent to for training. So I would check to see if your organization can support any of that.
A
Steph, what do you think about this one? Oh, wait, hold on. You said, do you. I mean, I. I misunderstood your comment because you said, sure, but then you said I agree with him. Do you want to just like 15 seconds.
E
Yeah, I totally agree with what Sean just said. It's exactly that. And I love the. Going to the organization to see if they can support is also a really good way to. For resources coming from like a. I. I started in help desk and built out our IT program at my company. So now we have. We started with an intern and mentoring him and like, it's some. It's really hard to, when you're used to doing it all, to like, stepping back and like, trusting the other that that person's going to be able to do it. But you kind of, you do have to just, you know, like, ease off and check in with them sometimes, but without being like. And that's the balance of leadership. Without being like, overbearing on feeling like you're micromanaging them.
A
Yeah. So I dealt with this. I just want to share one thing. Normally I would just go to the next question, but I feel this is important personally, and this is something that I've never heard anyone talk about, but I know multiple people have experienced this and, and have talked to me in confidence. When you make that transition, it is a very, it is a very spooky canyon that you cross because the, as you get away from your keyboard, those skills start to rust and you become less effective and you, you forget things, but you're still, you're not good at managing and being a leader. So then you enter this weird, uncanny valley where you feel like you suck because, like, you're not good at the thing you used to be good at and you're not good at the thing you're supposed to be good at and you begin, like, imposter syndrome creeps in. So just be mindful of that and just know that like, you're, you're developing professionally and like, you're good to go. So don't, don't get sweaty on it. All right, James, go ahead.
D
Let me throw in real quick. So eight years as a chapter president for the ISC2 Central Florida, and you're working with volunteers. And so it's even trickier to go from you know, doing the work all by yourself to actually delegating. There is a level of trust. You have to rely on them to do that. And it's a matter of just, you know, if. Give them some small tasks and have them come back to you. And then if, you know, as they're doing more and more, you know, then you can give them more. But in a paid situation, it changes. You know, give them the outcomes, tell them what the expected outcomes are and, you know, give them the task. Definitely check out Extreme Ownership. That was. That's a book that's really Jocko Willink. Great book on leadership. One of my other really good ones, Simon Sinek. There's the Start with Why. But one of them, one that's really kind of hit me personally was leadership or, sorry, Leaders Eat Last in the sense of, you know, being able to build up your team and providing great tips. So definitely check out those two. And yeah, good luck.
A
There's the book right there, Extreme Ownership, the one that James is referencing, in case you wanted to pick that up. There we go. So good stuff. We got some GRC questions coming in. So, Steph, get ready to get ready to feel excited. Here we go. Let's see. Oh, my gosh. Where are they? All right, the questions to me, I'll answer quite quickly, but I have your thoughts. I want your thoughts on this. We're talking about GRC Engineering. This is kind of like the new hot thing in GRC. It's not just a flash in the pan. I. I'm of the belief that this is the direction we're going. Where are you getting courses for GRC engineering? So some people know over the next two weeks, I'm going to be taking a bunch of training. I'm like halfway through my AI training right now, which I'll be sharing all my notes and what my learning lessons were and all that crap on social media. But I heard Anecdotes AI, which is a vendor, has a GRC Engineering 101 course. I was going to start there. I will let you know how it goes. All the learning I do, I plan on sharing with everybody. Again, trying to demonstrate what I preach. Right. It's not just like, do the thing I say. Like, I'm trying to do it myself. Steph, GRC Engineering. Have you had a chance to explore this side of GRC? What are your thoughts about GRC engineering?
E
I really haven't, to be honest. I'm just not there yet. And it's not like a priority like in the company. Like, my learning priority for like 2026 is I want to get my CISO certification because we're doing some. We acquired another product last year that we're going to be putting through SOC 2, and I want to be in a position where I'm going to be able to manage the life cycle of that complete audit once we move to it and also do internal audits. So that's my priority. But I mean it's interesting. I don't disagree that things will with AI most likely move towards a more automated process. But I just don't, I don't know like our processes work for us right now and like we've talked about using like a third party risk management platform or like these different platforms to collect and even stuff for our SOC 2 audit and we're like, it would be more work for us to like set this up, continue with what we're doing right now even though it's you know, a more manual kind of process. And our auditor does have a platform that we like upload all of our evidence into and, and they have tools that we use to run for collection evidence, for evidence collection too. So like for me personally it's just not like a priority for me. But I could see it being something that I, when I start moving up because like eventually if I stay at my current job like I will move up into like a, like a more autonomous information security officer where if I'm overseeing anyone or if I'm like overseeing it apart department or anything like that, then automation could definitely be, you know, that engineering piece could be in the cards.
A
But yeah, there you go. So it's, it's, it's an emerging thing. Like you still have time to get in front of it but you can be successful as a professional without knowing it. James, you're a vCISO at Apparent Security. So for those who don't know, James does run his own company where he does do consulting service and you know, education for businesses. Matthew wants to know what criteria is considered when you're determining security maturity for the company. Like is there a matrix that you use or some type of framework perhaps?
D
Yeah, for me a lot of it we're looking at. One of the, one of the baselines is looking at the, the NIST Cyber Security Framework. You know there's, that's one of the, the, you know, kind of the standards that's out there is looking to see how much of they've, how much of those standards and guidelines have they adopted into their organization. There are several audits that you can, you know that are out there. There's the CIS, there's those guidelines center for Information Security. You've got NIST and there's, there's a handful of the, I think there's some SIGs out there as well. Security. No standards, information and guidelines I think is what it is. But anyway either way we're looking at, you know, aligning them to some sort of framework already to see how, you know, how far along are they? You know, security awareness training, MFA identity access management, patching, change management, you know, looking at all the different elements and seeing what programs they've got in place, seeing how far along they are, see what's needed and then address the gaps, essentially doing, you know, an audit and address the gaps and then work on a plan on the priorities and have those discussions regularly with leadership and seeing what can be implemented budget wise and, you know, essentially building out a one, two and five year plan.
A
All right, Sean, you do a lot of these in your work. What are your thoughts on this question?
B
Yeah, in fact, we have a few going on right now. The biggest point that I think I would definitely agree with James on here is you have to choose some sort of framework, right? You have to measure against something and whether that be, you know, the cybersecurity maturity model, NIST, CIS, it's really getting to the same point, which is you have a yardstick in which you can then measure maturity against. And it's really dependent. Some of our clients want NIST, some of them want CIS, some of them don't really care. They just say, you know, tell me, how does my security posture look? How mature am I? Where are my weak points? And following the framework, make sure that you don't miss steps when you're doing it right. So my consultants will go in and programmatically go through like, CIS. You know, they have like, what, the top 18 now? I think it is. Used to be top 20. Yeah, I don't know what happened to the other two, but anyway, so yeah, they just go down the list and measure maturity against each category. And then if you want to get really fancy, you can start mapping those into NIST controls and seeing which ones equate to each other. And yeah, lots of fun stuff there.
A
Oh, my God. Yeah, I, I, like, I'm not even gonna respond to this because I, I'll like, I, I would just like take all three of you off stage and then just turn the lights down and spend 45 minutes more monologuing about this. This is, this is the dream right here. Oh, like just breaking it down per control. Yeah. All right, enough, enough. All right. So would a BSCSIA, which I, I'm gonna have to Google that, be good for someone trying to get into tech in general, but GRC or SOC analyst in general, not official tech experience. I've done some home SIEM labs. Is this a bachelor's degree in Cyber Security and Information Assurance?
B
Yep.
A
Is that what that is?
D
That's it.
A
Yeah. All right, so, okay, so let's. Let's run around the horn here. 30 second responses. Guys, would a bachelor's degree in cyber security be good for someone trying to just get in tech, Right, that, like, does it help tech or is that for cyber only? And they don't have any official tech experience, but they've done some SIEM home labs, so it sounds like John is trying to decide whether he should invest four years of his life and probably, you know, 60, 70, $80,000 into getting a bachelor's degree in order to pursue this. Steph, why don't you go first and then we'll go around the horn.
E
I mean, I think it's like, it's hard. I'm. I like education, and I. I'm pro education. I. My background's actually in education. I was a teacher for 13 years. But I will tell you that I'm not seeing a lot of, like, that's what's getting people jobs right now. So. And that's not what got me my job. I have an education degree. I do not have a technical degree. I just was tech savvy. And I think it speaks a lot to just be able to work with technology and learn on your own, and you get certifications that are a lot less expensive than getting a degree. So I would, I don't know, I would weigh some different options if it were me personally, especially for, like, I mean, for cyber. I just don't know if the value is really there in, like, getting a cyber security degree. I'm just not seeing that being, like, a priority for companies. And, like, I moved into it, did help desk, built an IT program, and then moved laterally into GRC. And that's what I'm seeing most people doing. Being successful and networking and getting to know people and understanding that soft skills also really play a big part in IT as well.
A
James, you help and mentor a lot of people. Give us 30 seconds on would a bachelor's degree help someone like this, getting a job in tech?
D
So looking at it, you know, certifications and educations kind of gives you that ability to learn and, and apply the knowledge to demonstrate that, yes, I know cyber security or I know whatever that cert deals with. A lot of the time people go into, come in and go to school because they don't know what they want specifically to follow. They think they want to be pen testers. They want to be wearing. Wearing the hoodies in the basement and hacking things. And we know it's far much more than that. But going. And I had a look at that program west, one of the universities came up in the, in the search and I had a look at their courses and they're offering things from forensics to cryptography to cybersecurity to networking. So they're covering all the bases. So if you really know what you really want to do and have experience or have the ability to get experience in that area, then, then go pursue it. But if you're coming in going, I want to do cyber security, great, let's figure out what area you really want to work in. It took me eight years to figure out that I really wanted to be in education and security awareness and the human aspect of it, even though I was doing network security and compliance and GRC and incident response all before that. So if you're going to get a degree, then go figure out what it is that you want to focus on. Try everything. But if you do know what you want to do, then, then go forth and do it. The degree may not be needed right away. As, as what Steph was saying, we're not seeing a lot of jobs with it. Upper management working your way up, then yeah, get into a job, see if they got tuition reimbursement, take that job and then, you know, go, then you can get this, the company to pay for it, then you still got to stick around for probably a year or two after you get the degree.
A
All right, that was the fastest 30 seconds in cyber. Sean, can you hit me with 30 seconds on how degree since you're a hiring person?
B
Yeah, so I agree with everybody else actually, because in this one, if, if you want to eventually get into a leadership management position, a lot of times it's a check in the box for HR. You got to have a degree. Right. It doesn't matter, as Steph said, what really your degree is, even in a lot of times it's just a check in the box. I personally value education as well, but looking at a lot of people coming into entry level roles that just have a degree without any experience, it's very tough because even a program that's really centric on cybersecurity, it's really tough in that academic environment to treat, you know, actually get those hard core, core technical skills out of it from a course that's, you know, a couple months long. Right. A survey course, you just don't get in depth enough to really get there. So really getting out there, playing with it yourself and getting your hands dirty in the tech, they got a whole bunch of different platforms out there now that are free that you can go to like Hack The Box and those type of things. Earning certifications, it's the journey is worth just as much as the actual certification.
A
So yeah, 100%. It's a three legged stool. Education, experience, and certs, but not all three legs are the same length. It's kind of a slanted stool. Sean, Daily Devotionals with Adasua says they're, they're basically an international student and they're getting interviews but then they're having trouble getting past the interview and they have years of experience. Any thoughts on you know, maybe techniques or thoughts around how in international I'm assuming outside the US trying to get a US job. Right. So there's some variables that I'm assuming in this, but what are your, what are your thoughts? Maybe something that Daily Devotionals can do.
B
Well, one thing is try to look for an organization that might have an international presence. Kind of like my organization. We do have an office for example in London. We have another one in the Netherlands. So looking for a US specific role in our company, it's actually probably much easier if you were to say, you know, hey, I'm already here in the EU or UK, I want to go after the, the same role in the U.K. you know, it's, it's probably less, less going against the grain. But in general I would say just keep trying anyway because you know, for every single opportunity that somebody doesn't pick you up, you learn from that. You build more experience. You're getting really good at the interview process if you're making it to the last stages. So that's really good. And I just keep trying. I mean eventually somebody's going to say, you know what, I like this person and do it. But also, yeah, look at those international companies as well.
A
All right, there you go. Look at the companies with the international. A simple Google search can help you find that as well. So Nick Dixon says if you're trying to break into GRC, today's job requirements, what projects would you build to show employers you can do the job? Steph, you're a GRC mafia card carrying member. What kind of like let's say you open a position right now for junior analysts. Like what, what is some something that if they had it on their resume as a project, you'd be like, huh, that's, that's interesting. Let's double click on that.
E
I think doing like so something I kind of learned as I transitioned out of my like being a teacher was you can. And this I don't know if this is going to sound kind of out of the box or not, but you can create your own freelance company and then do consulting work for friends or like, if you let like, like small non profits or your church or like someone that just needs help and you can get experience doing specific things. So I mean, it's all over the place for me. So I mean, if you wanted to like do phishing awareness and security awareness training for senior citizens or a business, and you go in and you help a small business do it, but they're just giving you like a nice little. What do you call.
A
Call it testimonial.
E
Yeah, there you go. A testimonial at the end. And then you're not like lying that you're like, that you have a job. You're just freelancing or volunteering. And if you like brand it yourself, you can have like your own website where you put up your various projects. I mean, that's what I did when I was thinking about pivoting into instructional design, but then I didn't end up doing that. But that was kind of what I learned from that experience, was you can get that experience by just freelancing and helping out friends, family, and like small businesses.
A
Yeah, I think that's a phenomenal, A phenomenal answer because not only it. This is a great answer because not only are you getting the experience that you can speak to, but your job res. Your resume, your, Your history, like you are already doing the job, which is giving you the experience. Not just, you know, oh, I've done these things, but like, you can say, oh, I worked and did these things. It doesn't matter if you're getting compensated or not. No one is ever going to look at your resume and be like, huh, I see you used to work for Booz Allen. Did they pay you? Like, no one, no one's gonna ask that question, right?
E
Yeah.
A
Solid answer. And you know, Steph brings up a good point. Like, dude, like, educating elderly people on romance scams and elderly abuse, that's a freaking. That's, that's an area that needs to be talked. Not to mention. And I know I'm, I know I'm like, grossly overstating this, but, like, elderly people would love to talk to you. Like, most elderly people are like, thirsty for some, you know, engagement. All right, Taekwond Gong. Thinking about management. How do you know you're good enough, Sean, since you were military, you probably leadership training and now you're management. What do you, what do you say?
B
Well, it's always normal to have a little healthy dose of imposter syndrome and wonder, you know, like, am I really here? Like, how did I get here? Am I really doing the right thing? You know, you're good enough. When you start having your, your team, it's, it's kind of an interesting thing. Will actually just, you know, not even on purpose say something maybe about you specifically or your leadership style in a meeting to somebody else and you're like, oh, thanks. You know, you're like, that's, that's really awesome. So you start hearing that and you'll, you'll probably hear it from your leadership as well. At least mine. My, my boss is excellent and provides very good feedback about things. So. But yeah, it's, it's really, it's normal at first to have that imposter, imposter syndrome where you're like, hey, you know, I don't know if I'm really cut out for this. Just stick with it. Really the big thing for me is looking at like, I look at leadership situationally. So every person needs something different at different times. You might need a shoulder to cry on, you might need a cheerleader, you might need that tough, firm coach. It just totally depends on the given scenario and what's going on in the context of things. But generally I try to just give people the leeway to do their job and my job is really to facilitate their success. That's the way I look at my job.
A
So. Oh, excellent. Thank you, Sean. Great answer. Let's see. Panel, Space Tacos, another GRC mafia card carrying member. How have you all been seeing succession planning handled? Are companies good at preparing someone else to be command or are they bad at sharing info that should be passed along to newbies? All right, we could spend a minute on this. I mean, this is more like. Honestly, I think I, we all have experiences. This is more like an organizational thing, not something that an individual can necessarily do. And if you work in an organization that is not doing succession planning, you can't really. I feel like it's a cultural thing. Like you can't implement this. I mean, you could implement it for yourself, right? So that way you feel good when you quit because you're going to go on to bigger and better, that you're not leaving them in the lurch. As far as my experience, I, I'll give 15 seconds very high, like a quick little audio snippet that we can make a short of. Most businesses don't do succession planning because it's not financially it, it doesn't serve them financially, in the moment. Right. Like long term, it would be their best practice. But in reality it costs money where like you could just be doing the thing right now and other person should be doing the thing right now. And if we take that other person who's making money and have them kind of like shadow you or whatever, it's not going to be great. Now I've, I've fortunately been, I've been in an organization where like I was doing the CISO's job because the CISO was more interested in like friggin taking pictures with VIPs and, and doing other stuff and not doing his actual job. So that wasn't really, I mean that was succession planning in some degree, but not a formal program. Panel, anyone want to chime in on succession planning? Just give me a little head nod maybe. Yeah, okay, James, go ahead. What are you thinking?
D
Yeah, exactly what you said, Jerry. The only succession planning that usually gets done at organizations is at the top, at the C suite. But for me, for my working with variety of volunteer groups, chapters, one of the first rules of, you know, running a chapter or an association, volunteer association is the minute you get put into that position, your first job is to find somebody to replace you. You know, you might be able to do that in your own work environment. You know, if you end up finding a way to be able to move up that you kind of help and you go, hey, I know somebody on the team that would be good for that. You, you know, there's that perspective. But a lot of the time succession planning mainly happens at the top. There might be times where if they do see you as a leader and they want to move you into the leadership role, someone's going to offer you classes, courses, training or whatever to get you to move up. But usually it's based on the need. Yeah.
A
Steph, what do you think about this?
E
Yeah, so as this is just sort of interesting, at my company we have to do this at all levels because at five years at the company, every single person gets a five week sabbatical and we get a bonus too. So we have to prepare. That's cool for that. And at 10 years you get 10 weeks. So like we have plans in place that like that we build out knowing that it's coming because you schedule it. You have a year from your five year anniversary to schedule your sabbatical. And then it's like you have to function without that person for five weeks. And so like my boss, the CISO, was out for five weeks. So guess who got to do everything while he was out. Yeah, with help. I mean, but management, C suite stuff, department heads are all there helping. And so it's very structured so that succession plans are kind of built out knowing that people are going to leave. And then we also have it built into our incident response like process as well in terms of running and handling our incident process, which is really, I think, super cool. So in a different capacity than just business itself. It's like what happens if, you know, crap hits the fan and somebody needs to like, lead the helm on facilitating.
A
I love it. I love a 5 week sabbatical. I think it's good for the business. I think it's good for the individual. It's a nice, it's a nice carrot too, to, to hang over. And, you know, I'm. I'm coming up on five years at the Citadel, teaching at the Citadel Military College, and I actually am taking next semester off. It's not a program they put in place, but, like, I just need, like, I just need a mo. Like I just need a. A minute. Yeah. So. All right, so Steph, like, let's, let's keep the momentum going with you. You had mentioned earlier on this call that you started on help desk as you made your transition from educator into cyber extraordinaire. Taekwond's worried about being stuck on help desk. How did you get around it and how do you recommend others get around it? Because help desk is a great place to start. Just put it out there. Steph. How do you get out of the help desk?
E
I think it's important that you advocate for yourself and you ask for little bits of work that are outside of probably your like, immediate sphere of work. So, like, what I did because my boss was. Has been the same person the entire time and he's always been the CISO. I would just reach up a little bit and constantly be like, oh, you're doing vendor due diligence. Can I help you with that? Or like, you're doing this. Is there something I can do? You seem really busy. Is there anything that I can do to help you, you know, support you and take some. Something off your plate. And at a bigger organization, it might be just like your manager. But I think it's still important to like, reach up slightly and try to take things that are like, slightly beyond what your normal job description might be, as well as just like being like, really good at your job and having really good, like soft skills. But you have to ask and you have to advocate for yourself to be able to, you know, like, get anything additional that then when a position comes open at your company, you can be like, hey, like, remember when I did this? And, like, I can do this and this. Look how good I am. I'm good at this. That's how I got my job was my boss was so impressed with my abilities to learn and take things on and just my soft skills and everything, that when he took on more work as a department head and still CISO was like, I need to offload and create this position. Do you want it? I was like, of course I do.
A
So, yeah, yeah, that's 100% right. You know, most people, like, for better or worse, you can be the nicest person, but most people are not. They're thinking about themselves, Right? It's just a human nature. Like, you're trying to serve yourself and do what's right for you. So unless you tell someone that you want to get off the help desk, you know, and do it politically well, and let them know your interest, they're not going to know, so be there. And then there's this technique called the push pull. So if you can make your boss look good and push them up, they are likely to pull you because you're an asset to them in their career. Right? Like, so you want to be that. So, Sean, talking about getting off the help desk and moving up as someone who manages a team, and I've dealt with this, right, because I was a very. I mean, some people would argue I'm not technical anymore, which. But, like, you know, I. I was very technical, and now I've gotten away from that a bit. You know, what are your thoughts on people who don't want to get out of the technical career path? Because a lot of times it's like, oh, you're really good in the SOC. You should manage all the SOC analysts. It's like, oh, yeah, bruh.
B
Like, yeah, I've been around long enough to understand that there is a difference between those who want to lead and then those who are forced to lead. And the second part of that never actually goes well. You know, that's one of the issues I had with the military. Oh, you've been at this rank for so long. We have to promote them. Well, you know, as I have thoughts on that. But anyway, in this case, I have a full. Like, a whole team full of these exact individuals, and they are technically brilliant, and they have no desire to get into leadership. In fact, one of the guys I'm thinking of, he was a manager for a little bit years back, decided, I do not want any part of this, and went back into the technical world. So what I like to do is come up with, you know, high tier, like principal level consultants or a principal level engineer. Right. So it gives them that credibility that they can lead technically and still, you know, excel to that next level without having to put on a title like audit director, manager, supervisor, things like that.
A
So I love it. I love it, I love it, I love it. Thank you. And it is a real problem. James, Miko says, at my current position, I've been asked to start taking on vCISO responsibilities, in addition to overseeing managed service and security gaps, what does Mikko do? Run.
D
Run far away. You know, this kind of bleeds back into the last question, you know, I mean, do you want it? I mean, where are you looking to go? Is this something you're stepping up into? You want to be a vCISO? You want to be a CISO role? You want that kind of role? Is that part of your plan? If it is, I mean, yeah, then you can look at taking on now.
A
Great.
D
There's the question of how much, you know, of. Of my time is that going to take up. You know, I got so much time in the week, I'm already doing, balancing these other two. I'm throwing in the third. What we've done, you know, you can look at it from a compensation perspective, from a time perspective, from a resource perspective. All right, if I'm going to take that on, who gets the. The, you know, who can I give the managed services and the security op responsibilities to. To lessen the load so I can focus on doing the vCISO role properly? That's a discussion with management, probably one with HR if compensation comes in. But I think from your perspective, and we're not having the conversation, but looking at internally, is this something you want? If it is, great, then move forward and have those conversations. If it's not, now we're back into what Sean was saying with regards to not wanting to move up. It's kind of the pushback. It's like, no, I'm good. I'm happy doing these two. Find somebody else, you know, because they. And if it comes back where it's like, no, we're not going to give you any more money, no, we can't get you any more resources. You got to do all three, or we want you to do all three, then it's a matter of, okay, well, then you got to let me know which ones are which tasks. And all three of these are the priorities. And if they can't answer that question for you. Run.
A
I love it. So speaking of running, I got this queued up for us.
D
Jerry's ready to go.
A
There we go. So. And James ran. He ran so far away. All right, so we're coming up on a couple minutes here before the end of the hour. Daniel Lowry, IRL live stream is going to continue the AMA action. So it's all, dude, like, there's so many of us in this larger ecosystem of cyber security communities that are into helping people and just, you know, like, leveling everybody up. And Daniel Lowry is one of those people, and he's got a show coming up in a hot minute. If you like this vibe, you're gonna love that. He does pour a monster energy drink that's a little ASMR. So if you're into that, you can get your. Your kink. But before we go, I do want to give an opportunity for our fine panelists to share, you know, a little bit about themselves, self promote whatever it is where you can get more of them what they're working on. What whatever it is. Let's start with James McQuiggin. Since Sean and Steph didn't know I was going to do this, James, like, share something with us so that the chat can get more James.
D
Certainly out on jamesmcquiggin.com. I'm on LinkedIn. I'm always posting stuff up there. Tomorrow I'm teaching the CISSP workshop.
A
Class.
D
Class for the chapter. Sunday, I go down to Miami for Miami Cyber Safety Summit to present there on AI Maritime and deep fakes. I'm looking forward to that. And then off next, and then next Wednesday down to Tampa, into Sean's neck of the woods and gonna be at elevate it on some panels and chatting with folks next week. So I got a busy week next week. And if you're around, you know where to find me.
A
All right, there you go. So jamesmcquiggin.com, jamesmcquiggin.com is my website.
D
You can.
A
There you go, James. Calm. Get some of that. Sean, what do you got for people in the chat?
B
Yeah, so a lot of my efforts lately have been about building new offerings for our practices at work. We have a new offering called like, Continuous Threat Advisory, which pairs AI automated pen testing with manual pen testing. It's pretty cool. So things like that. And we have been releasing some of our internal podcast episodes that we have within our company. Me and another guy are doing them and we started releasing those publicly. So if you go to High Point's website, you should be able to track those down. But you can hit me up on LinkedIn as well. Doing a lot of traveling, going to vendor partner events and conferences and things like that. So you could probably find me at one of those big cyber conferences. I'm going to try to make it to Wild West Hackin' Fest this year. And Jerry, I'll definitely be at yours.
A
I love it. Yeah. simplycybercon.org. Sean, it would be awesome to give you a proper high five. Steph, where can people get some stuff in their life?
E
I'm on LinkedIn, so Clewis is my last name. It's C-L-E-W-I-S. I should have put it in my
A
thingy, but I forgot, man, I'm gonna bring it up. Is it Steph? Clueless.
E
Clueless. I have a clue.
A
No, I know, it's a. That's a tough name. I mean, you probably hear a joke like your life, right?
E
It's like Lewis with the C on the front. If you just search for me and we're like in the same cyber.
A
Oh, clueless.
E
Yeah. Clueless.
D
Lewis with the C. Yeah.
A
I got, I got it, I got it. Hold on, I'm bringing it up. I, I feel like such a bonehead. It's not even remote. There we go, Steph Clewis. Come on, computer. There we go. Right?
E
There I am.
A
There we go. And we are connected. So go ahead. I'll drop a link to Steph in the chat. Here we go. Boom. Well, let's blow up her connections. There we go.
E
So you can, you know, connect with me on LinkedIn. That's about all I do, like public facing wise. I'm not a YouTuber or I, I just don't have time. I'm trying to study. I keep saying this and then I keep not doing it because things keep happening. But I have a goal to try to get my CISA auditing certification in 2026.
A
Yes, now you have public accountability.
E
Yeah, I know. I said it out loud on live stream. So that's kind of what I'm trying to do personal, like professionally for myself and you know, just keep up with work in general and have life balance. And then I do. I, I would love like I'm trying to plan on go to Wild West Hackin' Fest. I went in 2024, so I'm hoping to go this year. I submitted a 15 minute talk and then I'm hoping to submit to Simply Cyber too. It's kind of just going to depend on. I have the funds to travel that much with the. How volatile airfare is at the moment.
A
Oh, my God. Yeah.
E
So we'll see. But yeah, that's me in a nutshell. And I play a lot of music in my spare time, too.
A
No, I love it. I love it. There's, like, definitely, like, a growing sub faction of Simply Cyber community members who can, like, jam for sure. I want to remind everybody that today at 2pm I will be partnering with Tanya Janca on her new book, Alice and Bob Learn Secure Coding. So we'll be ripping through chapter one and having a good old time. But what you need to know is Daniel Lowry's IRL talking about Project Glasswing Mythos. Anthropic good times. It's going to be happening in just a hot minute, so we can go over there and raid. I'm gonna drop a link in the chat right now for the raid. Giddy up on that, guys. I want to say holla to this, the panelists. Thank you so very much for being here. Steph, James, Sean, chat. You guys brought the questions. We just brought the answers. It's a. It takes a village. Y'all have a great weekend, everybody. If we don't see you over in the Daniel Lowry irl, and until next time, stay secure.
Podcast: Daily Cyber Threat Brief
Host: Dr. Gerald Auger, Simply Cyber Media Group
Date: April 10, 2026
Episode Theme:
A lively, insightful breakdown of the day’s most pressing cybersecurity news stories, with detailed industry analysis, practical career advice, interactive community engagement, and a “Cyber Career Hotline” panel answering audience questions on advancing in cybersecurity.
This episode features a fast-paced rundown of eight critical cybersecurity stories, insider perspectives, and career strategies for professionals at every stage. Dr. Gerald Auger leads with his signature humor and community spirit, encouraging personal growth and proactive career moves. The latter half transitions into an interactive Cyber Career Hotline panel, with experts offering actionable advice for SOC analysts, GRC professionals, leaders, and aspiring infosec pros.
Panelists: Dr. Gerald Auger, James McQuiggin, Steph Clewis (GRC specialist), Sean Kilburn (High Point Consulting)
Networking for Internal Promotion:
Leadership Transition:
Breaking out of Help Desk:
Education vs. Certification vs. Experience:
GRC Project Ideas:
Succession Planning:
“Start investing in your future self now. There’s no better time.” — Dr. Gerald Auger, 08:00