What's it like to work in emergency response?

[INTRODUCTION]

[00:00:00] CS: Every week on Cyber Work, listeners ask us the same question. What cyber security skills should I learn? Well try this, go to infosecinstitute.com/free to get your free cybersecurity talent development eBook. It's got in depth training plans for the 12 most common roles including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder and more. We took notes from employees and the team of subject matter experts to build training plans that align with the most in demand skills. You can use the plans as is or customize them to create a unique training plan that aligns with your own unique career goals. One more time, just go to infosecinstitute.com/free or click the link in the description to get your free training plans plus many more free resources for Cyber Work listeners. Do it. infosecinstitute.com/free. Now, on with the show.

Today on Cyber Work, Christopher Tarantino of Epicenter Innovation tells me all about emergency response and the myriad techniques and skill sets that the term implies. Is there a physical security component? Yes. Is there a cybersecurity component? Big time. Is there an educational element? Absolutely. Find out how disaster planning, preparation, remediation and post event rebuilding and improvement are all opportunities to strengthen your security posture today on Cyber Work.

[INTERVIEW]

[00:01:31] CS: Welcome to this week's episode of the Cyber Work with InfoSec podcast. Each week, we talk with a different industry thought leader about the latest cybersecurity trends, how those trends affect the work of InfoSec professionals while offering tips for breaking in or moving up the ladder in the cybersecurity industry.

Christopher Tarantino is an award-winning entrepreneur, investor and international speaker on resilient innovation. He's worked with thousands of high performing leaders from startups, enterprise and government organizations like Google, FEMA, Cisco, and other recognizable brands across the globe. With past roles at every level of government, as well as growing businesses beyond seven figures, he is sought after by leaders from both the public and private sectors to transform how they leverage team resilience to drive innovation. He previously worked in the information security space as a technical risk communication specialist and his insights have been featured in Inc. Magazine, CBS, NBC, as well as a variety of industry publications.

As the CEO and founder of Epicenter Innovation, awarded number 762 in the Inc. 5,000 list of Fastest Growing Private Companies, Chris leads a team focused on human centered, resilience focused innovation before, during and after disaster incidents. So today, we're going to be talking about disaster preparedness emergency response, and hopefully tying that within the cybersecurity space, although know that there's a lot more components to it than that. So, Chris, thanks for joining me today and welcome to Cyber Work.

[00:02:54] CT: Yeah, thanks for having me, Chris. I'm really excited to be here and excited to talk a little bit about the connections between emergency management and cybersecurity for sure.

[00:03:04] CS: Yeah, these are all sort of recurring topics that bounce from guest to guests. My previous guests, we were talking about industrial control systems and the security issues that can result if someone hacks into an electrical grid or water supply or other such things, and I'm sure that's all stuff that you work with as well. So, I want to start by getting a handle around our terms here. We mostly talk about cybersecurity on this podcast and I've had plenty of guests on the show talk about disaster emergency preparedness, including Michael Figaro, who spoke on tabletop exercises, that simulated cyberattacks and other disasters that might lead to network or online shutdown.

So, when you speak about emergency response with regard to your own company, what is the scope? What are the services and scenarios that you work with?

[00:03:48] CT: Great question. So, most of the time, when our team gets called in, it can be for a variety of different things. We use what we call an all hazards, all threats approach, which means that no matter if it's a natural disaster, or a terrorist attack, or something happening in the cybersecurity realm of things, we use the same or at least a very similar set of tools and frameworks and things like that in order to get things done.

My background actually is in emergency response. But then, obviously, that translates pretty naturally into emergency management. But the reason why Epicenter Innovation, my organization focuses on the innovation and technology side of things is because actually, that all started when I was working in the technology space, and more specifically working in InfoSec for a university some years ago.

[00:04:38] CS: Okay, so to that end, we just mentioned the term is resilience and resilience, innovation. Can you define those terms for me in an emergency response context? What are you doing to bring up the level of preparedness using the sorts of tools and frameworks and concepts?

[00:04:52] CT: Yeah, I love that you're cluing into the vocabulary as well. As a fellow word nerd, I think it's really important to know kind of what we're talking about, and at least in the framework of an individual conversation, right? We do a lot of a training and a lot of coaching and consulting and things like that. And we get in a room and everyone thinks that we're using the same words that mean the same thing, so that you bring a meaning and you think that everybody else has that meaning associated with that word. It just doesn't happen in our industries, right?

[00:05:19] CS: I've been lingoed out of the room so many times by meaning –

[00:05:23] CT: We won’t even get started on acronyms.

[00:05:25] CS: Good acronym did that. Yeah, exactly. You don't want to be the person that's raising your hand, like when there's a thing, or whatever. Okay, so let's talk about what you mean by these things.

[00:05:37] CT: Yeah. So, when we talk about resilience, I think a lot of people think that that means bouncing back after a disaster, and that's not an incorrect definition. But for us, we think of it as kind of an imperfect or an incomplete definition. When I think of resilience, I think of a whole system, whole community total stakeholder engagement, on not just bouncing back, but on making an effort to seize every opportunity presented by whatever incident that it is that we're talking about. So, not just bouncing back, but bouncing forward, as you may have heard in some other spaces.

So, when we talk about resilience, we talk about that. And the phrase resilience innovator is this persona that we've designed over the last couple of years, as we as we went through the country, went around mostly North America, doing our work with coaching and training and tabletop exercises and things like that. I'm a huge exercise nerd, as a master exercise practitioner for GHS. We go around all these places and there's people that are interested in building resilience and enhancing their level of resilience inside the organization or within their community. But they don't want to use the same tools that have always been tried. They want the kind of color outside the lines a little bit, use different tool sets, and borrow from other industries that might not necessarily be directly associated with resilience, building or safety.

We work with a lot of life safety practitioners and professionals. But we also talk about kind of, like I mentioned, the connection between those people and the consequences that might arise from things like cybersecurity, information security lapses, and all the human based systems. And so, what we call it, that whole kind of holistic approach that I'm talking about here, we call it human centered resilience focused innovation, because it starts with people first, and you know this just as well as anybody else from the InfoSec world watching or listening to this, is that human beings are the biggest threat vector that we have. It's not from a malicious standpoint, it's from everything else that goes into these systems that we're talking about. And so, we focused on that, that people side of things.

[00:07:44] CS: Yeah, now, it's speaking about the concept of not bouncing back, but bouncing forward, and so forth. So, it sounds to me like that you've – the part that you've carved out for yourself is that, it's not just enough to bring the electrical backup. It's like, how do we make sure that this same problem doesn't happen again, and then you sort of implement strategies and sort of – like every setback is sort of like a construction or learning experience or a chance to move forward. Am I getting that right?

[00:08:18] CT: Absolutely. Yeah. I think that's where the term innovation has gotten kind of diluted in our world today, where innovation seems to kind of coincide with shiny object syndrome to a certain extent, especially in the tech realm.

[00:08:30] CS: Yeah, hot new thing.

[00:08:32] CT: Yeah. In this realm, I think innovation can be pretty boring, and sometimes unexciting, but can be very, very important. So, when we talk about resilience innovators, it's this persona that transcends industry, it transcends public or private sector, and it's an adopted persona. $No one has the job title of resilience innovator. But when we look around, you could be a cybersecurity professional, and if your job is to enhance the resiliency or the connectivity of your network and make sure that your continuity of operations are all well maintained, then you’re a resilience innovator, whether you know that or not.

[00:09:11] CS: Yeah. Now, without going into specific details, is there any chance you could take maybe like an archetypal past client and sort of like walk through like an incident that happened, and then some of the specific innovation points that you implemented to sort of improve things?

[00:09:29] CT: Yeah. So, we do a lot of work in the higher education space, like I mentioned. I personally, I have a lot of experience there. On our team, we have a lot of people that come from the emergency management realm, the IT and systems engineering realm of things and universities with a specific focus on what we call safety technology. So, we worked with one university in upstate New York, and when we started working with them, they had no emergency manager. They had no real – they had some safety plans, that I think were, maybe Ctrl F’d from a past plan somewhere else. They found they found and replaced a different agency's name and replaced it with their own. I don't say that to be derogatory or to minimize their effort. I think it's just, they didn't have the expertise, they didn't have the knowledge of what they didn't know that they didn't know and they did their best.

So, when we got called in initially, we took that ground floor, that all hazards, all threats approach, and we said, “Alright, let's tune up your plans, your policies, your procedures, the basic stuff, and let's take a step back and do what we call a THIRA. A threatened hazard identification risk assessment, which looks at things like natural disasters, past frequency, historical data, things like that. But it also looks at things that happen on the actual campus. We go back and we look at any sort of safety or security related incidents in the past few years. We go back and we look at their relationship with their IT department and how well their campus security and campus safety folks and their emergency management folks are working with IT, and building relationships that way.

We went through a whole training and exercise program, so tabletop exercises, seminars, full scales, all those types of things, building up capability that could be holistically applied. So, we included various team members that were already on the emergency management team for the university, and then also others from IT, from their library, for example, they had a pretty extensive library network, which no one thought to include in a lot of emergency planning, but they had priceless documents and secure servers that they needed to maintain. And they were largely outside of the conversation.

So, the first step for us is to engage the appropriate parties and make sure that we're exploring the necessary aspects of security and safety and resilience at a foundational level. Take it a step further – so we built that foundation first. Take it a step further, and then we said, one of the biggest things they have going on at their university was their cybersecurity program. They had state and DOD contracts. They had secure servers. They had a whole myriad of different things that they had to maintain access to. They had contractors that needed to be able to play in the sandbox, when necessary. They had a lot of different things going on.

We conducted what we call a safety technology assessment to figure out what their opportunities were around the campus, both from a physical security standpoint, from a cybersecurity standpoint, access control, surveillance, mass notification, all the different systems that are in play, and not just on the digital side, or looking at software, but looking at how that shows up in the physical space as well, and brought their IT and their emergency management people together to have a conversation. So, we conducted the assessment, and then we built a crosswalk between the cybersecurity teams that would operate in the event of an IT disaster incident. The ITDR or business continuity realm, or academic continuity in terms of what this client was really interested in. We brought it together with the emergency management folks which are focused on life safety and property preservation. We showed them that they have a very similar mission, and that they can use the same or very similar structures to operate. And if then, they're trained that way, they can work much more effectively if they ever need to play in the sandbox together.

[00:13:11] CS: Got it. Now, some of the recent disasters or close calls that we follow pretty closely on the show include, of course, the Colonial Pipeline hack, but also the Oldsmar Water Plant hack, and some of the ransomware attacks have taken hospital power grids during critical surgeries. Do you also – I know you work in higher ed. Do you work around any disasters like these? And do you sort of exercises or tabletops around these things that help might mitigate these types of disasters?

[00:13:38] CT: For sure, yeah. So, we work primarily, I'd say, our biggest markets, with our team at Epicenter Innovation. We work with healthcare, higher education, and we call government and quasi government organizations. Anybody that operates like a government, like higher ed and health care, they very much have their own little kind of fiefdom that they operate within lots of systems. They have lots of bureaucracy sometimes that they have to work through. But the cool thing about those types of groups is that they also have a really huge opportunity to make big change in this realm of resilience building and resilience culture enhancement. Because they have their own little environment, they have these little microcosms of the world, they can manipulate their environment, educate their stakeholders, and make major changes much more rapidly, much more effectively than if you're looking at your average municipality or municipal government, for example.

So yeah, we do a lot of that work, and we try to focus on that culture change, the culture building aspect of things as a foundational element, something that transcends our work, whether we're working before, during or after these types of incidents. But cybersecurity and the Water Plant and SCADA system hacks that you're talking about, they’re very much – I wouldn't say they're in vogue in our world, but we have to bring them up to let people know and specially, to let leadership know, the threat environment that they're participating and whether they are aware of it or not.

I think that kind of connectivity and the translation between these two worlds is where we fit most often, and we took a hard look at where we operate and who we talk to and who we train. What we found is most successfully, we're bringing audience A that knows something, usually highly technical or very specific. It could be weather, it could be IT in this case, that we're talking about. We bring it together with the folks that are going to have to fix the, or a set of problems, if their lives are at risk. We let them know that there's something to be learned on either side here. So, the IT folks can learn from emergency managers. The emergency managers can learn from it folks, too. And so, by putting them together, and bringing them through a training and exercise plan, especially one that transcends and works through multiple years, we can build that connectivity and make sure that everyone's on the same page.

[00:15:58] CS: Yeah, now, based on what my initial research, it sounds like, there's a lot more sort of education involved on your side of things than I realized. It's not just mitigation, but it's – and long term at that. So, can you speak to that? You said, you're talking about like education that lasts over several years. Did I hear that right?

[00:16:18] CT: Yeah. So, most of our clients we work with, for multiple years at a time, and that's more so on the pre-disaster side of things. We also have a disaster deployment team, what we call Epicenter Deployment Support Unit. That team comes in after major disasters, and we work through different things with that. That can be usually weeks and months, for example. But pre-disaster is the stage that most of us are in most of the time, and we spend most of our time, so 90% of our time planning for the 10%, which is understandable. In my past life as a firefighter, and EMT, and all those types of things working for FEMA, it makes sense, right? You need to be ready for those worst-case scenarios. However, when we look at the most likely scenario and talking through what are our most prevalent threats are what our most frequent natural hazards that might impact our systems could be, that tends to speak a little bit louder to leadership.

So, we talk a lot about change management, we talk a lot about decision making, and habit building and those types of things, and how an organization lives and breathes to create or to detract from resilience at their core. So, what we try to do is by bringing these people together through the education, through engagement, through training and exercise, those types of things, as we try to just opened the conversation to let them know. It might be sexy to talk about active shooter incidents right now. It seems like it's been that way for a lot of years. You might actually have a much bigger risk to have some sort of cybersecurity incident. And usually, it just takes having the right conversation and framing it that way for big things to happen.

One of our most successful exercises with the university that I mentioned earlier, was actually a recovery exercise. And what we – not sexy at all, right? People don't want to talk about recovery. They want to talk about response, because that's when the lights go off, and you get to play the hero, and understandable, I get that. I get that approach. But recovery is really, really important. It'll make or break whether or not you're around for the next 10 years or around for the next disaster. So, we did this recovery exercise where the instance, the incident in question was actually a water main break. But the issue was not the water. The issue was the placement of this university's server room, which was in a basement located right next to a water main. And this is a very real hazard and to something that some of their leadership was familiar with, but most of them were not familiar with, they didn't know they're at risk for this. So, we started playing this scenario, and they thought it was a flooding exercise, and that they would have to figure out how to navigate the water main break, and those types of things or service interruption for drinking water and meal service and the stuff that comes very obvious to that population. They're like, “Okay, they're immediately going in this direction, which is kind of how we designed the exercise.”

And then we told them that they couldn't build because the server that was in question, there's a few, but one of the main servers that was in question, it was impacted by these fictitious floodwaters from the watermain, was actually their connection to their banking platform and to their financial services. And we placed the exercise right around the same time where they were expecting to take all of their payments for the next semester’s billing. If you know anything about universities, money really speaks to them. Especially now. That really got the eyes open of their president and of their cabinet members that really weren't sure exactly why we were talking about these things before, and now they were like, “Oh, wow. Now, I really understand why we should spend however many tens of thousands of dollars to move these services elsewhere, or put them in the cloud and those types of things, and why there's a cause and effect relationship here that they need to be talking about.

[00:20:17] CS: Yeah, I don't think anyone really likes to admit it, but I think a lot of what we think of in terms of how a disaster and the recovery happens we get from movies. And I think there's that sense of like, the lights are out, the good guy saves the day, the lights go back on, everyone goes, “Ah”, and then everything just sort of resumes as normal. But, yeah, I mean, a disaster isn't just making the disaster stop, the disaster can keep cascading and cascading and I think that's a big part of the sort of difficulty that you get with buying on these types of things is –

[00:20:49] CT: Sure.

[00:20:50] CS: You said that we're always thinking about spending 90%. I'm thinking about the 10%. But unfortunately, I think some people aren't even thinking about that 10% that often, or are imagining that it happened 1% of the time, or what have you. So, to that end, in general, cybersecurity or otherwise, what are the most troubling blind spots that you see in terms of implementation of essential security measures in case of disasters?

[00:21:14] CT: I think you hit the nail on the head. There's a book out there called The Unthinkable by Amanda Ripley. If you're not familiar with it, or if your listeners aren't, I highly, highly recommend it. Actually, I think I might spy it behind you. It looks very similar to one of the books over your right shoulder.

[00:21:30] CS: It’s not. But it will be soon.

[00:21:31] CT: It looks similar. I definitely highly recommend this book. It's kind of exploration of why certain people survived disasters and why other people do not. But it's much less about survival, and much more about the human brain. One of the things that that Amanda Ripley talks about and has been expanded in other research, is this idea of optimism bias. Optimism bias is this human condition that people believe that everything's going to be okay. Even though you and I are both smart people, we both have this predisposition to believe that in terms of a car accident, we know this statistical likelihood that we're both likely to get into a car accident, equally likely, to get into a car accident.

But somehow in our brains, I feel like it's much more likely to happen to you, and you feel like it's much more likely to happen to me. And there's nothing that we can do about that fact, even if we know that it's irrational. That's optimism bias. So, when we think about making change to culture, or communicating the value of cybersecurity, communicating the value of preparedness, just in general, regardless of what the hazard or threat might be, that's our biggest weakness. That's what we're really fighting against. We're not really fighting the hazard, or the threat or the bad actor, or whatever. We could talk about zero trust and we can talk about InfoSec. We can talk about password managers, and all the things that I'm sure you guys talked about, and I've seen in your past episodes that you talk about on the show.

But if we don't address the human propensity to not believe that it could happen to them, it doesn't matter what systems we put in place. It really doesn't. It doesn't matter how prepared the entity may be, or how much of an investment the organization makes in their level of preparedness, or resilience, or whatever word you want to use to call it. It doesn't matter at all, because the people aren't going to be ready, and they're not going to believe that they can be a victim. And then what is explored in that book, the reason why I bring up The Unthinkable is we have this denial that when we are in the scenario, especially if we're personally impacted, or we feel very close to the scenario that's unfolding, this is probably more true in a physical sense, but I'm sure it also mirrors in a cyber sense as well, we have this this period of denial that slows us down and impedes our progress and impedes our ability to manage the incident as quickly and as efficiently as possible. As we know, the faster you respond, the more efficiently you respond, the more muscle memory you employ during that response, the better off you're going to be, and the shorter you're going to have to recover and get back to that normal or, like we talked about, bounce forward into that new normal.

[00:24:11] CS: Yeah. Now, to that end, I mean, obviously, a big focus of our show is the work of cybersecurity, hence, Cyber Work, the title. What I'm hearing and you can expand or correct me if I'm wrong, but it seems like as we sort of delineate all these possible jobs you can do within a cybersecurity space, especially if you're not a person who's spectacularly tech forward and know everything there is to know about TCP/IP, or configuring firewalls or pen testing or whatever, that there's a lot of work to be done in terms of the soft skill of persuasion and the soft skill translating, like the actual real – and obviously, we talked about risk managers and risk analysts and things like that, and it seems like that sort of falls into this space as well. But can you talk about some of the skills and some of the ways that people who might have – are well aware of the crises that are going on right now and want to do something about it? What should they be learning in an attempt to enter this space and lend a hand?

[00:25:18] CT: Sure. I think, the biggest thing that I've learned over the last some years, I've been working in emergency response now for about 17 years, and building resilience in various communities and organizations and things like that, is that you can't build resilience by focusing on a single system. You have to look at the holistic system and all of its parts and all of the people that are engaged in it, in order to really have lasting change. It takes a long time, it takes a lot of effort, and it takes thinking creatively in order to understand what the shared and common ground might be to break through certain walls that maybe you know, or don't know, are there, that are impeding progress. There's a lot of soft skill that goes into all of what we're talking about.

You could be the smartest person in the room, but if you can't communicate your idea, and if you can't make the other person trust you, believe you, and then most importantly, take action on what you're saying, you could have the best solution, but it won't get adopted, or at least it won't get adopted completely. I saw that a lot. At my previous role, where I mentioned, I was a technical risk communication specialist, I was the first person of that title in the office, and my background before that time was actually in marketing. I wanted to start bridging the gap between marketing, communications, PR those types of fields, which is where my more traditional experience came from, and the passion that I had, which was in the emergency response space, and specifically within technology.

So, I went to this office, and I said, “Look, you have all these great programs, you’re pen testing, you're managing your servers.” There are so much that goes into all the people that are listening to this. You guys know, there's so much that goes into your work. The problem is, you can do all of it, and you could do it all 100% well, but all it takes is the bad actor being right one time, and all of it was for nothing. Or for one well intentioned person to share a password or leave it on a sticky note, or get spear fished or whatever the vector might be. All of it falls away. You can do everything right all of the times prior to that, but all it takes is one slip up and it'll go away. You can't do it all by yourself. The fact is that most IT departments and most InfoSec or cybersecurity units are a small, small, small fraction of the overall workforce that we're trying to protect. So, there's many more of them than there are of us.

I went to this office, and I said, “You need to get more creative with how you're approaching those people because they need to be on your team. You can't look at them as being this other worldly group or the stakeholder, this obscure stakeholder that you have to communicate to. But you have to bring them onto your team. You have to inform them and let them know what's going on. You have to humanize your brand. And you have to then let them run with it and let them do what they do.” And you have to believe, that an educated consumer is a motivated one, you have to believe that if you take that same logic that we steal from the business world, that you can then use it to your advantage when you're trying to protect your networks or protect your people or protect your assets.

So, that showed up in a few different ways. We did a lot of like social media campaigning. I designed, actually a playing card deck with tips on every single card face, which was super fun. I did a lot of events and speaking engagements and things like that, and just coordinated this communications campaign the same way that you would as if preparedness was a product. You have to sell the idea of being prepared or building resilience, or securing your laptop, whatever it may be, you have to sell that to the individual. Using things like marketing and sales can help you do that. So, there's this this framework that I use a lot called the hierarchy of effects, and it basically communicates how people adopt things over time, and they go from being aware or unaware of a brand, or a service or a product, to then being aware of it, and then maybe they like or they dislike it.

But then eventually, you go through this whole framework that may take hours, minutes, days, weeks, years, whatever. And eventually, there's a decision that they have to make. They're either going to adopt what you're talking about and take action or they're not. What we've noticed is that you can have marketing messages and sales messages shoved down your throat dozens of times, but until you reach the right message and until you've had it repeated by someone that you care about and trust, you're probably not going to take that action. So, you take that and you apply the same knowledge, the same mindset, to preparedness, to resilience, to security, and now you have many more people on your team.

[00:29:59] CS: Yeah, speaking of more people, can we talk a little bit, when I think about table topping. And again, what I know about this, you could fit in the shop class. But based on past guests and so forth, that there's some aspect of this that is kind of intracommunity or intra –different – like if a chemical attack hits a city, you need to have fast communications, not just with the electrical grid and the water supply, and the IT. Do you do you have anything in terms of being that kind of conduit? Because one thing to say, I've got my company didn't understand the problem, and now we've got it secured. But now, how do you sort of go from that into reaching out into all of the other industries, maybe even business rivals that work with you and say, like, “We're all in this together and we need to sort of get all on the same page at the same time.”

[00:30:58] CT: Yeah. I think what's cool about working in the space that we do is that when you start approaching it from the lens of building a holistic sense of resilience, or a community that's marked by that level of resilience, you start looking at who's around you, and you realize that we are really all on the same team. We really are all trying to accomplish the same things, and while we may be competing in the public sphere, I think healthcare is a great example of this, right? While we may be rival hospitals, or health care systems, I don't want you to go down just as much as you don't want me to go down. We've seen that with ransomware, and a whole bunch of other things where, if you're getting attacked, it's only a matter of time before it's my turn. Or if they're using this method, or this system to attack or to partition files off and things like that, they might use the exact same strategies against us, or our neighbors, or our government counterparts. And so, we have to share that information.

I think that's happening a lot more now, and I think I'm seeing that a lot more in the competitive landscape, also, where it was still a little bit shy about that stuff, where we've created those inroads with these organizations to say, “Yeah, we might be competitors. But at least in this sphere, we don't want anyone to get hurt, and we don't anyone to have their have their lunch money stolen.” I think exercises are a great way to do that. Other things like networking and conferences, of course, just kind of extending the olive branch. There's a saying in the emergency management realm where you don't want to be exchanging business cards at the incident command post. A simple technique is basically, you don't want to be learning someone's first name while they're bleary eyed at three o'clock in the morning, after all the alarms have gone off. It's just not a fun time for that to happen, and it's usually not the most effective way either.

So, when we look at exercises, we look at the different frameworks and styles. I teach, like I mentioned, the Master Exercise Practitioner Program for FEMA and for DHS, and the MEPP credential, basically, is the top credential for designing and delivering exercises. There are two main styles of exercises that we talked about. There's discussion based, and then there's operations based. A lot of times in the leadership realm, they gravitate a lot toward operation space, because they're much more interesting. It makes the lab bang, and you get to see the lights go off, and you got the cops on your campus. It just looks a lot more interesting, there's a lot more opportunity for press.

The problem with operations-based exercises, though, and their interest, the highest level of interest that a lot of leadership teams have in them, is that you don't have learning across the system happening at the same time. And the opportunity with the discussion-based exercise or like even joint learning through seminar and through engaging with each other through gains and functional type things like tabletop exercises, is you actually all get to learn at the same time and experience a disaster through the lens of the other person. When everyone's running around like a chicken with their head cut off after the bad thing has happened, it's much harder to do that. We have systems in place for that to be better after the fact. You'll do hot washes or after action reports and things like that to be like, “Okay, how can we improve this next time?”

But we know, based on again, going back to that human psychology side of things, that once we're out of the environment once the hazard or threat goes away, and this response period is over, our memory of exactly how those events transpired, what we did, what plans we used, or didn't use, pretty much goes out the window. We have no recollection, no accurate recollection of what occurred. So, unless you're logging really effectively in some organization –

[00:34:43] CS: Documentation. Documentation.

[00:34:46] CT: Exactly. So, if you have that, then you at least have a crutch to lean on. But even still, we know you're going to have the best systems for documentation. All it takes is someone getting in the heat of it for a few minutes or let alone a few hours, and now they have to reconstruct what they did over the last some minutes or hours. Now, you don't have a better log. That's if it's a human based logging system, of course. And, of course, if you can automate some of your documentation through your systems, that's obviously better. But then you're still piecing things together.

So, my point is, when you go through a tabletop exercise, and you go through joint training, especially like cross training between different groups, like the incident management team, meeting with the cybersecurity team, and talking about the order of operations, and then okay, yeah, you're thinking about this, I understand that. I'm thinking about this other thing entirely, which may not happen right now. But if it does happen, it's going to be a nightmare for our systems or for our people. Getting to that level of understanding takes some time, and it takes some trust. But it can happen in those types of environments, especially if you have a strong facilitator.

[00:35:50] CS: So, as we start to wrap up today, for people who I want to sort of talk from, like a career pivot perspective, if there are people who are in cybersecurity now doing pen testing, or just security engineer or whatever other kinds of thing, who are intrigued by this, and want to put their specific skill set to use within a larger emergency, either simulation or real time response plan, what are some things that they should be adding on to their skill sets in the moment that would make would –that they might not think of? What should they be sort of checking out, you know, in the evening, after dinner or whatever, like that. What are the things that you need to see on a security person's resume to say that your skills will translate nicely to this space?

[00:36:42] CT: Yeah. I think there's two ways of looking at it, right? I think, especially in the technical space, there's a heavy focus on skills and skill building. When you start getting into the softer side of things, there are soft skills, but I think there's more so soft attributes and being able to groom yourself and train yourself to show up in different ways or to enhance your level of situational awareness, for example, there's a lot of transferable attributes and skills that will apply to those environments. So, I think communications, number one, is the most important thing, and that's not just do you understand communication systems, and do you understand radios, and SaaS systems, stuff like that. But to really be able to understand people and understand how they think, better understand their habits and things like that, why does the 50 something admin in your office refused to use a password manager, even though you know it will be easier on them, right? You know that and you believe that. But she doesn't believe you, or maybe she does, but there's just something else in her way from making that change.

You have to be able to empathize with that person, and not just think about, “Okay, I got to get this done because this was our objective, was to get this whole office on the password manager by the end of the month.” It's to be able to really identify who that person is, what they're going through, and be able to understand what communications methodology and approach is going to work best for them. That will serve you whether you decide to change careers or not. Because you'll be able to communicate more effectively, you'll be able to work better on a team. Those types of things are great.

I’m a Dale Carnegie trainer and Dale Carnegie, the most famous book that he wrote is How to Win Friends and Influence People. It's written almost a hundred years ago. Most of the stuff in that book still holds true today. People just want to be respected, and they want to be heard. If you know how to do that, then you will succeed.

I think on a more specific level, I think understanding the fields of like, I mentioned, marketing, and sales can take that a step further, and that will actually take more training. Empathy is something that you can exercise and that you can modify in yourself and through practice, and through just being aware, you can grow that. I truly believe that anybody can become more empathetic and connect deeper with anybody else that they want to.

[00:39:08] CS: Sort of a practical version of that, I think would also just be the patience of like, because I imagine you get really used to hearing, “Oh, I don't want to use a password manager.” You have to really be able to just, and then explain again, why it's going to make more sense. So, maybe if you can’t get that, it might not be for you.

[00:39:27] CT: Yeah. Approach it as a challenge, I think, too, right? I think the fun thing that I really enjoyed working and still enjoy working with It type folks, is that they approach issues with systems, vulnerabilities, whatever, as a challenge to be solved. You can do that in a negative way with people, where you just kind of shove your idea down their throat. But I think there is a positive way too, where it's like if we keep going with this admin assistant who's refusing use the password manager, well, I've tried this way. I've tried this other way. What if I tried doing this other thing? Or maybe I don't want to, but maybe I show her. Maybe I show her my password manager and how it's set up and how easy it is. Maybe I bring in her neighbor, who she respects and eats lunch with every day. The neighbor has been using the password manager for a while, and we both show her. So, you take more of a champion communication strategy with her.

But approaching it as a challenge to be solved and to appreciate the fact that you have something of value that she needs, whether she knows it or not, whether that whole office may know it or not, I think is the fun of communicating in this environment is because I know that everybody needs to hear the messaging that I have, or from my client’s perspective. They need to be heard by their stakeholders. But how is the best way to do that? It's different every single time. I think that's really, really fun. I lean on the sales and the marketing background that I have to do a lot of that stuff, and that makes the messaging even more fun. Because now, I don't get to think about it just as a thing that I need to share with people, like putting something on a bulletin board. But now, how can I make this more approachable? How can I make this more engaging? And what would make these people want to take my information and use it and take action with it? Rather than just having to glaze over them or watch over them as all the other messages that pass through their ears do on a day to day basis.

[00:41:27] CS: Totally. So, as we wrap up today, Chris, can you tell us about Epicenter Innovation and some of the – you talked a little bit about some of the things you do. But what are some of the big initiatives or projects you're looking forward to working on and unveiling in the second half of 2022?

[00:41:42] CT: Yeah, thanks for asking that. So, Epicenter innovation has been around since 2013. We have three main business areas. We do our emergency management services, which is a lot of pre-disaster training, coaching and things like that. We also have our disaster deployment team, which I told you about, Epicenter Deployment Support Unit, which operates after disasters. We also work on planned events for those types of things, too. So, we'll help make sure that the event is going to be safe and be prepositioned if there is any sort of incident.

And then the third area, we actually work with private sector tech companies to help them better refine and build solutions for the emergency management and resilience, innovation space. So, we actually show them how they can take their existing solutions, make them applicable in the disaster management environment, or at least help them with their messaging to help them show the value that they can bring to these people. But frequently, we are bringing people together that can learn from each other. So, we have an engagement programming, we have a coaching and consulting program that we're really excited about, we just launched this year, that actually pairs a resilience innovator with a coach that will help them enhance the level of resilience within their organization.

What's been fun with that is, when we started the organization, we were by emergency managers, for emergency managers. If there wasn't a life at stake, we usually weren't getting involved. And more specifically, like 10,000 lives at stake is usually the threshold that we work at. We work with lots of large organizations. But what we looked at was that there's so much more value to be shared at these organizations that work on the fringes of life safety. I'm talking like business continuity professionals, cybersecurity professionals are on the list for sure, school resource officers and the types of people that have a reason and an imperative to build resilience and safety in their community. But they may not have the job title of emergency manager or disaster response coordinator, or anything like that. But they are doing some of those jobs.

So, we take emergency management professionals, coach them and work them up to become coaches, to show these individuals how they can use emergency management frameworks and disaster resilience building frameworks to help improve the organization, make it ready for whatever threats or hazards might impact them. We just kind of engage and empower them to do what they need to do. So, we're sharing resources, coaching, consulting, and it's all built around that idea of the resilience innovator, and what that individual or set of individuals can do in the world.

[00:44:08] CS: All right. Well, one last question for all the marbles. If our listeners want to learn more about Christopher Tarantino or Epicenter Innovation, where should they go online?

[00:44:15] CT: Yeah. So, you can visit our website, it's epicenter-innovation.com, or you can visit me on LinkedIn, linkedin.com/in/christophertarantino, more than happy to connect with anybody and talk about any of these things further. This has been a blast, Chris. Thanks so much for having me.

[00:44:32] CS: My pleasure. Christopher, thanks so much for joining me today.

[OUTRO]

[00:44:35] CS: As always, I'd like to thank everyone listening to and supporting our show. New episodes of the Cyber Work Podcast are available every Monday at 1 PM Central, both on video on our YouTube page, and on audio wherever you find podcasts are downloaded.

As always, I want to make sure that you all know and I think you do, that we have a lot more than weekly interviews about cybersecurity careers to offer you. You can actually learn cybersecurity for free on our InfoSec skills platform. Just go to infosecinstitute.com/free and create an account. You can start learning right now. We have 10 free cybersecurity foundation courses, six leadership courses, 11 digital Forensics courses, 11 incident response courses, seven courses on security architecture, DevSecOps, Python, JavaScript, ICS, SCADA security fundamentals and more. Just go to infosecinstitute.com/free and start learning today.

Thank you very much once again to, Christopher Tarantino, and thank you all for watching and listening. We'll speak to you next week.

[END]