CyberWire Daily - NACD Accelerate, Ian Furr’s Volunteer Work, & Bidemi (Bid) Ologunde Member Spotlight [RH-ISAC Podcast]
Episode Date: December 27, 2023
In this episode of the Retail & Hospitality ISAC podcast, host Luke Vander Linden is joined by John Scrimsher, chief information security officer (CISO) at Kontoor Brands, Inc., and Marcel Bucsescu, senior director of credentialing and strategic engagement at NACD, to expand upon the NACD Accelerate program. Then Ian Furr, security integration engineer at RH-ISAC, talks about his volunteer work with the Information Technology Disaster Resource Center (ITDRC) and the Fairfax County Fire and Rescue Department. Finally, Luke chats with Bidemi (Bid) Ologunde, intelligence analyst at Expedia Group, about his own podcast, The Bid Picture, background, and the trajectory of cybersecurity. Thank you to Fortinet for their sponsorship of the Retail & Hospitality ISAC podcast.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Good morning, good afternoon, good local time.
I'm Luke Vander Linden, Vice President of Membership at the Retail and Hospitality Information Sharing and Analysis Center,
and this is the RH-ISAC Podcast.
We do our best to try to be on trend here at the RH-ISAC.
Just over the past week or so, there have been numerous articles in both niche and mainstream publications citing the need for cybersecurity expertise on corporate boards of directors.
We identified this need a while ago, but from our little corner of the world, what could we do about it? Well, our members represent thousands of cybersecurity professionals
who have exactly the kind of knowledge boards need, including hundreds of CISOs and other
leadership-level professionals. Some may be perfect board material, but either just need to be pointed
in the right direction or may need a little training on the other stuff you need to know
to be a successful corporate board member. Luckily, there's an organization for that.
Last year, we partnered with the National Association of Corporate Directors
and recruited some of our member CISOs for their Accelerate program,
which trains and certifies individuals on everything board members need to know and do.
Our first cohort is making its way through the two-year program,
and the first member of that group has been officially certified.
I will be joined by John Scrimsher, CISO of Kontoor Brands,
to talk about his experiences and outlook as a prospective corporate board member.
I'll also be joined by Marcel Bucsescu from the National Association of Corporate Directors
to talk about their efforts to create competent, successful board members.
If that's not enough for one episode,
I'll also be joined by one of my colleagues here at the RH-ISAC, Ian Furr.
Ian is in our security engineering and integrations team.
He and I work together on onboarding members, getting them set up to share on our platforms.
But Ian has quite a robust life outside of work, volunteering with some organizations and at events to, what else? Keep people safe.
So it doesn't stray too far from his professional work with us,
but I'll let him tell us all about it. And finally, we have a member spotlight.
Intelligence analyst Bidemi Ologunde from Expedia will join me to talk about how he got into cyber,
what he does at Expedia, and his outlook for the future. So a pretty packed episode. As always,
we welcome your thoughts about the podcast or anything else.
Shoot us an email at podcast@rhisac.org, or if you're a member, hit me up on Slack or Member
Exchange. All right, now I'm joined by John Scrimsher, CISO from Kontoor Brands, and Marcel Bucsescu, the
Senior Director of Credentialing and Strategic Engagement from the National Association of
Corporate Directors.
Thank you both for joining us.
Thank you for having me.
Likewise.
Glad to be here.
Excellent.
So we're going to talk today about how there's a lack of knowledge of cybersecurity on many
corporate boards and how both our organization
and NACD are doing a little bit to try to solve that problem, do what we can from our little
perches in the world. But just for the sake of setting the scene, John, why don't you tell us
a little about yourself and your background and how you got to where you are today at Kontoor Brands?
Oh, well, I think like many people, I've been very fortunate to have
been in the right place at the right time at just enough times throughout my life to help build a
career. I've been working in cybersecurity and IT for about 30 years now through some very large
companies, very well-known brands, and across multiple different industries. So it's helped me to understand security engineering,
security architecture, security management,
and then business management,
making all of the partnerships
that I've made throughout my career
to help me understand how the businesses operate
and how I can better secure them.
So it's just been a great run.
That's great.
And so how would you say that your varied experience has shaped your professional life,
your personal life, and certainly what you do at Kontoor?
One thing it's taught me is that security is not industry specific.
And a lot of times you'll hear people say, oh, you don't have a medical experience.
You can't be a CISO for a hospital.
You don't have financial experience. You can't be a CISO at a finance company. And that's really not true.
So what I've learned over time is that security is about understanding the business. And you
understand the business by getting into the business and meeting with all of your business
partners, talking with your CEO, talking with your executive leadership team, talking with your board and understanding what their concerns are,
and then tailoring the security to fit that
and really kind of driving it from that risk management perspective.
And that really kind of led to me wanting to grow my career more
and moving out of engineering into management and eventually becoming a CISO.
And it's really made me appreciate all of my business partners even more.
That's great. So while the threats may often be sector-specific, the person doesn't have to be.
And I'm glad you brought up boards because obviously that's what we're talking about here.
So in the interest, again, of scene setting here, Marcel, can you give us a little more depth about the role of the board, the role of an individual board member or director?
Yeah, no, and thanks again.
This is an important discussion.
And as you alluded to, an active, ongoing one in the board space, namely the need for the kind of technical expertise, security expertise that John was talking about.
But if we step back and think about the board of directors, I think a lot of folks don't necessarily have a view into what happens in
the boardroom, who these directors are and the roles they play. And I think it's important to
set the stage there, as you said, on what that role is. At its core, directors are responsible
for the success of a company, right? They have something called a fiduciary duty, which in fact
executives have as well. But they have a fiduciary duty
which comprises a few specific duties: the duty of care, the duty of loyalty.
And those duties are to the corporations. They have to oversee the corporation and make sure
that management has an effective strategy in place, is managing the risks appropriately,
is allocating the capital and other resources in the right way to continue to grow the
company. And that's a really specific legal mandate, but also a very broad business one.
And so when you heard John kind of share his background and how he approaches his work,
understanding the business is really what being a director is about and helping management navigate all of the dynamics of business today.
So in that sense, it's both a very exciting role, a very interesting place to be,
but also a fairly complex one and one that comes with a large amount of responsibility,
including, by the way, personal liability, which I'm sure many of your folks are more than familiar with given their
roles. So I often don't talk about this unless someone asks, and frankly, they don't have to ask.
But in a past role, I worked in corporate governance at one of your sister organizations,
the Society for Corporate Governance. So I've seen from that perspective, the world of governance,
which includes boards of directors, change quite a bit over the last couple of years from A being pale, stale, and male, which is the same guys being on
lots of different boards. But then also this huge focus a couple of years ago on ESG. And now we're
seeing this renewed focus on cybersecurity as sometimes it's framed as part of ESG, but sometimes
it's just framed as being good governance.
So maybe you could talk a little bit, Marcel,
about how being a board member has changed drastically
over the past couple, just couple years.
Yeah, well, I mean, so cybersecurity isn't new in many respects.
It certainly feels like it's accelerated a lot.
But you pile that on top of what we went through in the pandemic,
the changing dynamics and relationships with the workforce and human capital.
I mean, the cybersecurity space is a prime example.
I mean, you two would know better the number of open roles we can't fill
because we don't have the skills.
Think about that across our businesses.
You know, having to manage through an increasingly complex economic environment,
having to manage through
an increasingly complex geopolitical environment.
And so the perspectives, the experiences,
the ability to connect dots, see around corners,
all of that happens in the boardroom
with management and the board,
with these directors that have unique experiences from different backgrounds, different parts of the
world, different points in the kind of continuum of business. And so all that comes together in
the boardroom, and it feels almost like it's all colliding right now at the same time.
And in that sense, it's elevating all this stuff, requiring these new skill sets that
frankly haven't been there, and really forcing directors and boards to take a hard look at
who's in the boardroom, what are the specific skills, experiences, business judgment they're
bringing, and how are they contributing to the good of the corporation. And so that's all happening
right now in the context of that ESG debate,
et cetera. It's an interesting time. It is. And I think you described it well by saying it seems
to all be colliding right now. So a couple of years ago, NACD started a certification program.
It's the Accelerate program. It's what we're here to discuss today. And it's great because
not only does it train and certify potential or prospective board members to be board members, it teaches them all these things, all the responsibilities and what the role is about.
Could you tell us a little more about the history of this program?
Yeah, I'd be happy to.
I'm sure we'd learn a lot more, frankly, from John.
So NACD launched the NACD directorship certification back in December of 2019.
And it's a certification in the true sense of the word. So I think many of your listeners are
probably familiar with other technical certifications they may have. There's lots in our world.
Right. I've seen the letters. We've contributed our own to the list. But it's a certification that
is developed by sitting board members. And what I mean by that is the first part of the
certification is an exam that checks your knowledge. That exam is based on a survey
of over a thousand directors that told us what their role is, how they spend their time,
how important that activity in their role is. And then we had another set of directors write the exam questions and a third set assess the kind of the threshold, the quality of the
responses needed to pass. So that's the exam piece. And then there's the continuing education
portion, which is 32 credits over two years of continuing education. I would argue that's really
the more important part because of all the dynamics we talked about before, right? You guys know you're out of a role
and pretty soon your knowledge base is stale. The world's just moving so quickly. So whether it's a
technical role or a business role, the same is true. And we have nearly 1,500 certified directors.
It's for both aspiring and sitting directors. It's actually intended for folks that hold the role. And they represent the full range of the U.S. economy from Fortune 50 to startups,
nonprofits, private companies, everything in between. That's great. And so obviously for us,
it was recruiting amongst our thousands of cybersecurity professionals and hundreds of CISOs, the folks who might be interested in serving on boards, and NACD facilitated that with a group cohort operation where we could recruit several of our CISOs to enter the program at the same time and work together on this.
And John, you were one of the members of the first cohort that we put together.
And in fact, you are the first of that cohort to pass the test and become certified.
So congratulations on that.
But tell us a little bit about what made you want to go into the program.
Well, for me, it was just, once again, expanding my own knowledge.
The continuous education is something that I've been passionate about throughout my whole
career.
I'm actually going back to school currently as well to get another advanced degree. And so the idea of just kind of expanding on my technical knowledge and my IT
knowledge and getting more relationship to the business was very appealing. And so wanting to
expand into board service is just kind of an appealing thing for the next iteration of my
career. And so when the RH-ISAC came and said, hey, we're talking with
the NACD about putting together a cohort. We'd like to get, I can't remember exactly how many
there were, but you know, seven, 10, something around there. We'd like to get a few
of you to go through this program and see what it's like. I was excited about it.
So how did you find it? Like, what did you, what were you surprised to learn? What did you expect
to learn? What did you learn?
It's not as easy as you think.
You think?
Running major companies isn't as easy as you think?
Yeah.
Well, I mean, just the whole idea of, you know, as a CISO, you report to a board on a regular basis. And I've reported to different boards at different companies.
And every board is different.
And you think that based on your own knowledge that you pretty much know how things are
going. And then you go through, start going through the materials and you start learning that
it's a lot bigger world than what you're seeing in your 15 to 30 minutes with the board.
And so just really kind of getting that understanding, you know, you start with your
first 15 hours of the program where you go through just to kind of get the, I can't remember what they
call it, but the initial staging to verify that you are prepared to actually study for the test
itself. And just that first 15 hours, you get a lot of information and you think, okay, this is
really good. I'm going to be ready for the test. Then you start reading the other materials and
find out you're looking at probably another 50 to 70 hours or more of studying.
And then in my case, it was taking that information and going and speaking once again with other business leaders,
not just at my company, but other companies.
I actually reached out to a board member and said, hey, I'm thinking of going through this.
I'd like to get your thoughts and understand what are the challenges that you face and how should I be thinking about things?
So just kind of going through that entire process, it gave me a lot more respect for the level of service that a board member puts in, the number of hours they put in on an
annual basis for an individual company.
And I know some people who are on five boards at once.
They're typically retired from their career and then doing five boards now is their next
career. But just the amount of time they put into it and having to have enough knowledge
to ask the right questions to provide that level of oversight to show your duty of care, as Marcel
had mentioned, and recognizing that cybersecurity is part of that duty and understanding that that
is one of the biggest risks that many
corporations face today, because in reality, there really is no business decision that doesn't have
a cybersecurity implication of some sort. So understanding that and incorporating that
question asking into that oversight duty of the board is something that I'm excited about
helping drive. And so I work to
either educate boards or participate on boards myself. So, I mean, this will also help you to
communicate to your own board, I would imagine, as well. Very definitely. I'm able to better
understand probably the background of some of the questions the board may bring to me,
and I'm able to translate the IT language to them a lot better as well,
because I'm able to put it more into the risk and financial terms that they're used to looking at
instead of the IT terms. So Marcel, looking at what now John and others like him who go through
the program or serve on boards can bring to boards now.
What do technology and security executives need to understand about the boardroom in order to be successful?
You know, I think John hit on a number of those points.
One, the breadth of the role, the breadth of issues that the board is thinking about,
and the way they're approaching them, right?
John mentioned that oversight role.
It's a different role in that sense.
If you're a board member, you're not solving issues per se.
You're not managing, you're directing, you're overseeing.
And so they do approach and think about issues in a different way.
And understanding that can be really important,
certainly if you want to serve in the board, but even when you're engaging with your board,
as John alluded to. I think the other thing to remember is that directors, some directors might
be on one board, other directors may be on five, as John noted, though that might be a touchy
subject for some directors. Those in the governance space will know the debate about overboarding.
But these directors are, these days, they're in your company or at your company more frequently,
but they're not there day to day.
And so there is an information gap for them.
You're going to need to do some re-education.
You're going to really think about how you're communicating information to them so it
comes across clearly. I'm not talking about gaming the communication or anything, but really in a way
that's effective so that it provides the important information for the board so the board can
do its analysis, make its decisions. And that can be a real challenge and takes a lot of
thought and care. That's why we see management spending so much time often thinking about what's presented, when, how, etc.
And then the other one is, you know, you do have to help your directors learn this topic.
There is a huge skills and knowledge gap here.
And, you know, it's an opportunity for your members, but it's also a big challenge. And it's a very
real one. Well, I think that's, you know, because we've been focused as part of this program on how
to take someone who knows cybersecurity and educate them at the board. But that's a terrific
point. What should board members know about cybersecurity? How deep do they need to go?
John, I'm sure you had opinions about this for all the boards that you've worked with in the past. So let's not be specific about Kontoor or any of your past employers. But
now that we've gone through this program and from your experience communicating with boards,
what do you wish board members knew about cybersecurity that would help
their oversight over what you do? I think the big thing is just, and what I've seen them do,
is keeping up with the news themselves of the types of risks
that are happening out there and asking questions about the type of metrics that are being reported
and the effectiveness of the metrics and making sure that the CISO or the CIO or whoever's
reporting those metrics can actually describe how they're addressing the risks that are being faced.
One of the things I do to help educate the board is I always spend probably the first few minutes of the presentation on
the headlines of the past quarter and how do those headlines impact this company or maybe
our competitors or things like that and what are we doing to address that to give them that
confidence that we are doing our job because they're, as I said, they're there for the oversight. We're there to do the job. And so my biggest role is to make sure that I'm
addressing their concerns, avoid fear, but I do avoid uncertainty and doubt. We want to make sure
that we're giving them the right level of information and that they're asking the right
questions to remove that uncertainty as well so that they know that we are doing our jobs.
So one of the best questions I've ever heard,
I haven't done this myself,
but I heard another CISO recommend it,
is one of the best questions to ask your board,
as a way they can help you,
is to ask all the other executives
when they're in executive session,
what are you doing to help your security team?
And so having the board start asking those questions
makes them start thinking about
what can they do about security as well.
I talk about how to incorporate security
into their daily lives.
I use examples.
One time I had a board member ask me
about the quality of a certain metric.
And I said, well, it's kind of like
locking your front door of your house.
It's not going to guarantee nobody's going to break in, but it's something you still always
check. And so just kind of getting them to start thinking in those terms of that cybersecurity is
just like everything else they're doing. And then they can start asking those questions that relate
it more to their life as well. Right. It removes the technical aspect of it because it makes it
more strategic. Marcel, NACD has done a lot of work and a lot of discussion about what boards should know about cybersecurity.
Obviously, you have a 30,000-foot view having access to a lot of boards and helping them out.
What's your view on what directors should know about cybersecurity to be more successful?
This is going to sound overly simplistic, right?
But nobody just wants to do the
bare minimum. That's not why they're serving on boards. But the bare minimum in many ways is much
the same as any other risk management exercise they take at the board level, right? They work
with management to ensure there's a process in place. And then they monitor that and make
adjustments on an ongoing basis. Like that's the floor, pretty low-hanging fruit there.
I mean, after that, I think that one of the interesting kind of areas of study that's
emerging, and this is where I think organizations like yours and other ISACs can be really
impactful, is when you talk about those directors that serve on multiple boards, you start to
see a lot of sharing across organizations to address some of these emerging issues.
And so I think directors being aware, as John said, of what are some of the latest trends, emerging threats, etc.
And directors aren't prone to sort of hysterics. So they're not going to read a news thing,
hopefully, and call up the CISO and be like, what are we doing to do this, right? That's not it.
But are they thinking about the trends? They're making the connections.
They're thinking about how they can take a learning from one board and perhaps
explore it at another company and vice versa.
They're playing that role like they would on any business issue and
ensuring that we're seeing as broad a picture as we can
and then also making sure they're listening to
the CISO, that they have access to them, that that individual has the resources they need to
be effective, right? This is as much resource allocation as risk management. And so helping
be that role that can connect it from the various different perspectives and aspects is really critical.
So I guess let's think about next steps. John, what advice would you give people who are thinking
about this program or thinking about board service? Or maybe they hadn't thought about it,
but now they're listening and they are thinking about it. Well, I would definitely encourage you
to think about the program. The biggest advice I
have is, once again, just networking and networking with other business leaders outside of IT and
security and understand what the business challenges are, either in your direct business or
maybe in your social circle. You may know other CEOs or CFOs or COOs and understand what are the types of things
that they're thinking about. You don't need to understand their roles completely, but just
understanding what types of things they're thinking about and how you can incorporate those into your
own thought process. So starting to get that thought pattern is really what's going to
probably help you the most as you go through the process. Excellent. And Marcel, any advice for John now that he's completed the certification part of the program?
What are his next steps for maybe potentially even getting invited to be on a board?
Well, I think John actually raised very early in this conversation one of the key ones,
and he said it again, which is reach out to folks you know, talk to them, find a sponsor or mentor, someone that can bring you along. I heard a
saying once that stuck with me. When you're looking for a board, it's not who you know,
it's who knows you at the right time. Board seats come up relatively infrequently. It's a long process. It requires patience. It requires a lot
of self-awareness about having, as John suggested, reflecting on what type of a role you want to,
what type of a board you want to serve on, what you bring to that beyond just your technical
expertise, by the way, right? That broader business experience and view. And take advantage
of many resources out there like NACD and others and your network, because it takes a real
commitment and focus to get there. But it's very rewarding if you want to do this and you follow
it through. It's very rewarding once you get there. Excellent. Well, Marcel Bucsescu
from NACD and John Scrimsher from Kontoor Brands, thank you both for joining us on the RH-ISAC
podcast. You've given us a lot to think about, and congratulations again, John, on your completion
of the certification. By the way, we just launched our second cohort to go through the NACD Accelerate
program. There's still time to be a part of it, though, and we will be bringing in new participants pretty much on a rolling basis for the foreseeable future.
So if you're interested, and if you're an RH-ISAC member, please shoot me an email or find me on
Slack or Member Exchange. I'll send you an application, or we can set up a call to give you more info. All right, now I'm happy to be joined by the RH-ISAC's own Ian Furr,
who's a security integrations engineer for us.
Welcome to the RH-ISAC podcast, Ian.
Hey, everybody. Thanks for having me, Luke.
So many of our members have met you or work with you in setting up their tools to work better with ours,
specifically our cyber threat intelligence tools and data.
So why don't you explain better than I can your role here at the RH-ISAC?
For sure.
Yeah.
So like Luke mentioned, I am the security integrations engineer here at the RH-ISAC. So it's my job to help our members consume the threat intelligence that is shared within
the RH-ISAC community.
So when somebody shares something in any of our platforms, it's my job to, one, help them get that information into whatever
platforms that we're using right now. That is MISP. So getting them to share that information
in a way that's consumable and easy to share into MISP. And then on the reverse side of that,
once that's been published into our MISP instance and processed by our analysts, to assist our members in consuming that intel into whatever tools they have in their tool stack, be it their antivirus or EDR or their network tools like a firewall or even into their SIEMs for alerting and analysis and things like that.
That's great because sharing is why we exist. And so we need to facilitate that and make it as seamless as possible. So before you came to
the RH-ISAC, what did you do professionally? Yeah. So before I was at the ISAC, I was a
penetration tester with a specialization in purple teams. So my role really helped tie together
red teams and blue teams so that we could establish that dialogue between them and ensure that things on one half of the team's radar would make it over to the other side so that everybody could benefit.
That's great. Well, we're very happy that you're with us now. You and I are on calls often together because we're onboarding or checking in with members and helping make that introduction to what you talked about earlier. One of my
favorite memories of you was just a couple months ago. We had a call schedule. We use Teams,
so we're on video. And when you came on, your camera turned on, you were in the middle of a
field. What was going on there? Yeah, so here at the ISAC, we've
been very accommodating of me and my volunteerism, we'll say. And that day, I happened to be at an
exercise for ITDRC, the Information Technology Disaster Resource Center. So I've been volunteering with them for a little over
two years now. I started out as a regular tech, and now I am the deputy director for all of FEMA's
region three, which is most of the mid-Atlantic states, Pennsylvania, Maryland, Delaware,
Virginia, West Virginia, DC. Yeah, that's all six. So I oversee a lot of the operations in that area. To backtrack a little
bit, I can talk about what ITDRC is because I kind of skipped over that. Please. Yes, I was just about
to ask. So it's the Information Technology Disaster Resource Center. They are a non-profit that
provides no-cost technology solutions to communities in need. The most common instances you'll see them,
if you are, for whatever reason, in a disaster area,
like something like Hurricane Ian,
they sent people and technology assets down there
to help get those communities back online.
So when a disaster comes through and impacts an area's technology,
that really impedes recovery efforts
because we use technology for
everything now, for tracking the forms you need to send to FEMA to get reimbursements or insurance
payouts to the computer-aided dispatch that police and fire and EMS services use. And in disaster
areas, technology is one of the first things to go down and one of
the harder things to bring back up because you lose a lot of that infrastructure. And one of
the things we try and do is bring as much of that in as we can. So we have communications technology,
we have radios, we have laptops that will bring in Wi-Fi to set up at survivor centers, and things like
that. Right, just to enable communication from a personal and professional level for all those
that need it. So when you're in that field, you're with that organization, I assume this was a
practice of some kind? Yeah, so as the deputy director of Region 3, I oversee a lot of the events and deal with some of the more haphazard ones, which is what this ended up being just because of the way it was coordinated.
But this was a search and rescue exercise with the Frederick County Sheriff's Office.
So they have a search and rescue team, as a lot of sheriff's departments do.
And part of that is they need to participate in practice exercises every once in a
while to maintain their certifications. And this is what one of those was. We went out to Camp
Rock Enon in the western part of Virginia, right on the West Virginia border, and set up a search
and rescue exercise. So they stuck clues that marked someone's path through the woods and set up a
scenario where a person has gone missing and they have to find and recover them. Part of
the dependencies for that, we'll say, is some tools that the sheriff's office uses to track
and follow those clues in that path, which require internet access.
And that's what my job out there was, was to provide internet access for those tools,
but also for the drone operators there. So in the background of some of my video of one of the later
calls that day, you could see a drone taking off and hovering right outside my car, which was my
office for the day before it took off and flew out to go
and try and get some imagery of where they thought that missing person might be.
Wow, that's really awesome.
So not a lot of hurricanes hit the Mid-Atlantic,
but where have you been deployed?
Or where have you had to use everything that you're rehearsing for?
Yeah, so I've been deployed a couple times.
The first one was when I was still living up in New York.
We did an exercise in Taughannock State Park over Taughannock Falls.
Oh, cool.
And we shot Wi-Fi across the gorge there just to simulate things
and to get us used to using some of the equipment.
So we set up some point-to-point stuff and shot it across the falls,
and it was a really beautiful day until it poured on us.
You get to go to some beautiful parts of the country.
Yeah.
Second one was a deployment to Fort Dix, New Jersey.
This was back in September of 21.
We had a large number of Afghan refugees coming over, because this is right after we had pulled
out of Afghanistan.
And we were setting up Wi-Fi so that the people that were coming over could get online and talk to their families
because they were living in an area that they were still setting up on base.
They were starting in these giant tents that had power,
but they didn't have much in terms of Wi-Fi or cellular access
because they were, one, using SIM cards from a different country and those don't always transfer.
But they were in the middle of a field in the middle of a military base.
So cell service and Wi-Fi were very spotty.
So we came in and set some of that up.
That way they could talk to their families.
But one of the most rewarding things coming out of that was we were setting up Wi-Fi near a bunch of the kids that were going through a school lesson because they had been here
for a couple weeks at this point. And by the time we'd gotten cleared to go in, they had gotten
classes set up just so that they could learn just basic conversational English.
And we were setting it up. And as we were setting it up, a bunch of the kids were like looking over to us
and trying to figure out what was going on
because we were wearing different shirts
than everybody else.
And through the language barrier,
we were trying to tell them what we were doing
and it wasn't really sticking until we said Wi-Fi.
And as soon as that happened,
a bunch of the other kids' heads whipped around
and you could see a bunch of their faces just
light up. No matter where you are in the world, Wi-Fi, common understanding. And I will say,
probably having two kids myself, they will understand that. And no matter where you are,
that's amazing. So how did you get started with this organization? How'd you find out about them and how'd you get involved? Yeah, I saw a TikTok of all things back
in 2020, I think, that talked about one of the volunteers at SheNetworks on TikTok and a bunch
of the other social medias. And she was talking about how you can get involved and how you can
join up. And I said, wow, that sounds really cool. I've always been a person that loves volunteering.
It's been a big part of my life ever since I was a kid in scouts. And I was like, well,
right now I'm not really doing much. It's the pandemic. I've got a real life adult job now and haven't really settled into anything volunteer wise. So this sounds like a great opportunity
for me to volunteer, but also use the technology skills I have. So I went online to the website itdrc.org,
found the volunteer signup form on there and figured, well, why not? I'll toss my hat in the
ring. Did that. A couple weeks later, started getting approvals and stuff like that. So I joined
up and now it's a couple years later and I'm part of our leadership team.
That's awesome. So this isn't the only group you work with though, is that right? Because I remember a couple months ago, you're also working at the World Games. Yes, that was the same group. So
yeah, we deployed down there to assist the Jefferson County 911. They had a need for some land mobile radios that would work with their system
and also support running a backup emergency operations center.
Great. But do you work with other organizations as your primary outlet?
So I currently am involved with two groups mainly.
ITDRC is the first one, but I'm also involved with the Fairfax County
Fire and Rescue Department. Yeah, so I'm still in the training phase right now, but depending on
when this releases in August, which might be next month, I'll be starting EMT school. So I'm going
to go through that and join up as an EMT with the volunteers there. And then hopefully next year,
go through firefighter school and do that as well.
Wow.
Excellent.
So you clearly have,
you mentioned the scouts,
you clearly have a history of volunteering from,
from an early age.
So,
but it's so great that you're able to use your,
your professional skills now to,
to help where you can.
Yeah.
Being a part of ITDRC has been amazing.
And even just those one-off experiences,
like with the Afghan refugees and getting to help those kids, it really brightens up.
Yeah, what an impactful story.
I mean, that's amazing.
How other ways has that impacted you, volunteering?
So I haven't only deployed out in the field.
I've also done some remote response stuff, be it supporting some of the wildfires or recent tornadoes and things like that that have come through. And getting to
see the stories in these communities of how impactful what we take for granted even minor
technology solutions are in a disaster area is huge. Because it can be life-changing for somebody
if they're able to get back online and talk to
their family. And I mean, in a disaster area, you lose cell coverage and you can't talk to them
anymore. So just letting them know that you're okay is huge. Right, right. We're supporting it.
Other than when you're deployed or if there's an emergency, because obviously you can't predict
that, what's the time commitment like for kind of the normal weeks
or months with this group?
So for me, because I'm on the leadership team,
we have some regularly occurring meetings and status updates
and things like that.
But for your average volunteer, it's as much as you want to get involved.
We're launching some new initiatives now with our remote response team
and some type of situational monitoring people
so that we can get ahead of incidents before they happen
and get ingrained in those communities to pre-stage resources,
but also to get our names out there so that people know,
hey, we're here to help.
And that stuff is hugely impactful and a pretty minimal commitment.
It's going in, getting your training done with ITDRC.
Rolls off the tongue.
Yeah, yeah.
Everything I do is acronyms now, it is.
But getting that training in and getting deployable.
And then after that, unless you're going out to deploy,
it could be maybe a couple hours a month
just to get to know the local emergency community or the local volunteer organizations that are active and say, hey, we're here to help.
Let us know if you need us.
This is what we can do, and this is how we can do it.
And that's something that any of our volunteers, from somebody that's gone out and put a couple hours in to somebody all the way up in the leadership team can do.
That's really great. I'm really glad that the RHI SAC is allowing you to do that and take some time with you.
Honestly, selfishly, it helps out your skill set, it helps out your leadership skills,
and you're able to do good for the world around you.
Is there a need? Obviously, many of our listeners, many of our members have skills that could be helpful in this arena.
Is there a need for more volunteers, both obviously in your zone, but also nationwide?
Absolutely, yeah.
So right now, we're sitting at about 3,700 volunteers, and we're always looking to push that number up.
More volunteers means more people might be able to respond, means more companies have us in their minds, which means that maybe we can stir up a
couple additional donations and things like that. So no matter where you are or what you do,
ITDRC can use your help. Just a couple weeks ago, we had a call for people to go out and climb
towers in Guam because they got hit by a typhoon.
And we're still working out some of the details on that one. So people might go, people might not.
But we use everybody from people that climb towers to people that set up firewalls and routers to people that want to handle the logistics and admin side of things. It takes a lot to coordinate flying volunteers all over the globe to writing grants
to apply to get funding or materials donated
or wrangling all of those materials to begin with.
So no matter what the skill set,
ITDRC can use you for sure.
So if anybody who's listening is interested in helping out,
how should they proceed?
Should they contact you,
or is there a website they can go to, or what's the process? If they want to, they're more than
welcome to contact me, and I can definitely give you a good reference. But the easiest way to do
it is to go to itdrc.org. All right, say the acronym slower. I-T-D-R-C dot O-R-G. Okay.
And click on the volunteer tab at the top and it'll pop up a little form
that you can just put in your details.
And once you do that,
you'll get an email that says,
hey, thanks for signing up.
This is what your next steps will be.
And it involves a little bit of training
and just kind of getting to know ITDRCs at work.
And then from there,
you're ready to apply
and excited to see in the field.
That's so cool. And if someone wants to get in contact with you about automating their ingestion or sharing of CTI, what's the best way to go about that?
Yeah, you can find me on the RHISAC Slack. I'm always online there. And if not, you can shoot
me an email at ian.furr at rhisac.org. Excellent. Ian, thanks very much for joining us.
Good to see you in this context,
and I'm sure I'll see you again soon
with a call with one of our members.
Absolutely.
Thanks for having me, Luke.
All right, and now I'm joined by Bidemi Ologunde,
or Bid, you've told us we can call you,
Intel Analyst at Expedia Group.
Welcome to the podcast.
Thank you.
Thank you so much.
Look forward.
Now, I happen to know that you're no stranger to podcasts.
You have your own podcast.
So tell us about that.
Yes.
So thanks very much once again.
My name is Bidemi.
I also go by BID, as a lot of people know.
And that dovetails into the name of my
podcast, actually. So it's called The Bid Picture. And on The Bid Picture, I talk about cybersecurity,
intelligence analysis, the daily implications of cybersecurity. So my audience ranges from
executives to parents to grandparents to basically something for everybody.
So that's what I talk about on The Bid Picture podcast.
Well, a lot of people come on this podcast and they say that they've never been on a podcast before.
And so to be gentle with them, but you're an experienced,
so we're going to expect a lot of great things from you over the next couple of minutes.
So welcome again. So tell us a little bit about your background.
You're in cybersecurity, you work at Expedia Group.
How did you begin your career in cybersecurity
and how'd you get to where you are now?
Thank you, thank you.
So to start off, I just wanted to,
a little caveat before I say anything further,
the opinions and perspectives
I'm going to be sharing on this podcast
are mine alone and do not reflect opinions
and perspectives of Expedia Group.
So to jump into the question, I started in cybersecurity about 15, 20 years ago. So back
in Nigeria, where I'm originally from, I studied electrical engineering for my undergraduate degree.
My research and focus back then was wireless network security. So that is a good transition into the network aspect of cybersecurity,
network security, making sure perimeter firewalls and everything is well secure.
So gradually, when I finished my grad school here in the U.S.,
I was able to just transition naturally, like I said, into cybersecurity,
incident response, SOC operations, a little bit of forensics and
threat intelligence in the latter part of my career so far.
Yeah, so that's, I would say I took an academic route into cybersecurity.
Right, because not everybody does that.
How long have you been at Expedia?
And tell us a little bit about your role there.
So about a year so far at Expedia, basically what my job entails is making sure that all the security teams have the tools and the perspective, the context they need.
So whatever threats we're seeing out there, how would it affect us internally?
So that's my role as an intelligence analyst.
So I basically advise all the security
teams and it's a two-way communication. So what they are seeing, I provide context. What I'm
seeing, they give me context regarding that. So that's kind of the nature of my role as an
intelligence analyst. So what do you see as the biggest challenges right now? Not only, I guess,
you could tell us also your personal challenges in the role, but also the challenges that you and your team face. What do you see it out there?
AI tools. Incidentally, the threat actors, all the bad guys out there, they're also using these same tools to be able to fine-tune their processes, their attack vectors, to be able to get into
networks and devices easily. So the challenges I see is being able to stay one step ahead of
these threat actors, being able to think like them, being able to, I would say, predict how they would use
the same tools we are using to defend,
how would they use these same tools to attack?
So that is the cat and mouse game
that is basically defined for my role on a daily basis.
So ChatGPT came out about November last year.
Everyone has been using it in every industry.
Of course, these threat actors are using it to compose phishing emails.
So now we see phishing emails that don't have grammatical errors.
That is something that keeps people like me up at night.
Right. It used to be so easy for many of us, most of us, to tell a phishing email,
and now it's really much more difficult.
So that's a fairly new tool.
Obviously, it's incredibly powerful.
It's going to be something that is going to be used by everybody for good and bad.
What other tools have you seen like that that are also used for good and bad
that you've had to deal with in your career?
So far, social engineering, which I would say phishing and social engineering,
they kind of go hand in hand because what's social engineering?
It's basically trying to get someone,
manipulate someone or convince someone
to do something they would rather not do.
Phishing is a good example of that.
Another way social engineering is being carried out
is now a lot of people use social media
to share details of their lives online.
Their kid is having some kind of graduation party,
they post it on Facebook, they travel on vacation,
they post pictures of themselves on vacation.
That is all well and good because it brings people closer.
However, thinking again like the bad guy,
I'm using all these social media posts
to gather as much data as I can about my target,
whether it's an executive,
whether it's the lowest level employee in an organization.
People go on LinkedIn, for example,
to post pictures of their badge to say,
oh, this is my first day at this company.
I was fortunate enough to get a job during the pandemic.
Here I am starting my first job.
The picture of that badge is a security risk
because now I know what your badge looks like.
I can go ahead and make a fake copy and get into any of your locations anywhere in the country. So social
media is one example of something that is intentioned well, but then of course, the way
these bad guys think, they can basically use it to mop up data about individuals and organizations.
We've seen where they use social media to get data about vendors to then get into a larger organization.
So that happens all the time.
Yeah, well, let's talk about that.
I'm glad you brought up vendors because regular listeners of the podcast
know I love to talk about third-party risk.
But in your industry, you are a vendor.
Expedia is a vendor.
You deal with a lot of our other members, which
are hotel properties. You also work with a lot of consumers directly. And you have a multitude,
thousands possibly, of additional vendors. So how do you figure that out? And how do you protect
all of those inputs into what you're trying to defend? Right, right. So let's take a step back and look at this concept from a holistic point of view. So take, you post on social media unless, of course, you have your social media page set to private.
So the best an organization can do, not just even Expedia, any organization, whether you're dealing with an HVAC company or you're dealing with a company that is handling your tax information or you're dealing with whoever it is you're dealing with,
credit card companies and so on,
the best you can do is to make sure
that they have contracts in place
to make sure that you guys handle your data effectively.
We are going to handle our data effectively
so that nobody's calling each one another up at 2 a.m.
Because the best you can do is just,
just like you wouldn't leave your front door open.
You wouldn't park your car in your driveway
and just leave the door open.
You would lock your door, lock your car door
and go to bed at night hoping that
no one's going to come mess with your property.
The same way companies should make sure that
everybody they're doing business with
should make sure they have their data locked down
and all the customer data locked
down because it's easy for one person's data to serve as a jumping point into another person's
data. So that's the best analogy I can come up with. Yeah. It's a great analogy. And frankly,
I have a number of friends who leave their doors unlocked and their cars unlocked at night,
but they're also the same people who are probably reusing their passwords. So it's consistent whether you're talking physical or cyber.
So there seems to be a thread in a lot of what you're saying, social engineering,
human beings trying to engineer your way into their lives. Certainly social media is great
because you don't have to do research for these kinds of targeted attacks anymore. You just have
to go to one site and everybody's just giving you everything you need to know.
Over the course of your career,
have you seen a big change in the way that bad actors operate?
Or is it always,
let's take a technology
that has been developed for good,
well-intentioned, as you said,
and figure out a way to make it bad?
Whatever it is,
the flavor of the month.
Right. Actually, there is a mix of everything.
And threat actors are very enterprising, which is one of my favorite words.
They would look for the easiest way to accomplish the most,
I guess for them, the most good, which for us is the most bad.
If, for example, someone reuses their password, my Gmail
password, for example, if it's the same password I use on some gaming websites that I just forget
about and I'm using the same password. So Gmail is quite secure. It's difficult to, you know,
go hack Gmail. But then if someone lays their hand on my password from that gaming website
that I don't pay attention to, then they try that same password on thousands of websites. There is
software to do that, and all they need to do is just find one hit. Maybe it's from my Gmail, maybe
it's from my Costco account, maybe it's from my Target account. Now they are inside. So that's an example of using the barest minimum effort
to accomplish the most damage.
Another thing threat actors do, like I said,
is going into social media
and then just looking at people's profiles
and seeing, okay, this is this person's high school.
The name of the high school mascot is whatever,
Teddy the Bear.
And then this person's mother's maiden name is this because there is this event, family reunion, they attended.
And they took pictures and I see the banner from the family reunion and I get the mother's maiden name.
And then on and on and on.
So there's different methods these threat actors use to just achieve the most bad with the least amount of effort. Another example I gave
earlier was people posting pictures of their badge, work badge on LinkedIn. That is something
for people to rejoice with and people say congratulations, but I'm looking at that
picture differently. I'm not saying congratulations because there's nothing for me to congratulate you
about. I'm trying to get into your company's network. Now I have an insight.
So it keeps evolving, basically.
Well, you know, I can go back to the door analogy that if someone really wants to get into your house
and the door is locked, they could probably still get in,
but they want the least amount of effort, right?
So if it makes it a little difficult for them,
maybe it'll stop them.
And probably that's true amongst most of the threat actors
in cybersecurity as well.
Yeah, yeah.
And something, I think it was one of the FBI directors
or someone high up in the FBI that said this statement
that if someone wants to get into your network,
having the best security would probably delay them.
If they're really determined,
they would find their way into the network. So
if you reuse your passwords, you're making it easy. If you have two-factor authentication,
you're making it not easy, but then there's so many other ways someone can get into your network,
into your account, and so on. Right. They'll keep trying. You sound very passionate about what you
do. I think you like it a lot, just from talking to you for the last 10 minutes. What advice would you give someone who's considering going into cybersecurity, whether the academic route like you did or on their own, maybe career switching?
What's the best way for someone to break in or develop the passion like you have?
Thanks for that compliment.
And it's something I keep getting this from all kinds of people, my parents, my wife, even my son, who is four years old.
He keeps saying, Daddy, I want to talk into the microphone.
I'm like, oh, okay.
So the best advice I would give is find something you're passionate about and go all in, which is something I would do for myself.
When I say go all in, I mean every opportunity for you to learn,
embrace it, whether it's free resources on YouTube, free resources on LinkedIn Learning,
or whatever website that is out there. I don't know all the websites, whether it's just one-on-one meetups or local events, local cybersecurity meetups, or even podcasts like this one that we're on right now.
Every opportunity you can to learn about this field, this cybersecurity field, it's multifaceted.
There is not just one aspect of cybersecurity. I tell a lot of the people I'm mentoring that
whether you're coming from the medical field, whether you're coming from a legal background,
whether you're coming from even carpentry, which a lot of people find fun, you have the skills to pivot into cybersecurity. And it goes way beyond just even being curious
and wanting to learn. It goes beyond having this end goal in mind that I want to be able to
make whatever impact in my little community, or I want to be able to host events at my local public library
to tell kids about cybersecurity.
I want to be able to advise family members of mine
about the benefits of having different passwords.
I want to be able to impact my friends
who just post anyhow on social media
and telling them that they need to log.
Whatever it is that is your why,
which is a cliche by now, find your why,
I would say that would make going all in easier
because there's going to be ups and downs.
There's going to be times when you question,
what am I doing exactly?
That why, that answer to the why,
is what would keep you going.
Right, you can always go back to it.
You know, it's interesting,
in all the kind of threats that we were talking about
in the first half of us talking,
you didn't mention a lot of technical things.
It was social engineering, it was things that are fairly common
like MFA and changing your passwords.
And in all those careers that you said that you see people pivot to cybersecurity,
not all of them are technical either.
Your background happens to be technical.
So there's definitely room for the non-technical folks in cybersecurity.
Yes, yes.
And like I said, it's not even tech.
People think cybersecurity is only for nerds that wear glasses and spend hours on the internet or hours on the computer in the dark basement drinking Red Bull and mounted.
No.
With the hoodie.
By the way, that certainly exists.
That certainly exists.
But it's not everyone.
Right.
I tell a lot of my friends and family members
that there are hackers who wear military uniforms.
There are hackers who wear suits and tie.
There are hackers who wear sweatshirts and sweatpants.
There's all types of people you'll find in cybersecurity.
And on the good side, there are the good guys who wear all those different outfits I mentioned earlier.
You don't need a technical background only to be successful in cybersecurity.
So Expedia is a fairly new member of the RHI SAC.
You're fairly new at Expedia.
Is this your first experience with retail hospitality ISAC or any ISAC in your career? So this is not my first experience with ISACs,
but this is my first experience with the RH ISAC. So like you mentioned, I started at Expedia just
about a year ago. I find ISACs in general a good way to just collaborate and learn. I'm always
active in my previous roles.
I was a member of the FS ISAC,
the financial services ISAC before.
I was always active on those
because I see it as an extension of my curiosity.
I get curious about all kinds of things
and then I just go on ISAC and the Slack channels
or whatever platforms the ISAC is using.
And then I just, you know, collaborate and ask questions.
If there's a question I can answer, I answer. And the best part of ISAC for me personally is that the fact that
there is this guidelines that basically shapes information sharing. So it's not that you just
go on and you're spilling all your company secret. No, there is guidelines both internally and then each company has the way they engage on ISAC.
And then even the RH ISAC itself
and all the previous ISACs I've worked in,
there are guidelines.
You can't just come and post up this TLPs
and traffic light protocols.
There's amber and there's red and there's white and green.
So white and green means, okay,
you guys can share this with everyone else.
It's open source.
Yeah.
Amber is more guarded.
Red is even more guarded.
And then there's strict.
And those guidelines is what I find very, very helpful.
Because me personally, I wouldn't want my company's information to just be exposed,
even if it's on a sharing platform, not to mention just
exposed on the clean edge anyhow.
So the fact that those guidelines are in place and everyone sticks to the guidelines is a
big plus for me.
Well, that's fundamental to creating a trusted environment so that you know you're not just
spilling your company's secrets out there and they could get out there in the wild.
So what do you find yourself using most in the membership?
You talked about the sharing platforms and protecting what people share.
Are you mainly looking at cyber threat intelligence?
Are you involved in any of the working groups?
Just love a little feedback.
Yes, so I'm involved in the dark web working group.
We meet every other Friday.
I'm fairly active on there.
Of course, every other working group I see in the general channels,
I try to join just to get a feel of what's going on there.
Like I said, I'm a fundamentally curious person.
I like research.
I like investigations.
I just like to know things.
My wife will tell you,
I like to know things so much that it gets me in trouble sometimes.
But that's another podcast entirely.
So just-
Yeah, save that for your podcast.
Got it, got it.
So just being curious, trying to, if I see a working group meeting coming up, I look
at my work calendar, if time allows, then I just pop in, I stay quiet, I stay muted,
and then I listen to what's going on.
And then it's just an opportunity for me to learn more, basically.
Excellent. That's great.
So I often ask my guests to predict the future,
to pull out your crystal ball and say,
tell me where cybersecurity is going.
You can focus on any aspect of it you like,
the good guys, the bad guys, just in general regulations,
whatever you've prognosticated in the past,
what's happening in the future?
So I think with the rise of AI,
we're going to see a lot more new,
not exactly new ways of attacks and threat vectors,
but just new methods.
For example, phishing, like I said earlier,
now phishing emails are going to be harder to detect because it's going to look just like a regular email that a particular company sends.
Because it's possible to develop some fancy tool that says, write an email that would look like how Coca-Cola employees communicate with each other.
Maybe that exists already, maybe not. I don't know. But it's not too far-fetched to predict that.
Another thing is social engineering. We see social media becomes increasingly embedded into society, which leaves room for social engineering to become even less detectable. And something else to pay
attention to is the fact that remote work was kind of like an experiment. Now everyone is trying to go back to the office.
We might see some companies still keeping remote work as a fundamental part of their own culture.
Maybe phishing emails come up regarding that kind of setup.
Maybe HR-related phishing emails saying, we have this position.
It's fully remote.
A lot of people want to do fully remote work.
And the whole thing is bogus
just to be able to capture your data through your resume.
People are going to be desperate enough
to not verify the source of an email
before sending a resume
simply because the job is claiming to be fully remote.
So that's just something to pay attention to.
Right, excellent.
Well, this is great, Bid.
I really want to thank you for joining us on the RHI SAC podcast.
This has been a great conversation.
And keep doing your podcast as well.
There's room for all of us out there.
And keep sharing and contributing to our community.
It's been great talking to you and great seeing you out there on the sharing platforms.
Thanks, Luke. Thanks for having me.
A huge thank you to all of my guests today.
John Scrimsher from Kontoor Brands and Marcel Bucsescu from the National Association of Corporate Directors.
Once again, if you're interested in the Accelerate program from the NACD and you're an RHI SAC member, you can be in the next cohort of participants.
Just shoot me an email or find me on Slack or member exchange. I'll send you an application where you can set up a call
to discuss the details. Also, thank you to Bid Ologunde from Expedia and my colleague at the
RHI SAC, Ian Furr, for being on the podcast as well. Please let us know what's on your mind.
Our email is podcast at rhisac.org. As always, thank you to the people who try to make me sound good.
For the RHISAC, Annie Chambliss and Marisa Trusheneki.
And from the Cyber Wire, Jennifer Iben, Trey Hester, and Elliot Peltzman.
Thanks for listening and stay safe out there. Thank you.