Episode Transcript
Transcripts are displayed as originally observed. Some content, including advertisements may have changed.
Use Ctrl + F to search
1:10
All right . Today on Cyber Work , our deep dive into
1:12
manufacturing and OT cybersecurity brings
1:14
us to the problem of endpoint security . My
1:17
guest , tom Molden , the CIO of
1:19
Global Executive Engagement at Tanium , has
1:21
been grappling with these problems for a while . We
1:23
talk about his early formative tech experiences
1:26
pre-Windows operating system , his transformational
1:28
position , moving from fiscal strategy
1:30
and implementation into his first time as
1:32
Chief Information Officer , and we talk
1:35
about the interlocking problems that come from
1:37
connected manufacturing devices and
1:39
the specific benefits and challenges to be found
1:41
in strategizing around the endpoints
1:43
All of the endpoints , not just the computer
1:45
terminals . All that and some very good
1:48
career advice for teams and for personal growth
1:50
. Today on CyberWork Hello
1:56
and welcome to this week's episode of the CyberWork
1:58
with InfoSec podcast . Each week we
2:00
talk with a different industry thought leader about cybersecurity trends
2:03
, the way those trends affect the work of InfoSec
2:05
professionals , while offering tips for breaking
2:07
in or moving up the ladder in the
2:09
cybersecurity industry . My guest
2:11
today , tom Molden , is the CIO of
2:14
Global Executive Engagement at
2:16
Tanium . Is that Tanium or Tanium ? Sorry
2:18
, tanium , tanium . He
2:20
has over 30 years of leadership experience
2:22
in technology , mainly in manufacturing and high-tech
2:24
industries . Tom has a deep knowledge of how large
2:27
enterprises and manufacturing organizations
2:29
operate . So we've been talking a
2:31
lot about the manufacturing sector
2:34
, the last couple episodes here and the security
2:36
involved with it . Tom had some
2:38
specific insights in our pre-conversations
2:41
around endpoint security and we'll
2:44
cover some of that as well , but we're also just going to get
2:46
a little bit of Tom's whole cybersecurity
2:49
journey . So , tom , thank you for joining me today and welcome
2:51
to CyberWork .
2:52
Thank you , appreciate it , love to be here .
2:54
So , tom , to get our listeners on
2:57
board with what you
2:59
, your interests and connection
3:01
to the field , can you tell us about your early interest in computers
3:03
and tech and security ? Was there an
3:05
initial spark ? Was there a teacher , or
3:08
did you just get kind of get excited on your own and
3:10
learn it in that way ?
3:12
Yeah , happy to share . So I
3:14
got involved with computers in
3:16
the late 80s . I
3:19
did not have an education , a formal education
3:22
. There really wasn't much in the way of that
3:24
. I think I had a basic
3:26
programming course in college at one point , but
3:28
I joined the car
3:30
rental industry when I came out of college
3:32
. I was living in Europe and at the time
3:34
PCs were just starting
3:37
to kind of come out and the
3:39
whole concept of moving
3:41
off of a mainframe and doing things you
3:43
know somewhat more cheaper and efficiently was
3:47
kind of fresh . And I happened to be
3:49
in the right place at the right time and the company
3:51
I was working for was making the
3:53
move to try and start designing
3:56
car rental software for PCs . And we
3:58
experimented
4:00
with a small business unit that I
4:02
was involved with working in , and
4:04
it was really kind of a fluke , more than anything
4:07
else , that I happened to be the guy that they said hey
4:09
, can you go figure out how to deploy
4:11
all these PCs into these car
4:13
rental stations ? And I
4:16
did it and it was a lot of fun . I learned a lot about
4:18
computers and I learned a little bit about software
4:21
and things like this , operating
4:23
systems and such . This is pre-Windows
4:25
, you have to remember , and the one
4:27
thing that really was the spark to your question
4:30
was when I started to figure out
4:32
the power of having data
4:34
right . So , if you can imagine the car rental
4:36
industry how important it is to
4:38
have data at your fingertips about vehicles
4:41
, about customers and such . I
4:46
was sitting in my office , you know , downloading
4:49
data from PCs
4:51
that was being sent to me on disks in the mail
4:54
onto a computer and putting them in a database
4:56
management system and figuring out how to write queries
4:58
and I realized very quickly that there's
5:00
a ton of power here and
5:03
there's a lot of questions I can answer and a lot of insights
5:05
I can derive from this and I kind
5:07
of made a little bit of a career for myself in
5:09
doing so and that was sort of the spark that
5:11
started my interest in technology . That
5:14
was really the power of data Interesting
5:16
.
5:16
Yeah , you kind of alluded to
5:18
it with regards to getting you know floppy sent
5:20
to you and making your own system
5:22
. But like what was ? What was data ? You
5:25
know how ? What was was ? How
5:27
was data used at that point ? Like what were , how
5:30
does it differ from now ? Obviously , now we have
5:32
you know all kinds of fine grain , ways
5:34
of analyzing and stuff .
5:39
But what were people looking for in the data and how was it being used ? If
5:41
you think back to the mainframe days right , where you had data
5:43
being entered into sort of dumb
5:46
terminal or data being created in dumb terminals
5:49
, you
5:54
know people doing sort of data entry into sort of headquarters systems , mainframes
5:56
, and you know waiting for
5:58
some period of time to walk over to
6:00
the printer and get this big pile of green and white
6:02
striped sheets that were coming off there that had
6:04
some sort of data on them , and then you had to figure out
6:06
you know whether it was useful , how to use it right
6:08
. You really had little to no
6:11
insight into the business
6:13
. The main driver was to calculate commissions
6:15
you know commissions for rail stations , for
6:17
example and that was a process
6:20
that would take weeks and weeks and
6:22
weeks at the end of every month and then it
6:25
was never accurate . There was a ton of inefficiencies
6:27
, and so when we were able to start looking at actual
6:31
data that represented actual facts
6:33
in the business , kind
6:36
of day of it changed everything . It made
6:38
a huge difference just from the perspective
6:41
of being able to pay
6:43
commissions to agents working car rental
6:45
stations , for example , and then , beyond
6:48
that , understanding like fleet utilization
6:50
and understanding the performance and
6:53
all the types of things that you would love
6:55
to be able to do , which you couldn't do at the time , became
6:58
possible , and that was a kind of an overnight
7:00
change .
7:01
Wow , yeah , so so
7:03
. So , from going to data to sort
7:05
of the security of data , I mean , you
7:08
know , open , secret one of my ways to
7:11
sort of get to know my guests before they come on , as
7:13
I go through their LinkedIn profile and
7:15
especially their the experiences section
7:17
, their job history , you
7:19
know , and it's very helpful in getting sort
7:21
of a narrative , and especially with yours , with you
7:24
know your positions at a past company , amd
7:26
, because reading between the lines , I felt
7:28
like I saw like a major transition point in your
7:31
career and you can tell me if I'm overthinking
7:33
this or whatever transition point in your career , and you can tell me if I'm
7:35
overthinking this or whatever . But in 1998 , you were hired by
7:37
AMD in the role of senior manager , financial planning and analysis , with roles like capital
7:39
building projects , mergers and finding operating
7:41
efficiencies by consolidating
7:43
financial controlling modules into a single service
7:46
. But , you know , by mid 2000s , you
7:48
started working in overall strategy of the company
7:50
, creating sales and marketing roadmaps and
7:52
overseeing post merger integration of
7:54
AMD's then recent acquisition , a ATI
7:56
, which has more tech but is largely
7:58
for other purposes . And then so we cut to 2008
8:01
, though , and you're now AMD's Director
8:03
of Information Technology and Strategy . So this
8:05
feels based on my limited view and maybe
8:08
different from what you told me there like a transformational
8:10
moment where you moved toward your work
8:12
now as a Chief Information Officer
8:14
. So you noted in , you
8:20
know , the written section of your experiences
8:22
that you were promoted into this position by the previous CIO . So can you tell me about
8:24
this transformational moment ? Am I making too much of it here ?
8:26
No , I think you're
8:28
actually , you're
8:31
accurate , I mean . So I started my
8:33
career , like I mentioned to you , somewhat by fluke
8:35
in technology , always
8:38
have been around technology , I've always had kind
8:40
of a you know , kind
8:42
of a love affair with technology in some way shape
8:44
or form , and the power that
8:47
you know , that you can , that you can bring to
8:49
business outcomes , right , right . And then I
8:53
ended up I was working in Germany for many years
8:55
and I moved back to the States and I went and got a business
8:58
degree , a graduate degree
9:00
, because I felt like I wanted more formal business training
9:02
. And that's how I ended up in the semiconductor
9:05
industry and
9:16
I very specifically wanted to go work in the finance space to understand more about how the business
9:19
runs . And and I guess I just found myself always working on the technology end of the business
9:21
and always in this intersection between the business and
9:23
the technology groups , right and and . So
9:25
I sort of naturally gravitated towards
9:27
, you know , helping
9:30
run these big strategic initiatives
9:32
, because they always have some kind of technology component
9:35
to them . When you buy a company , when you carve out a company
9:37
, when you , you know , do any kind of a transformational
9:39
change
9:42
, there's a technology component to it , right More and
9:44
more . And so , you
9:47
know , the point came at which I was
9:49
very
9:51
much kind of on the on I'll call it the
9:54
, the , the tip of the business
9:56
spear with respect to kind of driving
9:58
the priorities for technology
10:00
investments Right , okay , and then
10:02
what ? What caused the change for me
10:05
was there was a shift really in the strategy
10:07
around , uh , leveraging technology
10:10
in the company and a new CIO hired
10:12
that was given a much broader mandate and much
10:15
bigger , I'll
10:17
say , set of goals around driving business
10:20
value with technology . So , like in many companies
10:22
, there was sort of IT
10:25
as an order taker , cost center
10:27
type department doing
10:29
really sort of basic
10:32
infrastructure work and then maybe running
10:34
an ERP system sort of scenario
10:37
. And then the goal was , ok
10:40
, let's get much more ambitious in terms of how
10:42
we're going to leverage technology in the business . And then so
10:44
I was , I
10:46
would maybe say , plucked out of
10:48
my role and asked to
10:50
go . Sometimes when they offer you a promotion
10:52
, it helps , you know , go
10:55
run strategy on the IT side . So I basically
10:57
switched back over into the technology world
11:00
, really still sitting
11:03
at the intersection between the business and technology
11:05
, just on the other side of the fence , right
11:08
, and you know , and
11:10
I sort of I wandered down
11:12
this sort of you know in-between path
11:14
for quite a while until at some point
11:16
I had to make a decision in my career my you know my
11:18
IT guy or or
11:21
finance and strategy guy , and you
11:23
know I've ended up being in IT . You know
11:25
the rest of the story you know as
11:27
well too . I went on to General Motors to
11:29
help drive the transformation of IT there and such
11:32
, so I've been pretty firmly entrenched now for
11:35
a number of years as an IT and
11:37
a security executive .
11:39
Yeah . So I want to sidestep
11:41
a little bit into that because , as
11:43
I say , your career path gets a little more linear . At that point
11:45
you have the CISO role at General Motors and leading
11:48
to your current role as CIO of Global Executive Engagement
11:51
. Now for clarification
11:53
. A lot of our listeners have
11:56
told us that they're aspiring eventually to be CISOs
11:59
Chief Information Security Officers and
12:01
they may be less familiar with the roles and responsibility
12:04
of a CIO . And I mean I
12:06
understand that those are kind of different
12:08
from position to position . Can you talk about
12:10
how a chief information officer
12:13
differs from a chief information security officer
12:15
and whether the two sort of interact
12:17
, or is it one is one is
12:19
, you know , used in this company and the other is used
12:21
if there's other sort of ?
12:23
requirements . Yeah , sure , I mean , you know
12:25
it differs from company to company
12:27
and industry to industry , and I
12:29
think it's also it's constantly evolving
12:31
, right . I mean , uh , you know , several
12:34
, not too many years ago
12:36
really , you know , the cso role
12:38
wasn't even a given and a
12:40
lot of companies I'm I remember not
12:43
having a cso no one even mentioning that . You
12:45
know the the the term cso
12:47
? Right , we had a security person that worked somewhere
12:49
in a department , somewhere , and
12:51
you know , and and monitor traffic and something
12:53
like that . And obviously
12:56
, as information
12:58
security has become more
13:00
and more important over
13:03
the past , let's say , a couple of decades
13:05
, the
13:08
role has matured and is still maturing
13:10
, I would say . And then , so you'll
13:13
see , in a lot of enterprises where a CISO reports
13:15
to a CIO , it's part of the IT function
13:17
. Other enterprises where , well , no , it's actually not
13:19
, it's got aspects
13:22
to it that are not just IT or information
13:24
security related . There's
13:26
product security , there's cyber
13:28
, physical security , there's all these different types
13:31
of security and things like this . So
13:33
I think it varies , but primarily
13:35
, I would break it down this way If I just
13:37
sort of focus on information security , right
13:40
, the
13:43
CISO , your main charge is to protect
13:45
yes , protect
13:47
the enterprise , protect our IP , protect
13:50
our customers , protect things
13:52
right , yeah , protect our customers , protect you know
13:54
things right . And if you think about the
13:56
role of a CISO and the mandate of , excuse
13:59
me , of a CIO , right , there
14:02
are many more perspectives
14:04
. Right , the CIO has
14:06
to look in different directions , right ? So
14:08
the CIO has a technology state
14:10
that they're entrusted with managing and
14:13
protecting right , and
14:16
that's a job in and of itself , right . Keep the
14:18
lights on , keep the motor
14:20
running , make sure everything's you know
14:22
up and running when we need it to run
14:24
, et cetera , et cetera . Right , and do that all with
14:26
less money than you need , et
14:28
cetera , et cetera . Right . And if you swivel
14:31
the chair around , right , and you take the CIO
14:33
role and you look at the other perspective towards
14:35
, let's just say , the peers , the functional leadership
14:37
peers in the enterprise , you have a mandate
14:39
to enable
14:42
them , to enable them to innovate
14:44
, enable them to drive business
14:46
outcomes , et cetera , et cetera . And you might argue
14:48
that's actually probably the highest pressure part of the
14:50
CIO job , right ? So you have this
14:52
tension that exists naturally
14:54
between , like this pressure to drive
14:57
business outcomes , drive innovation , right
15:00
, versus well , hold on , I got to go manage
15:02
and protect all this stuff as well too . So
15:04
, you know , traditionally
15:06
, when I spent my stint working
15:08
in the , you know , in the information security space
15:11
, you know I was always
15:13
trying to figure out ways to change the perception of security
15:16
from like the boat anchor , you know , I was always trying to figure out ways to change the perception of security from like the boat
15:18
anchor , you know , or the sand
15:20
in the gears right , you're holding us back from innovating
15:22
. Right , and I think you
15:24
know the world has progressed past that
15:26
, right , and
15:29
you know , a lot of times when you
15:31
talk about security today you're talking about securities and
15:33
enabler and things like this , right , and
15:35
DevOps and SecDevOps
15:37
and all these things have evolved to , you know , to kind
15:39
of make it part of the mainstream . But really
15:42
, at the end of the day
15:44
, this tension still does exist
15:46
, right , between like having to like
15:48
have your foot on the brakes and be ready
15:50
to pump the brakes and make smart decisions
15:52
, versus foot on the gas
15:55
, drive innovation , drive business outcomes
15:57
, right , and so the primary difference I would say
15:59
, you know , between the roles
16:01
is that the CIO is kind
16:04
of being pulled in both directions .
16:07
Yeah , beautifully put and it goes
16:09
nicely towards my next question here , because I wanted
16:11
to talk about your current role as
16:13
a CIO Global Executive Engagement
16:15
for Tanium and
16:18
, to quote you , you describe your responsibilities
16:20
like this in this role
16:22
, I have the opportunity to leverage my experience
16:24
as an IT and strategy executive to work with clients
16:27
, industry experts and the partner ecosystem
16:29
on solving some of the most complex problems facing
16:31
manufacturing and industrial companies
16:33
. So you know , a lot of times , like
16:36
you know , a phrase like that can
16:38
feel boilerplate , but that there was something so very
16:40
specific and interesting about that to me in
16:43
yours so I wanted to ask if you could walk me
16:45
through a bare bones
16:47
version of the types of complex problems
16:49
that you're helping manufacturing companies
16:52
solve with this role .
16:55
Yeah , sure . So you know , I
16:57
made a pretty significant
16:59
shift in my career from being an
17:01
executive and a practitioner to
17:04
, you know , being on the vendor side of
17:06
the table and in the software space , right . And
17:14
so the problems that I experienced
17:16
working in the manufacturing
17:19
world had
17:22
a lot to do with what
17:24
I call the convergence of technology domains
17:27
, right , I think there's sort of underlying theme
17:29
. Let's
17:32
just stay with manufacturing . You know
17:34
, in a manufacturing world if I use it very
17:36
broadly , which you know , let's just say the industrial
17:39
world you know
17:41
where you've got technology domains
17:43
that have historically been very
17:46
, very independent , that have grown up independently
17:48
, managed independently , very
17:50
autonomous . You know I'm speaking about IT
17:52
, I'm speaking about industrial
17:54
controls , or OT as
17:57
we refer to it , and then there's also product
17:59
technology , the amount of embedded technology
18:01
and products Automotive
18:04
is the example , of course , that most people
18:07
would relate to right away . These
18:09
are technology domains that are so
18:11
historically
18:13
independent and separate . Right
18:15
the skill sets that
18:17
are in engineering , like
18:19
between IT , software engineering , manufacturing
18:22
, engineering , product engineering . Right the
18:24
technologies . Right the basic
18:27
differences between standard
18:30
operating systems and real-time operating systems
18:32
. Right Proprietary protocols in
18:34
, let's say , industrial environments versus
18:37
more standard , open protocols in IT
18:39
environments . And you know who
18:41
knows in the product space and then
18:43
sort of you know all of the
18:45
advent of IoT and
18:47
sort of . You know this has
18:50
created , you know , a real
18:55
challenge , I think , for manufacturing . That cause there
18:57
are no , there are no solutions
18:59
in the market this is going to be my opinion here
19:02
, of course but uh , with
19:05
which you can sort of manage and protect across
19:07
all of these domains , right , people are trying
19:09
to figure out how to do it and uh , and they're trying different things right . But out
19:11
how to do it , and they're trying different things , right
19:14
. But you know , the fact
19:16
is I always saw this challenge
19:18
and I always saw the the
19:23
lack of the lack of sort of response
19:25
or solution in the market for managing across these
19:27
technology domains . Right , and so you know , when
19:30
I , when I came to tanium and I had new tanium
19:32
before I came to tanium I saw , I
19:34
saw technology , a platform that
19:36
you know , that has potential to
19:38
build a foundation for
19:40
where we're going to be heading , I think all
19:42
collectively , with respect to managing
19:44
and protecting across these technology domains
19:47
. I don't know if that makes sense , but that's sort of
19:49
the fundamental challenge that
19:51
I see in manufacturing . Of course , there's tons
19:54
of other ones .
19:55
Yeah , that's interesting . So , in the
19:57
fact that you're working with vendors
19:59
and your clients and so forth
20:01
, you're having to kind of get
20:03
up to speed with the individual issues
20:06
in a lot of different industries . I
20:08
imagine , then , right , so each new sort
20:10
of case you take on , there's
20:12
a lot of new contingencies . There's
20:16
a different sort of approach to , as
20:18
you said , I imagine , dealing with connected
20:21
cars versus other things that require
20:23
IoT versus other manufacturing
20:26
areas . So is that part of
20:28
the thing that you especially enjoy
20:30
about this ?
20:30
business . Yeah , I mean , yes , this is one
20:32
of the things I really love about this role that I'm
20:35
in is I do , you know , I mean , number
20:37
one . I get to interact with , you
20:40
know , with really smart people and high
20:42
levels of leadership in really interesting
20:44
industries and companies , and that in and
20:46
of itself is fun , yeah , and
20:49
intellectually , you know
20:51
, motivating and meaningful
20:54
. But at the same time
20:56
, you know , I also get to sort of look
20:58
across industries and it's
21:00
almost like having been a practitioner for so
21:02
long but now , getting the view across
21:04
all these different industries , I get to sort of compare
21:06
and contrast how
21:09
things are being . You know , what the challenges
21:11
are then , how they're being managed , and you know it's
21:13
actually pretty interesting how
21:15
much similarity there is between
21:19
the challenges that different industries
21:21
have . And I'll
21:24
come back to what I said about this convergence of
21:27
technology domains . Right , whether you're
21:29
in the medical
21:31
field , you know , trying to figure out
21:34
how to bring
21:36
the cost of health care down , how to deal
21:38
with , like you know , a massive
21:41
consolidation in the industry , the
21:49
industry and uh . Or whether you're an automotive , trying to figure out how to meet regulatory requirements
21:52
across all these connected vehicles , or whether you're in pharma , or whether you're in
21:54
, you know some kind of or say
21:56
, an energy , right , yeah , right
21:59
. The challenge is , if you bring them down to this
22:01
, this sort of point around , converged
22:04
technology domains are kind of similar
22:06
. Okay , right , like
22:09
, how do you get
22:11
end-to-end visibility and control
22:13
across these technology domains ? There
22:16
isn't a platform that does it today , right
22:18
, right .
22:19
Right , but
22:28
it also is that actually the sort of goal is to create the sort of Uber platform to dealber
22:30
platform to deal with that , or or is ? Is it just the realization that each case is going to happen
22:32
.
22:32
Well , I , I think that's where we're headed . That's why
22:35
you think about thought leadership for a second
22:37
. And , like you know where , where's the world headed
22:39
? Right , I , I feel like that's where the world's headed
22:41
. You know , having
22:46
a platform , you know that
22:48
will give you complete visibility and control
22:50
over all of your IT assets . That in and of itself
22:53
, is great . Not
22:56
everyone has that , right , people would
22:58
love to have that right Now . If you extend
23:00
that across other
23:02
classes of assets , right
23:04
, I think you know the bar has been raised in terms of what
23:06
people expect and want now . Right , I think you know the , the , the , the bar has been raised
23:08
in terms of what people expect and want now
23:11
. Right , it's like no , I want to see all my IT
23:14
assets and my industrial assets . And you know what
23:16
I want to see all my product , embedded product assets
23:18
. I want to see them all in the same place . I want to cause . They're
23:21
interdependent , right , my , my , my
23:24
connected vehicle can't
23:26
operate with all of the you
23:28
know IT infrastructure that surrounds it , right
23:31
, neither can my factory , and
23:34
so on and so forth . Right , so
23:36
I think you know where we're headed as an industry
23:38
. And again , if you think about regulatory
23:40
requirements , go look at some of the latest regulatory
23:42
requirements come out . You
23:45
know they require you . The
23:48
latest regulatory requirements come out . You know they require you to be able to build
23:50
controls across these technology domains . Yes , the technology
23:53
to manage and protect
23:55
these things is still catching up
23:57
.
23:57
Right .
23:58
That's how I look at it , yeah .
24:01
So that's that's . That's exactly what I was
24:03
I was hoping to hear , thank you . So I you
24:06
know I said I've had a bunch of great
24:08
recent guests talking about industrial
24:11
control systems and manufacturing
24:13
security challenges and infrastructure
24:16
and that's focused of our talk today as
24:18
well manufacturing security . So to
24:20
go from the interconnectedness and the sort of like
24:23
asset detection of it all , like what are some
24:25
of the big challenges from a security perspective
24:27
right now , Are there certain commonalities
24:30
in terms of where the attacks are coming from , where
24:32
the cracks are in the defense and what type of consequences
24:35
we're seeing ?
24:37
Yeah , I'll share my viewpoint
24:39
on this , I think you know . Let me just start by saying you're
24:42
going to find people with different viewpoints here , you
24:45
know , and there's a lot of people
24:47
with deep expertise in the industrial control
24:50
space and
24:52
, as these two worlds
24:54
of industrial controls and IT are converging
24:57
on one another , there's
25:00
people with differing opinions and different levels of expertise
25:02
in there . I would call myself more of a generalist
25:04
in the middle here . Yeah , um , but
25:06
you know what I'll tell you is , you
25:09
know , the the biggest problem is that
25:11
factories are now connected to the internet I
25:13
mean that's you know , I still have
25:15
conversations with people that say , well
25:18
, why do I worry about my you
25:21
know controls within my factory
25:23
environment ? you know , it's , it's , it's , it's
25:25
, it's , it's completely air gapped and gapped . And I
25:27
don't , and I don't , you know , I don't have a connection anywhere , I'm
25:29
not really worried about it . I was like , well , that's actually
25:31
not true . I
25:34
mean , more and more , you
25:36
know , your factories are connected to the rest of the
25:38
world . Right , and regardless of how
25:40
much you invest
25:42
in , in , in , in sort of retaining
25:45
your moat and drawbridge approach
25:47
to protecting them , the pressure
25:49
is in the other direction . Right , and
25:54
so you know , and if you want
25:56
evidence of like
25:59
, why it matters , all you have to do
26:01
is just go look at ransomware stories , right , I
26:03
mean , you know , shut a factory down and
26:05
you're done . Right , that's the end
26:07
of the road for you for some period of time . And
26:09
so you know , it matters
26:11
, the impact is huge , right , and
26:14
so , and
26:16
you have to address it . And I think there's been
26:20
sort of a journey of bringing people along
26:22
to realize , no , I have to
26:24
address this , and I think some companies , from my observation
26:27
, are further ahead than others on it . Some
26:31
companies have been looking at trying to figure out how to
26:33
bridge this IT and OT for 10
26:35
years now . Others are still
26:37
in the process of trying to figure out what it means
26:40
, and then there's all pieces in between . And
26:42
so , for
26:44
sure , if someone has ransomware at your
26:47
factory , you care about it and
26:49
you're investing in it , right , you
26:51
know , if they haven't and you don't
26:53
really feel like there's much of a threat , maybe you're still investigating
26:56
, right ? I think it's the . At
26:59
the end of the day , the regulatory requirements
27:02
are going to bring everyone , everyone kind
27:04
of to the table , so we're going to bring everyone , everyone
27:06
kind of to the table onto the same page
27:09
there .
27:10
Yeah , yeah , yeah . So I mean , yeah , I think that sort of that
27:13
bouquet of issues that you brought
27:15
up is is kind of what I wanted to
27:17
talk about , because you know , like I said , we've had
27:19
recent guests talk about
27:21
things like increasingly connected
27:23
devices , like video
27:25
product inspection or smarthousing
27:28
, or the added dangers that come with edge
27:30
computing practices with regards
27:32
to collecting data in those places , and
27:34
those are the sorts of things I think you said where it's like , well
27:36
, this isn't air-gapped anymore , like now
27:39
, even the most sort of dumb technology
27:42
is pouring data into
27:44
something central that can be breached
27:46
. So , you know
27:49
, one of the things I like to say is that the fun
27:51
and innovation of cybersecurity is that there's no problem
27:53
has a single solution and
27:56
, no , you know , one type of specialty
27:59
is going to solve all the problems . So , you
28:01
know , I've heard related but different solutions
28:04
to problems in this space . You
28:06
know whether it's , like you said , building the
28:08
moat and drawbridge , or whether
28:10
it's , you know , working right in with the sort
28:12
of like the timing of the systems
28:14
, or sort of seeing , like
28:17
OT systems and sort
28:19
of more monitoring whether they're making changes
28:22
, like with the water filtration , and whether
28:24
there's suddenly you know new , you
28:26
know things coming into it or whatever . But we
28:28
haven't specifically talked to endpoints and that
28:30
was kind of the focus I wanted to have
28:33
with you here . So when we talk about endpoints obviously
28:36
you've said it already a little bit , but we're not just talking about
28:38
user workstations here , we're
28:40
talking about all of the assets . So
28:43
and you said that that's something that
28:45
we're having a hard time coming to
28:47
grips with but can you give me a better sense of the scope
28:49
of endpoint issues that you work with ?
28:52
Yeah , sure , look , I think first
28:55
of all the way I think about
28:57
manufacturing
28:59
and security is in terms of these
29:01
domains , the IT and the OT domain
29:03
. And if you start with
29:05
sort of you know your classic corporate IT domain
29:08
, I think everyone pretty much understands how
29:11
that's structured and how it works right . And
29:13
if you go over to the manufacturing side of the house
29:15
, you know you
29:17
have , if you think about operational
29:20
technology as industrial controls , if I
29:22
just focus there for a minute right . You've got industrial
29:24
control systems that are
29:26
running in factories that have been around forever
29:28
. Right . It is in many cases
29:31
older than IT . Right , and
29:36
very mature processes for managing
29:39
these . Right , but with
29:41
, you know you might say nary a concern for
29:43
security , historically right . And so
29:45
these systems weren't designed with security in mind . They
29:47
weren't , you know , built to be
29:50
, let's say , managed from a protection perspective
29:52
, right . And so you've
29:56
got these industrial control systems right , and
29:58
they are also proprietary
30:00
. Right , there are different protocols depending on which types
30:02
of technology you're using in there . Right
30:04
, there's a number of different vendors that build and service
30:06
, manage these industrial control
30:08
systems , whether they're
30:11
in an oil refinery or a factory
30:13
or , you know , a logistics environment
30:15
or whatever . You know these are not IT
30:17
systems . For the most part they're OT or industrial
30:19
control systems . They run on different operating
30:21
systems with different protocols and such right
30:24
. And so you know it's
30:26
hard to imagine , or
30:28
it's hard to manage , across all those you
30:30
may have , you know , five or six different major types
30:32
of technology in your industrial controls environment
30:34
and how do you
30:36
manage across all of them ? Each vendor is going
30:38
to give you access to managing theirs , right
30:41
. So that's sort of a fundamental challenge . But
30:43
I think really the more important challenge to recognize
30:45
in the manufacturing space is that all of those
30:47
industrial control systems have some sort of a control
30:50
layer to them . Okay , people
30:52
talk about Purdue model a lot in manufacturing
30:54
, where you start looking at sort of the layers of assets
30:56
and device types and such right , that begin
30:59
at the very bottom , with level zero , which are your
31:01
field bus level
31:03
, you know , actuator sensors , things doing
31:05
repetitive work in an environment
31:07
, all the way up to the very top , which is sort of your control
31:10
layers and your corporate systems , right , which could be an
31:12
MES system , right , manufacturing
31:15
execution system , or I could be an ERP system
31:17
that you're communicating with . It could be just
31:20
a basic control system that's managing
31:22
these industrial controls , managing
31:29
these industrial controls . At some point as you go
31:32
up the stack you have IT equipment running industrial controls equipment or governing
31:34
it , managing it , taking outputs from it and sending it somewhere
31:36
, et cetera , right ? So I think the most important
31:38
thing to recognize is that you have
31:40
a bunch of IT in your
31:42
OT , right , and that
31:44
IT is , you know
31:46
, it's endpoints , right , it's endpoints
31:50
running Windows , linux , whatever it might be Right
31:52
, and so you know , and historically
31:54
that class of assets has
31:56
been , I would argue , very much
31:59
undermanaged .
32:01
Oh yeah , that seems to be the consensus of people
32:03
I've talked to so far . Yeah , Right
32:05
.
32:05
So you know your sort of traditional manufacturing
32:08
engineering teams that are focused on these industrial
32:10
controls kind of , you know , acknowledge
32:13
that they need the IT group to maybe
32:15
provide them with network access and some email
32:18
and maybe some storage to put their stuff in , but
32:20
really , other than that , they manage their own Right
32:22
. Yes , sure , and a lot of these types
32:25
of assets and endpoints that you're seeing in a manufacturing
32:27
environment actually vendor managed Right , and
32:29
so so . So there's a complexity
32:31
there , right , yeah , and so for me
32:33
, that is really in
32:36
today's world where I would
32:38
be putting my focus Right Is on how
32:40
do I better , more effectively manage those
32:42
and protect them Right , and that starts
32:44
with things like just visibility what
32:46
are they ? And protect them right ? And that starts with
32:48
things like just visibility what are they Right ? And then you know basic
32:51
things like hygiene patching . You know you
32:56
wouldn't be surprised to go into a manufacturing plant somewhere and find a Windows box
32:58
that hasn't been patched in years , right ? Yeah , yeah , things that have been set up 20
33:00
years ago that couldn't possibly be patched at
33:02
this point , yeah , and at some point
33:04
somebody said I don't ever care about patching
33:06
this thing , no one's ever going to access it . Right , well
33:08
, you know how
33:10
are you ? Because
33:14
you've also got security cameras and this and
33:16
that and all these other things that are running
33:18
in your factory , that are connected to a Windows box
33:20
somewhere , that are sending data in
33:23
and out of your network . And so how
33:25
do you how ? And so to
33:27
me , that really needs to be the
33:30
focal point is to look at how effectively
33:32
am I able to manage and protect that IT
33:35
portion of my
33:37
OT environment ? And
33:41
that really begins with visibility , but also with collaboration
33:44
between manufacturing , engineering teams
33:46
and IT teams , which have historically
33:48
not always worked
33:50
together oh for sure . So
33:53
you have to build that collaborative bridge . You
33:55
have to have a common understanding of what
33:57
we're trying to achieve and the fact that , yes , we do
34:00
need to bring IT
34:02
methods into
34:04
your OT environment and we need to figure
34:06
out how to do it , because you can't copy paste them in
34:08
there . It's not going to work . You
34:11
have to figure out how to do it collaboratively . That , to
34:13
me , is the single most important
34:15
thing to focus on . If
34:18
you think about where breaches are happening
34:20
and you think about where people are getting in to
34:23
sit inside your environment
34:25
and look for an opportunity to shut your factory down , wherever it
34:27
might be , it's through those
34:30
windows boxes
34:32
, if you want to put it that way , right , generally
34:34
speaking , that they're going to come in
34:36
.
34:37
Well , to that end , I mean , you
34:39
know you've sort of laid out a couple of
34:41
different historical
34:43
and modern approaches from a security standpoint
34:45
of what you know how to solve the problem of 20 , security standpoint of of what you know how to solve the
34:47
problem of 20 year old , you know
34:49
, operating technology systems or or
34:52
things that don't necessarily chain
34:54
up well with it . So when
34:57
you're putting , how
34:59
does the response , I guess , to manufacturing security
35:01
issues differ when the focus is
35:03
on endpoint security , like how
35:06
do the signs of a breach show themselves differently
35:09
when you're focusing on endpoints
35:12
? And if something does get through , how does the
35:14
triaging of the situation differ from
35:16
the endpoint side of things versus the sort of Moten
35:19
and Jarvis approach ?
35:20
I'll start by saying this In
35:24
today's world you cannot rely on endpoint
35:26
alone in the manufacturing
35:28
space , right ? This goes back to my very
35:31
starting comments about there's no end-to-end
35:33
solutions . Right , you can't . You
35:36
can't manage devices in
35:38
the industrial controls environments like
35:40
you manage a pc , right
35:43
, you can't put an agent on
35:45
there and interrogate that endpoint and you
35:47
know and command that endpoint . The same way that's
35:49
happening through protocols . You know that
35:52
are built and managed and they're very proprietary
35:54
. You know that are created
35:56
by the vendors of those devices . Right , they've been
35:58
the makers of those devices and so you have
36:00
a challenge . Right , and the way that that's being addressed
36:02
today in the market is people are . You know they're
36:05
listening to network traffic , right , so
36:07
they're identifying
36:09
. You
36:12
know information about devices
36:15
in this environment by tapping into network traffic
36:17
and listening to what these devices are saying
36:19
to each other and how they're identifying themselves and stuff like this . Right
36:21
, so it's a non-invasive approach . We call
36:23
passive scanning , right in in
36:25
some environments , and so that's
36:27
what's available in the market today . You know my , my
36:30
case would be you . You have to have that
36:32
. Plus , you know
36:34
the endpoint approach where you can't , can't actually
36:37
get a hold of , manage and and and control
36:39
and protect the endpoint , right , um
36:41
, because obviously , if you're listening
36:43
to traffic on a network , you can't do anything . You can only
36:45
listen , listen , right
36:47
. And so my first , I guess , guidance
36:50
is you know you have to look at both of these
36:52
in concert , no-transcript
37:10
, so it's almost like an aggregation
37:12
of data you're going to get from your endpoints
37:15
versus what
37:18
you can pull off the network traffic , your
37:20
port spans or whatever you want to call it . And
37:23
so where we're headed
37:25
, I think , in manufacturing
37:28
, is going to be more of a heterogeneous
37:30
management of the assets . We're headed
37:32
into a place , I think , where you're going to find
37:34
platforms that are
37:36
going to be able to see
37:40
everything and
37:42
it's not easy
37:44
because you're dealing with completely
37:46
different technologies , right , but someone's
37:49
going to figure out and I know that people are working
37:51
on figuring it out you know how to make
37:53
these different types of protocols communicate with each
37:55
other and how to get like let's call it , you
37:57
know uniform view over all of these assets
38:00
. And then , I think there'll be a new class
38:02
of new class of solutions that are going
38:04
to emerge . You know either , from
38:07
the one side you know the folks that are doing
38:09
OT security solutions today
38:11
with passive scanning , and from the other side , the
38:14
IT guys that have got the endpoints and such right
38:16
. Somewhere in the middle there'll be
38:18
a solution that evolves . That's kind of my viewpoint
38:20
.
38:22
I think you're right . I think that seems quite
38:24
logical . So I want to
38:26
move to from the
38:29
tech that's coming in the future to the workers
38:31
that are coming in the future . As I mentioned always
38:33
at the top of the show , a goal of CyberWorks to help
38:35
students and new cybersecurity professionals sharpen the
38:37
skills needed to enter the
38:40
cybersecurity industry or maybe people
38:42
later in life changing careers , say engineers
38:45
or or people in you know the sort
38:47
of more mechanical side of manufacturing
38:49
. So for those who are
38:51
wishing to make their mark doing this type of manufacturing
38:53
security work , tom , do
38:56
you have any advice about the most important
38:58
sort of technical skills or experiences
39:00
or training paths or certifications , or just even
39:03
just interpersonal and creative skills that
39:05
they need to sort of get
39:07
up to speed very quickly in sort
39:09
of manufacturing spaces like this ?
39:13
Yeah , I mean this is a tricky one , right ? Because
39:15
you talk to a guy my age and like
39:18
things
39:20
are evolving so fast .
39:23
Yeah , yeah , right .
39:23
It's very hard to keep up , right , I
39:27
think , just fundamentally to
39:29
recognize the
39:33
difference between sort of manufacturing
39:35
engineering or industrial engineering and
39:37
information technology or computer science
39:40
, right , Uh
39:42
, you know , and , and , and , and find
39:45
opportunities to kind of be
39:48
part of building the bridge between these . That
39:51
that's where the future is . Um , you know , the same applies
39:53
for for embedded product technology , right , If you just stay with the automotive
39:55
, you know world that I . For embedded product technology , right
39:57
, If you just stay with the automotive , you
39:59
know world that I'm quite familiar with . Right , If
40:01
you think about vehicle architectures and what
40:03
they call software-defined vehicle architecture . Right
40:06
, I mean , you know more
40:08
and more and more . You know it's
40:10
software , it's computer science , right , yeah
40:13
, yeah , right . And , as opposed
40:15
to you , know product
40:17
engineering right in a vehicle , and so to
40:20
me you know , finding
40:22
opportunities to be on that intersection you know
40:24
where these things are overlapping
40:27
, is probably the most exciting
40:29
place to be , and it's probably also the
40:32
place where , if you can develop skills there you
40:34
know the most , the most opportunities
40:36
will will be .
40:39
Well , on the other side of that coin , are there
40:41
particular skills gaps
40:43
that you're seeing among people who are trying
40:45
to get into these types of positions and careers ? Are there
40:47
certain things that you consistently
40:49
, consistently see lacking in
40:52
job candidates that you might be looking at to hire in
40:54
this , in this space , that you'd like to see more
40:56
emphasized in the future ?
41:05
I'll be maybe a bit more general here , but
41:08
one of the things that I've seen consistently
41:11
throughout my career is is , you know when , when you
41:13
have , like
41:16
, people tend to love people
41:18
with technical skills , right
41:20
, I
41:25
want people to get grouped
41:27
in organizational planning between technical
41:29
and non-technical roles . You want
41:31
a technical person but to
41:34
be in a technical role and
41:36
to be an engineer of some sort , right and
41:38
and to it's
41:41
to become effective in
41:43
a business . If you think about , at the end of the day
41:45
, why we're , why we're all here in business , which
41:47
is to really make a profit , right , right
41:49
, you need to develop some business acumen
41:52
, right , and so so how
41:54
do you develop business acumen in
41:56
a technical career
41:58
path ? Right , that's sort of the
42:01
you know the thing
42:03
that I see some people
42:05
doing effectively but others not , right
42:07
, and or maybe it holds people back
42:09
a little bit , right . And then , if you flip
42:11
it around and look at it conversely or
42:13
inversely , you know people that are in , let's say , non-technical
42:16
roles , governance roles right , in the security
42:18
space , right , you've got all sorts of different GRC-related
42:23
roles that are critical , they're important
42:25
, they're right . But to develop a little bit
42:27
of technical acumen , you
42:30
know , in terms of understanding what
42:33
you're governing , yeah , and some
42:35
of the challenges there , from a technology perspective I
42:38
think , is you know , sort of in the same
42:40
fashion you know important
42:42
and useful to being more effective
42:44
and more you know more , say
42:47
useful to the outcomes of the company
42:49
.
42:49
Yeah , I think in general , good advice
42:52
is don't just learn how to do your
42:54
job , but why the job is being done , because
42:56
once you learn why , you're in
42:58
a better spot to say well , why are we doing
43:00
it just like this ?
43:01
Yeah , I think that's where I would summarize it . I would agree
43:03
with you , yeah .
43:04
Yeah , yeah , yeah , because that's when you can sort of make the
43:06
big changes , is when you see the why
43:08
. Then
43:11
you can say , well
43:13
, what if we tried this and real
43:15
start , you know , starting their career ? Maybe
43:17
they're still students or whatever , but they would want
43:19
to move towards this type of work
43:21
in manufacturing security as their emphasis
43:24
. Uh , where should they be looking
43:26
to get experience or network or get themselves
43:28
on the map ? Do you have any , any thoughts
43:30
on on that sort of like that first step ?
43:33
Yeah , look I , I think . I
43:35
think the world of industrial
43:38
controls is something
43:41
of a mystery to a lot of people
43:44
. Most of us who have kind of I'll say
43:47
kind of grown up in business some
43:50
sort of IT or technical background
43:52
, have been exposed to IT in some way
43:54
, shape or form . Right , the world
43:56
of industrial controls has been , you know , kind
43:59
of somewhere
44:01
over here , managed by some
44:03
people over there for many , many years . Right , so
44:05
, to find opportunities to educate yourself
44:07
on how industrial controls work yes
44:10
, right , because that's what everyone cares about
44:12
right now . Right , the bad guys are
44:14
coming after it . They're going to shut off water supplies
44:16
and electricity and grids and
44:20
to really get an understanding of how those industrial
44:23
control systems work . Right
44:25
, and you can Google it and get
44:27
free classes on it and stuff like this . Right , I think
44:29
there's really an important kind
44:32
of foundation
44:34
to getting into this space
44:37
, because you know for sure
44:39
you cannot take it
44:41
methods and just copy paste
44:43
them over into the industrial controls world
44:45
. Right , you have to understand that world
44:47
yeah , completely , uh
44:50
, yeah , all right .
44:51
So , tom , as we wrap up today , uh
44:53
, I like to ask this of all all our
44:55
guests here what's the best piece of career advice
44:57
you ever received , whether from
44:59
a mentor or a teacher or a colleague , or just on
45:02
the job ?
45:06
Oh , I think I'll give you two things
45:08
, you know . The first
45:10
is advice that
45:13
I have sort of given myself over
45:15
time , or thing . You know , what I've come to realize
45:17
over time is , um
45:20
, not
45:23
to underestimate people , uh
45:25
, right . Uh , you know we
45:28
hear a lot about the importance
45:30
of diversity and the importance of building teams
45:33
with different perspectives and backgrounds and all this stuff
45:35
, right . And so you know , if you're , if you're
45:37
moving on with your career and you're kind of a hard
45:39
charger and trying to get somewhere in life , right
45:41
, you're going to come up against people inevitably
45:43
in any scenario where you're at that
45:46
aren't in your wheelhouse or aren't in
45:48
your same page or wavelength , whatever . It is
45:50
Right . And I think one of the things
45:52
that I've learned over time is not
45:55
to be so much in a rush that you're dismissive of
45:57
people that don't really fit
45:59
with what you're trying to do . You know there's
46:01
a lot of like pause
46:03
and think about how somebody can be useful before
46:05
you brush past them . You know , and
46:07
is really to To
46:11
get to the , you know where you want to go . You're
46:13
not going to get there alone for the most part , and
46:21
so that you know that's sort of a career advice thing , um , in terms of sort of
46:23
advice I've received , um , it's not so much sort of career advice , but
46:25
more sort of tactical advice for how to
46:28
be successful . This
46:30
is something I receive , you know , sort of words
46:32
of wisdom that I remember from earlier on in
46:34
my career with our boss . He
46:36
told me . So you know , one good
46:38
skill set to have is to constantly
46:41
be anticipating right . I mean
46:43
his words were you know what's
46:45
? I'm always thinking what's next , what's coming
46:47
next , what's happening next , right , so as you , as
46:49
you , you know you wake up and you start
46:52
your day , or as you're coming off
46:54
a meeting or you're going from lunch , whatever it might
46:56
be , in your everyday work , it's like what's coming
46:58
next , and anticipating
47:01
, being prepared for it right
47:03
, is going to make you , first of all , much
47:05
more effective at what you're doing . Just being
47:07
mentally prepared for something before
47:09
you do it , and then , secondly , you
47:11
know you're going to , it's going to help you prioritize
47:13
what you're doing , because
47:16
you know the thing that you were thinking about doing next
47:18
might actually not be the thing you should do next
47:20
. Right , if you step back and think
47:22
about what's coming next , right , and that may be a
47:24
bit , you know , mushy
47:27
and philosophical , but , to
47:29
be honest , it's something that served me well throughout my
47:31
career . You know , and I'm doing it constantly-
47:33
yeah , yeah , that seems to
47:35
be .
47:36
you're literally at the sort of
47:38
like the peak of the mountain of what's next
47:41
or whatever . So I imagine that's something
47:43
you've really needed to sort of focus
47:45
on . So , tom , as we wrap
47:47
up today we've talked a little bit about Tanium
47:49
, but tell us more about Tanium
47:52
and the work you do to protect manufacturing
47:54
, industrial control and critical infrastructure
47:56
through endpoint protection .
47:59
Yeah , I mean Tanium is a platform you
48:02
know it's modern technology to
48:05
help companies streamline
48:07
their technology stacks
48:09
right . I mean it starts
48:11
with visibility and control
48:14
over your endpoints at scale right
48:17
, with high fidelity , and then you know from
48:19
there it's how do you streamline
48:22
the
48:25
management and protection of your estate and how do
48:27
you get rid of complexity Right . I think that you
48:29
know the one thing in technology that
48:31
stands in the way of most
48:34
organizations goals , you know
48:36
growth , profits , compliance
48:38
is complexity , right . Complexity
48:40
is the roadblock to all of this in
48:42
technology and Tanium is a platform
48:45
that helps you remove that complexity and
48:48
streamline the way you manage
48:50
and protect your estate right . So , everything
48:53
, from you know fundamental
48:55
asset management all the way up through you know
48:57
the more complex part
49:00
, parts of managing , of protecting your
49:02
state Right From . From you know security
49:04
and compliance Nice , ok
49:08
.
49:08
Love it . So yeah , one last question , and
49:11
then we can say goodbye here . If our listeners want to learn
49:13
more about you , Tom Molden , or learn more about
49:15
Tanium , where should they look at mine ?
49:19
Well , obviously , you know , taniumcom would be a good place to go . I think
49:21
we have a pretty informative and
49:24
useful website . I
49:27
myself don't have
49:29
too much of an online presence
49:31
, but certainly I am in LinkedIn
49:34
and I use LinkedIn , and so if anybody
49:36
wants to reach out and chat to me , I'm happy to connect
49:38
, and
49:40
I rarely turn down an interesting conversation
49:43
.
49:44
Fabulous . Well , I know our listeners
49:46
are good at providing those , so
49:48
I hope you all will connect up real soon
49:50
. But in the meantime , tom , thanks so much for
49:53
joining me today . I really enjoyed your
49:55
take on this fascinating security challenge . I
49:58
appreciate it .
49:58
Yeah , it was a pleasure to be here .
50:00
And thank you , as always , to everyone who watches
50:03
, listens and writes to CyberWork
50:05
with their feedback . If you have any topics you'd like us to
50:07
cover or guests that you'd like to see on the show , drop
50:09
them in the comments below . We will
50:11
do our best to get them . So before we go , I
50:13
always want to ask that you don't forget infosecinstitutecom
50:16
slash free , where you can get a whole bunch of free
50:19
and exclusive stuff for CyberWorks listeners . That
50:21
includes our new security awareness scripted
50:23
training series Work Bites . It's hilarious
50:26
. It's a set of videos in which a very strange
50:28
office staffed by a pirate , a zombie , an alien
50:30
, a fairy princess , a vampire and others navigate
50:32
their way through the age-old struggles of
50:35
yore whether it's not clicking on the treasure
50:37
map someone just emailed you making sure
50:39
your nocturnal vampiric accounting work at the
50:41
hotel is VPN secured and realizing
50:43
that even if you have a face as recognizable as the
50:45
office's terrifying IT guy Boneslicer
50:48
, you still can't buzz you in without your
50:50
key card . So go to the site , check out the trailer
50:52
. I love it . Infosecinstitutecom
50:54
slash free is still the place to go for
50:56
your free cybersecurity talent development
50:58
ebook . These are really useful . We've had a lot
51:00
of good feedback on it . You
51:03
can find in-depth training plans for
51:05
12 most common security roles
51:07
, including SOC analyst , pen tester
51:09
, cloud security engineer , information risk
51:11
analyst , privacy manager , secure coder , ics
51:13
professional and more . Once
51:16
again , infosecinstitutecom . Slash free
51:18
and , as always , the link is in the description
51:20
below . One last time , thank you to
51:22
Tom Molden and Tanium , and thank
51:24
you for watching and listening , and until next
51:27
time . This is Chris Senko signing off , saying happy
51:29
learning .
Podchaser is the ultimate destination for podcast data, search, and discovery. Learn More