Careers in operational technology: What does a security risk assessor do?

Today on Cyber Work, we continue our deep dive into industrial control systems and operational technology security by talking with Donovan Tindill of DeNexus. Now, I’m just going to come out and say it: Tindill's episode is like a cybersecurity career seminar in a box, and a must-not-miss if you’re interested in not just ICS and OT security, but specifically the realm of risk assessment. Tindill brought slides and literally lays out his entire career for us to see, including the highs and even some of the lows, and what he learned from them. He explains the fuzzy distinctions between ICS security and the act of determining risk for said systems, gives us a 60-year history of the increasing attack surface and number of risk types associated with operational technology, and gives us tons of great career advice and ways to get started.

0:00 - Careers in operational technology
2:01 - Donovan Tindill's interest in tech
5:30 - Tindill's career roles in cybersecurity
10:42 - The jump to a supervision role
13:19 - Average day for a director of OT cybersecurity
18:39 - Volunteerism with Public Safety Canada
22:57 - Tindill's talk on active directory a decade later
23:43 - Current operational technology challenges
29:26 - New SEC regulations
33:54 - Thoughts on the SEC regulations
35:37 - How to work in OT, ICS or risk assessment
40:34 - Skill gaps for OT, ICS and risk management
42:44 - Tindill's favorite work
45:36 - Best cybersecurity career advice
48:22 - What is DeNexus?
52:22 - Learn more about Tindill and DeNexus
53:22 - Outro

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.

Chris Sienko: 

Okay, today on Cyber Work, we continue our deep dive into industrial control systems and operational technology security by talking with Donovan Tindill of DeNexus. Now I'm just going to come out and say it. Donovan's episode is like a cybersecurity career seminar in a box and it is a must-not-miss if you're interested in not just ICS and OT security but specifically the realm of risk assessment within those spaces. Donovan brought slides and literally lays out his entire career for us to see, including the highs and even some of the lows. Very, very honest about all this and what he learned from each of them. He explains the fuzzy distinctions between ICS security and the act of determining risk for said systems. He gives us a 60-year history of the increasing attack surface and the number of risk types associated with operational technology and gives us tons of great career advice and ways to get started. All of that and Donovan's best piece of personal career advice today on Cyber Work.

Donovan Tindill: 

Hello and welcome to this week's episode of the Cyber Work with Infosec podcast.

Chris Sienko: 

Each week we talk to a different industry thought leader about cybersecurity trends, the way those trends affect the work of infosec professionals, while offering tips for breaking in or moving up the ladder in the cybersecurity industry. My guest today, Donovan Tindill, is the director of OT cybersecurity at DeNexus and has over 20 years of experience dedicated to industrial control systems and operational technology cybersecurity. He spent over 17 years customer-facing as a control systems cybersecurity consultant in Canada, training and mentoring the technical team, leading major projects and driving consulting services growth and innovation. Donovan advances industrial cybersecurity globally by volunteering to teach, contribute to standards, support conferences and thought leadership. He was a former ISA 99/62443 trainer, a working group co-chair and contributor. He is on the steering team for both the US CISA ICS JWG, as vice chair, and the Public Safety Canada ICS Symposium, helping to select speakers and drive awareness and knowledge about ICS and OT cybersecurity.

Chris Sienko: 

So, as you all know, we've been going through a manufacturing, IT and infrastructure security renaissance here on the show and I'm looking forward to getting Donovan's take on this because he's done so many different things in the space. So, Donovan, thank you for joining me today and welcome to Cyber Work. Thank you so much, glad to be here. Okay, well, Donovan, to help our listeners get a better sense of who you are and how you're connected to this field, I mean, it's obviously very storied and goes back. Can you tell us about your early interests, first of all in computers and tech and security? Was there something that initially hooked you, whether it was playing games on a computer or something happened in school, or just a lifelong tech head?

Donovan Tindill: 

It definitely started with gaming. With Math Munchers and Oregon Trail and running to the lab for the green screens and playing that in school. It definitely started there. Years later we had a computer at home and then it just spiraled to dial-up with friends, point to point. We got a second computer. I figured out how to connect them together with a serial null modem, so you know, playing Doom and 1v1 against my friends in high school, and then we even snuck software into the computer lab and then, you know, you could have 16 players playing together.

Donovan Tindill: 

So that's it, it actually was that networking in the school lab and a summer job where I was going throughout the school division. We were resetting all the computers in the labs and so you would do a massive disk write, kind of like a disk image, and we would do it across the network. They would write all the drives at once. It was like the disk image was being multicast and that was inspiring to me and it actually led me to go into network engineering in college, straight out of high school. So that was Linux, Unix, PIX firewalls, routing, switching, servers, Windows NT. So that's where I got my career started.

Chris Sienko: 

Yeah, that's a great flashpoint because a lot of people just say, well, I was interested, I bought a book or I did a thing or I had a friend. But it's interesting that this one summer job really kind of steered the direction of your life's interests.

Donovan Tindill: 

Yeah, definitely. Even today I don't know if I could find that piece of software they used to mass write all those hard drives.

Chris Sienko: 

It was mind blowing at the time, for sure.

Chris Sienko: 

So, yeah, I like to start my research on my guest by doing a deep dive into your LinkedIn portfolios, especially your experience sections, and yours is really, really interesting, and you know I think I've said this before, but listeners would do well to browse the experiences pages of some of their LinkedIn connections, because you get a great sense of how to describe your accomplishments in a way that makes you desirable to hiring managers, and also just the way that people's passions and growing and rising up through the ladder of a company called Metricon, where you started on the help desk and then went through Metricon's acquisition by Honeywell and then your leave of absence to further your education, then your strategy for coming back with a new focus on ICS technology, carrying your skills further after Metricon's acquisition by Honeywell it's basically like a whole career in one job there.

Chris Sienko: 

So in many cases, I ask my guests to tell me how their various roles and experiences shape their current work. But that story unfolds here. It feels like it would almost be like a career strategy book. So can you talk a little bit about some of your career roles and I see you have a flowchart here, so let's go through it.

Donovan Tindill: 

Yeah, it was not the first time I've been asked and it's probably the easiest way, so it started with the network engineering and from that I was in internal IT and that's actually what I thought I was going to spend my entire career. And I almost got fired right away because I was the one guy in the company that actually clicked on ILOVEYOU and I was like what.

Donovan Tindill: 

Yeah, right, and this is in. This is still in 1999. That virus was running around through email and actually got spread and the IT manager had to cover for me because I wasn't the only one. So you know, that was my first, I call it butterfly moment in my career, when you almost get fired. There's a couple of those that everybody has. But because I knew quite a bit about Linux, Unix, networking, fiber optics, etc., I actually got pulled out by another team and I ended up moving to a customer-facing role. So that's, it was actually not by my choice and actually I didn't at the time. I was actually quite resistive to it as well. Why was that? Because I was actually so loyal. I just enjoyed the team I was with and the IT help desk and I was being told you need to go work on this project and I was like, well, I don't want to work on that project. You know I like what I'm doing, but it actually, that was the turning point that actually pointed me from IT to industrial cybersecurity and, looking back, it was actually the best move that was made for me in my career.

Donovan Tindill: 

So I spent the next two and a half years designing networks, connecting control systems and the business network back, you know, NT domains, PIX firewalls, you know, for getting data back and forth for a number of years and I actually had, like there was kind of this perceived glass ceiling that I felt. I was like, you know, this is the best I can do. So I quit. So I went back to school, bumped it up to a bachelor degree, because I've always had this plan of learning business skills and running my own business and so a diploma wasn't going to get me there. I needed to learn more about finance and income and making money, you know, all of that stuff. So I felt that bachelor degree was the way to get there, and the bachelor degree would maybe be a step to MBA.

Donovan Tindill: 

I didn't plan on going back, but I ended up back at the same company, but this time in a sales role in 03 and trying to grow, like I at the time I saw, like you know, blaster and Sasser had come through. They had spread through networks. They had some of our customers. Their plants had been shut, a refinery had been shut down because of the power outage, and so I saw I'm like there's a growth area here, there's a risk. And I was passionate, hungry, innovative, ambitious, but I was decades ahead of the market so I actually missed my sales quota and almost got fired.

Donovan Tindill: 

And then moved back into consulting and kind of stuck with it for a good 15 years building up the team, getting my CISSP, becoming a 62443 trainer and contributor and some of these things. I would recommend anybody else that wants to get into cyber or industrial cyber to do this. The CISSP I highly value, the 62443 training and the concepts they teach, not just knowing what's in the documents but knowing how to apply them. And then the GICSP from SANS, which gives you an introduction to the terminology. So I obtained those through the years. But then my roles went from team leader, project manager, supervisor, global team lead and actually even principal consultant amongst the team. So I went from being that contributor to a team leader, and that's an important transition that people make when you go from contributor to leading others and you're measured more on the performance of the group rather than yourself, and that was in this frame.

Donovan Tindill: 

When I made that transition in my career, I felt kind of constrained. We had been acquired at that time, my scope had gone from global to just Canada and I was like that's just not enough. I have ideas about, you know, we could offer OT pen testing, we could do managed detection and response, like a managed security service, and the only way to make that happen is I had to move into product management and then marketing, and then that's really where I got more involved in the steering committees like CISA, Public Safety Canada, and the marketing was just better for me. So that's kind of how I got to where I'm at and kind of my journey through the years. Yeah, that's that.

Chris Sienko: 

That's great stuff. I wanted you, you covered it beautifully and I really appreciate that. We don't always get people who are willing to sort of go so granularly through their career like that. But I wanted to ask you, you mentioned what an important thing it is to go from contributor on a team to team leader and what a big jump that is. Can you talk about, like, what some of the growing pains might've been involved in that, or whether that was something you were really biting at the bit to do and it just took a while? Like, what's the big change in terms of mindset or the work you do, or the scope or whatever that makes that such a huge hurdle?

Donovan Tindill: 

Looking back. So at the time I actually didn't like supervising others because what I found was the bar I set for the quality of work, attention to detail, and that I actually found struggled to find others that could uphold that bar. So actually leading others I would often be disappointed. I'm like, well, you know you're not, you could do better. You could, you know, like, you know, and I was actually very prescriptive on the approach because I thought that's how it, you know, I would do it this way. I should give you guidance on how to do it that way.

Donovan Tindill: 

And I later learned that is the total wrong approach, that everybody has to learn on their own, that my way of solving a problem is not always the right way, and that you give guidance and bumpers and you help people to learn on their own, because it's the only way people learn. That was the biggest difference. So early in my career I avoided supervising others for a period and I chose to take the technical track in my career and then later, once I learned, you know, these skills of like how to, you know, work, you know, how to allow others to learn on their own, to do it their own way and guide them in bumpers. Then I was like wait, this is actually quite fun, because then I come back to that and said okay, now that I understand what is good leadership versus my approach, which was bad, then that was, the big difference is just how to guide others. You just let them learn on their own.

Chris Sienko: 

Yeah, yeah, and for all you know, like you said, when you came up with this process and you're like this is the way to do it and here's how to do it, and then you showed everyone how to do it, like it's possible that these people who are learning on their own might come up with another process that, like, even blasts past that, and you're like, okay, I just needed you to sort of find that on your own and not have me kind of crowbar you into what I think is the correct answer. Yeah, yeah, really, definitely. So yeah, that was a great overview of your career to this point.

Chris Sienko: 

So, going to your current role, for the listeners who are kind of window shopping their future careers and finding out what different roles are, can you talk me through an average day or week or whatever in your current role as director of OT cybersecurity at DeNexus?

Donovan Tindill: 

Yeah, so with my background in industrial cybersecurity as a consultant, I'm embedded as an industry expert in the product team. So anytime the product team has questions about what would work in this industry or what type of data or what's real cybersecurity or what's applicable, I help bring that connection to the real customer when we can't always talk directly to the customer. So that's my role. There's a couple of parts. One is inside data. So we'll connect directly to IDS, vulnerability scanners, network infrastructure systems and we will pull data out of those systems and then use data to make an assessment on the posture of their program. So I help automate that and help the product teams decide, well, which data is relevant out of a vulnerability scanner that would say they're doing a bad or a great job of vulnerability management. What data would you look for in that system to make that determination of bad to great? So that's one. Another one is outside data or, like, open-source intel, threat intel, you know, and looking at how the threat landscape is changing. So you have internal data that's telling us what our program is and how we're doing. And then you need another aspect, which is what's happening out in the threat landscape, right? What are the bad guys going after? What are the vulnerabilities, what industries, what targets, what regions, what ports, and then gathering that data, where do we get it? Helping with that.

Donovan Tindill: 

And the last part is kind of vertical specific.

Donovan Tindill: 

When you are trying to quantify the financial loss of a cyber event like estimate, what would ransomware cost in a power generating facility or what would that same ransomware cost in a manufacturing facility or an airport, you need industry specific financial models.

Donovan Tindill: 

So I help lead the team and facilitate working with you know, consultants and experts in specific verticals to uncover and reveal what's unique. So, for example, manufacturing has this aspect of waste material, if you you know it could be paint, it could be plastic that's hardens in a machine, it could be glue. Well, that doesn't apply to power generation and in airports it's about flow of airports and people and baggage, and so that's another part of my job, and so what's cool about it is that you take a cyber event like ransomware and then you say, okay, what would happen in one of these sectors and what would that cost and that's that kind of the intersection of the technical world of cyber and the business or financial world that the executives are interested in. You know, so it can help. You know you want to do a cyber investment, what would be the loss that it could reduce? Like that's what it's kind of where it sits.

Chris Sienko: 

Yeah, no, that answers a question that I ask a lot. When people get to a management level, I ask them if they regret, you know, if they're unhappy with not getting to sort of get into the weeds and get their hands dirty and really, like, pulling the guts of the machine and stuff by moving to a leadership role. But this sounds like this has kind of elements of all of that. Like, are you still doing, like, active research in your role or are you sort of synthesizing research that you're getting, because you said you're sort of collaborating with the engineers and stuff towards solutions or, you know, vetting their solution ideas or whatever. Are you still doing that research yourself? Or are you sort of, and if so, like, what does your research into this kind of stuff look like?

Donovan Tindill: 

So no, I haven't had the total, like, technical lobotomy. I still have to, you know, dive in and get to think hard.

Donovan Tindill: 

And some of that research is, like, you know, as mentioned, the losses in an industry, or even trying to understand, like, how does a particular industry make or lose money, right? So you actually, you have to go into some of your financial, you know, 101 that you learned, and be like, okay, what's an income statement, what's an expense, what are those line items and could a cyber event touch those? Yes, and so you get to dig into those and that's been fun. Other ones have been, you know, popping open and digging more into cybersecurity maturity and how does maturity of a security control, like vulnerability management or network segmentation, how can that lead to better effectiveness or reducing risk, right? So, yes, I still get to invent, I still get to research, which is the part that I love about my job. So I don't, you know, it's not just total leadership.

Chris Sienko: 

Yeah, that's, that's awesome. Now I want to move sideways from that because since the end of 2018, you've been an industry advisor for the ICS Security Symposium Advisory Committee for Public Safety Canada, as well as a public speaker and panelist on a volunteer basis for 22 years. So, as you said in your LinkedIn profile quote when I choose to speak at a conference, it is not the sell, it is to teach and share experiences, to create debates, share insights, out-of-the-box thinking and how to simplify and solve complicated cyber problems. So, to that end, what does your work with Public Safety Canada involve and can you talk about both of these roles both public speaker and advisory committee member and the way in general that, like volunteerism kind of can play in the cybersecurity industry as a whole?

Donovan Tindill: 

Yeah, so I, early on, you know, I admired some of the leaders in the OT and industrial cyberspace and I knew I needed to build my own brand because if I was going to build my brand, that was kind of the stepping stone to build and have my own company or consultancy. So my first public speaking was in around 2003, and it was on social engineering in cybersecurity and how to bypass that. It forced me to do a couple of things. One, I wanted to know more about social engineering. Two, prepare slides. Three, submit an abstract and then force myself to get up in front of an audience to speak publicly, and that helps build your brand. So I always encourage others to take a topic you're passionate about that you believe others want to know, and you create an abstract about that and if the conference organizers think it matches, then they're going to accept it. And then you, as long as you focus on learning or teaching others what you've learned, those are the type that everybody's looking for, lessons learned, and a lot of it was around my consulting work.

Donovan Tindill: 

So I did one through the years which was on Active Directory hardening. We were deploying these for customers. We had one pen tested. We pen tested it ourselves. We found gaps and issues and we created a plan on how to mitigate that. And then I said other people need to know how to do this. So I actually created a talk about how to do it and it was dirty detail. You know, small fonts and lots of references, yes, but even 10, I did that talk in 2014 and even 10 years later, I still get people that say I found your talk. It helped me so much. We've hardened our environment, we got a long way to go, but like that's, that was the most fun.

Chris Sienko: 

And had the longest tail in terms of benefit.

Donovan Tindill: 

It sounds like. Oh yeah, definitely, definitely, contributing to different, like, ISA 99 and 62443. Because of my work there, I was actually nominated by peers to be on the steering team for CISA's ICS JWG, the joint working group. Okay, and because of some of that group and what I'd learned, I was speaking to the organizer at Public Safety Canada and I said, you know, an industry working group would help you create a better conference. Because if you're wondering, like, what should be in your conference and what does industry want, instead of making that decision on your own, create an advisory board. So it took about a year to incubate, but then they created the committee and so I've been on these, both for the US CISA ICS JWG until it retired only in the last couple of months, and Public Safety Canada for five to seven years. And so I would take, I would encourage customers that had something cool or had done something innovative and I would say you should talk about this and I will help you create your abstract, I will help you create your slides, but I want you on the top, I want you on the stage.

Donovan Tindill: 

So I help bring content to the stage. Or when abstracts come in, you pick, score and say this is what we believe industry wants, and so that's my role, you know, my role on both, as a public speaker and on these advisory committees.

Chris Sienko: 

Love it. Now you said that people still come up to you 10 years later regarding your 2014 talk on hardening Active Directory. Is that, and they still find it years later? Is that something that's publicly available? How, if people are intrigued by this, how would they see that presentation?

Donovan Tindill: 

I think if you searched my name and Active Directory, I think it would show up in a SlideShare or something. Somebody had put it up in there at one of the conferences, and there's others as well I've done through the years, but that one hit the mark for a lot of people.

Chris Sienko: 

That's awesome, all right. Well, listeners, you've got your assignment. Now this is the extra for this particular class. So, Donovan, as I said a little bit before the show, when it rains, it pours, and I've been speaking to a number of great ICS and OT cybersecurity experts recently, and I'm really excited to get your insights on this, because it sounds like you have a long experience, but also some different insights, into these things. So, to just get our listeners up to speed, Donovan, can you talk about some of the current challenges we face in a set of increasingly connected operational technology environments?

Donovan Tindill: 

Yeah. So there's two things that come. So with OT they're increasingly connected and they're facing the same threats as IT infrastructure. And there's two reasons for this, like ransomware, etc. The convergence of the technology. So when industrial, when control systems were originally built back in the 70s and then in the 80s, what started to happen is they're like, okay, we need memory, we need compute, we need storage. Wait a minute, let's not build our own motherboard, let's build this on top of PCs and then use a Linux operating system or a Microsoft operating system, use those resources, but we're going to use it for compute, storage and memory related around a control system. So you start seeing this convergence or the use of IT technologies in the control system: Ethernet, databases, SQL Server, IIS, all of that convergence. And now you're seeing it with virtualization, et cetera. And with that comes the exposure or the footprint that a vulnerability that exists in the IT space is now available in both.

Donovan Tindill: 

And convergence isn't new, it's been going on for 40 years. The other is the integration. So you're connecting a traditionally air-gapped environment to get historian data, production quality, and then get it up into the ERP, and you need to connect the networks together in order to send the data up and look at reports. And if you have engineers that are configuring the system, they need to get back inside, perhaps from home over remote access or from headquarters to a remote facility to administer, maintain and troubleshoot. So it's that connection, the convergence of the technologies. Those are the big ones.

Donovan Tindill: 

The other challenge is when you add this together, it just is kind of this collision of the decades. So you have automation systems that have changed over the years from being pneumatic, analog, digital, all of this convergent, Microsoft, and then you start seeing, like, internet connected, cloud connected, machine learning, AI, but these systems were designed for a different kind of threat landscape, and when you, it takes maybe five years to bring one of these to market because the reliability requirements are so high. Like, this is not, you know, this is running a refinery with high pressure. This is a very different level. So there's a lot more validation and verification that goes into it.

Donovan Tindill: 

But then what you have coming up is all these other cyber threats that have come along, but it's actually the offset. So what you have is you have technology designed to deploy it in the 2000s, facing threats from the 2010s, and the technology of the 2010s is facing the threat of today, right? So there's always, because of this, it's a lagging, it lags for the technology to be deployed and then it's in operation for 10 or 15 years. Meanwhile the cyber threat landscape is still moving and so this is what creates the biggest headache. So, because, in order to, the only way to get ahead of this is you're actually planning OT cyber risk 10, 20 years in advance, because if you want that system to be, to be able to, but there's a cost factor that comes with that. So that's one of the challenges that come with control systems, the connectivity, the convergence and kind of this offset between what the technology was built for and the threat landscape that exists today, and that holds up patching, it holds up upgrades, it holds up the cost of upgrading, technical debt, etc.

Chris Sienko: 

Yeah, no, I'd never heard that quite expressed that way, especially in terms of the sort of long tail of how, you know, and my guest this morning, my previous guest, talked about how, you know, a lot of these industrial systems or these OT systems are built and then untouched, basically, for 20 years. You know, and that's at odds with the constant patching, the constant vulnerability management of IT and cybersecurity, but, and yet, they have to learn how to get along in one way or another.

Donovan Tindill: 

Yes, and you're starting to see the concept of continuous evolution starting to appear. So the life's trying to shorten that refresh life cycle in the control system. So, instead of waiting 20 years and be faced with having to rip and replace, the whole thing is to have smaller. Let's do the network, let's do the. You know, you know small portions of the infrastructure at a time, so it's spread out rather than all at once.

Chris Sienko: 

Yes, yeah, and I want to come back to that when we get to certain job roles and the work that people do around that kind of thing. But, OT, or you talked about it in detail. You know your work with DeNexus is in large part involved with, like you said, the risk, you know, risk assessment of various aspects of OT and ICS. So to start with, to sort of frame this part of the conversation, you noted that the Securities and Exchange Commission has issued newly implemented rules on cyber risk within the manufacturing sector. To start, can you talk about what some of these rules are, what they entail and what problems they're meant to correct, and your thoughts on them?

Donovan Tindill: 

Yeah, so the new SEC regulations. There's two main areas. One of them is the disclosure of a material cyber incident within four days. So four days is the same time interval that the SEC has used for other types of material events. That way investors are informed and are able to use that information that might affect their investment. So that's one, the number one is the disclosure. They use the existing definition of what is material, but I do foresee that there'll be guidance that comes in the future as to, maybe, here's some bumpers as to what is a material cyber event, maybe one that affects financial losses greater than a percentage of revenue.

Donovan Tindill: 

And the second portion of the SEC regulation, I've got it just on one slide here, is the risk management strategy. So what this affects are the annual requirements. So even if you haven't had a cyber event, they're adding disclosures that you need to include in annual reports and other kinds of filings. So one is the processes used for assessing, identifying and managing this risk, and is it integrated into the overall risk management? So a lot of organizations might have one for maintenance risk, third-party risk, you know, corrosion, health, safety, environmental. But now cyber needs to have a place. And if they use third parties, disclosures that may be around third-party risks, and then if and how it affects the business strategy, operations, which might be manufacturing, generation, all of those outputs of the organization, or the financial condition because of them. It requires the board of directors to have oversight. So now it's bringing that up to a board of directors level, which is a good thing. That's actually a good thing to bring it up to that governance level, so then they are more informed, more trained, they learn the terminology and they can have more of an open conversation.

Donovan Tindill: 

And then there's also requirements about management's role in assessing and managing, so they actually, on at least an annual basis, assess the cyber risk, take steps to manage it and then report that up to the board so that it could also be reported out. And there's also some "shoulds" hiding in there: who is responsible, a bit of their expertise, do they have any background in cybersecurity? But that's not really a must.

Donovan Tindill: 

It's a should, not a must: the details of the process, how you go about it, and then if management reports up to the board. So, there was a second part to that, ah, yes, and once again the goal, the ultimate goal that the SEC wants, is that the investment community, or those investors that are trading or have shares in this public organization, can decide whether this is a sufficient risk for them or not. So to inform them: is there a cyber liability or exposure? Is it quite large for this organization? And let the investment community decide: is this something that they're willing to have within their portfolio as well?

Chris Sienko: 

Yeah, no, that's, man, what a great rollout of what was going on there with the SEC. Now, speaking from sort of an editorial standpoint, what are your thoughts on these directives? Do you think it goes far enough? Would you have done anything different if you had the magic gavel?

Donovan Tindill: 

I've read the proposed rulings and how the SEC has gone back and forth with the comments, and what they're trying to find is that balance between disclosure, reporting time frames that are maybe a bit excessive, like maybe 24 hours, that's really hard to do, settling in on four hours and then finding that happy medium. And then also, when it comes to the content of that disclosure, that it doesn't contain information that maybe other threat actors could use to target them. So that's the balance they're forced to play, although I would like to see more details on the type or the detail of the losses. I can understand that you don't want to put too much out into the public domain that could be used against the organization. You want to make sure that it's enough that the investment community has enough to make their decision about that cyber risk.

Chris Sienko: 

Yeah, yeah, that makes a lot of sense.

Chris Sienko: 

So I want to move from the sort of in the news type aspect of the story here to the actual work that you do, especially in the risk space.

Chris Sienko: 

But obviously the goal of Cyber Work is to help students and new cybersecurity professionals sharpen the skills needed to enter the cybersecurity industry, or those looking to change careers to cybersecurity later in life. So for those who want to make a mark doing this kind of OT or ICS security work, or specifically in the risk assessment and risk management realm, because we've had a lot of people talk about the tech of it and the engineering background and the IT background, but for people who want to do the risk management, what are some important skills or experiences or projects or trainings or learning paths that they would need to do to get very rapidly up to speed with this kind of thing? Like, we talk about risk assessment. Is it something that you would start your career learning, or is it something you kind of learn osmotically along the way, and then your knowledge sort of coalesces into this different aspect of the same thing that you do later on?

Donovan Tindill: 

For getting into the industrial side of cybersecurity. So obviously you build great skills in whatever technology. You always start with a foundation: servers, software development, networking, databases, whatever. And then once you've dominated that technology, then you start looking at how do I harden it, how do I protect it? And then that becomes kind of the cybersecurity master's portion of, say, your technology, where you get the special training. Now you have a bit of paranoia and then that hunger to learn.

Donovan Tindill: 

When you go into control systems, then what you're adding is that control system automation and engineering. And there's a couple of programs that I... One of them from the US CISA is the 210W. It's about 16 hours of free training hosted by the US government, and it talks about different concepts and an introduction to industrial control system cybersecurity, which is a very niche space, and I encourage others to get into them. So you see these stats here, these are older stats from 2020 and 2021 from (ISC)². They do a career workforce survey in cyber. This is only growing bigger, and in the niche area of industrial control systems, or cyber-physical, it's an even wider gap and even more niche, because now not only do you need to know IT plus cybersecurity, you also need to understand the uniqueness of control systems environments.

Donovan Tindill: 

And then, you know, at these facilities you don't dress up in a fancy blazer, you're putting on coveralls and you have to have safety training, and your priority shifts. When you perform work, you know, you might submit it into an IT help desk ticket system; at a facility you go to the control room or the work permit office, you submit a permit, they do a safety assessment, a PHA or HAZOP, and they determine at that point: have you taken steps to reduce the risk that could cause these consequences? You can't even log in as admin and do work until you've gone through all of these health and safety kind of checks in some of these types of environments. Then, as you transition to risk management, you're starting to connect to, to harmonize it against other business risks, right? So, you know, the control system is getting old, it needs upgrading. A manufacturing line may have an old painting unit, and the company has to compete. They're like, do we improve the painting unit, which improves production, or do we spend more on cybersecurity?

Donovan Tindill: 

And that's when the risk management starts to happen, because now you have to start thinking dollars for dollars, like there's only so much money in the pocket, and being able to show that financial benefit of a cyber investment, which might be in the form of, excuse me, the reduction of a loss. I'll give you an example. Right, so if you improved detection, response, backup and recovery, you could potentially take a ransomware incident from 10 days of downtime to maybe five, three, two, maybe even half a day of downtime, and there is a distinct financial cost to that. And you balance that ROI against the cost of that investment. That's where the financial risk management is evolving, and that's kind of where I see the future of cyber investment and decision making going.

Chris Sienko: 

That's, yeah. Well, that feathers into my next question very nicely, because I was hearing other sorts of skills that might be required in there that we don't talk about. But in your opinion, Donovan, where are the biggest skills gaps among people who are trying to get into these types of OT, ICS, risk management positions and careers? Are there certain things that you need, like some degree of econ or budgeting? Are there things that you wouldn't think of that are causing a skills mismatch for people who are trying to get into this industry?

Donovan Tindill: 

Yeah, one of them is definitely basic communication 101. And as technical individuals we're very good. We learn technical writing, right, and it's to the point, and spit it out as quick and simple as possible. But it's also based on, you know, maybe our own... You know, a technical person can come up with a logical excuse for anything, but when you're trying to communicate cybersecurity risk, you need to step outside of the tendency to say, well, we have 2,000 vulnerabilities and we have 10,000 security events being hit, log events that are happening every single day. And those are not the variables that resonate with leadership.

Chris Sienko: 

Yes.

Donovan Tindill: 

Right, not the variables that resonate with leadership. So the ones that do are, you know, if we improve this training, we can reduce click rates. If we improve, maybe, the endpoint protection, we gain visibility into an area where we were entirely blind, so we're actually reducing uncertainty. So it's going from a dark, a black zone where we have no knowledge, to having more information. So it actually comes down to, excuse me, a lot of it being the communication and how you spin the message that goes with it. That's the number one, right off the top, and I've learned that myself as well.

Chris Sienko: 

Oh yeah. Now, for listeners who might be listening to this and maybe still unsure about whether this is the type of work that might be for them, you've given some things to watch out for and challenges and stuff, but can you talk about some of your favorite parts of the work that you do?

Donovan Tindill: 

The part that I still love is the inventing and experimenting, right.

Donovan Tindill: 

So, inventing a way of using data to determine... like going into the firewall. What I used to do is I would get the firewall rules and I would download the text-based configuration, and when I drop it, you know, I'd use the UI or the text, or I'd find other ways. Or, in the back of my mind, I would have rules in my head of what I'm looking for: IP any, protocol any, overly expansive rules. But the invention that I get to do is, okay, let's create logic and rules that do some of those things I used to do as a professional, but let's automate that at scale for a large number of systems and let's repeat this regularly, maybe continuously or weekly or whatever. And so I get to do some of that inventing and then experiment with ideas that may or may not work. It's like, okay, let's create a rule that looks for anything with "IP any" in the rule set, and is that the right way to go about this? And we find out, like, well, that doesn't quite work, right. So that's the experimentation side for me, and it's always driven the kind of initiatives or the career choices: being kind of ahead of the curve.

Donovan Tindill: 

Kind of ahead of the curve, you know, either being part of a working group or helping develop an industry standard to solve a problem that nobody else has solved before. That's where I want to be, right, and so that's even why it made me go out to join DeNexus, because they're solving a problem that I feel I struggled with, and I feel the industry needs it solved. And the other one, for me, is just making a difference, right. So when you invent, when you experiment and you're trying to be ahead of the curve, you're solving actual, real problems, and that's where the fun comes in. And like that old Active Directory slide deck, which I thought everybody needed, and then, wow, years later people are still finding it useful. It's actually so rewarding too. You're like, wow, it's also sad that 10 years later, people are still needing this type of information.

Chris Sienko: 

Oh, for sure. Yeah, no, that's a constant refrain. We've been doing this podcast for about five years now, six years at this point, and yeah, that's the constant refrain: not a lot has changed in certain places, and the same lessons need to be repeated over and over. So, coming out of that, I mean, you've given our listeners so many great pieces of career advice. Can you tell us the best piece of career advice that you ever received?

Donovan Tindill: 

It was probably one of my early managers, and he had gone to school and taken philosophy and psychology. Well, that didn't pay off, and then he had to go back to school to go into technology. But what he learned and shared with me is how you spin an idea, right. So your objective might be to get funding or to get an initiative, and with that, you empathize with the individual you're speaking to, and you really want to view the world from, not their seat or their lens or their shoes, but actually their experience. How do they view the world if they have no cybersecurity knowledge at all, or what little they have? How would they interpret that world? And then you need to speak that language. And so when you spin the idea, you're speaking from the common language, something that is familiar to them; it resonates, it connects, it helps you.

Donovan Tindill: 

You find that kind of win-win relationship, or you build the win-win, which is like, okay, if we solve this problem together, we're going to go forward with this cybersecurity initiative, but at the same time I can solve one of your problems. At the same time, there's that win-win. It was always called the spin, so you can always... you know, I do it with my children as well. It's like, okay, you need to eat this, or you need to do your dishes because I said so. But no, no, you spin it in a way that, okay, let's get through dinner and then afterward we'll head off to the playground. Right, you found the win, right? Like...

Chris Sienko: 

You don't... it's non-confrontational.

Donovan Tindill: 

All of a sudden they're motivated to get it done. Yeah, when it comes to chores, rather than do it because I say so, it's like, okay, let's get this done, and then we'll go do something together, or I'll leave you alone, which is more what my teenagers want. You get that done and I'll leave you alone and you can go have your... You know, it's that spin which I find has helped.

Chris Sienko: 

Yeah, yeah, that's a must in terms of trying to convince your board that you need more or less or different money, or more or less or different emphasis on what they think is the important thing. I suppose you need to be able to figure that spin out. So, yeah, we talked a little bit about DeNexus at the top of the show, Donovan, but as we wrap up, tell us about DeNexus and the work that you do to protect manufacturing, industrial control and crucial infrastructure.

Donovan Tindill: 

Yeah, so I'll start with a story of how I used to do it as a consultant. So I was asked to do an OT risk assessment for a large gas and electric company. They had about 4,500 endpoints: gas pipelines, gas generation, electrical and transmission lines, electrical generation, and all of it needed to be assessed. And so I did all the detailed gathering for all of these different systems, and when it was done, the best I could do was prioritize all of these technical findings and then pick the top ones and put them into an executive report. And what I was left with was: you've got three highs, three mediums and some greens. And what ends up happening, and people still do this today, is they take the three top ones. They say, okay, let's get a task force going; those mediums, we'll maybe do that next year. And so I faced that over and over again: how to justify this cyber risk.

Donovan Tindill: 

So what DeNexus is doing is enabling cyber teams to quantify cyber risk, and not quantify as in qualitative, but quantitative. We want to quantify that cyber risk in terms of financial dollars, and then you can use the estimated loss: if your organization, based on its current cybersecurity program, were to face a cyber event, what would be that estimated loss? And let's say the number's up here, it's $10 million. Now you want to bring that down, either because cyber insurance is at maybe somewhere down here and so you have a gap. What do you do about that? If you were to have an event, how are you going to pay for that? So then we help them make that choice of what investments would help bring down that risk. So if you spend, excuse me, you know you've got three different projects, a hundred thousand each. Which one's going to bring down that estimated loss?

Donovan Tindill: 

Right, which one is going to bring down that estimated loss of the event the most? So then you can look at those three different projects and you can say, okay, well, this one will reduce the potential loss by this much, this much, this... wait a minute, this one has the greatest ROI, and it's because the loss is coming down by spending this money. And so we're helping understand the value at risk, the technical debt, the liability that this cyber event could have on the organization. The financial leaders can make decisions and say, is this a risk worth spending more money on? Do we buy down, do we transfer risk, or have we hit that spot where we are perfectly acceptable? We've got money in the bank, we will cover that event, that's okay, we're going to go ahead with our cybersecurity program. And so what we're doing with our cyber risk quantification is enabling CISOs and CFOs to optimize their cyber budgets, including risk transfer, cyber insurance, buying down the risk. They're able to actually make those decisions using the dollars associated with their cybersecurity program.

Chris Sienko: 

Man, based on all the things you told me about your areas of passion and interest, I feel like you literally built a product around the things that you're most interested in. It's so great, because you've been talking about all of those aspects and how important they are, and then it's like, well, as it also turns out, we've made something that can solve all these problems. So I'm going to let you go for the day here, but before we go, if our listeners want to learn more about you, Donovan Tindill, or DeNexus, where should they look online?

Donovan Tindill: 

My background, I'm the easiest to find through my LinkedIn, yep. From there you can find DeNexus, or even through their website, denexus.io, and then from there we'll be in touch.

Chris Sienko: 

Well, I say we've hidden a bunch of Easter eggs in this episode. People are going to have to look for your slide decks and some of your past presentations and stuff. So, Cyber Work listeners, get to it. But Donovan, thank you so much for joining me today. This was absolutely next level and I super appreciate your time.

Donovan Tindill: 

Thank you so much, I appreciate it.

Chris Sienko: 

My pleasure too.

Chris Sienko: 

So, and thank you to everyone who watches and listens and writes in to the podcast with feedback. As always, if you have any topics you'd like us to cover or guests you'd like to see on the show, drop them in the comments below. Before we go, don't forget infosecinstitute.com/free, where you can get a whole bunch of free and exclusive stuff for Cyber Work listeners, including Work Bytes, our scripted and hilariously acted set of videos in which a very strange office staffed by a pirate, a zombie, an alien, a fairy princess, a vampire and others navigate their way through the age-old struggles of security awareness. Go check out the trailer on our site. It's hilarious.

Chris Sienko: 

infosecinstitute.com/free is still your best place to go for your free cybersecurity talent development ebook, where you'll find our in-depth training plans for the 12 most common security roles, including SOC analyst, pen tester, cloud security engineer, information risk analyst, privacy manager, secure coder, ICS professional and more. So one more time, infosecinstitute.com/free, and you can find the link in the description below. One more time, thank you again to Donovan Tindill and DeNexus, and thank you all for watching and listening. Until next week, this is Chris Sienko signing off, saying happy learning.
