Episode 48

Transitioning from Physical to Cyber Protection | Shaun Southall

People often talk about upskilling from a physical security role to becoming a cyber or converged security specialist. But what does that really mean?  

On this episode of the podcast, we speak with Shaun Southall, an operator that has expertly and effectively converged the two worlds of physical and cyber together as a working security specialist.

Join us this week as we talk about: 

  • Shaun’s asymmetric career journey into cyber security.
  • How the ‘uninitiated,’ physical security specialist can augment their skills.
  • What steps to take and what to avoid when breaking into the field.
  • The single biggest mindset shift that will determine your success. 

As we say here, knowledge is power and, in our industry, “what you don’t know can hurt you.” So, tune in and get skilled up with our latest expert sharing his tricks of the trade and gems of experience!

 

More about Shaun:

Shaun is a Cyber Security Oversight Specialist for the Civil Aviation Authority, with almost twenty years of experience, a plethora of certifications, and an ambitious hashtag - #cisoby60! He holds a Level 6 diploma in Security Risk Management and an itch for formal self-improvement that has led to becoming an ISO 27001 Lead Implementer and gaining audit experience through voluntary work, before embarking on four ISACA certifications – CISM, CRISC, CDPSE and COBIT Foundation – in just four months.

He is heavily influenced by Doug Hubbard, Alexei Sidorenko and Norman Marks and is driven to shift the mentality from ‘red amber green and five by fives’ to a holistic appreciation of risk that considers the complexity of the threat landscape. Shaun is also a regular presenter at ASIS CPE events, promoting risk quantification and ‘debiasing the human’, an active member of SIRA, FAIR and ISACA London Chapter, is a proud to be part of an organisation tasked with maintaining the safety and security of aviation in the UK.

Linkedin

More about the Circuit:

The Circuit Magazine is written and produced by volunteers, most of who are operationally active, working full time in the security industry. The magazine is a product of their combined passion and desire to give something back to the industry. By subscribing to the magazine you are helping to keep it going into the future. Find out more >

If you liked this podcast, we have an accompanying weekly newsletter called 'On the Circuit' where we take a deeper dive into the wider industry. Opt in here >


The Circuit team is:

  • Elijah Shaw
  • Jon Moss
  • Shaun West
  • Phelim Rowe


Connect with Us: 

Circuit Magazine

BBA Connect

NABA Protector

British Bodyguard Association

Transcript
Shaun Southall:

If you're a security manager and you're managing as a security

Shaun Southall:

function, you still have to understand some of the fundamental concepts.

Shaun Southall:

So however it is that you learn, whether it's audio books, mentorships,

Shaun Southall:

certifications, or doing capture the flags, all of them help.

Intro:

welcome to the Circuit.

Intro:

Magazine.

Intro:

The number one source for information on protection matters.

Intro:

The industry leading magazine for all security professionals who

Intro:

want to stay ahead of the game.

Phelim:

People

Phelim:

often talk about upskilling from a physical to eight cyber or

Phelim:

converged security specialist.

Phelim:

But what does it really mean?

Phelim:

We are here with Sean south hall, the one and only converged security specialist.

Phelim:

And we are going to look this in a bit more detail.

Phelim:

It's a pleasure to have you on Sean.

Phelim:

How are you doing?

Shaun Southall:

Thank you very much.

Shaun Southall:

Pleasure to be here and thanks for having me.

Shaun Southall:

No, no, my

Phelim:

pleasure.

Phelim:

My pleasure.

Phelim:

It's great to have you on.

Phelim:

And I know you've spoken at several of my other ones.

Phelim:

Great to recently, uh, catch up in person.

Phelim:

Um, but, but let's, let's get into it with our three quick fire

Phelim:

questions and grapple with this topic.

Phelim:

Um, what's the problem with the industry as, as, as a sort of stance in relation

Phelim:

to being both proficient in physical.

Phelim:

Quote, unquote, cyber

Shaun Southall:

security doing an answer.

Shaun Southall:

One problem is difficult because there's so many, one of the major

Shaun Southall:

problems is that we see it in a siloed way that we are still talking

Shaun Southall:

about physical and information security as separate disciplines.

Shaun Southall:

What I found.

Shaun Southall:

And from my perspective, my journey from physical into InfoSec was

Shaun Southall:

simply by virtue of physical security becoming part of the attack surface.

Shaun Southall:

So I had to up-skill inside of the security and understand some of the

Shaun Southall:

fundamental concepts in order to be good at my job in physical security, because.

Shaun Southall:

Uh, I was part of that attack surface, uh, that could, could, could be attacked.

Shaun Southall:

So it was natural for me to want to up-skill in that area.

Shaun Southall:

I think one of the things you have to have is the motivation and the

Shaun Southall:

interests to be able to do it.

Shaun Southall:

And.

Shaun Southall:

From when I was about seven or eight years old, that was coding and basic back then.

Shaun Southall:

And that's not visual basic.

Shaun Southall:

That's the first basic like Sinclair basic forever for the listeners

Shaun Southall:

who are as old as we are the yeah.

Shaun Southall:

Having.

Shaun Southall:

I should, and then having that interest is part of it.

Shaun Southall:

I mean, you don't need it, but it definitely helps.

Shaun Southall:

So yeah, it, it kind of, uh, smooth the pathway a little bit to then

Shaun Southall:

develop my interests further and then take that understanding further

Shaun Southall:

and, and make it valuable to my job.

Shaun Southall:

And of course now it's kind of pivoted into a career.

Phelim:

I like that.

Phelim:

So, so, so, so you know, and you mentioned basic, I played around with

Phelim:

Q basic, quick, basic, not the same as, not the same as you want to see, you

Phelim:

know, not as the last years of course.

Phelim:

Um, but, but, but your, your, your, your own, your own career,

Phelim:

you know, what about you, right?

Phelim:

You you've mentioned your childhood experimentation with,

Phelim:

you know, programming and coding.

Phelim:

Um, where's your passion for both sides of the house really come from

Phelim:

how, you know, it seems to me that you would have been more logical for

Phelim:

you to start off in insufficient.

Shaun Southall:

Maybe, yeah, I kind of fell into physical security by accident.

Shaun Southall:

So the, there was no real passion there and physical security.

Shaun Southall:

It was, I actually saw my career becoming a translator, so I studied

Shaun Southall:

French, German, Italian at university, and still speak three languages before.

Shaun Southall:

reasonably well.

Shaun Southall:

So that's where, so my career going, but as it turned out, Google managed

Shaun Southall:

to get this really good algorithm called Google translate, which

Shaun Southall:

actually does a pretty good job.

Shaun Southall:

When I was at university.

Shaun Southall:

It was fish.

Shaun Southall:

It wasn't very good.

Shaun Southall:

So now the role of translators kind of limited, and certainly

Shaun Southall:

with those languages as well, you really have to speak some, some neat

Shaun Southall:

languages for that to be a career.

Shaun Southall:

So I fell into physical security and then as time went on, as I said, the, the.

Shaun Southall:

The kind of the way that physical security has developed to becoming

Shaun Southall:

security means that it's natural.

Shaun Southall:

I had to then pull upon some of my previous experience to.

Shaun Southall:

The coding is funny.

Shaun Southall:

You know, you mentioned about basic being, going to another level and it, it

Shaun Southall:

really isn't, it was quite simple, you know, uh, I've made AIDEA over making a

Shaun Southall:

football management simulate simulator when I was about eight or nine years old.

Shaun Southall:

And there was my primary primary school club.

Shaun Southall:

Against the other primary school class.

Shaun Southall:

I mean, it was, it was really primitive.

Shaun Southall:

It was just like text on the screen.

Shaun Southall:

It wasn't like football manager or anything like that.

Shaun Southall:

But my dad telling me, get out, get out and play with your friends.

Shaun Southall:

You're going to turn it to Kevin, Kevin Mitnick and it goes, you'd

Shaun Southall:

see these photos of Kevin Mitnick on, on TV, looking like a cereal.

Shaun Southall:

Uh, and didn't want me to turn out like a, you know, a guy who the,

Shaun Southall:

the, uh, the feds are chasing for two years to them, for the prison.

Shaun Southall:

So, uh, yeah, whilst it may seem on the face of it, natural that I

Shaun Southall:

would have started out in InfoSec.

Shaun Southall:

Kind of a, uh, an interest in younger and it was put on the,

Shaun Southall:

on the back burner a little bit whilst I progressed with languages.

Shaun Southall:

So yeah, it was, uh, it wasn't quite as cut and dried as it, as it sounds.

Phelim:

I like it though.

Phelim:

You know, that, that asymmetric route into physical security might resonate

Phelim:

with a proportion of our, of our listeners because you know, a lot of

Phelim:

people come from military or police, but there are a growing card of, uh, people.

Phelim:

I have come from neither, um, which is really, really, really important.

Phelim:

So our third quick fire, which is in a very important for the uninitiated

Phelim:

seems to be a catchphrase moment.

Phelim:

The uninitiated, the, the, the, the physical security specialists who

Phelim:

are absolutely not, uh, thinking, uh, or they don't understand yet

Phelim:

how they could augment their skills.

Phelim:

What, what do you want them to better on.

Shaun Southall:

Yeah.

Shaun Southall:

You mentioned about police and military company coming in to either physical

Shaun Southall:

security or, or, or information security.

Shaun Southall:

And they are an advantage compared with w w whereas someone like me who didn't

Shaun Southall:

have any experience in that field.

Shaun Southall:

I see, I see a lot of ex-military in cyber security and in successful roles within

Shaun Southall:

cyber security as well, because they understand stand stuff like, you know, the

Shaun Southall:

cyber kill chain and, uh, something like that, you know, the MITRE attack framework

Shaun Southall:

would make a far more sense to them than it did to me when I first looked at it.

Shaun Southall:

So yeah.

Shaun Southall:

Yeah, they've got some transferable skills that they can, they can bring

Shaun Southall:

directly in sort of role quite easily.

Shaun Southall:

Uh, and, and it will make far more sense for me.

Shaun Southall:

I had to go out and actually look for it.

Shaun Southall:

So aside from, and I mentioned basic earlier, and there's some crossover

Shaun Southall:

between basic complacent, you know, The construction of the code.

Shaun Southall:

It's very similar, but cybersecurity is all about coding.

Shaun Southall:

It's not about Python, there's other transferable skills

Shaun Southall:

that you can bring into it.

Shaun Southall:

And I like the Katz type biology, you know, which is that you kind of have

Shaun Southall:

your, your technical skills at the bottom.

Shaun Southall:

So you've got to still have that, that framework and that

Shaun Southall:

foundation of technical skills.

Shaun Southall:

And as you move up, there's soft skills, which are really relevant as well.

Shaun Southall:

A holistic viewpoint right at the top, which is the most important,

Shaun Southall:

I think a good balance of all of those can stand you in good stead.

Shaun Southall:

So whenever I get people who are in physical security, come up to

Shaun Southall:

me and say, you, how can I, how can I get these technical skills?

Shaun Southall:

Or how can I get enough technical skills that will help me in my role?

Shaun Southall:

The first question I ask is, you know, firstly, how passionate

Shaun Southall:

are you about this area?

Shaun Southall:

Secondly, how is it going to translate to your day-to-day job?

Shaun Southall:

And thirdly, you know, how is it going to translate to where you see

Shaun Southall:

yourself in five or 10 years time?

Shaun Southall:

Because it's not impossible for someone in physical security and their foot is to

Shaun Southall:

become a pen tester or an ethical hacker.

Shaun Southall:

Yeah.

Shaun Southall:

They can move in that direction.

Shaun Southall:

I see quite often, but I also see.

Shaun Southall:

People from a physical security background, moving more into maybe

Shaun Southall:

soccer blue team, or even in governance.

Shaun Southall:

And especially governance is an area where cyber security does struggle a low-paid

Shaun Southall:

and it's an area where we can improve.

Shaun Southall:

So.

Shaun Southall:

Yeah.

Shaun Southall:

What, what are your plans where you know what you need, because there's plenty

Shaun Southall:

of places where you can go and get it.

Shaun Southall:

There's discord servers, such as certification station, where if you

Shaun Southall:

want to work towards a certification and that's the route I took,

Shaun Southall:

but not everyone has to do it.

Shaun Southall:

It's not absolutely essential.

Shaun Southall:

It helped me because I need lots of different ways of learning.

Shaun Southall:

You know, I have my home lab, which is full of all sorts of

Shaun Southall:

great and wonderful things.

Shaun Southall:

I'm not going to give too much away on the, on the podcast,

Shaun Southall:

but I need to learn in that way.

Shaun Southall:

Uh, but also there's discord.

Shaun Southall:

There's some fantastic YouTube channels such as network charc and David Bombora.

Shaun Southall:

Channel as well.

Shaun Southall:

And some of this is just going away and working on raspy parts and

Shaun Southall:

just getting yourself familiarized.

Shaun Southall:

And then some of it is more on that sort of governance area.

Shaun Southall:

Is that kind of translating security management on a physical security

Shaun Southall:

level to holistic security management.

Shaun Southall:

You know, how can you take some of those skills?

Shaun Southall:

And building InfoSec into it and there's some great mentors out

Shaun Southall:

there and I highly recommend it.

Shaun Southall:

I'm in my forties now.

Shaun Southall:

And if I went into the job every day with the idea that, you know, I kind

Shaun Southall:

of, you know, I've done my, my 20 years in the industry, so I don't know why

Shaun Southall:

would I need a mentor then I wouldn't, I wouldn't be progressing every day.

Shaun Southall:

There's people like JJ Davey and, uh, Dr.

Shaun Southall:

Richard Destin as well.

Shaun Southall:

I mean, their mission is kind of to help people make that transition

Shaun Southall:

into, into InfoSec because.

Shaun Southall:

Like I said, are there, you know, security is physical security

Shaun Southall:

and InfoSec, are there security?

Shaun Southall:

You know, we we've had this conversation before when your other events converged

Shaun Southall:

security is something that the industry really does need to get its

Shaun Southall:

head around as quickly as possible.

Phelim:

I like that.

Phelim:

And you mentioned, uh, JD Davids and uh, the doctor, what was his name?

Phelim:

Uh, Dr.

Phelim:

Richard distant.

Phelim:

Distant.

Phelim:

Okay.

Phelim:

And I think, I think what's interesting, even for me, like some

Phelim:

people can be your mentors without knowing that your mentors, right.

Phelim:

It doesn't have to be a formal relationship.

Phelim:

Like I'm associated with a rookie group.

Phelim:

People who are actually fresh, uh, out of college, but yet they're

Phelim:

teaching me so many things.

Phelim:

Um, I hope I would be able to help them too, but I don't, I think, I

Phelim:

think maybe some people would have an issue with someone that's younger being

Phelim:

a mentor, but I think we've got to realize that a lot of the skills that

Phelim:

people in gen Z gen Y have naturally.

Phelim:

I'll only available because they've only had to emerge in the last five years.

Phelim:

So, so, so, so, so that's what I take your point about, um, about mentors.

Phelim:

And I think a lot of people hear that there's a massive skills gap in

Phelim:

the cybersecurity sector, and they assume that everybody is a Kubernetes

Phelim:

coder or everybody is something that actually does require a great degree

Phelim:

of technical ability from the offset.

Phelim:

But the skills gap or the employment gap really includes governance, but also

Phelim:

marketing and also PR and also operations.

Phelim:

Um, I guess.

Phelim:

Maybe that leads to a good question.

Phelim:

Imagine you're a physical security specialist, perhaps you're in executive

Phelim:

protection, like our community, what is not a good first step in your opinion,

Phelim:

there's lots of good first steps.

Phelim:

There's lots of YouTube videos.

Phelim:

Um, uh, but, but what would a bad idea as, as, as a first step, uh, you

Phelim:

know, to, to jump into this education,

Shaun Southall:

I think it goes straight into CSSP would be a bad move.

Shaun Southall:

It's a tough exam.

Shaun Southall:

It's a way of life rather than a certification.

Shaun Southall:

Uh, also I hear with people who've done the OSCP, you know, the 24 hours.

Shaun Southall:

Well, where you get, you get a small window where you can have a little

Shaun Southall:

nap and then you're back at it again.

Shaun Southall:

And yeah, it goes straight into that I think could be demoralizing.

Shaun Southall:

And it's certainly not what I would recommend.

Shaun Southall:

I look back up my own journey and I've made mistakes along the way as well.

Shaun Southall:

So some sometimes I think, yeah, maybe I tried to run before I could walk.

Shaun Southall:

So.

Shaun Southall:

Whilst I did have quite a bit of it knowledge from when I was younger

Shaun Southall:

and I've worked in network, video surveillance for 11 plus years still.

Shaun Southall:

I probably didn't quite have enough network knowledge.

Shaun Southall:

So even after I got all these I soccer certifications, I went back and did CCNA

Shaun Southall:

again because still I didn't really have enough understanding of networks and.

Shaun Southall:

With the physical security, you know, you're building knowledge in lots

Shaun Southall:

of different areas, criminology, you know, understanding rational choice

Shaun Southall:

theory and routine activity theory.

Shaun Southall:

Some of these motivations for crime when it comes to cyber,

Shaun Southall:

it's slightly different.

Shaun Southall:

The motivations are a little bit more complex and they don't

Shaun Southall:

necessarily tie into T capital to, uh, uh, capability of the agent.

Shaun Southall:

So.

Shaun Southall:

Yeah, I've gone off a, uh, a little bit of a tangent there.

Shaun Southall:

Um, Yeah, I wouldn't recommend going into something completely

Shaun Southall:

technical, you know, build lots of foundation knowledge in lots of areas.

Shaun Southall:

I think we'll have applications is something that's, you know,

Shaun Southall:

I struggled with and I'm going backwards now and, and learning again.

Shaun Southall:

Uh, I've got, got a course on, on Wednesday, actually on, uh, on web apps

Shaun Southall:

and, uh, Yeah, I think your networks as well, there, there was a few mistakes

Shaun Southall:

that I made where I thought I was probably better than I actually am.

Shaun Southall:

There's the Peter principle kicking in, you know, uh, risk management as well.

Shaun Southall:

That's something, something I'm learning every day.

Shaun Southall:

I think.

Shaun Southall:

Uh, physical security community.

Shaun Southall:

We're used to these heat maps and five by five likelihood versus impact.

Shaun Southall:

And eventually you get to a point where you, you, you, you study this for

Shaun Southall:

long enough and you're, you're working in this environment for long enough.

Shaun Southall:

And you've done about five years of everything being medium

Shaun Southall:

likelihood, medium impact.

Shaun Southall:

Yeah.

Shaun Southall:

One of the things I would recommend is for any security professional, not

Shaun Southall:

just those looking to transition from physical, into InfoSec, or bring in for a

Shaun Southall:

sec as part of their armory, but improve your risk management skills as well.

Shaun Southall:

See a lot in the physical security community and myself

Shaun Southall:

included when I was in.

Shaun Southall:

Where a lot of it is down to kind of gut feel and ex expert evaluation,

Shaun Southall:

which, uh, I think nowadays you have to be able to look for data

Shaun Southall:

classified data or give it a valid.

Shaun Southall:

As well, your value dates and value, the information that you have, and

Shaun Southall:

then doing stuff like the Monte Carlo simulations is it's fancy.

Shaun Southall:

It's a fantastic skill to develop in order to be able to show some value

Shaun Southall:

back to the board in terms of the data that you're collecting and then

Shaun Southall:

how you want to spend their money.

Shaun Southall:

A lot of boards, the security is a black hole.

Shaun Southall:

So even when I was in physical security, That I've built and built the capability

Shaun Southall:

of probably before I built all the Infosys knowledge actually was the management side

Shaun Southall:

of it is the, or sorry, the risk analysis.

Shaun Southall:

So that's the most important way to describe it because.

Shaun Southall:

Once you can show value on once you can show dollars, pounds, euros,

Shaun Southall:

whatever it is then that, that value you've committed to that, that value.

Shaun Southall:

And usually it's a range.

Shaun Southall:

So yeah, if you can think in, in that way, then that's a big help.

Shaun Southall:

And that sounds like actuaries.

Shaun Southall:

Yeah.

Shaun Southall:

It's like act, you're thinking in terms of risk because you know,

Shaun Southall:

You know, it's too often qualitative.

Shaun Southall:

We did within the security industry and stuff like, you know, a

Shaun Southall:

denial of service, you know, until you have a denial of service.

Shaun Southall:

How big, how big a risk is it?

Shaun Southall:

You, if you haven't had one previously and you're just using historical data

Shaun Southall:

or you're just using expert intuition.

Shaun Southall:

Well, you're probably going to be unprepared for it.

Shaun Southall:

Yeah, we just seen that with a global pandemic.

Phelim:

That's right.

Phelim:

That's right.

Phelim:

And, you know, w w with, uh, with, with another hat on, uh, we, we, we often ask,

Phelim:

you know, why not gameplay the black Swan events, um, because they're actually a

Phelim:

bit more engaging to gameplay anyway.

Shaun Southall:

Um, yeah, absolutely.

Shaun Southall:

Yeah.

Shaun Southall:

Yeah.

Shaun Southall:

It's, it goes beyond the, uh, the box that a bunch of guys sat in a room talking.

Phelim:

You mentioned before, you know, raspberry pies and just kind of playing

Phelim:

with stuff and getting to grips with it.

Phelim:

Um, it has been mentioned before that people should have a crack

Phelim:

at a capture the flag or on the easy side of capture the fact.

Phelim:

I know people will hear that and go, oh no, that sounds enormously technical.

Phelim:

But some of the easy ones, even I've had a go at, uh, the, the, the, the,

Phelim:

you know, the very simple challenges.

Phelim:

Would you, would you recommend that as, as something to play around with?

Phelim:

And if so, what should people expect?

Shaun Southall:

Yeah, I would recommend it.

Shaun Southall:

It's something that I do as well, you know, and there's some great resources

Shaun Southall:

out there that aren't expensive.

Shaun Southall:

So even if your employers aren't willing to invest in it because they don't see

Shaun Southall:

the benefit to your current job role.

Shaun Southall:

And that was the case for me previously.

Shaun Southall:

So I went out and invested in a premium try hack me account and hack the box,

Shaun Southall:

uh, and TCM security editor as well.

Shaun Southall:

We'll have a, yeah, there you go.

Shaun Southall:

Uh, TCM security as well.

Shaun Southall:

He's got items, his organization.

Shaun Southall:

All got these rooms where you can go in and practice and a lot of his walkthrough,

Shaun Southall:

you know, and it's just about practice.

Shaun Southall:

I got back to the languages and this is where, where it ties in.

Shaun Southall:

Yeah.

Shaun Southall:

I could pick up a language quite easier.

Shaun Southall:

Talk it every day, especially if I went to the country.

Shaun Southall:

Yeah.

Shaun Southall:

And maybe it wouldn't be able to understand Italian

Shaun Southall:

for a few years, but then.

Shaun Southall:

When I traveled to Italy and I'm sat in a gondola, you're not there

Shaun Southall:

enjoying the scenery with my partner.

Shaun Southall:

I'm talking to the polarities allium because everything comes flooding back.

Shaun Southall:

And it's exactly the same with programming languages as well.

Shaun Southall:

You don't use it for a little while, but as soon as you start typing the

Shaun Southall:

code, it comes flooding back to you.

Shaun Southall:

And it's skills that.

Shaun Southall:

Yeah, we've practiced.

Shaun Southall:

You can learn.

Shaun Southall:

And as soon as they go from being a, kind of a within your SIS system, one

Shaun Southall:

mental mode to system to, uh, to back to back the system, maybe the system too.

Shaun Southall:

So it becomes a kind of habitual, then it becomes a lot easier.

Shaun Southall:

So capture the flag, you know, the kind of.

Shaun Southall:

You envisage something very difficult and tight, something tiring, like the

Shaun Southall:

OCP exam earlier the 34 hour exam.

Shaun Southall:

And it can be tiring, but there are some simple groups and they

Shaun Southall:

can get your confidence up.

Shaun Southall:

Is it a prerequisite for a career insecure?

Shaun Southall:

Absolutely not, but it's interesting.

Shaun Southall:

It's interesting getting in the mind of the attacker and also how the attack

Shaun Southall:

surface plays out as well, because some of those CTS will include stuff

Shaun Southall:

like pivoting and privilege escalation.

Shaun Southall:

And these are concepts that you have to understand in security,

Shaun Southall:

especially if, if you're part of the attack surface, if you're a security

Shaun Southall:

manager and you're managing a security function, which includes a video

Shaun Southall:

management system or an access control system, and that sits on a net.

Shaun Southall:

Whether it's segmented or even whether it's air gap, it doesn't matter.

Shaun Southall:

You still have to understand some of the fundamental concepts.

Shaun Southall:

So however it is that you learn, whether it's audio books, mentorship.

Shaun Southall:

Certifications or doing capture the flights, all of them help.

Phelim:

And you mentioned elevation of privilege.

Phelim:

And in fact, somewhere I have, uh, the game elevation of privilege,

Phelim:

which, uh, sounds really a little bit sad, doesn't it?

Phelim:

Because it shouldn't be again, but it helps you understand that you,

Phelim:

you, you hear elevation of privilege and you think, oh, that must be holy

Phelim:

cyber-related yet a scam artist.

Phelim:

Make a phone call to a telco impersonate being you gain more access and

Phelim:

actually elevate their privilege.

Phelim:

Just on a few phone calls.

Phelim:

It's it's a mindset, isn't it.

Phelim:

It's not, it's not necessarily everything tied to Infosys.

Phelim:

It's much more

Shaun Southall:

about a mindset, isn't it?

Shaun Southall:

Yeah, for sure.

Shaun Southall:

Look at, look at Kevin Mitnick, you know, he wasn't one of the most

Shaun Southall:

skilled attackers in the, in the world.

Shaun Southall:

He was just the system and was really good on the phone.

Shaun Southall:

He was really good at convincing people to give him information.

Shaun Southall:

And then, you know, w was passionate enough to just keep trying from there.

Shaun Southall:

That's part of the mentality is the attacker, isn't it, they're not always

Shaun Southall:

the most skilled because it's a lot of open-source tools out there so they don't

Shaun Southall:

need to be, but getting the information is really important and really useful.

Shaun Southall:

I mean, if you don't have to go hunting around for it, if you can just get it over

Shaun Southall:

the phone, that's a low hanging fruit.

Phelim:

So I think then maybe I, I hope I'm not overstepping

Phelim:

any more, but I've noticed.

Phelim:

Uh, a train of thought, moving from your experiences as a physical security

Phelim:

specialist and your experience with colleagues in the physical world, to the

Phelim:

InfoSec world, the, the willingness to experiment or the willingness to try.

Phelim:

You mentioned motivation.

Phelim:

How motivated are you to learn?

Phelim:

I guess I want to ask the more thorny question.

Phelim:

Colleagues past and present in the physical security world.

Phelim:

Do you think they are too focused on gold stars on certificates on the,

Phelim:

the completion of a course, rather than the continual experimentation

Phelim:

with, with, you know, a Sudoku puzzle or a capture, the flag or something?

Shaun Southall:

Yeah, it's a good question.

Shaun Southall:

I mentioned Dr.

Shaun Southall:

Richard earlier.

Shaun Southall:

And one of the things he talks about is the T-shaped professional, and

Shaun Southall:

that's a professional who doesn't just understand security, but

Shaun Southall:

goes out and educate themselves.

Shaun Southall:

Reads books, understands decision science, uh, accounting, finance.

Shaun Southall:

Influence the so many different skills which builds your professional

Shaun Southall:

career and how you expand your own knowledge and your mindset.

Shaun Southall:

And eventually you get to a point where you see that, where they all interlink

Shaun Southall:

and you started to touch on it there about the social engineering and how,

Shaun Southall:

you know, how that fits into InfoSec.

Shaun Southall:

Thus, it's a clever link because it is one individual part of it.

Shaun Southall:

But.

Shaun Southall:

As a security professional, and I'm assured there'll be people

Shaun Southall:

listening who are security managers.

Shaun Southall:

Who've had to learn budgeting on the spot.

Shaun Southall:

You know, if I had to suddenly learn how to budget, they've got

Shaun Southall:

no accountancy background, but they have to learn how to budget.

Shaun Southall:

They have to learn how to conduct a third party, supplier risk assessments.

Shaun Southall:

What are we looking for here?

Shaun Southall:

You're learning on the job.

Shaun Southall:

And sometimes that experimentation.

Shaun Southall:

Has to expand beyond your day-to-day duties.

Shaun Southall:

You've got to take the time outside to go, okay.

Shaun Southall:

You know, it's part of the job, so I want to be better at it.

Shaun Southall:

I want to learn, learn more about it.

Shaun Southall:

And that was how it was for me.

Shaun Southall:

I didn't have to learn more about.

Shaun Southall:

Stuff like, oh, you're assigned firmware and trusted platform modules, but I

Shaun Southall:

want it to be the best or there weren't, you know, I wanted to know more than

Shaun Southall:

everybody else wants to be able to answer any questions that anyone asked me.

Shaun Southall:

And it's that kind of motivation, which is, I would say, not just the

Shaun Southall:

motivation, but the desire as well.

Shaun Southall:

Uh, you know, my.

Shaun Southall:

My hashtag CSO CSO bicycle is still, it's still alive.

Shaun Southall:

I go the less than 20 years, but I was 15 years to get there and I'm

Shaun Southall:

not going to get there just by stay.

Shaun Southall:

Stay.

Shaun Southall:

Yeah, you have to expand outside of that.

Shaun Southall:

And, uh, yeah, that T-shaped professional is something which

Shaun Southall:

really stuck with me learning all those different areas is, is crucial.

Shaun Southall:

You know, even in stuff like, you know, stuff, I risk reading books, like, um,

Shaun Southall:

uh, condiments . Yeah, no, I think you fastest slim, you know, the, that was,

Shaun Southall:

uh, that is, that started to change my mindset on, on certain things, you

Shaun Southall:

know, the cognitive biases, which we, which we have, and we carry into our

Shaun Southall:

work and our personal life as well.

Shaun Southall:

Uh, but it's the rational Dan Ariely, you know, these are fantastic

Shaun Southall:

publications that you just read through them and you're like, Yeah, as humans,

Shaun Southall:

we're pretty predictable actually.

Shaun Southall:

Yeah.

Shaun Southall:

We keep making these mistakes over and over in history.

Shaun Southall:

So yeah, I think having that willingness and desire to just expand your knowledge

Shaun Southall:

in all sorts of different fields, you know, not, not just the technicalities

Shaun Southall:

of cyber, as I mentioned, it's good to have that technical base, but.

Shaun Southall:

Expanding your knowledge outwards in lots of different areas.

Shaun Southall:

Yeah.

Shaun Southall:

There's only so long, you can go work in a nine to five or in some instances

Shaun Southall:

you're much longer and then go home and try and do your gold star certification.

Shaun Southall:

You know, I've run myself into the ground doing that for a year and now.

Shaun Southall:

And yeah.

Shaun Southall:

Okay.

Shaun Southall:

I would say it was kind of worth it because it gives you more chance

Shaun Southall:

of getting alternative employment, but was it good for my health?

Shaun Southall:

Definitely not.

Shaun Southall:

So is it good for my social life, but definitely not was a gift from my

Shaun Southall:

family that I've definitely not, you know, I had to make a sacrifice and

Shaun Southall:

it wasn't necessarily the, the only.

Shaun Southall:

So that's something to bear in mind as well.

Phelim:

I love it.

Phelim:

You are a T shaped professional.

Shaun Southall:

Not yet.

Shaun Southall:

Yeah.

Shaun Southall:

You can never stop learning.

Phelim:

You'll get into that T and uh, I love that.

Phelim:

See, so by 60 you probably make it a lot before.

Phelim:

You know, you might actually want it.

Phelim:

You know, a lot of people don't like getting a, the CSO job.

Phelim:

They want to pronounce it as soon as they get it.

Phelim:

So, but at least, at least you put it on your vision board,

Phelim:

which is, which is a really nice,

Shaun Southall:

um, every CSO tells me the same, same thing.

Shaun Southall:

Trust me, you don't want this job.

Phelim:

Well, at least, at least you got the goal and, uh, at least,

Phelim:

uh, you know, we'll, we'll, we'll, we'll put it on as pedestal for now.

Phelim:

Um, w we're coming up to the festive season.

Phelim:

What's next for you?

Shaun Southall:

Yeah.

Shaun Southall:

Good question.

Shaun Southall:

So, yeah, I've been with the CAA just over a month now, really enjoying their job.

Shaun Southall:

And that's taking a lot of my mint, not necessarily a lot of my time, but

Shaun Southall:

a lot of my mental time it's take a lot of my, my mental bandwidth as well.

Shaun Southall:

So I've put a kind of, kind of put the brakes on doing any certifications or

Shaun Southall:

courses or anything like that for now, but for next year, I'll be doing the C guides.

Shaun Southall:

So my aim is to have the full suite of ISACA certifications.

Shaun Southall:

I'm pretty close now how to, to go.

Shaun Southall:

So for them to, to go, but also being an aviation, I feel like I need to understand

Shaun Southall:

industrial control systems better.

Shaun Southall:

I'll be looking to upskill in that area as well.

Shaun Southall:

So, uh, yeah, some, some more security related certifications and courses and

Shaun Southall:

yeah, there won't be any, any finance or behavioral science or anything like that.

Shaun Southall:

I've done a lot of that over the last few years and lockdown down was, was, was

Shaun Southall:

great for that in one aspect, because.

Shaun Southall:

It did get him whilst we were tied to zoom for long periods.

Shaun Southall:

It did give us a little bit more time to be able to explore some of those

Shaun Southall:

different educational resources.

Shaun Southall:

So yeah, I'm going to get Christmas out the way and then

Shaun Southall:

to take the exam and see guides.

Shaun Southall:

I have a couple of other exams as well to take the.

Shaun Southall:

Fundamentals, which is a factor analysis of information, risks, or quantifying

Shaun Southall:

risk using the fair methodology.

Shaun Southall:

And I'm ready to set the example of too lazy at the moment to go and say,

Shaun Southall:

that's a test center and put my mask on underground and use my windows 95 PC.

Shaun Southall:

It's like, no, I'll save that to the new year.

Shaun Southall:

In, hopefully everything is open again.

Shaun Southall:

So yeah, that's the plan.

Shaun Southall:

And then look at the industrial control systems as a, as a focus

Shaun Southall:

area for next year, but not very as well, which I'm looking into is,

Shaun Southall:

uh, the legal side of cybersecurity.

Shaun Southall:

So that's something which is often overlooked.

Shaun Southall:

You're

Phelim:

going to put everyone to shame.

Phelim:

You're going to scare them away.

Phelim:

W w we're trying to tell them that it's okay.

Phelim:

You don't need to be missed us SOPA hero person.

Phelim:

Like you, you really are upskilling.

Shaun Southall:

Well, yeah, time is not enough for me, you know, see

Shaun Southall:

some basic stuff, but yeah, again here from, from working for the

Shaun Southall:

regulator, what we're trying to do is take complex legal jargon and make it

Shaun Southall:

something valuable for the industry.

Shaun Southall:

So.

Shaun Southall:

Take taking complex legal jargon, and just regurgitating complex

Shaun Southall:

legal jargon is of no value.

Shaun Southall:

If you can show how that can impact upon an entity, cyber security posture,

Shaun Southall:

and then advise them accordingly, then that's something that's really helpful.

Shaun Southall:

So yeah, the legal side of it is, is something which I want to pursue.

Shaun Southall:

So yeah.

Shaun Southall:

Nate, we could be talking in two years time and all that.

Shaun Southall:

I've done a master's in law.

Shaun Southall:

I doubt it, but you never know.

Shaun Southall:

And, and,

Phelim:

and for reassurance, Executive security professionals do not need

Phelim:

to do a master's in law necessarily.

Phelim:

Right.

Phelim:

We're trying to encourage them to take baby steps.

Phelim:

We don't

Shaun Southall:

have, yeah, just, just, uh, yeah, just get

Shaun Southall:

the free version of TRIAC Mia.

Shaun Southall:

Just a few CTS that's enough, but, uh, yeah.

Shaun Southall:

Well you asked what's.

Phelim:

I'm well impressed.

Phelim:

You're definitely T-shaped to me.

Phelim:

And, uh, I, I, I think absolutely CSO before 60 is, is on the cards.

Phelim:

Isn't it?

Phelim:

Um, well, Sean, I don't put a senior you again in person very soon and,

Phelim:

uh, yeah, have a great Christmas.

Shaun Southall:

you have been listening to the circuit magazine

Shaun Southall:

podcast, be sure to subscribe and be sure to not miss an episode.

About the Podcast

Show artwork for The Circuit Magazine Podcast
The Circuit Magazine Podcast
For Security Professionals who want to stay ahead of the game.