Security Masterminds
The podcast that brings you the very best in all things, cybersecurity, taking an in-depth look at the most pressing issues and trends across the industry.
Connect with us on our LinkedIn page! - https://www.linkedin.com/company/security-masterminds-podcast/
Why a Data-Driven Cybersecurity Defense Will Protect Your Organization, With Special Guest Roger Grimes
Loved this episode? Please leave us a review and rating on your favorite podcast platform!
After leaving the CPA industry and becoming a computer trainer, Roger Grimes worked his way into the cybersecurity industry. Now a data-driven defense evangelist, he is determined to protect organizations from malicious social engineering attacks, but finds that even his advanced tools are no match for crafty hackers.
"Organizations need to defend their infrastructure by identifying their critical data to recognize and respond to threats. Utilizing a data driven defense allows you to detect and respond to threats more quickly and accurately than traditional methods." -Roger Grimes
Roger Grimes is a cybersecurity expert and data-driven defense evangelist for KnowBe4. He has held a variety of roles throughout his career, and his focus is on fixing the internet and protecting organizations from social engineering attacks.
In this episode, you will learn the following:
1. How did Roger Grimes go from being a CPA to becoming a cybersecurity expert?
2. What was it like to work with John McAfee?
3. How did Roger Grimes successfully bluff his way into the cybersecurity industry?
About Roger Grimes, CPA, CISSP
- LinkedIn: https://www.linkedin.com/in/rogeragrimes/
- eMail: rogerg@knowbe4.com
- Twitter: https://twitter.com/rogeragrimes
Show Notes / Links:
- Cuckoo’s Egg book - https://www.amazon.com/dp/B0083DJXCM?ref_=cm_sw_r_cp_ud_dp_FK52CJS8J6DAJ6JMZJTF
- Data Killers, John McAfee - https://www.amazon.com/dp/031202889X?ref_=cm_sw_r_cp_ud_dp_7N07KYGNG9GGSKMW5Q07
- FidoNet - https://www.fidonet.org/index.html
- Peter Norton’s Guide to the IBM PC - https://www.amazon.com/dp/0136619010?ref_=cm_sw_r_cp_ud_dp_FJ7E13ENVAFXZWR139YD
- CISA’s Known Exploited Vulnerabilities Catalog - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Connect with us:
Website: securitymasterminds.buzzsprout.com
KnowBe4 Resources:
- KnowBe4 Blog: https://blog.knowbe4.com
- Erich Kron - https://www.linkedin.com/in/erichkron
- Jelle Wieringa - https://www.linkedin.com/in/jellewieringa
- James McQuiggan - https://www.linkedin.com/in/jmcquiggan
- Javvad Malik: https://www.linkedin.com/in/javvad
- Music Composed by: Brian Sanyshyn - https://www.briansanyshynmusic.com
- Announcer: Sarah McQuiggan - https://www.sarahmcquiggan.com
This show's sound is edited by ProPodcastSolutions - https://propodcastsolutions.com/
I like multifactor authentication, MFA, I think everybody should use it when and where they can to protect valuable data. Uh, with that said, 90, 95% of it is as easy to bypass as a password. I'm Roger Grimes. I'm the Data Driven Defense Evangelist for KnowBe4.
Announcer: Welcome to the Security Masterminds podcast. This podcast brings you the very best in all things cybersecurity, taking an in-depth look at the most pressing issues and trends across the industry.
Jelle Wieringa: Organizations need to defend their infrastructure by identifying their critical data to recognize and respond to threats. Utilizing a data-driven defense allows you to detect and respond to threats more quickly and accurately than traditional methods.
Erich Kron: Roger has held a variety of roles during his career and now, as data-driven evangelist, his focus is on fixing the internet and helping protect organizations from social engineering attacks through his books and speaking engagements.
Announcer: This is episode 14, Why a Data-Driven Cybersecurity Defense Will Protect Your Organization, with our special guest, Roger Grimes.
Jelle Wieringa: Hello. Hello everyone. And hello Erich. How are you today?
Erich Kron: Doing well, and you?
Jelle Wieringa: I am good. I'm good. So I'm Jelle Wieringa and welcome everyone to this podcast. We have a lovely episode for you today. We're interviewing a good friend and colleague of ours, Mr. Roger Grimes. So Roger has been in the industry for a long, long time and he's considered one of the experts. Everywhere he does a talk, there's a warm welcome because the guy just knows so much about cybersecurity. So I'm really looking forward to that one today. Now, let's dive right into it. As with most of our episodes, we start out by asking how he ended up in this industry and how his journey and experience helped him to grow as a person, a cybersecurity specialist, and a leader.
Roger: Now I actually have a degree in accounting and I actually got a CPA, certified public accountant, and I passed that exam. I don't know how I did that, but I will say that I, I didn't really have a strong interest in computers while growing up at all, but in college, I finally decided to get a computer, and this was back in the days where hard drives were just being introduced. This is like 1984, 85, but finally in like 87, I, I decided I needed a computer at home so that I could write term papers instead of having to go to the labs at the university where I was getting a degree in accounting. And really quickly, like within the first six months of having a computer, I really got into fighting hackers and malware. I got into it really early. I read some books. I read a book by Clifford Stoll, The Cuckoo's Egg, where he tracks down the West German hacker using the honeypot. Oh, I read a John McAfee book called Data Killers and, actually, a very early book by Ross Greenberg called Flu Shot. But all three of those books in those years talked about hiding hackers and computer viruses and malware and it literally captured my imagination. And very quickly, between like 87 and 89, I was already professionally fighting hackers and computer worms and viruses and all that stuff. I became a member of the PC Antivirus Research Foundation, disassembling viruses. I disassembled DOS viruses for John McAfee for one or two years. And when I first started taking them apart, John would send me and a couple of other people maybe one virus every couple of weeks or months. By 1991, when he had his VirusScan shareware product going, it ended up being like he'd send us dozens, you know, in a day.
And it quickly became apparent that I wasn't gonna be able to disassemble viruses for free for John McAfee, but actually went into accounting, became a CPA, quit in a year. And it is interesting, so when I was an accountant, I was so bad that I never completed anything that anyone ever gave me. And the accounting partners, at the end of that first year, said, Roger, we'd like to have a meeting, and I knew that they only wanted to have a meeting with you because you're doing something extraordinary and you're gonna be promoted, or they want to talk to you about, hey, we're gonna start this process of firing you. So I remember that morning really being nervous and right when I was waiting to go into that meeting, the phone rang. It was one of the partners that was supposed to be in that meeting and he had gone by to a client's work site and instead of getting a balance sheet statement he deleted it, and he said, Roger, can you undelete this spreadsheet or whatever? And I was the guy they were always yelling at, cuz I was always getting in computers. I was always doing computers instead of my real work. Well, I showed up and I got that spreadsheet back and everybody was cheering. They literally had, uh, glasses of champagne when I had it back. And I went home. My wife's like, you smell like alcohol. And I'm like, found my new job. So actually the next day I went and the partner said, had to reschedule the meeting for the next day. And they said, Roger, this computer thing seems like it may be something we'd like to maybe one day create a computer arm. I went, I quit. I'm in the wrong job. I'm giving my two weeks notice. They literally called the building security guard and had him escort me to my desk to pick up my stuff as they fired me without two weeks notice. I had wasted a year of their time doing nothing. And uh, I'm putting my pictures and stuff in my, in my box and the security guard's looking at me, and the phone rings.
And all of a sudden it was this person from a company called ExecuTrain that did PC training, and they were calling for, uh, I told, uh, a secretary that had left, uh, the accounting firm that I would give her, you know, a reference. And they called, they gave her the reference, and the lady for some reason went, hey, do you know computers? Would you like to teach computers? I was like, yeah. I literally walked out of that building to ExecuTrain and became one of their instructors, and through that experience, I found out two things. One, I have incredible stage fright. Number two, if I can get past that, I'm a pretty good speaker, and I ended up teaching for years and winning all these ExecuTrain awards, which they called Trainer of the Year and all that. And then I became like a PC technician, a network technician. Eventually became like VP of IT, eventually worked for Foundstone, doing penetration testing and teaching Ultimate Hacking. Went to Microsoft for 10 years where I was principal security architect. And from there ended up at KnowBe4. And I realized I was doing all these advanced things at Microsoft. I was doing, implementing smart cards and RSA SecurID tokens, all this advanced intrusion detection and stuff, and every single client where I installed all the best advanced security stuff, they all still got compromised. How'd they get compromised? Social engineering and unpatched software. And after recognizing that for years, I realized I'm in the wrong place. I'm fighting the wrong problem. I'm putting in all these advanced security tools, it's not working. I got depressed and I actually intentionally came over to KnowBe4 because KnowBe4 was fighting the biggest problem, trying to fight social engineering.
Jelle Wieringa: I didn't know he was a CPA. We've known him for so long. Who would've thought that? It's interesting to hear him talk about how he got into cybersecurity, cuz he's been there since the old days. Since the beginning of viruses, it seems.
Erich Kron: Roger is a very interesting guy. His background is so unique with the CPA thing. He was also a paramedic, skydiver, BASE jumper, all kinds of interesting things like that. So Roger has definitely seen and done a number of things in his life, which I think rounds people out and gives us a, an interesting view of things, right? The more we do, the more we experience, the more we have to draw from.
Jelle Wieringa: One of the things he said actually was he worked for John McAfee, and we all know John McAfee as a very interesting person. So we wondered, we asked Roger, working with John McAfee, can you describe what that experience was like?
Roger: So I'm reading the books, I'm excited about fighting viruses and stuff like that. And I find, I read in a newspaper that John McAfee, he's starting to get national prominence for fighting computer viruses early on. I, I literally then run into him on FidoNet and I said, hey, I want to disassemble viruses for you or, or I want to get in this fighting virus still. And he went, na nan. And I said, can you gimme a virus? He said, no, I can't give you a virus, cuz if I give you a virus and you spread it, I'll get in trouble. But he said, if you bring me a virus, and there's, let's say there were only like four or five viruses during this period of time, you simply, if you bring me a virus, I'll know that you could have spread that, but you brought it to me, and so, you know, I'll let you in this virus disassembly forum. And so I sat around and I had no viruses. There's hardly any, literally at this point in time, this is like 88, 89. Viruses were so rare that John Dvorak in PC Magazine said that they're a myth and they don't really exist. Like it really wasn't even confirmed that there's such a thing as a computer virus. But I knew they were. But all of a sudden, a friend, I was working at ExecuTrain and a friend of mine says to me, hey, I heard that this bank has this computer virus, and he told me, you wanted to get a hold of a virus, so maybe you call them up. So I called them up and go, hi, I'm Roger Grimes from the PC Antivirus Research Foundation. It doesn't exist. I made it up. I go to the local OfficeMax, I get letterhead, business cards, a non-disclosure agreement. I gotta put on my best corduroy suit that I think I had at the time. And I show up there to help 'em. And what I told 'em was, I hope you get rid of the virus, but I need to make sure and see if it's a variant or not. If it's a variant, I have to report it, you know, that sort of thing, so we can take care of the signature. And I remember I showed up and there was a big boardroom.
Like I, I thought I was gonna meet a, a computer geek guy when I showed up. They put me in the middle of this huge boardroom, the chairs and the senior vice presidents and stuff. And they're like, what should we do? And I'm this young kid that's just bluffing, but you know, I bluff well, and I tell 'em, blah, blah, blah, blah, you need to do this and make sure you clean this. Well, you know, whatever I could come up with when I was 19 or 20 years old. And when they handed me that computer virus, I just remember it was like having the, the, the golden ticket for the Willy Wonka factory. And then finally I got through helping them and they went, oh, uh, the local university got a couple computer viruses. So again, there's only like four in existence in the world at this time, and I had one of them in my hands. They said, oh, and they sent me over there and all of a sudden, they gave me the, the computer lab was full of computer viruses at Old Dominion University, where I had actually graduated from. And I show up and they give me two more. So all of a sudden, out of the four computer viruses that exist, I have three of the four. So I get home and I finally uploaded them to John McAfee. I was like, here we go. And I said, I said, okay, how can I be a part of it? He goes, uh, I'm sorry. I can't let you be a part of it, or whatever. And I was like, what? I said, listen, you let me be a part of your thing, or I'm gonna make a separate thing and compete against you. I said, I, you know, I know what I'm doing, and I didn't know crap. And he, he said, he said, you're a cocky little kid. You remind me of myself. And that's how I got working for John McAfee. I bluffed my way in, and I try not to be unethical anymore, but apparently at 19 or 20 I, I was like more flexible about what was ethical and I did a lot of bluffing. And I actually had to learn assembly language, and John said, go read Peter Norton's guide for IBM disassembly.
And I read that book cover to cover and I learned how to do disassembly. I became really good at disassembling malware over the years. And, uh, but I used to tell people I can disassemble the most advanced malware, but I can't write Notepad. It was a very acquired skill. Yeah. Like, so I was disassembling viruses for him for free for years, and he kept saying, oh, wait till I get this company made and I'll bring you on. Then he formed the company, was making hundreds and millions a dime, and he kept talking about, we're gonna bring you on, bring you on. And all of a sudden me and the other guys found out that he hired some programmers in another country for cents on the dollar and he didn't have room for us on the development team. All of a sudden, after years of disassembling viruses for free. Or another time, at one point a reporter called me years later and said, did John McAfee ever pay anybody for computer viruses? I was like, well, yeah. Back in the days of what was called Fido, there was this, uh, you know, pre-internet days, and there was something called a virus bulletin. And John was just getting to the idea that he wanted to make this VirusScan program. Before VirusScan came around, if he found a malware program, you'd run a program just for it, just for the Stoned virus, and it would find it, and then you'd actually have to run a second program that would remove it. Well, he came up with an idea, I'm gonna make, and VirusScan early on had something that did all the detecting, another part that did all the removing. And so we still do two different programs, but they could find a lot of the viruses and malware at once. And so he actually put out on the FidoNet virus bulletin, hey, uh, do any of y'all have viruses? If so, I'll pay you 25 bucks or something. Cuz he just wanted to get the population of viruses and signatures to put inside the product. The next day there's like 190 brand new viruses.
Like he hadn't contemplated that people are gonna say 25 bucks is enough that I'll just code one up and send it your way. So he, he never paid anybody. He didn't mean to do it, but I shared with the reporter, I was like, yeah, he didn't mean to do it. Well, this is about the time John McAfee left McAfee Associates and, and it turned into Network Associates, and Bill Larson, his friend and CFO, took it over, and he was the monster, really even worse than John McAfee and everything. But Bill Larson's guy sued me, said, we're gonna sue you for saying that John McAfee paid for computer viruses. And I was like, what? And so I went looking through my emails to, to find it, because I'd kept the emails that had all of that from FidoNet from like 10 years before. And that's when I learned that 5 1/4" floppy discs stored in the back of your hot car trunk don't really exist well. Plus I had locked them up with encryption with Pretty Good Privacy, PGP. So it makes it all one blob, and one bad sector on the disk makes the whole thing unreadable. So I couldn't find the email and I called all my friends that knew about it and everything. Everybody knew about it. Nobody could find the email. So I called John and said, hey, John, your friend Bill Larson's suing me for saying that you, you know, and I told him the story. I was like, John, can you just call Bill and tell him not to sue? He's like, ah, Roger. Yeah, I just can't get involved. That was John McAfee in a nutshell. Not only did he not pay me for disassembling viruses for years, he felt I was beyond, at least too busy flying his ultralights to call his friend to say, yes, this was a true thing. You, you should not sue him. So I actually had to recant. It was, it was Network Associates against Roger Grimes about to be filed, and I was like, this 25 year old kid. I was like, I recant. I never saw that. And it was, uh, one of the most embarrassing events of my life because I had to recant and, you know, the reporter was mad.
And the, the service that had reprinted it had to recant it. It was, it was a pretty big bill in my life, and all because John McAfee was just too busy to help me out. That's, that's John McAfee. Did it benefit John McAfee to help somebody that had given years of their life in service to him? You know, what's the, what's the difference? Do I owe this guy something? No. The people that liked to invest knew him the least. And with that, I could still appreciate who he was, what he was, you know, and everything that he brought to the industry and that sort of stuff. You know, I can only say that I watched the Netflix video and I was like, wow, that guy's disturbed. The John McAfee I knew was much worse. He was a marketing grifter at all times. He was everything in that video and more. I, I would just say this, his career was of being a partner in somebody's company and them taking a picture and congratulating themselves and then two years later suing him. That was like the trajectory of his career. He was fun to be around. He was very charismatic. I mean, he just, you know, like maybe like a presidential candidate. You really get caught up in what he's doing and what he's thinking, but he doesn't want to pay the bills so much that he wants to sleep with your wife. That, that was kind of the, a nutshell piece of him. He, he was a tortured soul.
Jelle Wieringa: It makes me laugh every time, cuz Roger and bluffing, I can totally see him do that. Going into a building, standing at the reception desk, his default smile there, going like, hey, hi, I'm Roger Grimes. I need something. Social engineering to the max. He was already doing that when he was 19 or 20 years old and he hasn't changed today. He's really good at it.
Erich Kron: We, we've all kind of been there before where we've had to figure it out on the fly. I mean, e-especially in the early days, there was no Google, there was no way to search for stuff like this. You had to figure it out, and a lot of times you would go into something not knowing how you're gonna end up resolving whatever the issue is, but that was part of the challenge. The good news was there was rarely anyone else that knew better than you. So it wasn't like you were messing with people by taking on these jobs. It, it was a different time back then.
Jelle Wieringa: So talking to Roger, we kind of got the idea that most of his career is, well, self-taught. So we wanted to know, how does he approach this and how does he actually keep up with all of the latest advancements that we see in cybersecurity today?
Roger: What I love about our industry is about every five years you can just completely go into something new, right? So always DOS viruses and then Windows viruses and the macro viruses. And, you know, I want to get into quantum. And you know what I love is that if you want to, you can immerse yourself. There's never been a better time to go online and buy books and read magazines, and that's what I do. Like all of a sudden, I, I just really immerse myself in a subject, and that involves buying any books you can get on it. Magazines are great. If you have magazines on it, they're kind of going away, but the magazines give you the more topical events, and then going and hanging out on online forums with people a lot smarter. And lemme say, when I hang around in quantum physics forums, I quickly realized I was not the smartest guy there. Uh, but you know, you can't help but, if you hang out with them for six months or a year, you're gonna become smarter. And then when you go to talk to people that don't hang out in quantum forums, you sound like the really smart guy. Right. So that's what I'd say. I love our profession and I'm sure all of us, you know, have moved along and done different things. And if you're interested in something, if you wanna put some effort into it, you can become the expert of that day. Firewalls or viruses or quantum or whatever it might be, social engineering, and move yourself into that arena. I do. I, I think that we, we have the hardest profession in the world. I was married to a, a doctor once and she never had to study anything after she got her doctor degree. Right. She, if she had to learn something new, they came and gave her an in-house presentation and, you know, taught her at lunch. Me, I'm reading on the toilet, I'm reading in my car, I'm reading while I'm getting my haircut. Like I tell my people to come here.
I hope you don't mind, I'm gonna read, cuz I have a lot to read, and you're just trying to, do I need to know this? Do I need to know that? You know, so we have the most difficult profession in the world because it is so quickly changing. You don't know, is this the next thing that's gonna take off? Is cloud taking off? Is mobile taking off? Is, you know, whatever it is these days, the way the crypto and NFTs. But the great thing is, and the, the dual-edged sword, is that if you want to learn about it and become an expert in it, there's never been a better time to go get that information.
Jelle Wieringa: And I think that's the crux of, of our industry. It's cybersecurity is moving so quickly that you have to keep evolving yourself. You need to keep pushing yourself to get to that next level. And there's plenty of information out there, that's, that's definitely the case. Just need to figure out where to get it.
Erich Kron: And I think that's what draws a lot of people into this industry, is that there's, there's never a shortage of things to learn. A lot of us tend to be these folks that we're just insatiable learners. We get into these things, we check it out and we learn everything we can, and then it's time for something new. But the beauty of this industry is that something new doesn't have to be outside the industry. It can just be a slightly different direction. And there is so much more to learn about whatever topic it is you choose.
Jelle Wieringa: One of the things that Roger does is he talks on stage a lot. He's a public speaker talking about cybersecurity, and he does that all over the world. And what amazed me was the fact that every time he does that, he still gets stage fright, after doing thousands of talks. So we wanted to know, as a professional speaker, how do you deal with that fear? How do you deal with that stage fright?
Roger: Yeah. When I say stage fright, it's not a little bit. I'm talking about legs shaking, throat dry, throat closing down, head pounding, lightheaded, going to pass out, is what I'm talking about. Absolute panic. And lemme say I really enjoy speaking. So I don't know why I get panic attacks with it. But I will say that I've come up with different little things to try to fight it, and then, uh, you know, people like you and my coworkers give me, like James the other day. So Roger, if you get in a panic, ask the audience a question. Give yourself, cuz I was like telling him sometimes my, I start running outta breath cuz I'm speaking too fast, I guess. And he said, ask a question, the audience will kick in. And I, that's, what a great crutch to use that actually engages your audience and they'll like the talk better. And I remember in college I had to give the senior speech. I was doing the speech thing, I was scoring really well, I was doing good grades and all, but I had to do the senior speech. And I was super, super nervous and I could not get over shaking. So I decided I had this really, uh, smart idea that I was going to drink some alcohol. Cause I knew when I got a little buzzed that I wasn't as nervous. So I snuck in a bottle of wine. I think in my nervousness, I drank the whole bottle of wine. Turns out I got really drunk when you're at school at 9:00 AM drinking a bottle of wine. And I then began to, I was drunk in my senior speech and slurring my words, but the speech went so well. They actually filmed it and they showed it, uh, at least for years, to incoming freshmen at Old Dominion, cuz it was an anti-drug speech or something like that. But I laughed because I'm drunk during that talk. I'm telling kids to make sure they have the abstinence from drugs, alcohol, and sex.
Jelle Wieringa: To be clear, people, drinking is never good, but I love James's suggestion. Actually, when I go on stage, I do the same thing. I'm very interactive. That's what I tend to do. That's how I try to engage the audience, and it is a great way to give yourself a little breather now and then. It is a great way to calm yourself down.
Erich Kron: Yeah, that's interesting. Sometimes you just need that little break to get your thoughts back together. And that's a clever way to do that. It's a matter of just overcoming them though, and dealing with them the way Roger has. I mean, he is a great speaker, that's for sure.
Jelle Wieringa: And we all have our little tips and tricks. Since we as public speakers are always willing to learn something new, what's the one tip to help us with our public speaking?
Roger: Don't drink alcohol. Probably my, the number one tip I do, and I do this almost every single talk, is I will go talk to a few people in the audience and make them my friends. I mean, for that night, we are close friends. And as I'm giving my talk, I'm really looking out at two or three people in the audience. I have to remind myself to look away from these people so they don't feel like I'm staring them down. But I, I am talking to just a few people that I know that like me and that have trust in me, and that I'm continuing the conversation that we, as a matter, matter of fact, the best thing I can do is talk to them and then go walking on stage. I don't wanna wait that two or five minutes in the sideline with the. I wanna be talking to my friends, go off on stage, continue talking to my friends. Well, that's my number one hint, is I just talk to a few people in the audience and if I get nervous, I'm just talking to them.
Jelle Wieringa: There you have it. Yep. We all do the same thing, but it really works well. It's, it's one of those little tricks.
Erich Kron: It really does. You, you end up with a little bit of support as you go on stage, and it's just something that if your mind starts to wander, you can look at those people, believe it or not, and it can help you get your thoughts back on track.
Jelle Wieringa: One of the things that Roger is, next to a public speaker, he's a prolific author. He's written thousands of articles by now and he's working on his 14th book, I believe, and published 13 already. I wanted to know what was his greatest book and what brought him to write it. Probably his most famous book is the Data-Driven Defense one.
Roger: Without a doubt, like I, I call it, humbly, my magnum opus is A Data-Driven Computer Defense. At the time when it really hit me, I was at Microsoft, and I would go consulting with all these clients that had been compromised, and we'd be responding to a hacker event. And part of it was, why do we get hacked? And I would find out, at the time, most of the people were hacked because of unpatched Java. At one point, Cisco said, in 2005, that 91% of all successful web attacks involved unpatched Java, just one program that if you patched, would get rid of 91% of the risk of internet threats. Pretty big deal. And yet, every company I went to, they'd have unpatched Java. They'd be compromised by unpatched Java. They would be fined, people fired. And I'd say, listen, you got a lot of problems, cause we do a security review, we find 50 things wrong. Right? But I was like, your primary problem is you're not patching Java. You need to patch Java. And everybody'd say yes, and they would be compromised again because of unpatched Java. Never in my career of 20 years did a client where I told them what they needed to do to stop the hackers ever do that thing. And I talked to them again. I was like, why aren't you? I'm like, well, because we patched Java, it breaks everything. I'm like, yeah, but you can't just say no and leave it open. But I'm like, why are they not doing this? So I actually did research for a couple of years and I would ask every single client, and I went to from dozens to hundreds of clients a year for 20 years, with Microsoft, Foundstone and my private companies. And I would say, why are you not fixing this stuff? I found out this is basically, it's just competition for scarce resources, and your attention is being pulled into compliance and all these other projects and blah, blah, blah. And people didn't realize that today, social engineering is responsible for 70 to 90% of all attacks. Unpatched software is responsible for about 20 to 40%.
Password issues that are related to social engineering and unpatched software are another 10%, but those three things, social engineering, unpatched software, password issues, are responsible for 99% of the attacks. Yet there's no company that spends 3% of their IT resources to fight those problems. And it's a fundamental misalignment that allows hackers and malware to be so successful. So 18 years ago, I realized that people aren't concentrating on the right thing. So I made up this new, and initially I called it the risk-aligning defense, but then I said data-driven, that, hey, you need to figure out what's the most likely way for you to be attacked and then focus on the ways that you're most likely to be attacked. Like it's weird that I had to write a book to say, fight the ways that you're most likely to be attacked. And I use the allegory of, imagine there's two armies fighting, a good army and a bad army, and the bad army's winning for decades, and they're, they're being successful in the right flank of battle. Well, in the real world, that army would have to put more resources on the right flank of battle or else they would lose, right? And it'd be crazy if any person didn't try to fight the right battle. But in the IT world, when they hear that, hey, they're being successful in the right flank of battle, IT is like, okay, let's put more stuff on the left. Let's put more stuff on the center. I've heard that says tactic that could be coming in the future. Let's build up things vertically. Like literally they don't ever put any more resources on the right flank of battle. And then, like, someone realizes that and they fire the general. And the general that comes in to replace him keeps putting stuff on the left. Like, that is it. So it was a big wake-up call. I wrote a white paper when I was at Microsoft.
It got thousands and thousands of downloads from the moment that I finally figured out this is the number one problem in computer security, that people are not focusing on the ways that they're most likely to be attacked. It became what I live for and the message that I most want to communicate. So it was a white paper. It became a book. I'm now just getting ready to release the third edition of it and, and my number one goal in my professional life is to significantly fix the internet, to make it far less likely to be used by hackers or malware. That's my number one goal. I've got 10 years left and I'm gonna try my best to do it. I've been trying to do it for 20 years. I've got another 10 years. I'm actually starting to make some small amount of traction to that end. I'm actually changing national policy at times. I've written 13 books, 12 of them were for the money. The only one I really care about is Data-Driven Defense, and that's because it impacts every other decision. And what's so weird is that we are so hardwired into not thinking the right way, that people will watch me talk about it, read my book and go, man, that's great. That's great. They're so excited. But then immediately the next sentence they say shows me that they are still thinking the old way: I'll start by implementing the SANS Top 20. I've looked at the SANS Top 20 and almost none of it is really gonna protect you against the top three threats. It's like you don't need to do 20 things. You only need to do three things better to significantly protect yourself. Whatever you can do, try to help people not to be tricked by social engineering, patch your software and have different passwords for every site and service. That's it. That's 99% of the risk. And we know it. We have the data. There isn't a computer security survey that doesn't show social engineering as number one. Yet, it's amazing that we have a hard time selling our product. Most companies do training once a year.
It's the biggest problem that you could possibly ever fix in your company. Ransomware will lock your company up, destroy your revenues, make you lose customers and data and passwords, and your training is once a year?
Erich Kron: Ironically, Jelle, I find myself in a lot of my presentations recommending this book by Roger, and it is so fundamental and it is so simple sounding, yet missed by so many people.
Jelle Wieringa: I read the book and when I read it, it is a, well, extremely simple message and, and I think that everybody kind of knows this one, but it's still a wake-up call when you read this. And I think that's the power of this book. We, people, we're just, what we all know, we're horrible at assessing threat and risk, right? Well, if you follow what Roger says, well, you can spend your budget way more wisely. And I, I truly believe that is something that we in the security industry need to be doing more. Looking at where the real threat is, where the real risk for our organization is, not just blindly follow media or blindly follow others, but really assess it for ourselves. And based on data, determine where you need to spend your money to be safer.
Erich Kron: Yeah, it is kind of ironic, as much as we spend on things, kinda like what Roger was saying, oftentimes I find that it's spent in the wrong way.
Jelle Wieringa: So Roger has written the second version of his data-driven defense book. We wanted to know what we can expect in a further edition that's coming.
Roger: Probably the, the biggest change is being able to help people better implement it. So like if you're asked to implement the SANS Top 20 or the Internet Security Center's Top 10, if you're asked to implement HIPAA, Sarbanes-Oxley, GDPR, whatever it might be, the biggest part of that is how do I take this compliance, which may or may not really help me with security, and then drive it using the data so that it drives real security and reduces risk the most. So the first editions have these little smaller anecdotes of what a person could do, or maybe a smaller team could do. I have chapters dedicated to "this is how you change your entire organization in a real way using the data-driven defense". And even if people don't call it that, you can use it to implement your defenses. And you know, it really is. It's just about being risk aligned. The problem is that you're being told, everybody's being told that last year we had over 20,100 vulnerabilities, and the world will tell you that 30% of those are the highest criticality possible. Like they're all Log4j or something, right? It's not true. Only two to 4% of any announced vulnerability ever gets exploited by a real-world hacker against a real-world target, ever. Two to 4%. And you're like, well, how can we identify which ones are the two to 4%? CISA, the Cybersecurity and Infrastructure Security Agency, has a list called the Known Exploited Vulnerabilities Catalog, and it tells you which ones are being exploited. Like you don't even have to guess. You get to ignore the other 96% and have almost no risk of ever being hacked by unpatched software if you better patch the 4%, the two to 4%. So that's what data-driven defense is, and that's what I do. That's exactly what I do on the third edition, is just give people more real-world examples of how to implement a data-driven defense given what you're being asked to do in today's IT world.
Jelle Wieringa: I think that's really, that's solid advice right there. I think if a lot of organizations start doing that and start using the CISA Known Exploited Vulnerabilities Catalog, they definitely are safer.
Erich Kron: Yeah, I agree. It's, it's a great resource. It's definitely something to keep in mind. You do have to weigh what your individual risks are too, because sometimes those things may not apply to you. If there's a Java patch and you don't use Java, there's no reason to panic about it and, and go running on. So it's a combination of knowing what you have out there, knowing your network and what your individual threats are. That, and using these resources like the CISA list.
Jelle Wieringa: So I really do believe that data-driven defense is a way forward in our industry. Roger was talking about that organizations only need to focus on just that two to 4% of the known vulnerabilities. We wanted to know more and asked him to explain it a bit more.
Roger: Well, because they work so well. Right? So I think what's interesting about the two to 4%, and let me say most of the time it's been closer to 2%, now going up to about 4%, is that this is surprising to most people. It's not all Windows exploits. These days it's DVR exploits, web cameras, routers, VPNs. Here's a real good example of my data-driven defense brain. People always say, what do you think about VPNs? And I'm like, they're close to worthless. Like, what? I thought we've all been told... I can always see the IT people around me going, no, we just spent two years trying to tell our bosses they had to have VPNs. There is not a single person compromised by ransomware that didn't go, man, if I just had a VPN, ransomware wouldn't hit us. I mean, the problem is the attacks these days are attacking the end users and they're getting by your firewall and your antivirus. And your VPNs.
Well, if you look at the data: antivirus, firewalls, VPNs have provided very little protection. Yeah, sure you need 'em, but they are not your make or break. And what was interesting is over the last two years, one of the number one most unpatched programs used to exploit people was VPN software. So like by telling people, oh, you gotta have VPNs, they really didn't protect us much and they became one of the new biggest factors to exploit the companies that they were trying to get into. So be careful what you ask for.
Jelle Wieringa: And that's how a lot of organizations work, right? They buy into things because everybody tells you you need them, without doing proper research yourself first. And that, I think, that's when he talks about VPNs, I believe you need a VPN. I really think you need one. It is one of the extra steps you can take to make it more difficult for hackers to actually breach you. You shouldn't just look into or shouldn't just use one thing and think that's a silver bullet for everything.
Erich Kron: I would agree with you a hundred percent, and I'm glad you said that. I still do believe that VPNs offer value, but again, we know that, or we try to pass it off as the end-all be-all to things. The fact is, the VPN, bad actors know that most people use VPNs and so there's a good chance that, especially from people working from home, social engineering using the pretext of "this is the IT department, we need to check your VPN password", those attacks work because there's a good chance people are using one. So yeah, it definitely opens it up to everybody, or opens it up to, I guess, more potential abuse. But with that comes making sure that the people that are using them understand the limitations. Just like MFA, just like those other things, it's not the end-all be-all, but they can be helpful.
Jelle Wieringa: So that brings us to one of my favorite parts of this podcast. I, I always love this next question. It's a question we ask everybody. We always want to know from our guest what's the greatest failure or life lesson that they had throughout their career.
Roger: I will tell you this: if you know that my number one work goal is to try to better secure the internet, my failure has been in my inability to influence, to make that happen. And I've been trying for 25 years. I've written white papers that, if you follow the advice in the white paper, will fix the internet. They're literally called Fix the Internet. And I've had 'em for 25 years, and people that read it go, that's a way to fix the internet. So biggest failure, challenge, error is how do you influence the world? Like, it's hard. I can't influence the four of y'all to believe everything that I want. I can't influence the people around my dinner table to believe and think in the way that I think. It is really hard to influence what you need to to change the internet. So if I was to do anything, I would've started differently in my life. I would've started focusing on trying to figure out how to influence things. Let me say, and, and I'm 56 years old, I'm starting to finally, in this generation of my life, this part of my life, actually start to influence things. If I wanted to be successful fixing the internet, I needed to start that 30 years ago. So that's my biggest mistake. My biggest error is that I thought if I told people, well, here's my brilliant idea, that the world would come to me and say, oh, this is great. It doesn't work that way. You can have the best, best idea in the world, and the world is not gonna beat, you know, a pathway to your door. So how do you change the world? You know, one person at a time.
Jelle Wieringa: I like that advice. I really do. Because it's, it's, I think it's what we're all trying to do. We're all trying to make the world a little bit safer. And I like the fact that he wants to fix the internet. It wasn't designed for what we're using it for today. There are things we can do better, we can fix about our current internet. So I, I wanted to know from Roger, do you actually think the internet is fixable and if so, how?
Roger: The difficult problem with fixing the internet is, I have two competing audiences on the, the edge cases. I have the, the super privacy advocate people who say, I don't want you to track anything that I do ever, and I want to be able to do anything without you knowing who I am, with perfect anonymity, I don't want you knowing nothing about me. And then you have governments and law enforcement, which are like, I want to know everything about everybody. And let me say the US government has that goal. All police officers have that goal. That's their job. That's what they wanna do, is they wanna stop crime. And to do that, they're to identify people and actions. The United States has this at least bare thing where, hey, you're supposed to have freedoms. There are countries like China and over in Asia, and it's increasingly being India, that have no qualms about "we are spying on you about everything." Right? Like there is no small veneer of protection that you have, these legalities or privacy. Like no, we, we, not only do we wanna spy on you, if you won't let us spy on you, we're going to arrest you. Yeah. So imagine you're trying to solve that problem. My solution, the way that I've implemented it, solves that problem. I make both people, both groups of people happy. Even while they're yelling at each other saying, you can't do what you want to do, I still solve it. So how, you know, how do you, I think I've solved the hardest problem I can think of. It's not rocket science, but I think it's certainly a hard problem. What's interesting is, to fix the internet is not a technical problem. All the tech, the protocols and all the technical stuff we need to fix the internet, to make it significantly harder for hackers, malware to propagate, has been available for 20 years. We don't have to invent new technology. We have everything we need. It's a political problem, it's a consensus problem. And that is a tougher problem every single time anyways.
Jelle Wieringa: People have opinions, people have ideas and faults, and they don't always align. And I agree. I think that is part of the problem here, and that's certainly far harder to fix than it is with technology, which is binary. It's a yes and a no. It's, we can manipulate that. People, though.
Erich Kron: I mean, that's always a dynamic that we have to deal with, is the human factor. And this goes down to a lot of different ways. We've already talked a little bit about, uh, getting people to adopt technologies and, and that's much more difficult for some people than others, right? There's people that are comfortable with technology and then there are those people that are not comfortable with technology, and we have to plan for all of those. But yeah, the, the internet is fundamentally broken in the identity and access management side and could definitely use some fixing there, but seeing how that goes, yeah, that'll be a challenge.
Jelle Wieringa: Another great question that we're always asking our guests is what they feel the greatest threat to organizations is in the next 10 years.
Roger: Same as it's been for the last 40 years. Social engineering. People are like, what are the new, what are the top new 10 security trends next year we have to be worried about? I don't know. Let me, let me take a, a guess at it. Social engineering, unpatched software and passwords. Same thing it's been for the last 40 years. Email phishing is number one.
Jelle Wieringa: And he's definitely right about that one. It's what we see here, you know, every day, right? It's those three: social engineering, unpatched software and passwords. People, please do something about it.
Erich Kron: Agreed.
Jelle Wieringa: Roger is an extremely interesting person. It was great to have him on the podcast today. Just the importance of being honest about your security posture and your organization, and make decisions based on your real risk profile, spend your budget where it really helps best. Those are things that, that stick out to me from this talk.
Erich Kron: No, I agree. I, I think that message is just so important, about looking at what is actually a threat to your organization and using your own data to do it. I'm looking forward to the third edition of his book coming up and, uh, it is very interesting to chat with Roger.
Jelle Wieringa: So that brings us to the end of a Security Masterminds podcast. We thank you for listening, and don't forget to share this episode and the whole series with your friends, relatives, and everybody else that wants to hear and needs to hear about this. We thank you. And we'll see you next time. Say goodbye, Erich.
Erich Kron: Goodbye, Erich.
Announcer: You've been listening to the Security Masterminds podcast, sponsored by KnowBe4. For more information, please visit KnowBe4.com. This podcast is produced by James McQuiggan and Javvad Malik, with music by Brian Sanyshyn. We invite you to share this podcast with your friends and colleagues, and of course, you can subscribe to the podcast on your favorite podcasting platform. Come back next month as we bring you another security mastermind, sharing their expertise and knowledge with you from the world of cybersecurity.