Being Ready For Anything with Dan Lohrmann

Dan Lohrmann: I mean, it's always about the communication and how you communicate. Who's going to talk to who? When? What do you do first? In what order? How do you do it? Are you prepared? How do your playbooks work out? You bring to those exercises, those tabletops, those full scale exercises, your playbooks to really almost practice makes perfect, right?

Dan Lohrmann: And so, just like a fire team would practice putting out fires, you don't want somebody first time they ever put on the suit to come to your house when your house is burning down, you want them to know what they're doing and know where to go, and what to do, and how to do it based on different situations.

Speaker 2: Hello, and welcome to Security Visionaries hosted by Jason Clark, CSO at Netskope. You just heard from today's guest, Dan Lohrmann, field chief information security officer of Presidio.

Speaker 2: The idea of being ready for anything doesn't happen magically overnight, it takes practice, repetition, and diligence. And bad actors will always be there, with new ways to test just how prepared you are. As security leaders, it's our job to be ready for even the most unexpected challenges. Just as a firefighter wouldn't run into a burning building without proper preparation, security leaders need to view digital fires in much the same way. Putting yourself in the mind of the hacker takes training and role playing, aim to be multiple steps ahead at all times, because no company wants to be caught in their first fire without ever having tried on the suit. So before we dive into Dan's interview, here's a brief word from our sponsor.

Speaker 3: The Security Visionaries podcast is powered by the team at Netskope. Netskope is the SASE leader, offering everything you need to provide a fast data centric and cloud smart user experience at the speed of business today, learn more at netskope.com.

Speaker 2: Without further ado, please enjoy episode of six Security Visionaries with Dan Lohrmann, field chief information security officer of Presidio, and your host, Jason Clark.

Jason Clark: Welcome to Security Visionaries. I am your host, Jason Clark, chief strategy and security officer at Netskope. Today I'm joined by a very special guest, Dan Lohrmann. Dan, how are you?

Dan Lohrmann: I'm doing wonderful. Thanks, Jason.

Jason Clark: I think you and I we've probably known each other for about 15 years.

Dan Lohrmann: Exactly. I remember first meeting you back in Websense days. And back when I was Michigan chief information security officer, and you were a great customer focused executive back then, I know you are still today, so it's great to be on with you.

Jason Clark: That's one thing I love about doing all these podcasts, it's just kind of reconnecting with everybody. And especially during the crazy times of the pandemic. And so, we're going to start with kind of, what was your first job in cybersecurity, Dan?

Dan Lohrmann: So I went out of college with the Valparaiso University, got a degree in computer science and started at the National Security Agency. The old cliche we use is, if I tell you what I did, I'd have to kill you. But I was in computer networks and this is on call unclassified, but my first job back in the late '80s was really working with a variety of different vendors, interoperability.

Dan Lohrmann: So back in those days it wasn't all TCP/IP or IP version four, IP version six and all the mumbo jumbo. But it was like S&A, and we had DECnet, and we had all those different. So basically, getting networks to each other from IBM to DEC, to digital, to Sun SPARCstations and all those kinds of things. And I was running that lab. And were deploying networks all over the world really before there was an internet, which was pretty cool.

Jason Clark: That sounds a lot like my job when I kind of started in the army. It was just all about getting networks to talk. It was a heavy banian tree. And then we were kind of converting to NT 4.O and active directory. And it was a lot of fun. It's so different when you're managing the tech from being a CSO. There's days you probably miss it, I'm sure. You tell it what to do and it doesn't.

Dan Lohrmann: I agree. And a hands on piece, I missed that. But we went to England after that, I won't tell the whole story there, but just how all hands on networks and some crazy stories about how we almost brought down a satellite. And that was pretty scary stuff, but it was all good. And I love of the hands on stuff as well, I do miss some of that.

Jason Clark: I saw the news on the new role at Presidio. So, I'd definitely love to hear about that.

Dan Lohrmann: Yeah. Thanks. I'm the field chief information security officer really focusing on public sector. So, as you know, I've done a lot of different roles in CSO roles in Michigan government, and CTO in Michigan government. Last six, seven years I was with Security Mentor as a chief security officer.

Dan Lohrmann: So this role really Presidio partners with Netskope and a variety of other companies providing really guidance to C-suite mainly focused on SLED, state, local, government education, but I had some work with other governments as well. And really just hearing what their issues are, and providing solutions, working with partners to provide an end to end solution to their cyber needs.

Dan Lohrmann: And so, I'm really excited. I'm drinking from a fire hose right now. I've only been here for about five weeks, but just loving the job, loving the people, and learning a lot already. So, yeah. It's pretty cool.

Jason Clark: So governments, especially SLED has historically always been known as kind of moving a lot slower in adopting tech and transformation. What does that look like right now? How is that changing, especially with kind of some of the new executive orders around cybersecurity, just in general, I'd just love to get your perspective.

Dan Lohrmann: Yeah. I mean, just like everyone else they're getting, first of all, the threat landscape is just going crazy. So, just getting hit hard with ransomware and other things like that, and cyber attacks. And it is exciting, the good news. I mean, we don't get a lot of good news in cyber. But the good news is we just got the new dedicated cyber grants to state and local governments, it was a billion dollars over five years. I think that's really going to help a lot of state and local governments.

Dan Lohrmann: Honestly right now, what the biggest issue killing it's this bleeding state and local government, they can't keep people talent. And that's where they cross the board. We're seeing that in the private sector as well. But I'm hearing CSO say, "Dan, we just can't."

Dan Lohrmann: I mean, one team I know, big state lost half their people on the cyber team since the beginning of this year. So that's just a huge challenge. I think they're getting it, they're to really understand because with the Colonial Pipeline, all the different things have been happening this year, it's so front and center and the digital transformation that we've seen during COVID has just been so huge.

Dan Lohrmann: So, the need is there, the move to work from home is there, all of that is there, it's still just a really, really difficult challenge at the moment.

Jason Clark: So when we talk about the billion dollars, right? When you look at SLED and just the federal government in general, what do you think the biggest vulnerability that they have that they're not aware of right now? It's a kind of two part question, either they're not aware of, or where should they be putting the most of those dollars?

Dan Lohrmann: I think visibility. The old cliche we used to say at NSA all the time, you don't know what you don't know. And so, knowing there's been a huge move to the cloud, which has been great, and everything's going to the cloud now.

Dan Lohrmann: I mean, the resistance to the cloud is just not anything like it was a decade ago. I mean, everything's going to the cloud and that's great. It's just, I think the challenges are not knowing where all their data is. So the visibility in the data, not knowing all the different kind of end to end pieces of that journey. And I think people want to do zero trust. They want to do SASE. They want to do that. And I can say, I think the challenges they're facing at the moment are around the people side of it. It's always people processing technology. It is it's always that.

Dan Lohrmann: But as you know very well for what you do, just saying, "We're going to stick it in the cloud and we're going to give it over to Microsoft. We're going to give it over to AWS." Doesn't solve the problem. It's like, I hear that a lot. Well, I know AWS or Microsoft, and these are good companies. I'm not knocking anybody. I'm just saying. They think, well, they're bigger and they're more powerful so they can do it better than us, and maybe they can, but you really got to think about the configurations. You really got to think end to end. You really got to think about the whole, the end points and of course, identity management, the whole end to end piece. And I think that's really where the challenges are. And some are doing it well, there's always kind of leaders, followers and laggards. There's three groups. There's some people doing really well, and there's some people that are really struggling.

Jason Clark: Yeah. I mean, like you just said, you just talked about the big companies as we're going cloud. There is this weird, like sometimes you get the CIO is what I call. Well, we just assume they got the security, right? Versus, no, you're the one responsible for your data. They don't take responsibility for your data security, as an example for your configurations.

Jason Clark: And I think there's so more awareness that needs to be driven around that. So hopefully a lot of the, like you said, it's visibility. It's getting the full visibility, especially as things move to the cloud.

Jason Clark: How much of the effort is focused on the people though? Of that billion dollars, is anything directed towards, well, let's pay people more, or let's help you outsource more? I mean, like you said, it's the number one problem. So, how is the billion dollars going towards that?

Dan Lohrmann: Well, and I think the guidance is coming. The one thing what the law says, the act that was signed by the president says is you have to have a plan. Which is good. A lot of people don't have plans. And so, it's not clear is that going to be every state has to have a plan and then municipals can feed up into the state plan, or does every city, every county, every township have to have their own plan. That's still not clear yet from DHS and CSA, that's still coming down.

Dan Lohrmann: I think it is going to be based on outcomes. And I think part of it is going to be divvied out by population, and there's going to be lists of things you can spend the money on, and things that are eligible and things that aren't. And there's going to be a competitive pieces of this to say, "Okay, the state that has the best plan to do X, Y, Z, can get more cash."

Dan Lohrmann: So, I think a lot of those details are going to be coming. I applaud it. Because it's dedicated to cyber. And I know in the past other grants through the years could be used for cyber, but many states couldn't get that money. It was used for other things. I also think it's really a down payment, Jason, because I think this is going to be, I'll say a decade long, probably the rest of our lives, it's the problem. It's going to be out there, and the states and the locals are going to have to contribute part of that as well. They're going to have to have 90, 10, 80, 20 match every year. It goes up 10% how much the locals have to give in.

Dan Lohrmann: But also it's not going to really do an operational piece to pay for that after the new stuff gets installed. So I think it's going to help. I think it's going to move the ball down the football field. It's probably not going to be the whole thing.

Jason Clark: Switching gears a little bit, Dan. I want to talk about something that's exciting for you, and that's your new book. And that just came out in November with Wiley. And it's called Cyber Mayday and the Day After. I love the name. I'm definitely going to read it. I have not yet. I'm going to do audible version, like we talked about. But I just want to just kind of get your perspective on what's it about, and why everybody should read it.

Dan Lohrmann: Yeah. Thanks so much. And I am just so stoked about this. It's Cyber Mayday and the Day After, and then the second part, the small print title's, A Leader's Guide to Preparing, Managing, and Recovering from Inevitable Business Disruptions.

Dan Lohrmann: And so just real quick background of the book. I'm a co-author with Shamane Tan. Shamane is actually in Sydney, Australia. She's really Cyber Woman of the Year star. She just won again, another award in Australia for cyber leadership. And she started cyber meetups all over Australia, Japan and Singapore. So she's really big in Asia. And she wrote her first book. I contributed to that, a bunch of stories from my CSO days. And she said, "Dan, let's work on something together."

Dan Lohrmann: So about a year ago, actually it was August 20, right in the middle of COVID. She reached out. We talked about, but this is before SolarWinds hit, this is before Colonial Pipeline hit, before JBS meats. What do we want to write about? And what we thought was really missing even at that time with all the ransomware attacks, the cyber attacks, is true stories of, what really happens, not just to the CSOs, the security executives or CTOs, technology executives, but the business leaders C-suite? What happens when you get hit by ransomware, when you have a cyber attack, when you're in the middle?

Dan Lohrmann: So there's a lot of checklists out there. There's a lot of free resources. We actually reference all of those at the end of the book. Not all of them. I can't say all. A lot of the big ones that are out there, so free resources. And there's a lot of great checklist and guides and white papers. We try and reference as many of those as we can and point you in the right direction.

Dan Lohrmann: But we thought really the idea here is to marry up three parts before, during and after an incident. So what can you do before? Four chapters of the book is about preparing, and everything from having playbooks and doing exercises, tabletop exercises and real true stories. What people learned and the good, the bad ugly.

Dan Lohrmann: Then during incidents, in the middle, real stories about that. And then at the end, what about afterwards? Like the last chapter is turning cyber lemons into organizational lemonade. So really the idea of, how can we take what we learned and then roll it back into our plan, into our playbooks, into our scenarios, and get better and improve? And the goal was really to help people learn from what other people have experienced 35 true stories from all over the world about half of them are government, half of them are private sector, small, medium, large organizations. And really the goal is to really help people kind of walk a mile on someone else's shoes, if you will, but really little snippets of what happened when you were hit?

Jason Clark: That's amazing. Well, of all the organizations out there, right? Let's just call it any that's large. What percent, if you were to just shoot from the hip, what percent of them do you think are well prepared?

Dan Lohrmann: Well prepared. Wow. It's a really hard... And this a large organization, or is this all?

Jason Clark: I'd say any organization over 5,000 people.

Dan Lohrmann: I'm just going to say half, shooting from the hip.

Jason Clark: I would think it's less. I actually probably think it's even less than that.

Dan Lohrmann: Well, it depends on also what you mean by well prepared too, because you think you're ready, but you're never ready for exactly what happens. And there's so many stories of... I even tell the story, a couple of the stories are mine personally. Like I go way back and most of them are more recent. But even going back to the blackout of 2003, and what happened when I was in Michigan government, I think you and I have talked about that in the past.

Dan Lohrmann: But in the Northeast lost all of its power and that wasn't a cyber attack. Although there was a lot of cyber components to that. And where we went, what we did, we had our Y2K plans, we had this plan, we had done some tabletop exercises. So at the end of it, we ended up coming out of it pretty well, that wasn't like we got hit by ransomware. That was different. But there was good, bad and ugly. So I think some organizations are more ready than others. So maybe it's less than 50%.

Jason Clark: Maybe give another example of one of your favorite stories.

Dan Lohrmann: Let me read one to you. Because I want to just read you one section. And this is from chapter five, I'll just read you two pages real quick. I'll try and read fast. But the chapter title is, Where Were You When The Sirens Went Off? But this is from a true story.

Dan Lohrmann: "Your network has been locked. You need to pay 30 million us dollars now!" The following was an actual real life negotiation between ransomware gang and a 15 billion US victim company that was hit with a 28.75 million dollar ransom demand in January 2021.

Dan Lohrmann: After a few rounds, the victim company counted with 2.25 million, which was met with a scorn for response by the ransomware criminals. Paraphrase here, and it is very funny to watch a few of your admins trying to install Ms Exchange server in three days and can't do it. We have encrypted 5,000 of the 6,000 of your servers, if we do some of the simple calculations, your expenditure is like, say $50 per hour, or maybe you are even generous $65 per hour. So 24 hours spent to restore one server multiply by the number of servers encrypted by us, that is like 10 million dollars in just only on labor expenditure alone.

Dan Lohrmann: It's interesting to note how these ransomware gangs have been found an effective way to communicate the financial impact of business interruption caused by the cyber attacks and demonstrate how their victims will cut their losses by adhering to their demands. They continued, but don't forget that you spent all the time on installation. Oops, you can't even restore any of your data. Can you? Because it's gone for the next thousand years. They added the time factor pressure at the end of the message, but also showed some mercy at the same time.

Dan Lohrmann: The timer is ticking, and in the next eight hours, your price tag will go up to 60 million dollars. So either you take our generous offer and pay us to 28.75 billion, or invest in quantum computing to expedite the decryption process. When the company asked for additional time, the crooks counted by running back, I don't think so, you weren't poor and you aren't children. If you're effed up, you'll have to meet the consequences.

Dan Lohrmann: A day later, when the company finally managed to get the authority to pay 4.75 million, the extortionist agreed to lower their demand to 12 million. The condition that the remaining amount be paid within 72 hours. After a few additional message, they came to an agreement where the criminals promised four quick things. The hackers would not launch any new attacks. The company would get the tools to fully decrypt the data. The hackers would completely leave the network and never target them again. The hackers would give the company access to data to delete themselves. Data would never be published or resold. And the hackers would provide a full report on their actions, how they got into the network, how the attack was carried now, including tips on improving the security of the organization and against penetration of other hackers. The company ultimately paid 11 million dollar ransom." We'll stop there. But that's one story, it goes on and goes into some more details. But yeah.

Jason Clark: I had a meeting recently with a CIO of travel, I'm going to deal with two specific, travel and leisure company. And they got ransomware in the middle, and they're big, in the middle of the pandemic. You're talking like May, June last year. And they asked them for 20 million dollars, the response from the CIO was, "We have zero revenue right now, with no projections of any revenue for the future. We have nothing to lose right now. We have no money. We have no customers."

Jason Clark: So it was more a system lockup than it was confidential information. It wasn't PII. But yeah, they ended up paying like 10 grand because of COVID. But I love, I mean, I think bringing those stories to life, it's one of those things where you don't want just security people and CSOs to read, you want business leaders to read this thing.

Dan Lohrmann: This is really written for C-suite, but also any business leader. If you're in a small business, I mean, you could own... My brother, Steve got hit by ransomware a few years back. He's got a copy of the book now. He has 20 properties in Ocean City, Maryland that he's got 10 employees, he got hit by ransomware. And thankfully at that time it was the early days. And he had to pay $1,200. That was about three, four years ago.

Dan Lohrmann: I mean, the point is, this can happen to anyone. And this is really written for the business community as well as the technology and the security community.

Jason Clark: So how long did this book take you to write?

Dan Lohrmann: So, we started it, we wrote the proposal. We agreed we were going to do it last October. We each wrote a chapter, put the proposal together. Both of us had written books before. So this is my third book. We had the proposal done in the wintertime, shopped it around, had three publishers that wanted to do it. Wiley. We had agreement with Wiley, and we had the book completed really first draft May 1st. And the Colonial Pipeline hit. Edits came in yada, yada. Final manuscript was done July 1.

Dan Lohrmann: So, most of it we wrote in about three months. But really the whole process was about nine months. And we kind of updated it up through really the JBS meats and Colonial Pipeline and SolarWinds, but kind of the cutoff was July of this year.

Jason Clark: I mean, it makes it extremely relevant for everybody right now.

Dan Lohrmann: Oh, it goes right through Colonial, right through JBS and Solar Winds and few others. The thing is, Jason, people don't realize the congressional testimony just said more ransomware in 2021, the last 10 years combined, which seems crazy to me. That's not in the book by the way, that just came out a couple weeks ago in congressional testimony. Those numbers just blow my mind, because I know how big 19 was and how big 20 was. And they were big years for ransomware. And it's just getting worse at the moment. Unfortunately, in addition to that the ransoms are going up, and they're asking for more. It's certainly a big problem organizations are facing.

Jason Clark: I mean, this is a bank robberies, right? This is just drive by bank robberies, just reinvented now. So, switching gears slightly on the same topic and you talk about this, so why are tabletop exercises and even like full scale kind of cyber exercises so important than to plan and execute this?

Dan Lohrmann: I mean, first of all, getting everyone involved. Because the big part of this is certainly you have the technical pieces, you've got the big one and all of that. But I mean, the bigger issue is really communication. And how do you communicate across the C-suite? How do you communicate across the company? How do you communicate up, down, sideways, everything to your investors, to the community, to the public. How you communicate, and I'll tell you, that goes back 20 years, and anybody's been in this emergency management for fire, floods, tornadoes, people would say hundreds of years. I mean, it's always about the communication, and how you communicate. Who's going to talk to who? When? What do you do first? In what order? How do you do it? Are you prepared? How do your playbooks work out?

Dan Lohrmann: You bring to those exercises, those tabletops and those full scale exercises, your playbooks to really almost practice makes perfect, right? And so, just like a fire team would practice putting out fires, you don't want somebody first time they ever put on the suit to come to your house when your house is burning down, you want them to know what they're doing and know where to go, and what to do, and how to do it based on different situations and different scenarios, and injects and all of that. That's what you really need to be doing.

Dan Lohrmann: And so many people think, oh, we have our data backed up. One quick story I'll tell you that, yeah, but it was going to take them six weeks to restore it, because they didn't have the bandwidth, they didn't have the connections. So they ended up having to pay the ransom, because they hadn't really thought end to end. They thought they had a solution, but they hadn't really ever gone through the full kind of process. And they just didn't know what they didn't know.

Jason Clark: What percent of companies do you think pay versus don't?

Dan Lohrmann: I think more than 50% pay now. The thing that's so hard about that Jason, is the ones that don't report.

Jason Clark: Which is most.

Dan Lohrmann: Exactly. And I'm saying the ones the FBI... The numbers we have, like when you see all these reports coming out, and all the technical magazines, and Forbes, and all the rest of it, how many ransomware attacks, you're going to see end of the year reports. I do my annual prediction blog. And all these end of the year numbers, they're based on what we know. But if a small business pays a ransom for $20,000 and never reports it to the law enforcement, it's not even counted. And so, that raises that number to well over 50%. I mean, I think 70, 80%, because of the ones we don't know about.

Jason Clark: And just like you talked about the 2021 numbers are going to blow away 10X more than ever before. I think it's significantly higher.

Dan Lohrmann: It's higher than what we know.

Jason Clark: Just a little bit wrapping right on that. Because you just mentioned your predictions. So what's your top out favorite predictions for next year?

Dan Lohrmann: I mean, I can give you so many. I'm going through them all right now. So just as you know, as you and I have talked about this a couple years in a row, but first of all, these aren't Dan Lohrmann's predictions. I compile what I consider the top prediction reports from all the top companies. So from the Trend Micros, and the FireEyes, and I'm not saying these.

Dan Lohrmann: There's certain companies that put out really great prediction reports that spend literally tens and hundreds of thousands of dollars on these reports, and they're really well done. And it's not just like sticking your hand in your ear and guessing that it might snow tomorrow. I mean, they really do research and they really kind of try and connect the dots and say, "I mean, clearly there's going to be more data breaches. Clearly there's going to be more ransomware. Clearly we're going to have more critical infrastructure attacked." Every year there's always predictions of major cyber 9/11, and people want to hear about spectacular.

Dan Lohrmann: That's been kind of toned down the last few years, because nobody wants to hear the whole Internet's going to go down, or thousands of people are going to die in some hospital. Because, well, I think we're going to talk about later, CSOs, just the fad message is not a successful message. I mean, we like to get a little more specific about what kind of targeted attacks are coming at you. So a lot of the reports, and my favorite predictions right now are around like, how artificial intelligence and the bad actors are using machine learning, artificial intelligence to really go after in very sophisticated ways, these enterprises, and target in different ways. And specifics I won't go into right now from a technology perspective.

Dan Lohrmann: But looking for those vulnerabilities, looking for known zero days, looking for known problems, and then just scouring the internet, just like looking, we may say it's a diamond in the rough, or looking for that needle in the haystack. But if you've got the right tools from a machine learning and an artificial intelligence perspective, they're very, very effective.

Dan Lohrmann: So, attacks are becoming more targeted, more specific. People are doing their homework, and it's not just kind of like it's a long way from where it was a decade ago when I first met you, kind of like spam the world and hope somebody clicks. There's some of that's still going, some of that's still working. But a lot of it is much more targeted. And I just heard recently, like the dark web's full of passwords, credentials, people still not using two factor authentication, which is crazy, or multifactor authentication, MFA. And then they're not even hacking, they're just logging in with the credentials, which is crazy, but it's happening. Future

Jason Clark: And anybody listening, I mean, every single app you have should be multifactor, period.

Dan Lohrmann: Absolutely.

Jason Clark: Honestly, as of security, you're not doing your job.

Dan Lohrmann Correct.

Jason Clark: In that period. Because that is a-

Dan Lohrmann: Well said. That's totally right.

Jason Clark: And you're right. It exists. There are lots of products that are lots of SaaS apps out there that don't even support MFA still. Because they're early, they're young, they've got 28 employees that created an HR app, let's say, but they're serving very large companies. Because it is really kind of all driven by shadow IT, and then finally security finds out and it's like, "Dude, we're cutting you off unless you can go build this functionality." It has to be integrated to our solution like Okta paying, et cetera. Right?

Dan Lohrmann: Totally. And to that same point, I remember a year ago I was with a... I'm not going to name the bank. I was with a bank that I literally went up the chain. I want to do multifactor, they did not have multifactor authentication at a bank. And I went all the way to the CSO and I ended up getting actually added to their pilot. And actually I'm still with that. They now have MFA across the board. But if you have any financial institution insurance, any kind of financial accounts, or trading, and it's not to multifactor, find somebody else.

Jason Clark: Now I'm just going to transition a little bit more like dug into IR. You've done a lot of different things. You've worked on every kind of every part of security. What's your favorite domain? Because you did a lot around security awareness as well. What's your favorite domain in cybersecurity?

Dan Lohrmann: I did like security awareness a lot. I was in that for seven years. And Security Mentor is a great company, and little side message there. But I still love them, they're a great company. What I liked about it was that it was very practical for everyday users. People at my church, and people in my community, and people I met at Christmas parties, I could talk to them about, what are three things I could do right now? I mean, a multifactor authentication, turn on 2FA for Facebook and for Gmail.

Dan Lohrmann: And so, I did like that because it was relevant for a hundred percent of society where you start talking about a lot of the things you guys do great work at Netskope, and the companies I'm working with right now at Presidio, and Netskope's one of them, but certainly AWS, and CrowdStrike, and different people, Okta and others. And the real is explaining that to people is harder in a lay person perspective. What I like about my current role, and ask me in a year or two, but is it's broader. And it's really, I get back to the ability of kind of full scope-

Jason Clark: Full solutions set.

Dan Lohrmann: Yeah, exactly.

Jason Clark: You can help people with everything. You got a problem, I can solve it, right?

Dan Lohrmann: That's it. Exactly. And I love that. Listen, I just love having honest conversations with CSOs and CIOs. And I have to tell you, I've been for better or for worse, people say I'm crazy because there's probably a lot more money, and there is in the private sector.

Dan Lohrmann: But I've been both from my NSA days all the way through even in England with Lockheed and ManTech, and then with State of Michigan, I really focus a lot on government, and I have a love for government and helping. I mean, just the passion to help improve society. And so, for me, they're under resourced, they're underdogs in a lot of ways, but having honest, open conversations with public sector and government, I have to tell you, I'm passionate about that as well. Because I mean, they're heroes out there in the front lines right now. And it's hard. It's rough. And they're working a long seven hour, seven days a week, 14, 16 hour days, and they're sweating. And I feel for them. It's a hard job.

Jason Clark: It's a very hard job, which is why they generally don't last multiple years, and they change jobs a lot. And the stress is immense. It is. Like you can't find people, the threat's evolving so fast, the business is moving to the cloud, but you still have to protect on prem. And so now you've got double the attack, surface triple the attack, but not triple and double the budget. I mean, is a very, very, very hard job, and there's no doubt about it.

Dan Lohrmann: It is. And then you lose your best people. You put together a team and you're like, "This team is..." And then we were able to, I still love my, it was glory days, but 14 years ago when I wrote my first book. We had a team in Michigan government, it was a very different economy, very different cyber world back in those days. I know we had a great team because all those 10 people I could think I could name are all CSOs now around the world doing great things.

Dan Lohrmann: So it's like, you can't keep a team like that together anymore. I mean, just can't do it because they're just going to have offers right and left. And especially in government, it's a really hard, you have to be a motivator as well. You got to be a cheerleader and a motivator.

Jason Clark: That's actually known to go after talent from the government, and from the state as well. I hired Jonathan Troll from Colorado, because it he is brilliant, and you can always afford them that first time.

Jason Clark: So speaking of kind of talent, right? And like you're a crater of CSOs as we just talked about. It was one of the biggest, I think things that as a measure of personal success sometimes is how many people go and become executives right after working for you, right? That's one of our jobs, is to grow the talent base and help people in their careers. But what would be your number one top advice for a first time CSO?

Dan Lohrmann: Find a mentor. To exactly what you just said, Jason, find a mentor who you can hopefully outside of your current organization, but somebody who you can trust, who you can, not trying to sell you something. I mean, I'm not talking about a mentor who's, hopefully at least if they are a salesperson, they can step outside of that role and just give you some speak into your life, and speak into you. You just kind of lay it on the line, because they've walked a mile in your shoes. They know what it's like. There's politics involved. There's office politics. I'm not talking about Republican and Democratic. I mean, that comes into play too sometimes. But I mean, just any organization, it's got politics.

Jason Clark: Every company has politics, period. By the way, I think that's like one of the number one things all CSO struggle with, is the political side of the things. Because you do have to put friction on the business, so you can't just like have frictionless. They're going to just go do anything. And so, having that balance. There's many CSOs I talk to where they're like, "Oh yeah, I walk down the hall and people are like, turn around and will start walking the other way because they're scared of me." I was like, "That's not a good thing."

Dan Lohrmann: Yeah. And that would be the second thing. I mean, I'll give you four or five. But I mean, relationships, relationships, relationships. I mean, it's the importance of that. Our original sock in Michigan, it was called the Batcave. Don't just hang out in the Batcave all the time. This guy's, "That's great. I'm in the Batcave."

Dan Lohrmann: But you got to have relationships 360. So you're going to be judged on how you work with your people, how you work with your peers, how you work with your management of course, but how you work with the vendor community, and how you work with the customers. And so, those relationships are key.

Dan Lohrmann: And it's hard. I mean, there aren't many CSOs. And I struggled at times. And I know it's hard to have good relationships with everybody, just like anything in your life, you can't be friends with everybody. But having good relationships 360 is another thing. And it's easy to say, everyone says it, but it's hard to do. And it's very hard to do well. And it takes years. It takes experience.

Dan Lohrmann: You don't walk into a new job as a CSO and you're not a five year veteran, because you haven't been through five budget cycles, and you haven't been through five Christmases, and end of the year award ceremonies. I mean, you learn good, bad and ugly, you learn. And just hopefully you get the time to really grow into your role.

Dan Lohrmann: But that's where a mentor can help. A mentor can help walk you through kind of the swamp, because you're going to do some things well, there's things most CSOs do well initially, but there's some things that they usually struggle with.

Jason Clark: What would you do differently if you can go back in time?

Dan Lohrmann: So there's one story that goes back to about 2004 when I was CSO in the State of Michigan, and Teri Takai was my boss. And Teri was a CIO in Michigan. She went on to become CIO in California. Then she went on to become the CIO for the US Department of Defense. So very famous. Worked for a lot of governors, Arnold Schwarzenegger, and Jennifer Granholm who's now secretary of energy.

Dan Lohrmann: Anyway, they say in any new CSO relationship, you always have kind of the forming, storming, norming, performing kind of thing, right? Well, this was our storming face. So anyway, Teri and I to kind of tell you the ending, we ended up becoming good friends.

Dan Lohrmann: But anyway. In the middle of this, so Teri wanted me to put Wi-Fi in all of our state conference rooms. And I was against Wi-Fi. I'm the NSA guy. And I had all these white papers. I'd done all my homework. And I'd gone to CIA, NSA, FBI. I had all these white papers. Wi-Fi's bad idea. We're driving, people were breaking in the Home Depot-

Jason Clark: [crosstalk 00:38:10].

Dan Lohrmann: All that stuff. So anyway, bottom line, I went into this meeting. Teri's like, "Okay, Dan..." There was like 10 people around this big government conference room. It's Teri staff meeting about 20 minutes into this conference room, weekly staff meeting. And we got the agenda item forum. And she says, "Dan, so how are we going to do this?" And I said, "Well, Teri, this is a bad idea. We're going to cancel this project." And so, I handed these sheets of paper out and passed them around the room. And I said, "I've got all these white papers here to back this up. I just want to summarize why this is not something we should be doing."

Dan Lohrmann: So Teri says, "Stop. I want everybody to leave the room, but Dan." So, everybody gets up and runs out of the room. I've never seen the government [inaudible 00:38:55] exit so quickly. Anyway, long story short, she looks at me in the eye and she says, "Dan, if that's your answer, you can't be the CSO in Michigan." And I said, "Well, wait a minute, Teri, let me explain." She said, "No, no, no stop." She said, "We know you're smart. You got a master's degree yada, yada from NSA, we get all that." She said, "But I've been to Dow Ford, Chrysler and GM, and they all have Wi-Fi in their conference rooms. What do they know that you don't know?"

Dan Lohrmann: She said, "I'm giving you one week to find out, or i want your resignation." And that was a shocking moment for me. I mean, it was a life changing moment. I mean, my career was like flashing before my eyes. Of course, we went back, we talked to Dow Ford, Chrysler, GM. We got Wi-Fi at all the state conference rooms. Two years later, we win the award for top security Wi-Fi in government nationwide, yada yada, yada. But the bigger lesson for me was, you got to get to a yes but, or a yes and, you got to look at options. You got to give gold, silver, bronze. And it's not just about Wi-Fi obviously, this could be cloud. This could be-

Jason Clark: There's always a way.

Dan Lohrmann: Exactly. It's cloud, or IoT or AI, whatever the new hot topic is. The security answer is always no. And you've got to figure out what other people know that you don't know. The answer may sometimes need be no, Jason, we talked about that before. But the point is that you've got to really... And it really changed my mindset. How can I be an enabler? From that time on, I was right articles. O5 one word. How do you change cultures to have an enabling cybersecurity? And I know Netskope does that too. How do you enable people to do cloud securely?

Jason Clark: Great advice, Dan. So, that's all that we have time for today. Dan, this has been awesome. And thank you. And I feel like we could have easily done this for many, many more hours. But before I let you go, one, where can people find you and get your book? And also, anything else you want to leave anybody with?

Dan Lohrmann: Sure. Well, thanks so much. And Jason, again, thank you. Thank Netskope. Thanks for having me, really, it's an honor to be on your program. And you're a true thought leader and an expert in the industry. So, huge admirer of you and what you've done.

Dan Lohrmann: Cyber Mayday and the Day After is the name of the book. You can get it on Amazon. It's out there. Also I write for government technology magazines. So I have a weekly blog. It's up every Sunday and Monday. It's the lead story on Monday mornings for Government Technology magazine. You can see me there Lohrmann on cybersecurity. Also @govcso in Twitter. G-O-V-C-S-O, @govcso is my Twitter handle.

Dan Lohrmann: And you can also just connect with me on LinkedIn because I love to connect with pros in the industry, and even new people in the industry. Can't mentor everybody. I get a lot of requests to mentor people. I do mentor a few people, but I'd love to connect with you. So please feel free to reach out on LinkedIn, Dan Lohrmann.

Jason Clark: Yes. Listen, everybody, you definitely connect with Dan. All he wants to do is he just wants to help people. He wants to make this industry better and help the communities. So that's one thing that I love about Dan. It's all about the community. So thanks, Dan. And I'll see you all in a week.

Dan Lohrmann: Thanks so much, Jason. I appreciate it.

Speaker 3: The Security Visionaries podcast is powered by the team at Netskope. Looking for the right cloud security platform to enable your digital transformation journey, the Netskope security cloud helps you safely and quickly connect users directly to the internet, from any device to any application. Learn more at netskope.com.

Speaker 2: Thank you for listening to Security Visionaries. Please take a moment to rate and review the show, and share it with someone you know who might enjoy. Stay tuned for episodes releasing every other week. And we'll see you in the next one.