The Retail & Hospitality ISAC Podcast 7.12.23
Ep 31 | 7.12.23

NACD Accelerate, Ian Furr’s Volunteer Work, & Bidemi (Bid) Ologunde Member Spotlight

Transcript

[ Music ]

Luke Vander Linden: Good morning, good afternoon, good local time. I'm Luke Vander Linden, vice president of membership at the Retail and Hospitality Information Sharing and Analysis Center. And this is the RH-ISAC podcast. We do our best to try to be on trend here at the RH-ISAC, just of the past week or so there have been numerous articles in both niche and mainstream publications citing the need for cybersecurity expertise on corporate boards of directors. We identified this need a while ago, but from our little corner of the world, what could we do about it? Well, our members represent thousands of cybersecurity professionals who have exactly the kind of knowledge boards need, including hundreds of CISOs and other leadership level professionals. Some may be perfect board material, but either just need to be pointed in the right direction or may need a little training on the other stuff you need to know to be a successful corporate board member. Luckily, there's an organization for that. Last year we partnered with the National Association of Corporate Directors and recruited some of our member CISOs for their Accelerate Program, which trains and certifies individuals on everything board members need to know and do. Our first cohort is making its way through the two-year program and the first member of that group has been officially certified. I will be joined by John Scrimsher, CISO of Kontoor Brands, to talk about his experiences and outlook as a prospective corporate board member. I'll also be joined by Marcel Bucsescu from the National Association of Corporate Directors to talk about their efforts to create competent, successful board members. If that's not enough for one episode, I'll also be joined by one of my colleagues here at the RH-ISAC, Ian Furr. Ian is in our security engineering and integrations team. He and I work together on onboarding members, getting them setup to share in our platforms. But Ian has quite a robust life outside of work; volunteering with some organizations and at events to, what else, keep people safe. So it doesn't stray too far from his professional work with us but I'll let him tell us all about it. And finally, we have a member spotlight; intelligence analyst, Bidemi Ologunde from Expedia will join me to talk about how he got into cyber, what he does at Expedia, and his outlook for the future. So, a pretty packed episode. As always, we welcome your thoughts about the podcast or anything else. Shoot us an email at podcast@rhisac.org, or if you're a member, hit me up on Slack or Member Exchange.

[ Music ]

Alright now, I'm joined by John Scrimsher, CISO from Kontoor Brands, and Marcel Bucsescu, the senior director of credentialing and strategic engagement from the National Association of Corporate Directors. Thank you both for joining us.

John Scrimsher: Thank you for having.

Marcel Bucsescu: Likewise, glad to be here.

Luke Vander Linden: Excellent. So we're going to talk today about how there's a lack of knowledge of cybersecurity on many corporate boards and how both our organization and NACD are doing a little bit to try to solve that problem, do what we can from our little perches in the world. But just for the sake of setting the scene, John, why don't you tell us a little about yourself and your background and how you got to where you are today at Kontoor Brands.

John Scrimsher: Oh, well I think like many people, I've been very fortunate to have been in the right place at the right time at just enough times throughout my life, to help build a career. I've been working in cybersecurity and IT for about 30 years now. Through some very large companies, very well-known brands, and across multiple different industries. So, it's helped me to understand security engineering, security architecture, security management, and then business management, making all of the partnerships that I've made throughout my career to help me understand how the businesses operate and how I can better secure them. So just a, it's just been a great run.

Luke Vander Linden: That's great, and so how would you say that your varied experience has shaped your professional life, your personal life, and certainly what you do at Kontoor?

John Scrimsher: Well one thing it's taught me is that security is not industry specific. And a lot of times you'll hear people say, oh, you don't have medical experience so you can't be a CISO for a hospital, you don't have financial experience so you can't be a CISO at a finance company, and that's really not true. So what I've learned over time is that security is about understanding the business. And you understand the business by getting into the business and meeting with all of your business partners. Talking with your CEO, talking with your executive leadership team, talking with your board and understanding what their concerns are. And then it's tailoring the security to fit that and really kind of drive from that risk management perspective. And that really kind of led to me wanting to grow my career and moving out of engineering into management and eventually becoming a CISO and it's really made me appreciate all of my business partners even more.

Luke Vander Linden: That's great, so while the threats may often be sector specific, the person doesn't have to be. And I'm glad you brought up boards, because obviously that's what we're talking about here. So, in the interest, again, of scene setting here, Marcel, can you give us a little more depth about the role the board, the role of an individual board member, director.

Marcel Bucsescu: Yeah, no and thanks again. This is an important discussion and as you alluded to, an active ongoing one in the board space, mainly the need for the kind of technical expertise, security expertise that John was talking about. But if we step back and think about the board of directors, I think a lot of folks don't necessarily have a view into what happens in the boardroom. Who these directors are and the roles they play and I think it's important to set the stage there, as you said, on what that role is. At its core, directors are responsible for the success of a company. Right? They have something called a fiduciary duty, which in fact executives have as well, but they have a fiduciary duty, which comprises of a few specific duties; the duties of care, the duty of loyalty, and those duties are to the corporations, they have to oversee the corporation and make sure that management has an effective strategy in place, is managing the risks appropriately, is allocating the capital and other resources in the right way to continue to grow the company. And that's a really a specific legal mandate, but also a very board business one, and so you know, when you heard John kind of share his background and how he approaches his work, understanding the business is really what being a director is about and helping management navigate all of the dynamics of business today. So in that sense, it's both a very exciting role, a very interesting place to be, but also a fairly complex on and one that comes with a large amount of responsibility, including by the way, personal liability, which I'm sure many of your folks are more than familiar with, given their roles.

Luke Vander Linden: So I often don't talk about this unless someone asks and frankly, they don't have to ask, but in a past role I worked in corporate governance at one of your sister organizations, the Society for Corporate Governance, so I've seen from that perspective, the world of governance which includes boards of directors, change quite a bit over the last couple years from A, being you know, pale, stale, and male, which is you know, the same guys being on lots of different boards, but then also, the huge focus a couple years ago on ESG and now we're seeing this renewed focus on cybersecurity. As sometimes it's framed as part of ESG but sometimes it's just framed as being good governance, so maybe you could talk a little bit, Marcel, about how being a board member has changed drastically over the past couple, just couple years.

Marcel Bucsescu: Yeah, well I mean, so cybersecurity isn't new in many respects, it certainly feels like it's accelerated a lot. But you pile that on top of what we went through in the pandemic, the changing dynamics and relationships with the workforce and human capital, I mean the cybersecurity space is a prime example. I mean you two would know better the number of open roles we can't fill because we don't have the skills. Think about that across our businesses. You know, having to manage through an increasingly complex economic environment. Having to manage through an increasingly, increasingly geopolitical environment. And so, the perspectives, the experiences, the ability to connect dots, see around corners, all of that happens in the boardroom with management and the board with these directors that have unique experiences from different backgrounds, different parts of the world, different points in the kind of continuum of business, and so all that comes together in the boardroom. And it feels almost like it's all colliding right now at the same time. And in that sense it's elevated all the stuff requiring these new skillsets that frankly haven't been there, and really forcing directors and boards to take a hard look at who's in the boardroom, what are the specific skills, experiences, business judgment they're bringing, and how are they contributing to the good of the corporation? And so that's all happening right now, in the context of that ESG debate, et cetera. It's an interesting time.

Luke Vander Linden: It is, and I think you described it well by saying it seems to all be colliding right now. So a couple years ago NACD started a certification program, an accelerated program, it's while we're here to discuss today. And it's great, because it not only, it trains and certifies potential or prospective board members to be board members, to teach them all these things that there, all the responsibilities and what the role is about. Could you tell us a little bit more about the history of this program?

Marcel Bucsescu: Yeah, I'd be happy to, I'm sure we'd learn a lot more, frankly, from John. But so, NACD launched the NACD Directorship Certification back in December of 2019. And it's a certification in the true sense of the word. So I think many of your listeners are probably familiar with other technical certifications they may have [inaudible], right, because I've seen the letters, we've contributed our own to the list. But it's a certification that is developed by sitting board members. And what I mean by that is the first part of the certification is an exam that checks your knowledge. That exam is based on a survey of over a thousand directors that told us what their role is, how they spend their time, how important that activity and their role is. And then we have another set of directors write the exam questions and a third set assess the kind of the threshold, the quality of the responses needed to pass. So that's the exam piece. And then there's the continuing education portion, which is 32 credits over two years of continuing education. I would argue that's really the more important part, because of all the dynamics we talked about before. Right? You guys know you're out of the role and pretty soon your knowledge base is stale. The world's just moving so quickly. So whether it's a technical role or a business role, the same is true. And we have nearly 1,500 certified directors, it's for both aspiring and sitting directors, it's actually intended for folks that hold the role. And they represent the full range of the U.S. economy from Fortune 50 to startups, nonprofits, private companies, everything in between.

Luke Vander Linden: That's great, and so obviously for us it was recruiting amongst our thousands of professional cybersecurity professionals and hundreds of CISOs, the folks who might be interested in serving on boards and NACD facilitated that with kind of a group cohort kind of operation where we could recruit several of our CISOs to enter the program at the same time and work together on this. And John, you were one of the members of the first cohort that we put together and in fact, you are the first of that cohort to pass the test and become certified. So congratulations on that. But tell us a little bit about what made you want to go into the program.

John Scrimsher: Oh, for me it was just, once again, expanding my own knowledge. The continuous education is something that I've been passionate about throughout my whole career. I'm actually going back to school currently as well, so to get another advanced degree. And so, the idea of just kind of expanding on my technical knowledge and my IT knowledge, and getting more relationship to the business was very appealing, and so wanting to expand into board service is just a, is kind of an appealing thing for the next iteration of my career. And so when the RH-ISAC came and said hey, we're looking, you know, we're talking with the NACD about putting together a cohort, we'd like to get, I can't remember exactly how many of us that there were, you know, seven, 10, something around there, we'd like to get a few of you to go through this program and see what it's like, I was excited about it.

Luke Vander Linden: So, how did you find it? Like what did you, what were you surprised to learn? What did you expect to learn? What did you learn?

John Scrimsher: It's not as easy as you think.

Luke Vander Linden: You think, running major companies isn't as easy as you think?

John Scrimsher: Yeah, well I mean just the whole idea of you know, as a CISO you report to a board on a regular basis, and I've reported to different boards at different companies and every board is different. And you think that based on your own knowledge, that you pretty much know how things are going, and then you go through, start going through the materials and you start learning that it's a lot bigger world than what you're seeing in your 15-30 minutes with the board. And so just really kind of getting that understanding, you know, you start with your first 15 hours of the program where you go through just to kind of get the, I can't remember what they call it, but the initial staging to verify that you are prepared to actually study for the test itself. And just that first 15 hours, you get a lot of information and you think, okay, this is really good, I'm going to be ready for the test. Then you start reading the other materials and find out, it's, you're looking at probably another 50-70 hours or more of studying and then in my case, it was taking that information and going and speaking once again with other business leaders. Not just in my company, but other companies. I actually reached out to a board member and said, hey, you know, I'd like to, I'm thinking of going through this, I'd like to get your thoughts and understand what are the challenges that you face and how should I be thinking about things. So just kind of go through that entire process, just it gave me a lot more respect for the level of service that a board member puts in. The number of hours they put in on an annual basis for an individual company. And for some, I know some people who are on five boards at once. They're typically retired from their career and then doing five boards now as their next career. But they've, just the amount of time they put into it. And having to have enough knowledge to ask the right questions, to provide that level of oversight to show your duty of care, as Marcel had mentioned, and recognizing that cybersecurity is part of that duty. And understanding that that is one of the biggest risks that many corporations face today because in reality, there really is no business decision that doesn't have a cybersecurity implication of some sort. So, understanding that and incorporating that question asking into that oversight duty of the board is something that I'm excited about helping drive and so I've worked to either educate boards or participate on boards myself.

Luke Vander Linden: So I mean this will also help you to communicate to your own board I would imagine as well.

John Scrimsher: Very definitely. Yeah, I'm able to better understand what the, probably the background of some of the questions the board may bring to me. And I'm able to translate the IT language to them a lot better as well. Because I'm able to put it more into the risk in financial terms that they're used to looking at instead of the IT terms.

Luke Vander Linden: So, Marcel, looking at what now John and others like him who go through the program or who serve on boards, can bring to boards now, what do technology and security executives need to understand about the boardroom in order to be successful?

Marcel Bucsescu: Yeah, I think John hit on a number of those points. One, the breadth of the role, the breadth of issues that the board is thinking about, and the way they're approaching them, right? John mentioned that oversight role, it's a different role in that sense if you've, you know, if you're a board member, you're not solving issues per se, you're not, you're not managing, you're directing, you're overseeing, and so they do approach and think about issues in a different way and understanding that can be really important. Certainly if you want to serve on the board, but even when you're engaging with your board as John alluded to. I think the other thing to remember is that directors, some directors might be on one board, other directors may be on five, as John noted, though that might be a touchy subject for some directors, those in the governance space know the debate about overboarding. But these directors are, these days they're in your company or at your company more frequently, but they're not there day to day and so there is an information gap for them. You're going to need to do some reeducation, you're going to really think about how you're communicating information to them so it comes across clearly. I'm not talking about gaming the communication or anything, but really in a way that's effective so that it provides the important information for the board so the board can do its analysis, make its decisions, and that can be a real challenge and takes a lot of thought and care. That's why we see management spending so much time often thinking about what's presented, when, how, et cetera. And then the other one is, you know, you do have to help your directors learn this topic. There is a huge skills and knowledge gap here and it's an opportunity for your members, but it's also a big challenge and it's a very real one.

Luke Vander Linden: Well, I think that's, you know, because we wouldn't focus this part of this program on how to take someone who knows cybersecurity and educate them about the board, but that's a traffic point. What should board members know about cybersecurity? How deep do they need to go? John, I'm sure you had opinions about this where for all the boards that you've worked with in the past, so let's not be specific about Kontoor or any of your past employers, but now that you've gone through this program and from your experience communicating with boards, what do you wish board members knew about cybersecurity that would help their oversight over what you do?

John Scrimsher: I think the big thing is just what I've seen them do is keeping up with the news themselves of the types of risks that are happening out there. And asking questions about the type of metrics that are being reported and the effectiveness of the metrics and making sure that the CISO or the CIO or whoever's reporting those metrics can actually describe how they're addressing the risks that are being faced. One of the things I do to help educate the board is I always spend probably the first few minutes of the presentation on the headlines of the past quarter and how do those headlines impact this company or maybe our competitors or things like that, and what are we doing to address that, to give them that confidence that we are doing our job. Because they're, [inaudible], they're there for the oversight, we're there to do the job. And so my biggest role is to make sure that I'm addressing their concerns, avoid fear but I do avoid uncertainty and doubt. We want to make sure that we're giving them the right level of information and that they have, they're asking the right questions to remove that uncertainty as well so that they know that we are doing our job. So one of the best questions I've ever heard, I haven't done this myself, but I heard another CISO recommend it, is one of the best questions to ask your board as why they can help you, is to ask all the other executives when they're in executive session, what are you doing to help your security team? And so having the board start asking those questions makes them start thinking about what can they do about security as well. I talk about how to incorporate security in their daily lives, I use examples you know, one time I had a board member ask me about the quality of a certain metric, and I said well, it's kind of like locking your front door of your house, it's not going to guarantee nobody is going to break in, but it's something you still always check. And so just kind of getting them to start thinking in those terms of that cybersecurity is just like everything else they're doing. And then they can start asking those questions that relate it more to their life as well.

Luke Vander Linden: Right, it removes the technical aspect of it because it makes it more strategic. Marcel, in his city has done a lot of work on, and a lot of discussion about what boards should know about cybersecurity. Obviously you have a 30 thousand foot view, having access to a lot of boards and helping them out. What's your view on what directors should know about cybersecurity to be more successful?

Marcel Bucsescu: Some of, this is going to sound overly simplistic, right, but there's sort of a, nobody just wants to do the bare minimum, that's not why they're serving on boards. But the bare minimum in many ways is much the same as any other risk management exercise they take at the board level, right? They work with management to ensure there's a process in place, and then they monitor that and make adjustments on an ongoing basis. Like that's the floor, pretty low hanging fruit there. I mean after that, I think that one of the interesting kind of areas of study that's emerging, and this is where I think organizations like yours and other ISACs can be really impactful, is when you talk about those directors that serve on multiple boards, you start to see a lot of sharing across organizations to address some of these emerging issues. And so I think directors being aware, as John said, of you know, what are some of the latest trends emerging, threats, et cetera. Not, and directors aren't prone to sort of hysterics so they're not going to read a news thing hopefully and call up the CISO and be like, what are we doing to do this, right? That's not it, but thinking about the trends, they're making the connections, they're thinking about how they can take a learning from one board and perhaps explore it on another company and vice versa. They're playing that role like they would on any business issue, and ensuring that you know, we're seeing as broad a picture as we can, and then also making sure they're listening to the CISO, that they have access to them, that that individual has the resources they need to be effective. Right? This is as much resource allocation as risk management. And so, helping be that role that can connect it from the various different perspectives and aspects is really critical.

Luke Vander Linden: So I guess let's think about next steps. John, what advice would you give people who are thinking about this program or thinking about board service, or maybe they haven't thought about it but now they're listening and they are thinking about it.

John Scrimsher: Well I would definitely encourage you to think about the program. That the biggest advice I have is, once again, just networking. And networking with other business leaders outside of IT and security. And understand what the business challenges are either in your direct business or maybe in your social circle, you know, know other CEOs or CFOs or COOs, and understand what are the types of things that they're thinking about. You don't need to understand their, you know, their roles completely, but just understanding what types of things they're thinking about and how you can incorporate those into your own thought process. So that's, starting to get that thought pattern is really what's going to probably help you the most as you go through the process.

Luke Vander Linden: Excellent. And Marcel, any advice for John now that he's completed the certification part of the program, what are his next steps for maybe potentially even getting invited to be on a board?

Marcel Bucsescu: Well, you know, I think John actually raised very early in this conversation one of the key one, and he said it again, which is reach out to folks you know, talk to them, you know, find a sponsor or mentor, someone that can bring you along. I heard a saying once that stuck with me, when you're looking for a board, it's not who you know, it's who knows you at the right time. Board seats come up relatively infrequently, it's a long process, it requires patience, it requires a lot of self-awareness about you know, having as John suggested, reflecting on what type of a role you want to, what type of a board you want to serve on, what you bring to that beyond just your technical expertise, by the way, right, that broader business experience and view. And take advantage of many resources out there, like NACD and others, and your network, because it takes a real commitment and focus to get there but it's very rewarding if you want to do this and you follow it through, it's very rewarding once you get there.

Luke Vander Linden: Excellent, well Marcel Bucsescu, from NACD, and John Scrimsher from Kontoor Brands, thank you both for joining us on the RH-ISAC podcast. Given us a lot to think about and congratulations again, John, for your completion of the certification. By the way, we just launched our second cohort to go through the NACD Accelerated Program. There's still time to be a part of it though, and we will be bringing in new participants pretty much on a rolling basis for the foreseeable future. So if you're interested, and if you're an RH-ISAC member, please shoot me an email or find me on Slack or Member Exchange. I'll send you an application or we can set up a call to give you more information.

[ Music ]

Alright, now I'm happy to be joined by the RH-ISAC's own Ian Furr, who's a security integrations engineer for us. Welcome to the RH-ISAC podcast, Ian.

Ian Furr: Hey everybody, thanks for having me Luke.

Luke Vander Linden: So, many of our members have met you or work with you in setting up their tools to work better with ours, specifically our cyber threat intelligence tools, and data, so why don't you explain better than I can, your role here at the RH-ISAC.

Ian Furr: For sure, yeah. So like Luke mentioned, I am the security integrations engineer here at the RH-ISAC, so it's my job to help our members consume the threat intelligence that is shared within the RH-ISAC community. So when somebody shares something in any of our platforms, it's my job to one, help them get that information into whatever platforms that we're using right now that is [inaudible], so getting them to share that information in a way that's consumable and easy to share [inaudible], and then on the reverse side of that, once that's been published into our [inaudible] and processed by our analysts, to assist our members in consuming that intel into whatever tools they have in their tool stack, via their antivirus or EDR, or their network tools like a firewall, or even into their seams for alerting and analysis and things like that.

Luke Vander Linden: That's great, because sharing is why we exist and so we need to facilitate that and make it as seamless as possible. So, before you came to the RH-ISAC, what did you do professionally?

Ian Furr: Yeah, so before I was at the ISAC, I was a penetration tester with a specialization in purple teams, so my role really helped tie together red teams and blue teams so that we could one establish that dialog between them, and ensure that thing son one half of the team's radar would make it over to the other side, so that everybody could [inaudible] it.

Luke Vander Linden: That's great, well we're very happy that you're with us now. You and I are on calls often together, because we're onboarding or checking in with members and helping make that introduction to what you talked about earlier. One of my favorite memories of you, which is just a couple months ago, we had a call scheduled, we used Teams, so we're on video, and when you came on, your camera turned on, you were in the middle of a field. What was going on there?

Ian Furr: Yeah, so here at the ISAC, we've been very accommodating of me and my volunteerism we'll say, and that day I happened to be at an exercise for ITDRC, the Information Technology Disaster Research Center. So I've been volunteering with them for a little over two years now. I started out as a regular tech and now I am the deputy director for all of FEMA's Region 3, which is most of the mid-Atlantic states, Pennsylvania, Maryland, Delaware, Virginia, West Virginia, DC. Yeah, that's all six. So, I oversee a lot of the operations in that area. To backtrack a little bit, I can talk about what ITDRC is because I kind of skipped over that.

Luke Vander Linden: Please, yes. I was just about to ask.

Ian Furr: So it's the Information Technology Disaster Resource Center, they are a nonprofit that provides no cost technology solutions to communities in need. The most common instances you'll see them if you are for whatever reason, in a disaster area like something like Hurricane Ian, they sent people and technology assets down there to help get those communities back online. So, when a disaster comes through and impacts an area's technology, that really impedes recovery efforts because we use technology for everything now. For tracking the forms you need to send to FEMA to get reimbursements, or insurance payouts, to the computer aided dispatch that police and fire and EMS services use. And in disaster areas, technology's one of the first things to go down and one of the harder things to bring back up, because you lose a lot of the infrastructure and one of the things we try and do is bring as much of that in as we can. So, we have communications technology, we have radios, we have laptops that we'll bring in, wi-fi to set up at survivor centers, and things like that.

Luke Vander Linden: Right, just to enable communication from a personal and professional level for all those that need it. So, when you're in that field, you were with that organization, I assume this was a practice of some kind, or?

Ian Furr: Yeah, so as the deputy director of Region 3, I oversee a lot of the events and deal with some of the more haphazard ones, which is what this ended up being, just because of the way it was coordinated. But this was a search and rescue exercise with the Frederick County Sheriff's Office. So, they have a search and rescue team, as a lot of sheriff's departments do, and part of that is they need to participate in practice exercises every once in a while to maintain their certifications. And this is what one of those was. We went out to Camp Rock Enon, in the western part of Virginia, right on the West Virginia border and set up a search and rescue exercise so they stuck clues that marked someone's path through the woods and set up a scenario where a person was gone missing and they have to find and recover them. Part of the dependencies for that we'll say, is some tools that the sheriff's office uses to track and follow those clues on that path, which require internet access. And that's what my job out there was, was to provide internet access for those tools, but also for the drone operators there. So, in the background of some of my video on one of the later calls that day, you could see a drone taking off and hovering right outside my car, which was my office for the day before it took off and flew out to go and try and get some imagery of where they thought that missing person might be.

Luke Vander Linden: Wow, that's really awesome. So have, you know, not a lot of hurricanes hit the mid-Atlantic, but where have you been deployed, or where have you had to use you know, everything that you're rehearsing for?

Ian Furr: Yeah, so I've been deployed a couple times. The first one was when I was still living up in New York, we did an exercise in Taughannock State Park over Taughannock Falls and we shot wi-fi across the gorge there, just to simulate things and to get us used to using some of the equipment. So, we set up some point to point stuff and shot it across the falls and it was a really beautiful day, until it poured on us.

Luke Vander Linden: You get to go to some beautiful parts of the country.

Ian Furr: Yeah, second one was a deployment to Fort Dix, New Jersey. This was back in September of '21, we had a large number of Afghan refugees coming over, this was right after we had pulled out of Afghanistan, and we were setting up wi-fi so that the people that we're coming over could get online and talk to their families. Because they were living in an area that they were still setting up on base, they were starting in these giant tents that had power, but they didn't have much in terms of wi-fi or sailor access because they were one, using SIM cards from a different country, and those don't always transfer, but they were in the middle of a field in the middle of a military base, so cell service and wi-fi were very spotty. So we came in and set some of that up, that way they could talk to their families. But one of the most rewarding things coming out of that was we were setting up wi-fi near a bunch of the kids that were going through a school lesson, because they had been here for a couple weeks at this point and by the time we had gotten cleared to go in, they had gotten classes set up just so that they could learn just basic conversational English. And we were setting it up and as we were setting it up, a bunch of kids were like, looking over to us and trying to figure out what was going on, because we were wearing different shirts than everybody else. And through the language barrier we were trying to tell them what we were doing and it wasn't really sticking until we said wi-fi. And as soon as that happened, a bunch of the other kids heads whipped around and you could see a bunch of their faces just light up.

Luke Vander Linden: No matter where you are in the world, wi-fi, common understanding. And I will say, I can probably having two kids myself, they will understand that and no matter where you are, that's amazing. So, how did you get started with this organization? How'd you find out about them and how'd you get involved.

Ian Furr: Yeah, I saw a TikTok of all things, back in 2020 I think, that talked about one of the volunteers at [inaudible] networks on TikTok and a bunch of the other social medias, and she was talking about how you can get involved and how you can join up, and I said, wow, that sounds really cool. I've always been a person that loves volunteering. It's been a big part of my life ever since I was a kid in scouts and I was like well, right now I'm not really doing much, it's the pandemic, I've got a real-life adult job now, and haven't really settled into anything volunteer wise, so this sounds like a great opportunity for me to volunteer. But also, use the technology skills I have. So, I went online to the website, ITDRC.org, found the volunteer signup form on there and figured well, why not? I'll toss my hat in the ring. Did that, a couple weeks later started getting approvals and stuff like that, so I joined up and now it's a couple years later and I'm part of our leadership team.

Luke Vander Linden: That's awesome. So, this isn't the only group you work with though, is that right? Because I remember a couple months ago you were also working at the World Games.

Ian Furr: Yes, that was the same group. So, yeah, we deployed down there to assist the Jefferson County 911. They had a need for some land mobile radios that would work with their system. And also, support running a backup emergency operations center.

Luke Vander Linden: Great, but do you work with other organizations, or is this your primary outlet?

Ian Furr: So I'm current involved with two groups mainly, ITDRC is the first one, but I'm also involved with the Fairfax County Fire and Rescue Department. Yeah, so I'm still in the training phase right now, but depending on when this releases in August, which might be next month, I'll be starting EMT school so I'm going to go through that and join up as an EMT with the volunteers there and then hopefully next year go through firefighter school and do that as well.

Luke Vander Linden: Wow, excellent. So you clearly have, you mentioned the scouts, you clearly have a history of volunteering from an early age. So, but it's so great that you're able to use your professional skills now to help where you can.

Ian Furr: Yeah, being a part of ITDRC has been amazing, and even just those one-off experiences like with the Afghan refugees and getting to help those kids, just, it really brightens up.

Luke Vander Linden: Yeah, what an impactful story. I mean that's amazing. How were there other ways has it impacted you, volunteering?

Ian Furr: So I haven't only deployed out in the field, I've also done some remote response stuff, be it supporting some of the wildfires or recent tornadoes and things like that, that have come through and getting to see the stories in these communities of how impactful what we take for granted, even minor technology solutions are, in a disaster area it's huge. because it can be life-changing for somebody if they're able to get back online and talk to their family and, I mean in a disaster area, you lose cell coverage and you can't talk to them anymore. So just letting them know that you're okay, is huge.

Luke Vander Linden: Right, right. Just reporting in. Other than when you're deployed or if there's an emergency, because obviously you can't predict that, what's the time commitment like for kind of the normal weeks or months with this group?

Ian Furr: So for me, because I'm on the leadership team, we have some regularly occurring meetings and status updates, things like that. But for your average volunteer, it's as much as you want to get involved. We're launching some new initiatives now with our remote response team and some type of situational monitoring people, so that we can get ahead of incidents before they happen and get ingrained in those communities to pre-stage resources but also to get our names out there so that people know, hey, we're here to help. And that stuff is hugely impactful and a pretty minimal commitment. It's going in, getting your training done with ITDRC--

Luke Vander Linden: Rolls off the tongue.

Ian Furr: Yeah, yeah. Everything I do is acronyms nowadays. But getting that training in and getting deployable and then after that, unless you're going out to deploy, it could be maybe a couple hours a month just to get to know the local emergency community or the local volunteer organizations that are active and say hey, we're here to help. Let us know if you need us, this is what we can do and this is how we can do it. And that's something that any of our volunteers from somebody that's gone out and put a couple hours in to somebody all the way up in leadership team can do.

Luke Vander Linden: That's really good, I'm really glad that the RH-ISAC is allowing you to do that and take some time, because honestly, selfishly, it did help set your skillset, it helps out your leadership skills, and you're able to do good for the world around you. Is there a need, obviously many of our listeners, many of our members, have skills that could be helpful in this arena. Is there a need for more volunteers, both obviously in your zone but also nationwide?

Ian Furr: Absolutely, yeah. So right now we're sitting at about 36-3700 volunteers, and we're always looking to push the number up. More volunteers means more people might be able to respond, means more companies have us in their minds, which means that maybe we can stir up a couple of additional donations and things like that. So no matter where you are or what you do, ITDRC can use your help. Just a couple weeks ago we had a call for people to go out and climb towers in Guam, because they got hit by a typhoon, and we're still working out some of the details on that one, so people might go, people might not. But we use everybody from people that climb towers to people that set up firewalls and routers, to people that want to handle the logistics and admin side of things. It takes a lot to coordinate flying volunteers all over the globe to writing grants, to apply to get funding or materials donated or wrangling all those materials to begin with. So no matter what the skillset, ITDRC can use you for sure.

Luke Vander Linden: So how if anybody who's listening is interested in helping out, how should they proceed? Should they contact your or is there a website they can go to or what's the process?

Ian Furr: If they want to, they're more than welcome to contact me and I can definitely give you a good reference, but the easiest way to do it is to go to ITDRC.org.

Luke Vander Linden: Alright, say the acronym slower. I--

Ian Furr: ITDRC.org.

Luke Vander Linden: Okay.

Ian Furr: And click on the volunteer tab at the top and it'll pop up a little form that you can just put in your details and once you do that, you'll get an email that says hey, thanks for signing up, this is what your next steps will be and it involves a little bit of training and just kind of getting to know ITDRC as an org and then from there you're [inaudible] and excited to see you in the field.

Luke Vander Linden: That's so cool. And if someone wants to get in contact with you about automating their ingestion or sharing of CTI, what's the best way to go about that?

Ian Furr: Yeah, you can find me on the RH-ISAC Slack, I'm always online there. And if not, you can shoot me an email at ian.furr@rhisac.org.

Luke Vander Linden: Excellent. Ian, thanks very much for joining us. Good to see you in this context, and I'm sure I'll see you again soon with a call with one of our members.

Ian Furr: Absolutely. Thanks for having me, Luke.

[ Music ]

Luke Vander Linden: Alright, and now I'm joined by Bidemi Ologunde, or Bid, who you told us we could call you, intel analyst at Expedia Group, welcome to the podcast.

Bidemi Ologunde: Thank you, thank you so much, Luke, for having me.

Luke Vander Linden: Now I happen to know that you're no stranger to podcasts. You have your own podcast, so tell us about that.

Bidemi Ologunde: Yes, so thanks very much, once again. My name is Bidemi, I also go by Bid, as a lot of people know, and that dovetails into the name of my podcast actually, so it's called the Bid Picture. And on the Bid Picture I talk about cybersecurity, intelligence, analysis, the daily implications of cybersecurity. So my audience ranges from executives to parents, grandparents, to basically something for everybody. So, that's what I talk about on the Bid Picture podcast.

Luke Vander Linden: Well a lot of people come on this podcast and they say that they've never been on a podcast before and so to be gentle with them. But you're experienced, so we're going to expect a lot of great things from you over the next couple of minutes. So, welcome again. So tell us a little bit about your background. You're in cybersecurity, you work at Expedia Group. How did you begin your career in cybersecurity and how did you get to where you are now?

Bidemi Ologunde: Thank you, thank you. So to start off, I just wanted to a little caveat before I say anything further, the opinions and perspectives I'm going to be sharing on this podcast are mine alone and do not reflect opinions or perspectives of Expedia Group. So to jump into the question, I started in cybersecurity about 15-20 years ago. So back in Nigeria, where I'm originally from, I started electrical engineering for my undergraduate degree. My research and focus back then was wireless network security. So that is a good transition into the network aspect of cybersecurity, network security, making sure [inaudible] firewalls and everything is well secure. So gradually when I finished my graduate school here in the U.S., I was able to just transition naturally, like I said, into cybersecurity, incident response, [inaudible] operations, a little bit of forensics, and threat intelligence, in the latter part of my career so far. Yeah, so that's, I would say I took an academic route into cybersecurity.

Luke Vander Linden: Right, because not everybody does that. Have you, how long have you been at Expedia and tell us a little bit about your role there.

Bidemi Ologunde: So about a year so far at Expedia, basically what my job entails is making sure that all the security teams have the tools and the perspective context they need. So whatever threats we're seeing out there, how would it affect us internally. So, that's my role as an intelligence analyst. So, I basically advise all the security teams and it's a two-way communication. So what they are seeing, I provide context, what I'm seeing, they give me context regarding that. So that's kind of my nature of my role as an intelligence analyst.

Luke Vander Linden: So what do you, what do you see as the biggest challenges right now? Not only, I guess you could tell us also, your personal challenges in the role, but also the challenges that you and your team face, what do you see it out there?

Bidemi Ologunde: So our first challenge is we've all seen the rise of artificial intelligence and how everybody is developing and deploying AI tools. Incidentally the threat actors, all the bad guys out there, they're also using these same tools to be able to fine tune their processes, their attack vectors to be able to get into networks and devices easy. So the challenges I see is being able to stay one step ahead of these threat actors, being able to think like them, being able to I would say, predict how they would use the same tools we are using to defend, how will they use these same tools to attack. So, that is the cat and mouse game that is basically defined for my role on a daily basis. So ChatGPT came out about November last year, everyone has been using it in every industry. Of course these threat actors are using it to compose phishing emails, so now we see phishing emails that don't have grammatical errors. That is something that keeps people like me up at night. So--

Luke Vander Linden: Right, it used to be so easy for many of us, most of us to tell a phishing email and now it's really much more difficult. So, that's a fairly new tool, obviously it's incredibly powerful, it's going to be something that is going to be used by everybody for good and bad. What other tools have you seen like that, that are also used for good and bad that you've had to deal with in your career?

Bidemi Ologunde: So, so far social engineering, which I would say phishing and social engineering kind of go hand in hand because what's social engineering? It's basically trying to get someone, manipulate someone or convince someone, to do something they would rather not do. Phishing is a good example of that. Another way social engineering is being carried out is now a lot of people use social media to share details of their lives online. The kid is doing, is having some sort of graduation party, they post it on Facebook, they travel on vacation, they post pictures of themselves on vacation. That is all well and good because it brings people closer, however, thinking again like the bad guy, I'm using all these social media posts to gather as much detail as I can about my target. Whether it's an executive, whether it's the lowest level employee, and I look at it [inaudible], people go on LinkedIn for example, to post pictures of their badge, to say oh, this is my first day at this company, I was fortunate enough to get a job [inaudible], here I am starting my first job. The picture of that badge is a security risk, because now I know what your badge looks like and I can go ahead and make a fake copy and get into any of your locations anywhere in the country. So, social media is one example of something that is intentioned well but then of course the way these guys think, these bad guys think, they can basically use it to mop up data about individuals and organizations. We've seen the way they use social media to get data about vendors to then get into a large organization. So that happens all the time.

Luke Vander Linden: Yeah, what, let's talk about that. I'm glad you brought up vendors because regular listeners of the podcast know I love to talk about third-party risk. But in your industry, you are a vendor, Expedia is a vendor, you deal with a lot of our other members, which are hotel properties. You also work with a lot of consumers directly. And you have a multitude, thousands possibly of additional vendors. So, how do you figure that out and how do you protect all of those inputs into what you're trying to defend?

Bidemi Ologunde: Right, right. So let's take a step back and look at this concept from a holistic part of you. So take for example, an [inaudible] for example, that you mentioned Expedia, all these data points that touch Expedia from outside. We can control our own data but then of course if like, just like with social media, you can't control what someone is going to do with your picture that you post on social media unless of course you have your [inaudible] set to private. So the best an organization can do, not just even Expedia, any organization, whether you're dealing with an AC, an HVAC company, or you are dealing with a company that is handling your tax information, or you're dealing with whoever else you're dealing with, credit card companies, and so on, the best you can do is to make sure that they have contracts in place to make sure that you guys handle your data effectively, we are going to handle our data effectively, so that nobody is calling each one another about 2:00 am. Because the best you can do is just, just like you wouldn't leave your front door open. You wouldn't park your car in the driveway and just leave your door open. You would lock your door, lock your car door, and go to bed at night hoping that no one's going to come mess with your property. The same way companies should make sure that everybody they're doing business with should make sure they have their data locked down. And all the customer detail locked down. Because it's easy for one person's data to serve as a jumping point into another person's data. So that's the best analogy I can come up with here.

Luke Vander Linden: It's a great analogy and frankly, I have a number of friends who leave their doors unlocked and their cars unlocked at night, but they're also the same people who are probably reusing their passwords, so you know, it's consistent whether you're talking physical or cyber. So there seems to be a threat in a lot of what you're saying, social engineering, human beings trying to engineer your way into their lives. Certainly social media is great because you know, you don't have to do research for these kinds of targeted attacks anymore, you just have to go to one site and everybody's just giving you everything you need to know. Over the course of your career, have you seen a big change in the way that bad actors operate, or is it always, let's take a technology that has been developed for good, well-intentioned as you said, and figure out a way to make it bad, whatever it is, the flavor of the month.

Bidemi Ologunde: Right, actually there is a mix of everything. And threat actors are very enterprising, this is one of my favorite words. They would look for the easiest way to accomplish the most, I guess for them, the most good. Which for us is the most bad. If, for example, someone reuses your password, my Gmail password for example, if it's the same password I use on some gaming websites that I just forget about and I'm using the same password. So Gmail is quite secure, it's difficult to you know, go hack Gmail. But then if someone lays their hand on that my password from that gaming website that I don't pay attention to, then they try that same password on thousands of websites. There is software to do that. And all they need to do is just find one hit. Maybe it's from my Gmail, maybe it's from my Costco account, maybe it's from my Target account. Now they are inside. So that's an example of using barest minimum effort to accomplish the most damage. Another thing threat actors do like I said, is going into social media and then just looking at people's profiles and seeing okay, this is this person's high school, the name of the high school mascot is whatever, Teddy the Bear, and then this person's mother's maiden name is this because there is this event, family reunion they attended, and they took pictures and they see the banner from the family reunion, and again the mother's maiden name, and then on and on and on. So there's different methods, these threat actors use to just achieve the most bad with the least amount of effort. Another example I gave earlier was people posting pictures of their badge, work badge on LinkedIn. That is something for people to rejoice with and people say congratulations, but I'm looking at that picture differently. I'm not saying congratulations because there's nothing for me to congratulate you about, I'm trying to get into your company's network. Now I have an inside. So there's all, and it keeps evolving basically.

Luke Vander Linden: Well, you know, I can go back to the door analogy that if someone really wants to get into your house and the door is locked, they can probably still get in. But they want the least amount of effort, right? So this makes it a little difficult for them, maybe it'll stop them and probably that's true of most threat actors in cybersecurity as well.

Bidemi Ologunde: Yeah, yeah. Something I think it was one of the FBI directors or someone high up in the FBI said this statement that if someone wants to get into your network, having the best security will probably delay them. If they're really determined, they would find a way into the networks. So, if you reuse your passwords, you're making it easy. If you have two-factor authentication, you're making it not easy, but then there's so many other ways someone can get into your network, into your account, and so on.

Luke Vander Linden: Right, they'll keep trying. You sound very passionate about what you do. I think you like it a lot just from talking to you for the last 10 minutes. What advice would you give someone who's considering going into cybersecurity, whether the academic route, like you did, or on their own, maybe career switching. What's the best way for someone to break in or develop the passion like you have?

Bidemi Ologunde: Thanks for that compliment. And it's something I keep getting this from all kinds of people; my parents, my wife, even my son, who is 4 years old, keep saying, Daddy, I want to talk into the microphone. I'm like oh, okay. But the best advice I would give is find something you're passionate about and go all in. Which is something I would do for myself. When I say go all in, I mean every opportunity for you to learn, embrace it. Whether it's free resources on YouTube, free resources on LinkedIn Learning, or whatever website is out there, I don't know all the websites, whether it's just one on one meetups, or look at events, or look outside of a security [inaudible], or even podcasts like this one that we're on right now. Every opportunity you can to learn about this field. This cybersecurity field. It's multifaceted. There is not just one aspect of cybersecurity. I tell a look of the people I'm mentoring that whether you coming from the medical field, whether you're coming from a legal background, whether you're coming from even carpentry, which a lot of [inaudible] fun. You have the skills to pivot into cybersecurity. And it goes way beyond just even being curious and wanting to learn. It goes beyond having this end goal in mind that I want to be able to make whatever impact in my little community or I want to be able to host events at my local public library to tell kids about cybersecurity. I want to be able to address family members of mine about the benefits of having different passwords. I want to be able to impact my friends who just post anyhow on social media, and telling them that they need to look-- they need to look-- what'd he write, sis? That is your why. Which is a cliché by now, find your why. I would say, that would make going all in easier because there's going to be ups and downs, there's going to be times when you question what am I doing exactly. That why, that assets with your why is what keeps you going.

Luke Vander Linden: Right, you can always go back to it. You know, it's interesting in all the kind of threats that we were talking about in the first half of us talking, you didn't mention a lot of technical things. So social engineering, it was things that are fairly common, like MFA and changing your passwords, and in all those careers that you said that you see people pivot to cybersecurity, not all of them are technical either. Your background happens to be technical but so there's definitely room for the non-technical folks in cybersecurity.

Bidemi Ologunde: Yes. Yes, and like I said, it's not even-- people think cybersecurity is only for nerds the wear glasses and spend hours on the internet or hours on the computer in the dark basement drinking Red Bull and--

Luke Vander Linden: No. By the way, that certainly exists. That certainly exists. But it's not everyone.

Bidemi Ologunde: Right. I tell lot of my friends and family members that there are hackers who wear military uniforms. There are hackers who wear suits and ties. There are hackers who wear sweatshirts and sweatpants, there's all types of people you'll find in cybersecurity, and on the good side, there are good guys who wear all those different outfits I mentioned earlier. You don't need a technical background only to be successful in cybersecurity.

Luke Vander Linden: So Expedia is a fairly new member of the RH-ISAC, you're fairly new at Expedia. Is this your first experience with retail and hospitality ISAC or any ISAC in your career.

Bidemi Ologunde: So this is my first experience with ISACs but this is my first experience with the RH-ISAC. So, like you mentioned, I studied at Expedia, I just say about a year ago, I find ISACs in general a good way to just collaborate and learn. I'm always active in my previous roles I was a member of the FS-ISAC for national services ISAC before, I was always active on those, because I see it as an extension of my curiosity, I get curious about all kinds of things and then I just go on ISAC and the Slack channels and whatever platforms the ISAC is using. And then I just, you know, collaborate and ask questions if there's a question I can answer, I answer, and the best part of ISACs for me personally is that the fact that there exists guidelines that basically shapes information sharing. So, it's not a you just go and you're spilling all your company secret, no, there is guidelines both internally and then each company has the way they engage on ISAC and then the RH-ISAC itself and all the previous ISACs I have worked in, there are guidelines. You can't just come and post these TLPs, and traffic light protocols, amber, and there's red, and there's white, and green, so [inaudible] remains, okay, you guys can you know, share this with everyone else. It's open source, yeah. Amber is more guarded, red is even more guarded and strict, and those guidelines is what I find very, very helpful because me personally, I wouldn't want my company's information to just be exposed. If it's on, if sharing platform, not to mention just exposed on the [inaudible] anyhow. So the fact that those guidelines are in place, and everyone sticks with the guidelines, is a big plus for me.

Luke Vander Linden: Well that's fundamental to creating a trusted environment so that you know you're not just spilling your company secrets out there and they could get out there in the wild. So what do you find yourself using most in the membership? You talked about the sharing platforms, and protecting what people share, are you mainly looking at cyber threat intelligence, are you involved in any of the working groups? Just love a little feedback.

Bidemi Ologunde: Yeah so, I'm involved in the dark web working group. We meet every other Friday, fairly active on there. Of course I, every other working groups I see in the general channels, I try to join, just to get a feel of what's going on there. Like I said, I'm a fundamentally curious person. I like research, I like the investigation, I just like to know things. My wife will tell you I like to know things so much that it gets me in trouble sometimes. But that's another podcast to tell. So just--

Luke Vander Linden: Yeah, save that for your podcast.

Bidemi Ologunde: Got it, got it. So just being curious, try to, if I see a working group [inaudible] of, I look at my work calendar, if time allows then I just pop in, I stay quiet, I stay muted, and then I listen to what's going on and it's just an opportunity for me to learn more basically.

Luke Vander Linden: Excellent, that's great. So, I often ask my guests to predict the future. To pull out your crystal ball and say tell me where cybersecurity is going, you can focus on any aspect of it you like. The good guys, the bad guys, just in general, regulations, whatever you've prognosticated in the past. What's happening in the future?

Bidemi Ologunde: So I think with the rise of AI, we're going to see a lot more new, not exactly new ways of attacks and threat vectors but just new methods, for example, phishing like I said earlier, now phishing emails are going to be harder to detect because it's going to look just like a regular email that a particular company sends. Because it's possible to develop some fancy tool that says, write an email that would look like how [inaudible] employees communicate with each other. Maybe that exists already, maybe not. I don't know. But it's not too farfetched to predict that. Another thing is socialize [inaudible], we see social media becomes increasingly embedded in society which leaves room for socialized variants to become less detectable. And something else to pay attention to is the fact that remote work was kind of like an experiment, now it's everyone is trying to go back to the office, we might see some companies still keeping remote work as a fundamental part of their own culture. Many phishing emails come up regarding that kind of setup, maybe HR related phishing emails saying, we have this position, it's fully remote, a lot of people want to do fully remote work. And the whole thing is bogus, just to be able to capture your data through your resume. People are going to be desperate enough to not [inaudible] an email before sending a resume simply because the job is claiming to be fully remote. So that's just one thing to pay attention to.

Luke Vander Linden: Right, excellent. Well this is great. Bid, I really want to thank you for joining us on the RH-ISAC podcast, this has been a great conversation. And keep doing your podcast as well, there's room for all of us up there and keep sharing and contributing to our community. It's been great talking to you and great seeing you out there on sharing platforms.

Bidemi Ologunde: Thanks, Luke, thanks for having me.

[ Music ]

Luke Vander Linden: A huge thank you to all of my guests today. John Scrimsher from Kontoor Brands and Marcel Bucsescu from the National Association of Corporate Directors. Once again, if you're interested in the Accelerate Program from the NACD, and you're an RH-ISAC member, you can be in the next cohort of participants. Just shoot me an email or find me on Slack, or Member Exchange. I'll send you an application, we can set up a call to discuss the details. Also, thank you to Bid Ologunde from Expedia, and my colleague at the RH-ISAC, Ian Furr, for being on the podcast as well. Please let us know what's on your mind. Our email is podcast@rhisac.org. As always, thank you to the people who try to make me sound good, to the RH-ISAC Annie Chambliss and Marisa Troscianecki, and from the CyberWire, Jennifer Eiben, Tre Hester, and Elliot Peltzman. Thanks for listening and stay safe out there.

[ Music ]