Introduction (00:14) You're listening to KBKast, the cyber security podcast for all executives cutting through the jargon and height to understand the landscape where risk and technology meet. Now, here's your host, Karissa Breen. Karissa (00:29) Jim Bates, welcome to the show. I'm really excited to have you here today. I actually got up super early this morning. I mean, it's not that early now that I'm talking to you, but I was really excited about the interview. I really like your energy. I like your passion. I like your experience as well. You genuinely are quite an endearing person to speak to. So I'm very excited to have you here today. So I'm keen to perhaps sort of explore, first and foremost, a little bit more about your background. You've got quite an extensive background. You've obviously worked on the government side of it, and you worked on both sides in terms of public and private. So I'm keen to kick into that. And then once we finish that, I'm really excited to sort of do a deep dive into other stuff. So, please, Jim, welcome to the show and tell everyone what's been going on. Jim Bates (01:18) Sure, Karissa. Thanks. And first, let's give you a shout out and a thank you for having me here and for what you're doing for the Cyber Security space. I was just in a client meeting just about an hour ago for a utility company here in Alaska where I live, and I was saying, hey, I got to get on this podcast with Karissa. Karissa Breen. I know. I watch her stuff all the time. So you're like a household name up here in Alaska, too. So thank you for what you bring to this space. Karissa (01:45) That's awesome. Jim Bates (01:47) Yeah, thank you for cutting just through all the muck and mire around this topic and bringing in so many interesting guests. And what you do for this space, I think is so important. Just to introduce myself. I am Jim Bates. You said that. And I'm from Alaska, born and raised, but I've done a lot of work internationally. And it's interesting growing up in Alaska, maybe some similarities to Australia where you're from, but Alaska is a huge territory with a small population but a lot of industry. And so growing up here, I went through starting in retail and got into the airlines, and literally in the 1990s is when I got into it. At the airlines, I took over Distressed Project because they had fired the prior It project manager that was running this big, huge multimillion dollar install. And we were on old systems. We had a Tandem and a Wang and Token Ring Networks, and 386 computers were just coming out with 16 megs, and everyone was like, Whoa, whoa. That was kind of where I first got my introduction in It and I saw that technology was going to be the future and I wanted to learn more about it. Jim Bates (02:58) So I actually signed up and worked for the largest IBM business partner in Alaska. And we were in every industry up here. So we did school districts, city government, state government, federal agencies, 200 commercial accounts and every kind of business type. So it gets you into every kind of business and it's really kind of neat because you get a lot of business experience because it's their information, it's their business. Intellectual property, the value that companies have now is their information and data. So that took me on a path. And one of the clients that I was doing work for, it's the Alaska Native Tribal Health Consortium, which is like they have a full on hospital campus, they do telemedicine to remote Alaska where there are no roads and there's no hospital. So having to do commissioned these practitioners that live in the villages have to tie into these doctors and then do everything over the wire, you know, because they don't have ability sometimes to get medical care fast, so they have to have someone who can help them stabilise the patient or whatever. So technology, we've been doing a lot of that kind of stuff, having to deal with our remoteness and bandwidth issues. Jim Bates (04:13) And also cyber security comes into this whole topic because security was different back then. I mean, we have proprietary systems, PCs were just starting to come into the business and become a business computer, which they were never designed for. So most of the vulnerabilities that were happening back then that were being exploited were things on your personal computer. The networks were different, TCP, IP and that whole stack wasn't really quite out yet and it was starting to trend. But we did ten base T and then things like peer to peer networking and finally got into those technology stacks in my career. But in that hospital, I did every kind of project you can imagine for a hospital campus and for a telehealth network. And cyber security was obviously always a part of it. I worked there seven years and I created the project management office and did all kinds of things to help mature the organisation, along with focusing on implementing a lot of It systems, lab systems, professional fee systems, we call them pro fee systems and facility fee systems and you name it, we are doing it and integrating it all together through our networks. Jim Bates (05:30) And security was still not as big of an issue as today because things have changed and definitely our threat surface has become a lot bigger now than it was then. So the attack surface, it's just a whole different day today than it was then. And so then I got recruited by Michael Dell's, company that creates the Dell Computers, to go do a project in Round Rock, Texas, where they're headquartered. And I got exposed to a whole new, bigger world that made me kind of compare Alaska sized industry to the bigger industries that were happening. And it was a great experience for me. It was a very successful project. And while I was there, I did other projects. I did one for Labcord, North Carolina with Lydia Fonseca, who is the CEO of Pfizer now, and really super neat lady, one of the best leaders I've ever worked with. And we were looking at assessing their entire staff, including security and disaster recovery, business continuity. And back in that day, that was probably about 2008, I want to say they were still using Vaulting with Iron Mountain and doing like, disaster recovery with Hot Sight through sun systems and all that. Jim Bates (06:42) Once again, security was another big issue in every part of my job. And then I also did a little ISO 27,001 project for Rackspace, which was a big hosting. They bought a mall in San Antonio, Texas, and we're converting it to a bunch of Rackspace and needed to make sure that things were secure. And so I went down that path. I got my CISSP, my Security Professional certification, my CSA, which is through Isaka, which is an auditor certification. And so my career was also being supplemented with education and getting credentials. And I came back to the State of Alaska in 2010 and started my business. But then I got recruited to go to the State of Alaska and be the Director of Enterprise Technology, which is the CIO role. And I served under two governors and did that running technology for the State of Alaska, including the Cyber Security Office, which reported up to me. And so we were involved with everything from policies down to controls and everything in between, and selecting and hiring the new CCELL that we did when I was there working with the federal government and writing White papers to the White House around cyber security. Jim Bates (07:54) Arctic, arctic. The ice was melting up here because of global warming and there was a big study during the Obama administration, I did that. I served for three years as that and then went back to kind of doing my business. I'm a consultant today, helping organisations a lot. From the more strategic perspective, I'm not as much of the practitioner as I once was because things changed so fast, but that's a little background on me. Hopefully that's helpful and gives everyone kind of an idea of where I came from and where I'm at today. Karissa (08:22) That's awesome. I love that. I like you enjoying old school computers. Do you ever do this quickly on that? You're talking about personal computers. Do you think back then people were under pressure? There's no way people would have personal computers because I think about what's happening now at the whole Web Three thing and I was like, oh, no, that's not going to be a thing. Do you think it's the same sort of conversation that's happening just 2030 years later? Jim Bates (08:49) That's a good question. So what we used to joke was get those dumb PCs out of here because they're just a big pain and they weren't designed to be here. We have industrial strength computing systems that were designed and scalable for high interactive hits with lots of people hitting them and we had dumb terminals where people couldn't break things very easy. They were hooked up, some of them were even still daisy chain. And then all of a sudden the PC started getting brought in and the power of the desktop, we couldn't argue with that anymore. It was like, dude, these spreadsheets and word processing and all things that you can do from a business perspective. But how do we start to fix the vulnerabilities associated with a personal computer? And everyone now going in and doing reg, edit and playing around with the registry on your computer and breaking it, having us try to come fix it for them. We're just like, how do we lock this down? And so we've come from that to now where we've built our own mainframes. Basically we've industrial strength. The PC then became the Pancake servers that you put into Iraq that were based on intel technology and Windows operating systems and etc, etc. Jim Bates (09:58) and so I think now we've started we went to the sands and everything. Now I feel like we've kind of engineered and built our own big mainframe computers and so it's kind of interesting. That's my perspective anyway. But I really feel like I couldn't live without my desktop stuff today. But back then we were fighting those people all the time, like the PC guys were the bad guys. Karissa (10:19) Yeah, I'm just hearing this. Not that I was like that much. Like I was obviously quite young when the PC came around, but it's just the same sort of conversation that has obviously been taking place now. So I'm just curious to always hear what people's sentiments are on that. So I want to sort of dive into how can companies align their cybercurity strategy with their business? Now, I think a lot of people say that they do, but I don't know an actuality if that is the reality of what they're doing. So I'm curious to know, from your perspective, with your experience, how do you sort of start that conversation internally? Jim Bates (10:59) Karissa, that's a great question and you know as well as I do with your experience that there's really no two companies exactly alike. And when I go into an organisation, I first of all tried to determine the culture because culture eats strategy for breakfast, lunch and dinner, literally, it does. And if you have a bad culture, you're going to have a harder time doing any kind of strategy or alignment or having that conversation. Because really, to me, a good culture starts with strong communication and great relationships of trust within an organisation and some companies are very small, where you have just one person trying to do all of it. And so there's a lot less communication channels and a lot less that can go wrong. But the great big complex companies that have subsidiaries and you're trying to do cybercurity and you're trying to create a strategy, you have a lot more challenge. So there's not like a cookie cutter answer to your question, but it all starts with just common sense, good communication and understanding. In my mind, if you're the C suite, if you're the executive and you're not into the It space per se, everyone has to be today, then learn. Jim Bates (12:08) You can't go to a CEO in the old days and say, oh, well, if, say, you were in charge of the railroad and you had no idea that you needed to keep things secure from a physical perspective, there's no excuse for that as a CEO. Well, now your assets are your information and your data, right? And so if that's the important part of your organisation, you're protecting something. It could be intellectual property, it could be someone's personal, identifiable information, it could be protected information from some regulatory or some compliance perspective or just things that are not public, that are private. And if you're a CEO or a CFO or a COO, start to learn this is the world you live in. You can't make an excuse anymore to say, well, that's just cyber security, It stuff. So if you're that level and I'm talking to you, I'm not trying to call you out, I'm trying to call you up. It's time for you to start really getting involved. And then number two, if you're a CISO or CIO or a practitioner in this audience, then learn to understand what's important to the business itself. Like what business are we in? Jim Bates (13:20) Well, we're a law firm or we're a bank or we're a hospital or we're whatever. Every one of those have unique criteria and business requirements and it's really important you understand it. So I always say, put on your project management hat and just start the whole thing. Like you're going to go out and get requirements before you can start to plan a strategy or do anything. You need to go and engage stakeholders. Listen, understand if you're a big company and you have a compliance officer, you have a risk manager, a risk officer, if you have a privacy officer, get with those people, engage with them, understand the big picture. And that's how you start with a bigger holistic strategy of all the things you need to do and then to start we'll probably get into that later. Karissa, I know you kind of have a way of facilitating this conversation, but that's how you're going to if you want to get to execute, which is where most people want to get, how do I do my job every day? And how is it important and why is there all this problem and why isn't that the executives understand a lot of times it's because we haven't communicated well, we haven't done our due diligence, and it's for everybody. Jim Bates (14:25) Security is everybody's job today. Cyber security is everyone's job. You can't say, well, it's those guys job. No, everyone has a responsibility. You have a duty to step up and to be part of the solution, not the problem. So, I mean, that's how I would start the conversation. There's a lot more that could be said about it, but communication and alignment starts with understanding everybody's role and what the organisation exists for, what's the mission and vision of the organisation, what are we trying to accomplish? So that will tell you what kind of data you have if you're a hospital, okay, well, in our country here, we're regulated by HIPAA, which is an acronym for the Health Information Prediction Accountability Act and Portability Accountability. So it's all about a certain kind of data that is regulated. So now I have to comply with that, right? And so that helps me understand what I'm doing, my security baselines, and what I need to make sure that I'm doing for a cyber security perspective. What controls do I have to put in place and what amount of risk are we willing to take as an organisation? You can have that conversation in a lot more meaningful way. Jim Bates (15:33) So that's where I would just start to say where we would start the conversation. I mean, if there's something more specific you're looking for, Crystal, please just let me know. Karissa (15:42) Yeah, you're so true. Just learn. Do you think that people, I mean, I can say in Australia, from my experience of talking to people outside at that senior level, like, oh, I don't know anything about computers, can't operate my phone, can't do this. And I was like, how are you then in this position? And you're saying that you can't operate a phone? I get it all the time. And so I'm curious to know, do you think that these guys perhaps are just turning a blind eye? Like, oh, it is that sizer or CIO's problem, they don't want to learn? And then if so, don't you think it's been counterintuitive to the overall problem? Jim Bates (16:22) Yeah, I get it. I'm the CEO of a company now, and I'm in a different role where I have to make sure that we're meeting our goals of our business and that we're making revenue and our costs are in control and that our customers are happy. So there's a part of business that distracts you, and so it's just like, easier to make it somebody else's job. But you're right, Karissa. I can't see where you can be an executive in today's world and not understand that technology is how if you think about the old days in America when they started building the railroad tracks, our entire economy was being moved by the railroad tracks. And then we went from there. We started into air travel and air cargo. We moved so much of the economy through transport methods. Well, now the new railway track stuff. Today it's technology. The Internet, the World Wide Web. We're all connected and we transact. Our economic engine is the fabric of everything we do is technology. How can you be a chief of an organisation and not see that? I go into so many organisations today, Kris, where the CIO is down below the CFO, or somewhere down there in the stack. Jim Bates (17:44) And it shows me they don't value technology as a strategic partner to help them innovate the future and transform their organisation. And it's hard for us, It perspective people to go, what? Are you kidding me? You still don't see the value of technology? And I think there's a real key here about trust. And it's probably from the past where it got this reputation for, hey, we need this big budget to buy this new stuff. And the executives didn't understand technology. They were intimidated by, what do you mean about you're going to buy a firewall and you're talking about a switch and you're talking about some endpoint product or some why am I going to put this many millions of dollars into a network and they just don't see the value? What am I getting back for that? But what would happen is technology, if there was an outage, an interruption of service downtime, they would pick up the phone, call it and start like, why are we not having our stuff running? So It's response was, okay, because you didn't give us enough budget for a redundant system. We had a single point of failure or vulnerability. Jim Bates (18:55) It got exploited. So then it would come back with one option to the business. We want the triple gold plated redundant system that never fails, have zero downtime, which is never really possible, but that's what we put in our budget. So then the business was always like, you spend way too much money, I don't see the benefit. I have no way of knowing that I'm really getting risk mitigation for the amount of money I spend or whatever I'm getting back. So I think that this trust happened and there's still a lot of the old school people who have carried over that kind of a culture and environment. And so I try to get people to say to It, I tell them, look, if you're the It, go to the business and understand the business perspective and let them make the decision ultimately. But you have to give them options, hey, look, there's option A, B and C. It's kind of like buying insurance, full coverage. We're not even talking about liability because there's no coverage for us. So we're going to take off the table, but I'm going to go to the executive and say, hey, we have three different options. Jim Bates (19:55) We like option C because it gives us the best coverage and we feel better at night when we go to bed that we're not going to have some vulnerability exploited and have downtime for us to deal with. But hey, there's option B and there's option A. Less spend for each option and more risk and have that conversation and build trust with those executives to where if you could build trust where they trust you and they know that you understand what keeps them awake at night, expenses and revenue and all that. And then you can say, well, hey, you don't realise how many door rattles we had of people trying to exploit a vulnerability on our tax surface. And they're like, what do you mean by that? At the state of Alaska, this was back in 2013 to 2016 when I was serving, we had two 5 billion hits a month on our gov space. Yeah, what we had public facing every department of the state of Alaska had a public facing web surface or landing pages. But people come in here and try to figure out how to go horizontal and get to the real data, right? Jim Bates (20:59) And we weren't even allowed to put in a honey pot because they said, well, that's enticement. Well, we're enticing with our real stuff. Why can't we find out how they're coming in and what they're trying to do to exploit our vulnerabilities? When you can get the executive and have that conversation to say do you realise how many hits a month people are trying to hit? Our public facing attack surface here, so to speak, are finding ways to come in and if they can find an HVAC system, tidy or network that they can exploit, they'll do it. Now with the internet of things, everything is hooked up right and we've added a lot more business functionality but a lot more vulnerability. So I think it's to your point, it's a conversation that builds trust and understanding to change that dynamic that we talked about where why do these executives just push off it as something they don't want to get involved with? Because they were intimidated in the past. They had a bad relationship, they didn't understand it. There was a lot of money being spent. They couldn't justify it. And I think it caused this kind of dysfunction. Jim Bates (22:06) But I see a lot of new companies where the CEO knows more about it sometimes and even some of the It people, which makes me really happy to see that. Karissa (22:15) No, I think that's good. Look, you have to do reasonable endeavours to understand conceptually about it. If you are, for example, a CFO, you're not asking me to go and recite TCP IP. We're just saying conceptually, this is how it works, like high level stuff. Because equally, you're not a CFO but you have a high level concept and fundamental knowledge about running a PNL. Yeah. So you're not a CFO to the Nth degree, but you have conceptually understanding. Okay, I can run a P and L got to make sure I'm on budget with my project, etc. The same principle and my understanding should apply on how, where is the data being stored, who's access, all that type of stuff. Like what cloud are we using? Some people don't know that answer. And I think in that role, you should that's a very fundamental thing that you should know. If your whole company is running on that, you should have that answer. Now, you don't need to understand the configuration of everything, but I think that, again, there needs to be an equaliser there between the cyber and the tech as well as the business. Do you think that's a fair statement? Jim Bates (23:29) Yeah. Jim Bates (23:29) No, absolutely. It's why we started this conversation. When you asked me that first question about how do you start the conversation is communication. So you just opened up a door to a great conversation about how do you get them to understand concepts when they're intimidated? Because if you intimidate an executive who's in charge of your paycheck, you're probably not going to get very far. We have our acronyms. We're talking about TCP, IP, and we're talking about VLANs and Lands. And they're like, what the heck are you talking about? And so what I've done is try to find how can I explain this concept in a way they can relate to without sound like I'm talking down to them? So I remember getting with some executives one time and I said, do you guys understand how the postal service works? And I know I just sent a package to Australia, and so I had to kind of remind myself, but we have zip codes. I said, Zip codes are like IP addresses. You have a block of zip codes so that we have a subnet. It's just an IP address. It knows where to send that packet of data and how to route it. Jim Bates (24:32) So we have post offices that sort mail based on zip codes, and there's an actual address within that zip code space. So when I started explaining to them, I said, Think of it, I was in session. So the legislature here in Alaska and you're trying to explain to them these concepts, and I was trying to show them this big Cisco switch. We needed more money to update our infrastructure. And I had a 13 year old gear that was failing and no more spares. And I'm having to upgrade a network of equipment. This costs a lot of money. And I'm like every email you send, every bit of data, everything you do is like transacting to this big post office system where you have these big depots, and then it goes to smaller depots and finally gets to the address where it's supposed to go. When I explain it to them like that, they were like, Dude, I get that concept. So you're telling me that all these packets of data are going through this big network of paths to routers and switches that are sorting mail and sending it to addresses. I said that's kind of a juvenile way of saying it, but yes, if you can get that concept, it's exactly what we're doing. Jim Bates (25:34) So now I have a trusted relationship where they say, hey, this guy can actually communicate with something we can understand besides some technical mumbo jumbo. Right. And so I feel like, to your point, if we could get good at communicating concepts in a way and then relate it to money, which is what really keeps them awake at night most of the time, then I think we can build a trusted relationship to align strategy to execution and do it way better than we do. So I don't know if that answered your question, but Karissa (26:02) no, I think it does because I would say that that would be an approach to get people on board with your strategy, to actually get them to understand in a way that makes sense. Right. Because do you think we should try to talk down to executives or I don't think I mean, maybe it's some people's intentions. I'd like to say more often than not, people have the right intention, but it can come across the wrong way. So I'm just curious to know, from your perspective, what are your thoughts on that? Jim Bates (26:29) No. And so it's why I first reached out to you. And if you remember, I sent you a LinkedIn because I've been following you for a long time. I love what you do. I watched you go from this, in my mind, what appeared to be an introverted person who wasn't so comfortable in front of a big crowd, to this person who can just cut to the chase, speak directly, communicate well. And the thing I've noticed about great leaders like you, Carissa, you're a leader, you're an influencer. You know, I don't even accept that responsibility. But you don't know how many people follow you, which means you're a leader. And leaders listen well and they ask great questions. So to your point, don't talk down. Ask intelligent questions to where they come to the conclusion themselves. And it's their idea, not yours. So I think if you're going to engage somebody, especially somebody that you report up to, that are smart people and they run the company, don't put them in a corner. I felt like most of the time, what I find works the best is to do what you're doing. You ask great questions and you lead a conversation to get results, right? Jim Bates (27:28) And it takes a little longer. You have to be patient. But if I just give you an answer I just gave you the answer, it's what I gave you, and you have to decide whether you want it or not. But if I lead you to an answer or a conclusion that you come to yourself, then that's yours. I think the most effective way is to kind of be an anthropologist, go. In there, figure out what's important to the people you have to talk to, study them, understand how to build trust with them, and then just ask great questions and don't talk down. I'm pretty direct person. You can tell by my my speech, and I like to just go right at things like you do, but I know my audience and I understand and I try my best. I've got my blind spots, like everybody. But I think great leadership is important and it can't be overemphasised. And I look to you as a great leader, Karissa, and just the way you do it is how I tell everyone, watch what Karissa does, do that. Go in intelligently, listen, ask great questions, and get this narrative to kind of end up where you need it to be. Karissa (28:32) Oh, that's very kind of you. I think that I listened very intently, so when I'm on this podcast or any podcast, I'm listening. I'm not on my phone or doing stuff in the background. You can sort of tell, right? I mean, I've been interviewed by people before, and I'm like, is this person listening to what I'm saying? Because it comes across quite clinical and quite contrived by the next question. So I do hear what you're saying in terms of listening to people and actually asking relevant questions. But if you look at, like, if you zoom out in terms of sociology, that does seem obvious, but we still get it wrong, and we've gotten it wrong for years. So what is it that people don't get that they're missing on how to listen and then how to ask questions that make sense to the person you're asking? For some reason in our space, we still don't get it. Jim Bates (29:24) Yeah. So there's a thing that I use that it's called the communication code. And whether you're the receiver or the sender, I start to set expectations for the conversation from the beginning. If I'm the one that's the sender and I'm talking to you, I'll say, Karissa, what I really need in this is for you to help me to shape this, help me get the best possible outcome. I need you to kind of collaborate with me, or I might come to you and say, what I really need you, Karissa, I really need your input on is tell me why this won't work. Beat this up for me. I have an idea or a concept, and I just need to have someone to kind of, like, critique it and see if there's a way you can bust my idea. Or I might come to you and say, you know, I really just need you to listen to me and confirm that you heard what I said to you and repeat it back. Because sometimes I have a hard time. I'm a big idea guy. I'm a strategic thinker, and my personality, style, my decisions are probably based more on people and values than they are on systems and logic, and it's probably why I communicate it in a way that some of the introverts that are more logic and systems oriented have a harder time with. Jim Bates (30:37) But those are the people that really save you. So sometimes I just need to go to them and say, okay, I'm having a hard time really communicating what I'm trying to say. So let me know if you understood what I just said to you, repeat it back to me, and I'll see if you got it. Or sometimes I might just this is one of my adult children. I had a big struggle with this. They just needed me not to solve them, because I'm a solver. I want to fix the problem. So whenever someone comes to me in communication, if I don't know what they want from me, I just assumed I need to fix it. And my kids would say, dad, I just want you to give me a safe space and listen to me and don't try to solve me right now. I just need to be able to share something with you. I think communication is a skill, and it is philosophical, but I think It people could learn a lot from getting more of those soft skills, because most of the It people I'm not going to try and make generalisations, but they're very logic oriented people, and values are kind of more fruity. Jim Bates (31:32) People skills maybe aren't the best thing. We used to joke all the time. We keep our It people walk behind bob wire and feed them raw meat or mountain doing twinkies or whatever, and don't let them interact with the public. But at the end of the day, if we want the business executives to know what we do and understand technology, we've got to get better at the business language and that communication. So that would be my advice to everyone, is just to know what the communication. I have someone who works with me, you've met madeline, and I just say, madeline, let me know what you need from me in this conversation. So I don't get it wrong. And I think the more that we can set expectations about what we're trying to, asking good questions is great, but every communication is different, and we just need to kind of understand what does the sender need or what does the receiver need, and can we set expectations at the beginning so we don't get it wrong and spend a lot of time going in circles? And I think it's more effective and efficient communication, and it's part of this whole leadership stack of how to be better leaders. Jim Bates (32:31) Leaders aren't just managers who have all the answers. They lead smart people. I say I want to be the dumbest guy in the room now and just surround myself with really smart people and just empower them to go get stuff done, not micromanage them, just get out of their way. So I think we can take a lot of lessons from that. And I think it's part of being at the level I have in my career, at the sea level and everything else. I had to get out of the trenches in my way of thinking, because, hey, we all want to play with technology. Just leave me alone. I want to configure my firewall, I want to go out there and do whatever I got to go make sure that my sock and my SIM are working and I got to make sure whatever we're doing. But why are we doing that? Why is that important? What's the firewall service? What's its role in the organisation and why is it important? And if you can start asking yourself the why question, I think it helps you with your communication. Like, when I was at the hospital, I would go to the It. Jim Bates (33:33) Now, I went to the programmers one time and I say, what do you do? I'm a programmer. I said, well, no, not really. Well, yes, I am. I go, no, we're a hospital that sees patients. This organisation exists for this purpose. You have a job that writes code for programmes that the doctors and providers are using to do patient care. That's the value chain, right? That's the value stream. If you can see yourself as part of something bigger, of why the organisation exists, it helps your communication better than just saying, don't tell me why we do what we do, or Just tell me how to do my job and I'll go, do it. People are like that my career, when I was young, I had to support a family, I had to punch a clock, make a paycheck and be my family. That was the most important thing to me. But then I started going, Why am I what's this company all about again? What's this mission and vision? So you talk about strategic alignment. You have to start with understanding why this organisation exists, what its requirements are and why your job is important and what your role is. Jim Bates (34:30) And then that starts to build the alignment and the communication needed to be very successful. Karissa (34:35) So would you say it's about having an understanding, a very clear understanding of the contribution that you're providing as an individual. But would you say then that software engineer that you just referenced before, do you think that perhaps people are clouded by their role? I'm just a software engineer? Well, no, actually, you're contributing to the overall hospital here, which does X-Y-Z. Jim Bates (34:55) Absolutely. And I know that you kind of mentioned when we talked before this call about how do you kind of keep the momentum going and how do you create excitement around what's happening in our world? It's constant change in the pandemic and covet and all the challenges that we're faced with now with our communication, because we're doing a lot more remote workforces. We got lots of different kinds of things happening how do you keep people excited? Well, if you know that, if you can go and say, hey, we just help that patient get better and my role in this database aligns to that, I can go, oh, you know, I might not feel like I'm just a programmer when I feel like that. I really what I did added value to something so important. And whatever's important to your organisation, if you can start to see yourself as part of that, I feel like it's really important. The Gallup Journal. I read a study they did here several years back. I can't remember, time flies by, but they did this study and they broke up employees in the organisation in three categories engaged, disengaged and actively disengaged. Jim Bates (36:03) And it was literally about 48% of the workforce that were engaged. Less than half and engaged was they came to work believing in the mission and vision and were totally engaged and why that company was there. About 33% of the workforce or something like that was disengaged. They punched the clock, they did work, they were valuable, they got stuff done, but they didn't really care if they worked here across the street, they just needed a paycheck and they weren't really bought into the company's mission and vision. And then there was 18%, I think, something like that. That was what they called actively disengaged. The ones that were undermining everything that you're trying to do, and that's the ones where you had to either bring them in or get them out because they're bad for your organisation, right? So I think engagement, this whole alignment from strategy to execution part is so important, and try to see yourself as part of a value stream. My job contributes. You might have been a security officer that was like standing outside of a building, guarding the building and thinking, wow, I don't have a very good job, but, hey, you're contributing to the safety of that organisation, just like a cyber security officer or somebody that's looking now at threat agents that are trying to exploit your data and information and do damage to you or whatever. Karissa (37:14) So one thing I'm curious to know about now, Jim, is we sort of already touched on it slightly, but I want to sort of get into a little bit more here is we always talk about what we're going to do. One thing I like to say, it's very easy to start something, but it's another thing to keep it going. So I'm curious to know, from your perspective, at a high level, how would you approach taking a strategy and actually implementing tangible outcomes? Because more often than not, the analogy I like to think of is Jan one, everyone's like, yeah, I'm going to go to the gym this year. And I think there's, like, studies. By Jan 17, everyone's given up and they're back having beers with their buddies. Obviously, as human beings, we're not really disciplined to continue things. And so I'm curious to know how would you do that with an organisation that already has complexities moving parts? People are stressed, people are sick, there's all these things going on. You've got to keep it moving. What would be your advice to that? Jim Bates (38:16) That's a really good point. I think, like I said, no two organisations are exactly the same. And so it's not like a prescriptive approach that I could tell you. But here's what I would say. If you start with the requirements and you understand those. And then you start to build out your cyber strategy around what's best for the organization's requirements. This mission and vision. And then have that trusted dialogue where you're building trust with the executives about risk and investment and then you're getting down to. Okay. How do I continually give them a scorecard and report up on how that investment is actually doing something? So I would say let's borrow from an Alaska up here. The safety culture is huge. Alaska has the translucent Alaskan pipeline where we have the North Slope, they call it. And we get crude oil that comes out of these oil wells and we run them down a pipeline that's over 1000 miles long to Valdez and put them on tankers and ship it all over the world. Safety has become a huge culture. You cannot go to any of these companies now up here that are in the oil patch or a lot of the other industrial companies without every day, starting with a safety stand up, there's a safety minute. Jim Bates (39:27) And every meeting I go to, there's placards all over the walls and there's these little metrics they use about how many days they've gone without an incident. And I started thinking, hey, we're cyber safety. We're providing safety to the organisation in a different way. Because why is safety culture so big? Because they know that one incident can cost them so much in downtime revenue, morale and everything else. If they don't be safe and someone gets killed or injured on the job, it's a big, big deal in the safety culture. Well, can we do that same kind of a culture? I mean, the executives from the top of the organisations are bought in to the safety culture. It's on their websites. Everything they do is like, we have a safety culture. Safety is part of our DNA. Well, how do we, as cyber security professionals, get them to see cyber security is the new safety arena and we have to be safe. We have to protect ourselves from malware and from all these things that are happening. We've had a big pandemic of ransomware up here to some big agencies and it's caused huge disruption and it's not safe. Jim Bates (40:35) Can we start to say, let's keep the momentum going by? How do we report metrics back up? You gave us this budget money, so what are the metrics that are important to your industry based on those requirements we talked about. And can we show them how many attacks we forwarded? How many 2.5 billion hits a month in our gov space? And here's what we've done to protect. And I'm grateful to God that in my three years of Seattle, the state of Alaska, we had no doubt time associated with a big cyber attack or anything like that. And so I was thankful that we were able to, because we all say in the cyber, it's not a matter of if, it's just a matter of when someone's going to find some vulnerability and exploit it and you're going to have a trouble. Right? But I feel like if we can change, if you want to keep this momentum going and execute this, then let's start giving ourselves a scorecard that aligns with our business score card and showing them exactly what the threats are looking like. How many of these do we have? What have we done to mitigate risk? Jim Bates (41:33) What have we done? And report back up and say, hey, celebrate with us. We want this many days without an incident. And let them feel, like, the pressure that keeps us awake at night. I feel like if you want to really keep this momentum going and execute, then think about how we're going to change the dialogue and something that keeps the momentum going, where everybody is involved and everyone sees that they're a part of it. Hey, 93% of malware comes in through email. Well, everyone uses email, so you've got to be due diligent. You got to tell people and teach and train and keep the message going and keep it always out there. Because we're human, like you said, entropy happens. We start to get all these things that distract us and we go back to creatures of habit. But the safety culture, I've watched it, it has not regressed. I don't know what it's like in Australia or other places of the world, but everywhere I go with the safety culture, I'm like, these guys got it down in spades, because this has not regressed, this has not lost momentum, this has not gone back to the same old way it was before the safety culture came out. Jim Bates (42:37) And so if I was to share a message with the world to say, if you want to change the dialogue and change the dynamic, let's figure out how to replicate what they did in the safety culture to get everybody from the C suite down to realise how important this is. And I don't know if that answers your question directly, but that's where I would start. Find something like that and model after it. And then just the regular project management approach to everything is get your requirements, get your plan, monitor control that have good change management, because as soon as you think you have something figured out, there's some new thread agent out there, some new vulnerability is being exploited. So information sharing constantly staying on top of it, watching the KBI podcast and listening in what's going on, listening to all the smart people pay attention. And that's really the best thing I can say about how do we get this moving in the right direction and stop the entropy where people are just going back to the same old status quo. We've got to make change happen. Karissa (43:38) I agree. On the safety culture side of it, do you think it's because in terms of cyber, you can't see cyber? So, for example, if you're in, like, a safety culture, physically, it's pretty obvious. If someone's on fire or a building burns down, you can sort of attribute to, oh, well, that was the fire that we had. But you can't really attribute necessarily, unless your whole machine goes up or your machine, you can't really see it. So do you think that because you can't see it, it's a little bit like that theory? Out of sight, out of mind. Jim Bates (44:10) Yes, absolutely. So that's great feedback, because when I got my CISSP years ago, I had to keep up my education units and all that stuff to keep it current. And I would go to schools and talk to school kids from elementary, high school, all the way up. And I said, look, when you were getting raised by your parents, they said, look, avoid that neighbourhood. Don't go down that alley. Stay away from over there. You had to be a citizen that was aware of the threat and it was physical, you could see it, it was tangible. And then I'm telling these kids, you've got to be a cyber citizen now. Don't go to that hang out in that chat group. Don't go over there. Don't believe that guy who says he's a 13 year old girl and wants you to come meet with him. And because you can't see it and because it's virtual, you're exactly on the money and it's been a challenge. But I would like to tell people, I said, hey, have you ever played a game that you didn't buy? And they're like, yeah. And I go, have you ever gone into a store and walked out with something you didn't pay for? Jim Bates (45:10) Well, that would be wrong. I said, well, it's just wrong to steal software that you didn't pay for. And I said, but you're not being told or trained that from the time you're young, because it's some virtual thing that the parents don't see, that this kid got this game or music from somewhere and they were stealing, they didn't realise they were doing theft. Well, those are the ones that some of these agents are recruiting, the Russian mob. And some of these people that we had to deal with, they find these young kids and say, yeah, but you can't get in there. Well, it's like a game to them, these gamers like, oh, yeah, I can hack into that. And the next thing you know, they get in there, and they're like, See, I can do it. And they're like, hey, while you're in there, get us this stuff, we'll pay you for it. And because it's out of sight, out of mind, it's not being visual. So that's what I was trying to say, is, if the safety culture is putting everything everywhere, you can see it, even if, like you said, the incident is visible and it's more physical and it's easier to relate to the placards about safety. Jim Bates (46:04) Everywhere you look, it's a reminder. Every time you pop your computer up, there should be like a little sign, like, hey, cyber safe, you got to do your cyber hygiene, be cyber aware. You're a cyber citizen, act like it. I think we could start changing the invisible of something that's a little bit easier to relate to because I think that's what exactly you hit the nail on the head. That's why we have to struggle to make it like the safety culture is, because it's not as easy to see until someone's company is completely in trouble because they've been hacked and down and now their business is in peril. So, yeah, no, it's a really good point. Karissa (46:40) So how extreme do you think we have to get? Like, what's going to happen now? It's like, oh, you got ransomware, next minute your whole machine blows up, which is, like, going to signal, well, clearly that wasn't ideal. How are we going to get people to notice? It's obvious to people like you and I, but it's not obvious for someone else, oh, I don't care, I don't have to see it. If, you know, like, the building's on fire, you're physically in danger, but from a side of perspective, the guy's like, oh, who cares? I've been here three weeks, I don't care. That responsibility. People can say, oh, it's everyone's responsibility. It most definitely is, but the challenge is some junior level person is not going to care at the end of the day. Jim Bates (47:21) Yeah, I know you're getting to a topic now about the human dilemma, right, where out of sight, out of mind, and just trying to get by and get stuff done and not really see the threat, so you don't really feel like it's real until it happens and then it's just like, too late. And I don't know that I have all the answers to that, but I think I remember when I was going through my disaster recovery business continuity training, they made us literally watch these videos of, like, this building catching on fire and the whole disaster and that people weren't prepared for how to recover. And businesses went out and the same thing happened when we had the twin Towers in New York and both of them went down. Well, some of those companies, their entire backup was in the other tower. We lost both towers. There wasn't enough separation. Colocation was not ideal at all. And so those companies lost everything. They lost their accounts payable, accounts receivable, all their intellectual property, everything. They went out of business, a lot of them. Sometimes it's like, how do we wake people up to the reality of what could happen? Jim Bates (48:35) And I don't think there's how do you start showing people videos of what ransomware can do? But what happened up here in Alaska, we had a big ransomware. It was public because it was a borough. We don't have counties up here. We have what they call boroughs. But there was an actual borough that got ransomware, and it took everything they had to completely take their entire from phones, networks, servers, everything, because their backups got corrupt. Everything was corrupted. So they had to start from the ground up, and the whole community came together. And since then, the gentleman who was in charge of that has publicly spoke everywhere and has brought an awareness to, hey, this is real. This was painful. The only thing I can say to you is we have to try and figure out a way to make it more visual, make it more real to people, make them understand that they're part of a bigger picture in the threat and say, hey, and now look at supply chain, right? The whole thing. Now our NIST over here in America came out with this whole new supply chain, risk management kind of set. Jim Bates (49:46) Everything that comes up now has a new we have the privacy framework. We have the cyber security framework. We got all these things, and now we have supply chain because look what's happened to the world because of cod with the supply chain and the vulnerabilities and security. You could say, hey, I'm secure, but somebody in my supply chain. If there's a vulnerability, it could disrupt the entire supply chain. One person in the b to b community that doesn't have the same ethics that you do around cyber security could cause your ultimate customer to be affected. The final b to c in that supply chain, right? So how do we start to become more accountable as a collective? Think about this. I know we're getting close to time here, Karissa, but in the old days, what was the asset that people stole? In the old horse and buggy days over here in the US. They would rob a stagecoach and get gold or go to a bank and rob it. Well, we made that really super hard for them to do. The risk was not worth the reward. You don't hear about people very rarely do you hear about people robbing stagecoaches and banks like they used to. Jim Bates (50:50) It's now always a way to do a cyber, because our money is not really being packed around as gold anymore. It's our information now. We've got things we're trying to put in place, like blockchain and the way that crypto is happening and everything else. But if we can figure out a way to make it not worth the effort, the risk is not worth the reward. Well, our community figured it out on those old school things, and they were easier to see. A piece of gold is easy to see. A crypto, you can't really see it, right? So I think we're all challenged with figuring out how to innovate ideate and change the narrative, because this is the world we live in. It's getting more and more connected all the time. I mean, literally, everything is connected. Wearables ingestibles. My refrigerator is having affair with the toaster. Because they're all smart, home smart, everything, right? And every one of those is a vulnerability that could be exploited if you're not careful. And we have to be aware and more and more aware. Everything we have is something that a threat agent can look to try and exploit. Jim Bates (51:52) So my big message to everybody is, we are all part of this. Jim Bates does not have all the answers. I've got a lot of experience. You've got a lot of experience, Karissa. You've talked to a lot of people. But I think what you're doing is how we get the word out. This is how we make it visible, and God bless you for what you're doing. I mean, everywhere I go, people have heard about you and what you're doing, and we want to make it even bigger. So anything I can do to contribute and help, this is how we start right here. Karissa (52:20) That's awesome, Jim. I really do appreciate that. I think it's just about having these conversations that are open. There's no alternative motive here. I don't sell security services. I don't have a horse in this race. But I really want to go back a step. When you were speaking before, what was coming up on my mind was, in people's eyes, the Internet doesn't feel like real. And what I mean by that is, if you went out and you punched someone in the face, you get reprimanded for that. But if you go out and you troll someone on Twitter, you don't really get reprimanded. So I think the same philosophy or theory extends in the cyber world. Right. It doesn't feel real, so it goes back to you can't see it, but there's nothing to really hang your hat on, really, at the end of the day. And I think that's the problem in the cyberspace. Like, oh, well, it doesn't really matter. The Internet is not really real life, per se. So I think that's the challenge. Jim Bates (53:18) Yeah, no, I think you're exactly right. It is. But think about it. We used to take our mail and send it through a stagecoach, the Pony Express over here, the famous Pony Express in the US. Then we went to a telegram over his wire, and then people would cut the wire or whatever, but it's still something you could see. And then we got to the telephone. We're now, okay, I pick up this phone. I really can't see the line between. Here and there. And so we started kind of getting this idea of I can pick up the phone and bully somebody over the phone. It's a little bit harder to see. But now we're to this thing where it's like literally communication has become. So I'm walking around with a so called smartphone that I can do everything from. And I feel like that you're exactly right. It's something that because it's hidden just the pornography industry and how big that is, because it's something that people can hide and do. You're not going out there physically out there where everyone can see you walking into some shop. You're hiding in your little space behind your little deal, but now eyes are watching you. Jim Bates (54:24) Everything's hooked up. I mean, cameras. I was just talking about some product the other day. I wasn't even online looking for it. And I started getting ads popping up. It's like they're listening on my phone or something. It's literally that scary. Karissa (54:37) There's more anonymity these days. So like with crypto and all that stuff, of course there are ways to find out who owns what wallet, but it's just more so like if you go in the street and you commit a crime, it's obvious it was you, right? But on the internet, this is sort of going back to my theory before on the Internet, like, oh, well, what's the worst, I troll you and then I get blocked. But I may be curious to breathe, but I may not be me either. And I think that it just doesn't feel real then because you can't physically see the person. That person may not even exist, for all I know. But if you go out on the street and you punch someone, that's very obviously that happened. And I think what's going to happen now with the whole Web three and meta and all this is going to become this it's almost going to become people are going to become delusional between what's real and what's fake. Is web the real world or is this physical world real or which one is real? Are they both real? Jim Bates (55:30) Yeah. So you just turned us into, like I said, the plight of the human race and with robotics and intelligent information and virtual reality and augmented reality. It's like I've talked to a lot of these kids and they're just having a hard time of understanding even what's real. And so this is the world we live in. This is where we transact business in, you know what I'm saying? It's literally where we're at. And this is a dialogue that's so important. And I'm glad that on your show, we have a way of your podcast. We have a way of bringing it up because we could talk about all the things that make us cyber security guys happy about. Oh, man, I've got this really? Now I've got this new service that I'm doing, the same service where I'm actually mining all this stuff with artificial intelligence and machine learning and it's doing yeah, but we're becoming harder to communicate in a real way because now people hide behind an emoji or an avatar on their computer. I'm on a zoom thing, I can't see their face. I like to read people, I like to read micro expressions. Jim Bates (56:35) I'm really good at it. And now it's like I've lost a lot of my ability to communicate effectively because of that. Right, and so you're bringing up something that's even a bigger topic that we could probably spend our whole podcast on. But yeah. Now it's great though. Because we need to start the dialogue about where we're headed as civilization now and how do we start equipping ourself. Become more aware. Help the young people that are coming up today in this world to be able to communicate better and to understand and to be a cyber citizen that's responsible. To understand what it means to have good cyber hygiene like we do with everything else. And take a world that's not tangible. It's something like that, right, and just say, hey, we've got to make this in a way that you can get your arms around it and protect the data and everything else that we're doing. Karissa (57:22) And one sort of last question to sort of close on. Now, we spoke about communication, strong communication, but as you sort of alluded to things that people's communication is sort of breaking down because of having so much distance and people are now working remotely and people are not going to see each other as much. Do you think we're going to get to the stage where, I don't know, we're communicating just via WhatsApp? And there's just no communication like this at all because people become so inept from it, because they're so used to it, like, are we going to feel so remote? And then if so, doesn't that then just broaden the problem and act like we're not closing the gap? Jim Bates (58:01) Yeah, no, it's true. I think you're on to it because I'm a world traveller. I spend a lot of time doing give back in Africa and just different communities in the Philippine Islands and everywhere and everyone uses WhatsApp and now it's like everybody's trying to blow me up on WhatsApp they want to call me on WhatsApp? And it's like time zones are different everywhere. I'm a working man and I'm trying to work and if I don't respond to somebody instantly, they get their feelings hurt. Like, you didn't talk to me, why don't you respond to me? I'm like, communication is my in baskets now. I teach at the college and I have my business account, I have my personal account, I have probably four email accounts and then I have texting and WhatsApp. And it's like I could not process all the voicemails, emails, texts, WhatsApps that I get every day if I work, couldn't respond to everybody. And so, yeah, I'm laughing because you're just opening up another whole dialogue, right? It's going to become more and more rapid, more instant, more points, and it adds way more complexity to our entire world. Yeah, so yeah, that's a good one. Jim Bates (59:13) I don't know if I answered your question, but I think I added on to fuel to the fire. Karissa (59:18) Well, I think it's just more so an observation because what you should have said, most of the conversation is it people generally. Again, it's a general statement, not the strongest communicator. So if we're there at this stage, imagine next five years when things are more remote and more online and we don't have to see people, imagine how much harder it's going to be to communicate with people, to then get like budget and all that stuff. Overall, I'm curious to see how it's going to sort of pan out. Jim Bates (59:45) Yeah, no, you're right. I think that's a really good point. I think that the audience needs to really kind of think about the innovators out there, the people who are trying to bring things to market that will help us look at five years out, where are we going to be? What's the answer? And we need to collaborate and figure that out because I feel like it's just going to get harder and harder to communicate. It's going to get more instant. There's going to be a lot more like, how many times have you read an email and you misinterpreted what someone was trying to say because you're trying to figure out what their tone is and maybe they didn't mean anything, but it was just like they just were trying to hurry up and communicate. So they were mad all the time. Karissa (01:00:24) I think that's human nature. Jim Bates (01:00:26) Right? And so now I have to send five or six emails just where I could have picked up the phone and talked to someone for three minutes and then got it solved. Karissa (01:00:34) I am a phone person, though, to be honest, as a millennial, which is like me, I think it's more gen Z's anyway that don't like speaking to human beings. But I actually like it because I think about optimising my time. Jim Bates (01:00:46) Yeah, exactly. Because I have this big lean background. I've done a lot of lean process improvement and digital transformation optimization by taking technology, business processes and all that and trying to find the most optimal way to deliver our business services. Right. That's what I do in my company business improvement group every day. And I feel like you're right. I'm seeing that some of the newer generations coming up, they communicate different. They send these emojis to show emotion when I can't tell if they're real or not. Are they really laughing out loud? Are they crying right now? I don't know. I'm somebody who is old school, maybe a little bit older school than you, but I just like the old touchyfeely. Talk to somebody, pick up the phone, solve it, make it efficient and effective, and yet I see these new generations coming up that can type on a phone, like ridiculous hyper speeds, and somehow they're communicating, and yet they're sitting sometimes 10ft apart from each other. They're not talking. They're talking on their phone to each other, and they're literally in the same room, and they've learned to communicate through this new forum. And maybe we should pick their brains a bit about what they think, because I'm serious, maybe they see something we don't see. Jim Bates (01:02:04) I don't know. Karissa (01:02:06) Maybe it's just can I get more budget thumbs up, thumbs down? Like, who knows? Jim Bates (01:02:14) Like, send a picture, a stack of dollars and a thumbs up or thumbs down. That's great. Karissa (01:02:22) Yeah, that's what I'm saying. Like, who knows? Maybe that's the stage we got to get to. Look, I think that it's more just zooming out conceptually around communication. I don't think there's a silver bullet to it. I think everyone's different. I think everyone is at their own stage on how their communication journeys per se. So I think that it's just giving high level strategies, sharing some of your experience and your insight and your thoughts about what's worked for you in the past. And that's all we can really do. So I really appreciate your time, Jim. I love your energy. I love your realness and your rawness, and I really do genuinely appreciate your time for sharing some of your insights today. Thanks very much. Jim Bates (01:03:06) Thanks, Karissa. You're the best. Karissa (01:03:08) Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes. If you'd like to find out how KB can help grow your cyber business, then please head over to KBI Digital. This podcast was brought to you by KB Net Media, the voice of Cyber.