
Christian Espinosa

Christian Espinosa: Episode 604

January 08, 2021

Transcript

[0:00:44] DA: Cyber-attack. It’s an ominous word that strikes fear in the hearts of nearly everyone, but especially business owners, CEOs, and executives. With cyber attacks resulting in often devastating results, it’s no wonder executives hire the best and brightest of the IT world for protection. But is that enough and do you understand your risks and what if the brightest aren’t always the best choice for your company? In Christian Espinosa’s new book, The Smartest Person in the Room, he shows you how to leverage your company’s smartest minds to your benefit and theirs. Learn from Christian’s own journey from cybersecurity engineer to company CEO. He describes why a high IQ is a lost superpower when effective communication, true intelligence and self-confidence are not embraced. With his seven-step methodology and stories from the field, Christian aims to help develop your team’s technical minds so that they become better humans and strong leaders who excel in every role. This book provides an enlightening perspective of how to turn your biggest unknown weakness into your strongest defense. Hey listeners, my name is Drew Applebaum and I’m excited to be here today with Christian Espinosa, author of The Smartest Person in the Room: The Root Cause and New Solution for Cybersecurity. Christian, thank you for joining, welcome to The Author Hour Podcast.

[0:01:59] Christian Espinosa: Thanks for having me, Drew.

[0:02:02] DA: Let’s kick this off. Can you give us a rundown of your professional background?

[0:02:07] Christian Espinosa: Yeah, I can give a quick overview. I started in cybersecurity when I graduated from the Air Force Academy. My first assignment was in the military at Brooks Air Force base in 1993. I’ve been doing cybersecurity really since 1993. Part of it has been in the military, the Air Force, then I was a defense contractor for several years after that. And then I was a freelancer for about six years and then I started Alpine Security, my company in late 2014. Throughout my career with the Department of Defense, commercial sector, military, I have been involved with cybersecurity along that whole route.

[0:02:53] DA: Now, why was now the time to write this book? You know, besides a large Russian hacking that happened recently. Was it because you had more free time on your hands or did you have this inspirational, maybe an “aha” moment recently where you said, “I need to put this down on paper.”

[0:03:10] Christian Espinosa: Yeah, well I definitely did not have more free time, I just decided to make it happen. What happened was, I don’t know if it’s about — it’s probably about four years ago, you know, since I started my own company. I’m responsible for figuring pretty much everything out. There’s nobody else to turn to. About four years ago, I was at a Zoom meeting, getting debriefed from my team about how a report review session went with a client and one of my lead engineers, he kept saying on that debriefing that the client just didn’t get it. Meaning, the client didn’t understand what my highly technical person was trying to convey to them. I had heard this many times before in my career but for some reason, maybe it’s because it’s my business, these are my clients, this is — revenue was at stake here. I’m not sure what was different but it just struck me differently, then all these dots started connecting. And I realized that this is something that is a global problem in my industry. And I need to take some steps to figure it out from my own organization and through that journey of figuring those things out for my own organization. I figured this — is some stuff I’ve had to learn the hard way and we’re currently losing the cyber security war like, incredibly. So I figured, something needs to change and I’ve gone through this journey with my own organization and made improvements in how our clients are able to improve their security. I thought, now is the time to contribute to the industry, contribute something to my fellow cyber security leaders and put down my lessons in a book.

[0:05:03] DA: Now, while you’re writing the book, did you have any major learnings or breakthroughs? Maybe through during some research or just by looking back at your experience and your journey?

[0:05:17] Christian Espinosa: Yes, writing the book was very challenging and I had to do a lot of reflection while I was writing the book. And some of that reflection was, you know, seeing myself in these scenarios like 15 years ago, even 10 years ago. I was one of the people that was highly technical with the same mindset that the client just doesn’t get it. I saw myself in a lot of the stories and a lot of the things I was writing about, I saw like an older version of myself before I sort of like gained the awareness of this problem in a different mindset.

[0:06:03] DA: Now, who is this book for?

[0:06:07] Christian Espinosa: Yeah, the book is really for three primary audiences. The first one is, anyone that is a leader of highly technical people, that’s the primary audience. Someone that is a COO, an IT manager, information insurance director, a CISO, somebody that has a technical team they lead and they’re trying to get the most out of their team and improve their internal organization or a client organization’s ability to protect their data. That’s the primary audience. The secondary audience are highly technical individuals in cyber security that might be struggling with, you know, how to communicate with clients, how to communicate with management, how to have more emotional intelligence. They would be like the secondary audience. And then the third audience is really, anybody that wants some insight into kind of a peek behind the curtain of what cybersecurity is like and what the personality types in cybersecurity tend to be like as well. Then also why we have a lot of challenges in cybersecurity, why we are not doing as good a job as we should be doing at protecting client data and you know, devices from being hacked.

[0:07:38] DA: Let’s start from the basics. What’s with people not being able to protect their own passwords? Is this an actual threat at the highest levels? And I remember that George Bush got hacked from his password and we all see him painting in a tub.

[0:07:59] Christian Espinosa: Right. These tie together. You can have a super secure, 20-character password with, you know, all uppercase, lowercase, all these other things. But if that password is stolen from a data breach, then it doesn’t really matter how secure that password is. We’re talking in the book here, a little more, not so much from an awareness perspective of how to secure your passwords, how to develop more complex passwords but this is a larger issue which is, “How do we, as cyber security leaders, help our people perform at a higher level so they can protect the database of passwords from being stolen?” Because what happens is, like I said, it doesn’t matter how secure your password is. If it’s stolen in a breach, let’s say LinkedIn is compromised and somebody figures out your password. If you use that same super complex password on hundreds of other systems on the internet, then you’re at risk yourself, same thing with a company.

[0:09:06] DA: Now, how much of an issue are cyber thieves? I like that you call them cyber thieves because sometimes, people hear the word hacker and they can’t really relate to it and cybersecurity sometimes think, “That’s above my pay grade.” But everybody knows a thief and everybody knows they don’t like thieves.

[0:09:27] Christian Espinosa: Yeah, it’s a big issue, it’s no different than typical criminals or thieves but right now, we’ve got a lot of people that have shifted their revenue, criminal revenue making model from more traditional attacks to cybercrime because cybercrime can be more lucrative. It can be hard to get caught and it’s relatively simple to get a big return on your investment.

[0:10:00] DA: Now, what does protection against these thieves look like? Can you give us your definition of cybersecurity?

[0:10:09] Christian Espinosa: Cybersecurity from my definition point of view is reducing the risk to an acceptable level that somebody can alter your data, steal your data, or create an outage for your customers. The reality is, we’re never going to reach a point where your data is 100% protected. It’s about reducing the risk to an acceptable level, really.

[0:10:38] DA: Now, why do you say that cybersecurity measures as a whole are not nearly good enough right now?

[0:10:46] Christian Espinosa: Well, I don’t think you have to take my word for it. If you listen to the news or read the newspaper or anything, there’s a different data breach pretty much every single day. We just had one a couple of weeks ago that affected the most secret areas of the government supposedly, and many corporations, the SolarWinds breach. These things happen on a routine basis and it forces, at least me, it always makes me think “If we’re so good at what we’re doing, then why are these things still occurring on a daily basis and on a massive scale.” It’s almost like, just when we think the biggest breach has ever happened, a week later, there’s a bigger one with you know, more users compromised and more data compromised. What we currently have been doing has not been working is really the challenge we have.

[0:11:46] DA: Now, you take an interesting turn in the book and you say that the software itself is pretty good, but the people and their egos are at the nexus of the industry’s failings. Can you talk about that?

[0:12:02] Christian Espinosa: Yeah, there’s a lot of emphasis in cybersecurity on technology and on process and some on people. The bottom line is, in the industry, we keep looking for the silver bullet from a technology perspective, this new firewall or artificial intelligence, intrusion detection system that’s going to solve everything but that’s not the case. The people and their egos are at the nexus dimension. Primarily because, from my experience, the personality type that are attracted to the industry tend to want to be the smartest person in the room which is you know, why I titled the book the title I titled it as. What that prevents is some open communication that prevents somebody from saying they just don’t understand something. It prevents simple solutions because some people would think if the solution is too simple, you know, they’re not smart enough to come up with a more complex solution. But really, if we were to analyze, like, most of the most recent breaches, it’s typically because of a misconfiguration or an unpatched system. It’s not some super complex way somebody got into the environment.

[0:13:26] DA: When you're hiring, are there some techniques that you have used to make sure that you’re getting the right people in your organization?

[0:13:36] Christian Espinosa: Yes and that this is not a perfect process, some of the techniques that we’ve used that we’ve had success with is to look for someone’s motivation and behavioral characteristics first, to see if they’re a good fit culturally. And a good fit for the position. This could be something like a DISC assessment or a TriMetrix HD assessment but looking at the person from a more holistic perspective. Instead of just, you know, their technical skills and in the industry with cybersecurity, there’s a lot of organizations that make hiring decisions purely on someone’s college degree or certifications which don’t necessarily equate to how effective that person may or may not be at the role that they’re going to be put into.

[0:14:29] DA: Now, specifically for one of the top roles, the chief information security officer, what should companies look for when hiring for that role, and in terms of what you’ve seen with other companies, have they been doing a good job with these hirings?

[0:14:46] Christian Espinosa: So, what people should look with, look for, for a CISO role is — not somebody extremely technical is the easiest way to put it. That role is really a C-level role, a chief role that primarily interfaces with the board or CEO. For that role, they need to understand cybersecurity in terms of the overall business and how cybersecurity can mature with the business. It is more of a leadership-type role so that I wouldn’t say being able to, like, go configure a firewall or have hands on the keyboard type-skills as a requirement for a CISO role. It’s more how to communicate effectively, how to understand strategy and how to implement that strategy that aligns with the business goals.

[0:15:42] DA: Now one of the cool things about your book is that you don’t just write about, you know, a how-to on various topics. You actually bring a lot of yourself and your career into the book. And you had a successful career in cybersecurity with the military and then at the public collaboration, you know, you went on your own for a while and then you decided to leave a pretty comfortable job and start your own firm. What caused this decision for you?

[0:16:08] Christian Espinosa: Good question. I had a job where I was the VP of the company. I was making, you know, a good salary and kind of like was living the American Dream as some people would say. I had met my — the definition of success according to a lot of people but I wasn’t feeling fulfilled. There was some misalignment between my view and the CEO’s view. And I just felt like there was more that I could be doing, so I decided to leave that job and it was the first job I had left without having something else lined up. I just decided, “You know what? I’ve had enough.” Like something just sort of snapped and you know, for me and I just decided, “I’ll figure this out without having the job lined up but I’ve had enough of this.” And I just felt like that job and what I was doing had a lot of merit but it wasn’t really congruent with who I felt I was. Yeah, I just decided to quit. And after I quit that job, I started a freelance career. And worked all my contacts. And after five or six years of that, I decided that the freelance work was easy. I was making a lot of money but I didn’t feel like I was growing as an individual. I thought, “What other way to grow besides start a company? So, I have to grow so that the company can grow. And then I can hire people and contribute, you know jobs to society.” Contribute on a higher level.

[0:17:46] DA: Now when you went off on your own, like you said, you did a lot of hiring and to make sure you did the right hiring — it’s not perfect but you created the secure methodology and a method to show you exactly how to boost your technical staff’s people skills so you could have open, honest, and effective communication. Can you tell us a little bit about the secure methodology and some of the steps involved?

[0:18:12] Christian Espinosa: Yeah, so the secure methodology is what I ultimately ended up creating with my own company. I had, kind of through trial and error, and a lot of testing, implemented and trained my people on various aspects of this methodology. And then when I started writing the book, it became more and more clear that this methodology really had seven major steps to it and the steps go in order really. The first step is awareness and with awareness, you know, if you’re not aware of your interactions in the world. Your blind spots, your world view, then it is going to be hard to change. So that’s why that’s step one. And in cybersecurity — because I tie all of these steps to the industry as well, we talk a lot about, you know, this is what I coined this term “uninformed optimism.” You know, it’s almost better to have, like, your head in the sand and not know how badly your security posture is. That’s a mindset a lot of people have but when you have informed realism, then you’re in a position to change and a position to improve but you have to be comfortable with that informed realism. Then the second step in methodology is mindset. Without having a growth mindset, then you’re not going to want to take the other steps in the methodology. And the growth mindset is really realizing that you know, if I have a high IQ, for instance, I can also develop my EQ skills. They’re not mutually exclusive. A lot of people like to use that as an excuse to not develop people skills, basically. The third step in the methodology is acknowledgement. And this is something I struggled with in the past, is acknowledging the work I’ve done to get to where I currently am. And with highly technical people, it is a challenge to get to develop the technical skill. Although, they should acknowledge for where they’ve gotten to from a technical perspective and the skills they have. The fourth step is communication. Communication is a, you know, a massive topic within itself. 
Within the world of cybersecurity though, communication is extremely important. And there’s a lot of speaking over people’s heads in cybersecurity. And there’s a lot of poor listening and if you’re trying to explain a problem. If a highly technical person is trying to explain a problem to a board of directors and the board of directors is not receiving the message, then the communication is not effective. I am a big fan of the saying that “A way to measure how effective your communication is, is by the response you get.” If your clients or your board of directors or your management or your girlfriend or anybody is not responding the way you intend to, to communication — then your communication is part of the problem. The fifth step, the fifth step I have in there is mono-tasking. So I am a big fan of mono-tasking. In the world today, we like to talk a lot about multi-tasking. But the reality is, with multi-tasking we end up doing a lot of things but getting nothing done. I talk about mono-tasking in the book because in order to move the needle with cyber security and to be a better communicator, we need to mono-task and be present when we are listening to somebody. Because if we are trying to communicate and we’re multi-tasking, our mind is not there and we are going to miss what the person is asking of us. I talk a lot about mono-tasking from the point of view of how to be more effective with your time and also how it affects, you know, being present with people you’re working with. Then the sixth step is empathy. One of the challenges with highly technical staff is empathy. And in our world today, we focus a lot on our differences rather than what we have in common or our similarities. It’s hard to have empathy with people when you purely focus on the differences like in cybersecurity, you know there’s the engineers also known as the nerds sometimes or the geeks and then there’s management, then there’s the customers. 
There’s all these like groups and the reality is they’re all just humans with a different role or different job to do and if you look at the similarities, it makes it easier to communicate and to understand the world from that person’s point of view. The seventh step is Kaizen. Kaizen is just a Japanese word for constant and never-ending improvement. When we’re looking at the secure methodology, it’s really a journey to improve your team’s ability to win the cybersecurity war and also improve their ability to be better human beings. It’s not a panacea, it’s a journey and that the journey is going to be different for everybody. It is important to understand you’re not going to master these skills from day one. You know, like, for awareness for instance, we can always become more aware and you know, mastery is a journey and it’s important to take the baby steps and realize this is not going to be an easy journey but as long as you’re improving that’s all that we can shoot for.

[0:24:03] DA: Now what is the balance in these steps? Can you pick and choose the ones that you think are just ‘catch your eye’ in the beginning or is this something where you really need to go through the steps one by one as they build on each other?

[0:24:18] Christian Espinosa: You can look at it both ways. Realistically, you need to go through them, at least from my point of view, in the order I have laid out. But you can take any step, read that step and learn something from that step and implement it immediately. If you’re used to multi-tasking and you read the chapter on mono-tasking, where I talk about, you know, how to schedule your day using time blocks, for instance. That is something you can implement immediately. And get some return on the investment from it. But if you just read mindset without looking at awareness, it is hard to have the proper mindset for instance unless you have some awareness of your own blind spots. Some of them, you know they all build on each other but some of them where each of them you can take individually and apply as well.

[0:25:14] DA: Now you also offer a lot of resources along the way in the book. Can you talk about some of the resources found inside of it?

[0:25:23] Christian Espinosa: Yeah, I offer — I don’t remember how many different resources there are but I feel like as you are going through the book, I want to give people at least point them in the direction towards resources to help them improve their ability. And some of the resources are as simple as another book to read or an exercise to do such as, like, ‘The Seven Levels Deep’ exercise, which is really about finding your underlying root reason for doing things. I give exercises like that and I tie in my own experience where applicable because I wanted the book to be not theoretical. I want it to be, you know, a book that has — you can apply and is tangible. That was one of the requirements I have when I wrote the book is, I wanted people to not just read this and think, “Oh that’s cool. You know that’s something that sounds interesting.” I wanted them to read it but if they wanted to really improve in these areas, I wanted there to be enough information from me as well as additional resources to help them connect the dots as necessary.

[0:26:39] DA: Yeah, it’s very much where you lay the groundwork but if you do use those resources, you can tailor it to your individual situation, which is really great.

[0:26:48] Christian Espinosa: Yeah, exactly.

[0:26:49] DA: Christian, I just want to say writing a book especially like this one that’s going to help so many business professionals out there is no small feat, so congratulations on finishing, writing, publishing and everything.

[0:27:01] Christian Espinosa: Well, thank you.

[0:27:02] DA: Now one last question, if readers could take away only one thing from the book, what would you want it to be?

[0:27:10] Christian Espinosa: That’s a good question. There are a lot of nuggets in the book. If I had to narrow it down to one thing, I would focus on the ego and there’s a saying I have in the book that “your ego is not your amigo.” Because ultimately, when we go through life and our ego shows up in lots of different ways that can negatively impact your life and we don’t even realize it because we are trying to protect this identity, our ego is that we don’t necessarily need to protect. This is important to me because when I was in college, my grandfather had a heart attack and you know, over Christmas break and I was there in the waiting room and for some reason, you know he was basically dying and for some reason, I couldn’t even hold his hand or tell him I loved him. It’s like, my ego because there’s people around, nurses and staff and I felt embarrassed. But you know I basically denied my grandfather something that I should have told him and it was because of the ego. It’s because my ego is in the way and I felt horrible about it ever since.

[0:28:21] DA: This has been a pleasure and I am really excited for people to check out this book and we just scratched the surface here. Everyone, the book is called, The Smartest Person in the Room, and you could find it on Amazon. Christian besides checking out the book, where can people connect with you?

[0:28:36] Christian Espinosa: They can go to my website. It’s christianespinosa.com, they can connect with me there or on LinkedIn, Twitter, you know the normal social media channels.

[0:28:48] DA: Thank you so much for coming on the show today Christian and best of luck with the book.

[0:28:52] Christian Espinosa: Thank you, I appreciate it.

[0:28:56] DA: Thanks for joining us for this episode of Author Hour. You can get Christian Espinosa’s new book, The Smartest Person in the Room, on Amazon. Also, you can find a transcript of this episode and all of our other episodes on our website at authorhour.co. For more Author Hour, subscribe to this podcast on your favorite subscription service. Thank you for joining us, we’ll see you next time. Same place, different author.
