Secrets of AppSec Champions

As the cybersecurity industry grows, more professionals are breaking into security from nontraditional backgrounds. In this episode, Edvinas Urbasius, a former developer turned cybersecurity consultant, shares his unfiltered story of how he got into the field without certifications, and what he learned on the job in a SOC.


Chapters:
00:00 You Don’t Need Certifications to Start in Cybersecurity
00:56 Meet Edvinas: His Journey from Developer to Cybersecurity
03:50 The Cyber Attack That Sparked His Career Shift
07:01 Lessons Learned from Phishing Attacks and System Failures
11:02 Inside the SOC: Learning Logs, Alerts, and Triage on the Job
15:12 How Curiosity and Google Became His Cyber Tools
20:52 AI, Critical Thinking & Real-World Threat Detection
24:09 Peer Mentorship and Growing Through Collaboration
26:49 Why Coding Experience Helps in Cybersecurity Roles
31:49 Final Advice: Be So Good They Can’t Ignore You

What You’ll Learn:

- How to enter cybersecurity without a degree or certifications
- What working in a SOC actually looks like
- Why developer skills are a hidden advantage in security
- The power of curiosity, Google, and collaboration in learning fast

Creators and Guests

Host
Chris Lindsey
Chris Lindsey is a seasoned speaker who has appeared at conferences, webinars, and private events. Currently building an online community and creating a podcast series, Chris draws on expertise from more than 15 years of direct security experience and over 35 years of experience leading teams in programming and software, solutions, and security architecture. For three years, Chris built and led an entire application security program that includes the implementation of mature AppSec programs, including oversight of security processes and procedures, SAST, DAST, CSA/OSA, compliance, training, developer communication, code reviews, application inventory gathering, and risk analysis.

What is Secrets of AppSec Champions?

Join host Chris Lindsey as he digs into the world of Application Security with experts from leading enterprises. Each episode is theme based, so it is more conversational and topic driven than the general interview style. Our focus is growing your knowledge and providing useful tips and advice. With Chris' development background of 35 years, 15+ years of secure coding and 3+ years running an application security program for a large enterprise, the conversations will be deep and provide a lot of good takeaways that you can use almost immediately.

Rob Wood [00:00:06]:
Don't be the person who's saying, well, the less they know, the less harmful it is for us. No, that train has sailed, as I always like to say. That makes my analogy. It's. That's gone. You don't get the, let's stay quiet about it. Let's kind of just say less and then it's going to be less harmful to us. No, maximum harm is already going to come from this.

Rob Wood [00:00:27]:
Not mitigating through a lack of transparency. You're making it worse. You're amplifying it through a lack of transparency. Why? Because now you're turning it from a competence failure to potentially have an evidence integrity failure as well. Because you're not talking. So talk.

Chris Lindsey [00:00:47]:
Hello and welcome to Secrets of AppSec Champions. My name is Chris Lindsey and today we're going to be speaking with Rob Wood. Today's conversation is going to be around building trust in the heart of security. Rob is the CISO at Trust CISO. Rob, please introduce yourself.

Rob Wood [00:01:02]:
Hi, Chris. I introduced myself as a CISO because that's the job that I do. But I guess more relevant is the fact that I'm a security industry survivor. For three decades now, my hair didn't survive the journey, as you can see, but yeah, I've been messing around with it and then security pretty quickly thereafter since the 90s when I fell into it, and I haven't fallen out since. Specializing in security for the last two and a half decades. I've been around a little bit. I would like to say I've done. I came through the infrastructure route, but I also came through the information security route and also came through the application developer route.

Rob Wood [00:01:41]:
Whichever turn I took along the way, I still ended up where I am today. So I'd like to say I'm pretty well rounded. I'm still hanging in cybersecurity despite the massive rate of change over the past ten years or so.

Chris Lindsey [00:01:54]:
Somebody hit the gas pedal in the last six months. I mean, we're accelerating at a speed never seen before. When you look at the technologies and the things that are going on right now with AI, you got to be prepared. If you're not going along with the ride, you're falling behind really quick.

Rob Wood [00:02:11]:
I try to think high level. What is the North Star? Because it's so easy to get lost. It's so easy to get lost in application security, in cybersecurity, information security, however you want to slice it, it's so easy to get lost. How do you find yourself again? What is that North Star for me? That North Star is how do we earn customer trust, how do we maintain customer trust, how do we restore customer trust? What are we doing this for? We can say that back in the day, information security, I used to one of the kind old gentlemen that are retired now that helped mentor me in the industry. He said, Rob, when I first started information security you'd have security guards and fences and dogs and if no one walked out of an office with a PC under their arm then there was no, no information lost. There was, the computers were secure, nothing got stolen. His focus at that time very much on information security. Cybersecurity didn't exist as a term.

Rob Wood [00:03:05]:
The CISO term was just starting to be used a little towards the end of the 90s and seeing how it's changed from information security started with what do we need to do to manage information risk down. And then it came through the dot-com era and like well all of the information's we put it in this one place where everyone's connected to everyone else. That was a stupid idea. It was so much safer when it was behind the six foot walls with the dogs and the fences. Well that's, you know, we've done that. So where do we go from there? Now everything's talking to everything else. It's not even users talking to websites anymore, it's websites talking to other websites with APIs. And then we get to kind of fast forward through a load of stuff I know I must be missing.

Rob Wood [00:03:49]:
But then Covid like well everyone go home, everyone's at home. This talk about kind of perimeterless and where is the edge of our organization, where the data center is, our website and that's it. It's fine now it's Mike's house and Jenny's house and Maureen's Starbucks. So that's part of our place now as well. We've got to secure. We push in Covid times. Everything's everywhere all at once. And then obviously AI coming as well.

Rob Wood [00:04:17]:
It's the approaches. How do we manage informational risk down became quickly what do we buy to make ourselves more secure from a cybersecurity perspective. And I think perhaps sometimes, let's say it's easy to get lost. Sometimes we forget that we're supposed to be managing information risk down as much as we can, as early as we can, as far shifted left as we can. And then when we get that little bit lost go back to North Star and say okay, so but why are we doing this? Why are we doing this particular thing? It's to earn our customers' trust by diligently protecting their data. To serve ourselves well. By protecting our own data. By complying with the law and regulations that are in place.

Rob Wood [00:05:03]:
And it's a lot, Chris. It's a lot. No wonder they got to come back to it again. But it's the job, you see. That's right. That perennial debate about what is a CISO? Who should a CISO report to? What is the job? And there's so much debate about it still today, we don't know. There's no standard thing, is there? Sometimes you're a techie, sometimes you're a developer, sometimes you're a lawyer, sometimes you're a go. You just, you're a risk manager, sometimes you're creating policies.

Rob Wood [00:05:35]:
I mean, yeah. Or you're there to support, you know. Hey, we need a new CISO. Great. Who's the CISO? Can I report to head of sales? Got it. Okay, fine. A field CISO. We know what a field CISO is.

Rob Wood [00:05:45]:
A field CISO is someone who talks about how good the security program is to customers. How good is the security program, by the way? Don't worry, that's not your job. That's the head of IT's job to do the security program. You're the field CISO. It's your job to talk to customers. So again, still as trusting. But that's talking about trust. Are you doing the right things to earn that trust? And that's someone else's job.

Rob Wood [00:06:06]:
So yeah, I can't walk past one of those debates when it's up on LinkedIn, what is the CISO role? And you go, yep, I can't walk past it. So I've got to get involved. If you look at what is happening with the CISO role today, it's a lot like what happened with the CIO role. People don't really argue that much about what a CIO is these days. Arguably, the CIO CTO thing is kind of worked out as well. But at one point it was just the IT guy or the IT girl. And then it became the CIOs. It became more strategic and people understood that it was a strategic and executive leadership role in an organization.

Rob Wood [00:06:42]:
And we haven't finished that for security. So there's my long preamble for me again. That's why I come back to okay, we can't work out what the CISO is in this organization by listing the hundred things they're going to do, but are they responsible for guiding the company to establish, build, maintain and restore customer trust? If we can just agree that I'm sure we can do a good job of creating a program, managing a program, improving a program, driving a program. So, yeah, that's my soapbox moment.

Chris Lindsey [00:07:16]:
Well, then let me, let me add to it. Is trust and reputation the same?

Rob Wood [00:07:21]:
I think there's nuances, right? So companies have reputation and people have a feeling of trust as an emotion. So when people say to me, they say, trust is in cyber terms, trust in digital terms, it's certificates, right? You can trust that that server is the server that it says it is because it's got a certificate. And you say, yeah, I mean, that's not trust to me. Trust to me is all joking aside. Those things where they call you up on stage and stand behind you and say, fall backwards, pull backwards and I'll catch you. It's a human emotion, it's a visceral thing. It's in your organs. You have chemicals floating around in your body, hormones directly related to trust.

Rob Wood [00:08:09]:
If you are not experiencing a rush of oxytocin in the body, you're not trusting someone, whether you then manage to look at a digital certificate and say, well, that server says it's the right server. Trust is a feeling and you can establish that through reputation. You can your company. If you have a company that acts with integrity and that means doing the hard things, even when, and the necessary things, even when no one's watching, doing what you say you're going to do. If you say you're going to do it, don't it? And having all that congruent and in alignment, that's the integrity piece. And integrity feeds reputation. And reputation is a component of trust. If you don't have reputation, you don't have credibility.

Rob Wood [00:08:57]:
People are just going on faith and people are going on your claims. It's very easy to do a very glossy marketing document saying we're the most trustworthy, blah, blah, blah in the world.

Chris Lindsey [00:09:07]:
Exactly.

Rob Wood [00:09:08]:
The trust is a thing you come back to at the end of the day. You read the glossy, then you can go back and look at the data and goes, do they say what they, what it says on the tin? Are they walking the walk and talking the talk? Does it all add up? And when it does all add up, what's that thing you're still looking for at the end of the day? If you want a customer to buy from you, if you want to put some transformation services into someone, you want to take some money off of someone to do something for them and make their life better, there is still that one thing that they need to get. And that's that, that's that oxytocin rush. It's that feeling of trust. If they don't get that feeling of trust, you can't deliver to them what they need. You don't want someone coming into the start of a business relationship, even if it's just, I don't know, I'm going to put my date of birth into this website, which will send me a recipe on my birthday. Do I trust these people? Would you want to trust those people with your date of birth? Probably not, if they don't need the data. That's the privacy thing.

Rob Wood [00:10:07]:
You've got to think about where you're putting your data and why. But you're still at the end of the day going to look at a website and go, is this, is this organization someone who. Am I getting this feeling of trust or am I not? That should be not left to chance. You don't leave trust to chance. If you're a business, if you're an organization that wants to exist in the real world with customers, most customers have. They have physiological systems, they have endocrine systems, they're going to produce hormones that either make people, that the brain goes, oh, I get that good, trusty feeling from these people, or it doesn't. You have to be looking for that. And it can be engineered.

Rob Wood [00:10:42]:
It can be engineered. Trust can be engineered. And not a bad way, not in a manipulated way. It can be built. You can mean constructed well, with good foundations, with solid foundations and maintained. You go in and you check the bolts, you check the framework. You don't just build a roller coaster one day and go, I trust it's safe. Everyone enjoy themselves.

Rob Wood [00:11:03]:
You go out there, you make sure that the design is good. You make sure that it's built as designed. You make sure what you put together fits the specification that you wanted. You go out and you check the bolts every day. You go out there and you run tests and you, you make sure that there is evidence that it is as trustworthy as you need it to be. And then everyone can have a great time. You can't just build it and hope for the best. You have to build it and account for it.

Rob Wood [00:11:35]:
So the other thing with trust is that it's. I didn't invent this phrase. You've heard this around, I guess that trust is built in drops and lost in buckets. So there's a currency. I mean, that's the implication. If I say trust is built in drops and lost in buckets and everyone goes, ping, yeah, that makes perfect sense to me. Implicit in that making sense to you. You have to accept the trust is a currency and it is.

Rob Wood [00:12:00]:
It's a universal currency. It's a universal currency. We all understand it. We understand what it is to be in credit, we understand what it is to be in debt. We understand what it is to lose trust. We understand what it is to gain trust. And the reason we understand it is because our body tells us, it tells us what it feels like when we gain it and when we lose it. So understand that.

Rob Wood [00:12:19]:
Build that into your security program, build that into your messaging, build that into your marketing. Build that into build that into every conversation you have with your customers. Build management trust into everything you do in your organization. Every time you pick up the phone, every time you write a line of code, every time you fix a problem, every time you send an invoice, every time you listening to a customer with a need. How are you building trust with them and how are you helping them build trust with their customers? Because no one buys anything unless three criteria are met. This is my model. I'm sure other people have come up with it before me, but this is the one I'm going to imagine that I invented as the creator. People buy because they believe in the capability of your product.

Rob Wood [00:13:07]:
It's going to do what it says it's going to do. It's going to fix a problem for me. They believe in the value of it. It's going to make them some money or it's going to save them some money because they trust it. They're not going to end up as headline news and their customers are going to go away happy and believing in that organization, that product, that service. So capability, value and trust and capability and value are actually quite easy to build. You plan your product, you make it cost effective. You value based setting, hey, it's going to save you some money.

Rob Wood [00:13:35]:
It's going to take some cost out of your operation growth capability. The reason it's going to take some cost out of your business processes is because it's going to do these things that you can't do at the moment or it's going to do these things better. Capability and value, easy. How do you build trust in your sales process? So we know, we've talked about how, we have suggested that you should be building trust into everything you do, all your business processes. But is it part of your sales process now? Are you talking to customers? It's not just that throwaway stuff like oh, and don't worry, you can trust us. Oh Our security is the best security. Oh, don't. We've never been breached, so we're super secure.

Rob Wood [00:14:14]:
Or do you talk actually about trust with customers and how it is part of your DNA, it's part of your core values and that it's not something you're going to shy away from. I don't know how much you've dealt directly with account executive salespeople and supporting them as a cyber professional, as you've been for a long time. You want to talk about security, they do not want to talk about security. They the last. And they was, not only do they not want to talk about security with customers, they all say, oh, I hope the security question doesn't come up. And you kind of go, sad face. But why? Why shouldn't the security. We've got a good security story.

Rob Wood [00:14:55]:
Why don't we want to talk about security? And it's because it's this. This is the missing piece. Salespeople do not want to talk about security because security is a bad word. Oh, hey, salespeople. Why don't we talk about trust and how we earn a customer's trust and how our security program is robust and everyone in our organization understands that they've got skin in the game and that we actually engineer trust and how we earn and maintain trust in every part of our business process. They go, oh, great, yeah, can you do a presentation? It's in five minutes. So that's our salespeople now going. Trust is a far more interesting story, a far more interesting conversation piece with our customer.

Rob Wood [00:15:35]:
It's now on the positive side, I'm happy to talk about trust because it's good, right? Don't talk about security, but you can talk about trust. So all we're doing is just flipping the story, right?

Chris Lindsey [00:15:44]:
You bring up a good point. How many times do you hear the security story of a company? It's rare, it's just not front and center. And you're right. In today's environment, when I think security, the first thing that comes to mind is the multiple breaches that have recently happened. The things that I was just notified. I just talked about this on LinkedIn recently, where I knew about breaches because I find the information on the dark web or I'm notified my stuff's on the dark web from a given breach. And the reality is when you look at it, it's like, why am I not hearing from these companies? Why are they so silent? And when you look at some of the facts and the details, trust has to be built in from the ground up: source code.

Chris Lindsey [00:16:26]:
When you're doing basic development, it's not just from point A to point B, happy path. You're going to have things that ride the rails on both sides of the guardrails, saying, hey, can I get around this? Can I do this? Because you have bad actors trying to break that trust or break that reputation. A lot of companies today, if you're saving data on, for whatever reason, as simple as a birthday, are we trusting that it's being stored securely? And really what happens is a lot of people will start off very trusting of a company or of an environment or something. And then when that trust is broken to your point, it's buckets full of work just to get back that trust.

Rob Wood [00:17:08]:
It's always on that side. It's on the reactive side. It's on the after the boom thing. There's all of this time that you can spend in slow time. You can plan, you can strategize, you can build, you can engineer, you can be proactive, you can get ahead of things. And we kind of do. In a good security program, we kind of do, but not with a good strong view on trust. And then something, one part of our, one of our users will zig when they should have zagged.

Rob Wood [00:17:38]:
One of our security controls would have zigged when it should have zagged, or it would just be absent. Something goes wrong. Suddenly now everyone's interested in restoring trust. Suddenly everyone's interested in talking about security. Suddenly everyone's talking about the bad stuff. And we only talk about the bad. We only talk about that topic at all once the bad stuff has happened. And how do we turn that all the way around and go, how do you build trust with people on both sides? On both sides? How do we talk about how trustworthy we are as an organization? It's hypothetical organization.

Rob Wood [00:18:14]:
How do we get that conversation started out of the moment, out of the heat of an issue? How do we get that transparent, open dialogue started so that I can build trust with you and I can get trust in the bank today? That's what I do for security programs. That's what I do with customers who have got security programs. How do you build a security program that has trust engineered all the way through it? How do you put trust all the way through your enterprise? And how do you talk to customers in the sales process about trust? How do you get trust in the bank? We've agreed it's a currency. Remember, it's implicit in earning drops and losing buckets. It's a currency, which means you can build it up, you can bank it. And when it comes to the. Even if you do everything right, there is still going to be some point at which you are going to get a trust event. You're going to get an incident, you're going to get a ding.

Rob Wood [00:19:05]:
And I draw this little thing called the trust graph. And it is just as you can imagine, you establish trust up here. If you're a startup, you've got no trust. If you're a Microsoft, you've got some background trust in. So you're starting halfway up the Y axis or not depending on if you have Microsoft. Sorry, don't see me. You start off with a certain amount of trust and then everything you do is building that. Now there is inertia.

Rob Wood [00:19:28]:
That trust comes down over time. Okay, so what are you doing to keep bumping out? What are you doing every time there's a success story? Are you blogging it? Are you putting. Just getting out there and helping establish background trust? How do you build trust with prospects? How do you maintain it over time and how do you restore it when it goes a bit wrong? So those are all the things that can happen to the graph. Those, the inflection points, there's the dips, there's the peaks and the troughs. Sorry, alongside that, what is that trust overall? If it's just a kind of how your customer feels about you in terms of your overall relationship and you score it 1 out of 10, that's how you want to measure trust, that's what it is to you and then great, as long as you are managing it in some way. But again, coming back to what does it really mean at a model level? Trust is customers belief in your benevolence, integrity and competence. And we've talked about integrity a little bit. Do you do what you're going to say and say what you're going to do? Are you communicating? Are you going to be the hard thing? Even when, even when I was watching.

Rob Wood [00:20:33]:
I mean benevolence is a bit similar but do you have fundamental goodness in your heart? Do you care about what the customer cares about is. Do you care about their data as you would your own? Do you have their best interests at heart? That's benevolence, that's caring. We care. Benevolence. We will act in your best interests. That's integrity and we can. That's competence. Okay, how does it all break down between those three? Benevolence, integrity and competence.

Rob Wood [00:21:06]:
Competence may seem like the big one and in terms of building a security program, it is you've got to be competent, you've got to do the right things, you've got to be effective, you've got to have coverage. You've got to be able to look all the way across your security program, your infrastructure, your people, your just the technology, it's the workforce, it's the processes, your application development processes. Are you managing the risks in the product you're developing, in the thing you're writing, the thing you're supplying? Are you doing that? And are you managing the risks in your organization properly? Are you being diligent? Okay, well there's ways of telling that. There's whatever. Pick your framework, NIST CSF, COBIT, ISO 27001, whatever you like. Have you got a bunch of controls, 100, 200, a thousand controls that you can evidence in your audits and your trust site? If you've got one, you should have one as part of telling your story. Are you able to demonstrate that you're doing the right thing? Yes, except every organization that's ever been breached, it has been a breach of competence. Ultimately you can look at it and you can go, a user zigged when they should have zagged.

Rob Wood [00:22:16]:
They were so fed up getting this thing. Second factor authentication come up on their watch. They're like, no, no, no, no, no. And then one day they went, yeah, oh good, it's gone quiet. And someone slides in and they logged in as them and now they're lateral movement and they're going after living off the land. So it's still ultimately somewhere something went wrong in your security program. How do we as human beings get over a breach of trust or an incident? How do we get over as human beings that kind of someone did something bad, something bad happened and it impacted me? Well, we have this thing called forgiveness and some people more, more than others. And it's when you're the guy or girl at an organization that is your management saying, how the hell did this happen? And you're saying it's because our supplier did X, Y, Z.

Rob Wood [00:23:12]:
You're feeling the pressure. You're feeling that some questions need to be answered here. But also at the same time you want to try and maintain that relationship with your vendor. You have to. You're relying on them to unscrew the thing that's screwed up and to help get your business back on track or whatever it is, you've got to try and manage the relationship while also appreciating that there is some damage and some repair. Not just to trust, as we say, but also possibly reputation, what do we do? We look to see, understand the blip in the competence. But what we are ultimately doing is forgiving that. What we can't do is generally forgive a lack of integrity or benevolence.

Rob Wood [00:24:01]:
And I think that's really important.

Chris Lindsey [00:24:03]:
It is. You bring up a good point when you have a third party supplier bringing in or connecting to you and they're the ones that are breached. You're the one impacted, you're the face to the customer, not them. And that reputation and that trust and that transparency is key to maintaining that trust going forward. Because blips are blips. We all know a blip is going to happen at some point. It's a matter of when, not if. But the question becomes, how do you react? And you bring up so many good points, because when things are good and silent, hopefully you're not breached and not knowing it, but hopefully things are going well.

Chris Lindsey [00:24:42]:
And that's the time to put everything together. It's the quiet times that you prepare for, the worst times. It's where you do the tabletops, it's where you make sure you have the playbooks all prepared. It's where you have everything ready to go in the event that that trust is broken. And when that trust is broken, where you have that breach or that thing happens by being prepared and ready, then you can react accordingly. And trust is key because the question becomes, what happens? Right now there's several companies that have been breached. Our information's everywhere. And the question is, how do we react as a customer to that? Because right now there's a major trust issue between customers and vendors or companies.

Chris Lindsey [00:25:26]:
Because even going and getting an MRI or getting something at the healthcare, is my information just going to show up on the dark web somewhere. You trust a doctor because you see them, you can go in, you talk to them face to face. You have that, but you don't have that with a lot of companies. When you interact with, with an online company or an online system or you're interacting somewhere, that trust is key to establish and maintain. And what you're talking about as far as having that trust page and explaining, hey, here's why you can trust us, I think that's absolutely critical and key. And then to your point, follow through. Whenever I say we're going to do X, Y and say, hey, you know what, we were breached, this happened, this is what we're going to do. If you follow through, you reestablish that trust.

Rob Wood [00:26:13]:
Your willingness to talk about all of it, your willingness to talk to customers. And this is a big thing that's so frequently missing. And we talk about this kind of tone deaf. I'm not going to mention any names, but there was a recent. I guess they'd be an EDR company that took a lot of Microsoft machines offline because of a yada, yada, yada. The first tweet from the CEO was a little tone deaf.

Chris Lindsey [00:26:40]:
Oh, quite tone deaf, yeah.

Rob Wood [00:26:42]:
Somebody must have said, hey, listen, that doesn't sound good. We need to do better than that, okay? Because what we basically said is, look, it's not entirely our fault. Bad stuff happens and these other people do bad stuff as well. So. So there. No, you can't do that. You can't. You can't do that even if you really want to.

Rob Wood [00:27:01]:
Okay? You still can't. Because what is missing there is professional empathy. You cannot miss the point. You cannot miss the point that a few hundred thousand million plus people, their data got really bad and a whole bunch of other people whose job it is now to fix those machines, their job got really bad. In fact, there's a lot of companies out there that say they've lost a vast amount of money because of that. It's a big deal. And you, you do have to, first and foremost show that professional empathy. I don't want this to sound like a hot take, but if you, as the person tweeting at that point, don't really feel that human empathy, fake it, because it is right.

Rob Wood [00:27:44]:
It is right to have proper human empathy in that moment. And if you're not feeling it, do it anyway. This is something we did and we're going to fix it. We're going to earn that trust back, because that is a failure of competence. If you fail to demonstrate that professional empathy, if you're not able to show that you have fundamental goodness in your heart and have that benevolence, and if you're not able to show that you've got integrity about getting on and fixing these problems and owning up to them, then people are going to go, well, you know what I mean? Yeah, they screwed up and it cost us money. But that's got to be off the table. When things go wrong, the only thing that needs to be on the table is that competence failure. And then let's fix it.

Rob Wood [00:28:29]:
What happened? What was the impact? How do we fix it? How do we stop it happening again? That's it. Within all of that, you are also thinking, I'm not sure I trust these people. This keeps happening. They're not doing the hard stuff. They're not getting better. They're not caring enough about us to fix basic things when we've spoken to them about it. They seem to be playing fast and loose with their customers' data and the way they operate as an organization. And I don't like it.

Rob Wood [00:28:58]:
That's going to cost you business.

Chris Lindsey [00:29:00]:
And it's the follow-up too, because I jokingly call that the great reboot of 2024. However, to go out and apologize with a $10 Grubhub card, bad choice. Bad choice. They can do better. So when you do slip and you do lose that trust, the follow-up is absolutely key and important, to make sure that you're being out there, you're being honest, you're being, even if you don't feel like it's truly your company's fault, you just ruined so many people's weekends and days and amount of money and that reputation. It's a great company. They do a lot of things. It's a rock solid company.

Chris Lindsey [00:29:37]:
They slipped up. Everybody slips up at some point, and it's that recovery that's key. Everybody's out there shouting, burn them to the ground. Go elsewhere. But the reality is they're a great company. They'll get back and do the right things, which they have been since that incident. And they've come out and they've been very transparent with what happened, which is a good thing, because that helps build that trust back. But they also explain truly how that process worked, which now bad actors can look at and go, hey, guess what? Now we know how you do things.

Chris Lindsey [00:30:06]:
So there's pluses and minuses to that. So with trust being so important and when you do have that slip up, what do you think the best way to recover from something like this is?

Rob Wood [00:30:18]:
Truly, I'll take one step back first and say, I bet this company, and I bet every company, when the proverbial hits the fan, that is not the time to say, oh, I wish that we had more trust in the bank. I wish that we had more customer trust and industry trust and peer trust and general credibility and reputation built up in the market before this point. We've had years to talk about how we operate, to be transparent, to get people to understand who we are as an organization, what our values are, especially our values of benevolence and integrity, two key pillars of trust. So that when it does go wrong, the conversation is about a competency failure and only a competency failure, so that people will go, as many people did in this instance, but very, very many people didn't, you want people to be saying, all right, well, yeah, like Chris Lindsey says, they're a good organization. They were doing mostly the right things. They are a good, reliable organization. And in this case, they.

Rob Wood [00:31:33]:
They did a bad thing and they got caught out and we've got to move on from it. A lot of people were saying, wow, they're terrible. They must be a terrible organization, because when they've checked their credit, they checked the account balance, the trust balance for that organization, there was nothing there. It was showing zeros. How do you put that? How do you get trust credit in the bank ahead of time? Talk to people, go out, get people to understand you. Invite people, give things away for free. Not 10 bucks for your coffee or whatever, but go out there and build a relationship with the world about your values and what you are doing to be a trustworthy organization.

Rob Wood [00:32:18]:
Build that positive reputation, bank all of that. Okay, now you've done something wrong. There's a bug in your release process. Something that shouldn't have ever been released has now been pushed to a whole bunch of machines, and those machines are in a bad state. Okay. Communicate. You've got to communicate. You've got to communicate quickly. You've got to get out there and say, even if it.

Rob Wood [00:32:42]:
There are people I've worked for, senior leadership, that have said there's no point saying anything until we know exactly what to say. Okay? I've worked with senior leadership that says we're not going to say anything until legal tells us what we can and can't say. Okay? Are either of those options a way to take a human whose heart is pounding, who can just see their weekend disappearing, who feels like their boss is going to say to them, why the heck did you buy this product? It's clearly terrible. Those people are scared, and they're going to feel that they're the only person impacted by this for a little while, and that's going to make them feel even more scared. And it's going to make them feel alone, isolated and unable to deal with it. And probably feel overwhelmed. These are all normal, totally acceptable, okay, human emotions to have. So what do you do? What do you do? Reach out to those people straight away, as soon as you can, and say, hey, we know about this thing.

Rob Wood [00:33:44]:
We don't know a lot about it yet, but let me tell you, we have all hands on deck on this. All hands to the pumps. As soon as we have more information, we will share it with you via this channel. If we've not got anything, we will come back to you every 30 minutes with an update, even if it's no news. Stay tuned. We're on this. And as soon as we have something, we'll share it straight away, front and center.

Rob Wood [00:34:09]:
Communicate. Communicate with as much transparency as you can muster. Be the cheerleader in your organization for telling the truth and telling it widely, in the spirit of transparency and professional empathy as much as possible, and human empathy as much as possible. Don't be the person who's saying, well, the less they know, the less harmful it is for us. No, that train has sailed, as I always like to say, to mix my analogies. That's gone. You don't get the, let's stay quiet about it. Let's kind of just say less and then it's going to be less harmful to us.

Rob Wood [00:34:43]:
No, maximum harm is already going to come from this. You're not mitigating through a lack of transparency. You're making it worse. You're amplifying it through a lack of transparency. Why? Because now you're turning it from a competence failure to potentially having an evidence integrity failure as well. Because you're not talking. So talk, as they did in this case when they did realize, a little bit delayed, that they needed to be talking honestly and openly about what went wrong, how it went wrong, what you can do about it. That's the right thing to do, as well as threading that kind of professional empathy through there.

Rob Wood [00:35:21]:
You do need to work the problem, and you need to do the thinking for people at that point. You've got a couple of roles you can adopt. As this company did, you can adopt the kind of wringing-your-hands humbly, we did bad. Okay, that was maybe the second role they adopted. The first role, the persona that they adopted, was the, yeah, it's a problem, but problems happen. It's not just us. You can't blame all of us.

Rob Wood [00:35:46]:
Okay, so that wasn't the right one. But very quickly, what people are going to look for, even if you are the company that has had the failure of competence, they want leadership. You screwed up. How are you going to fix this? How are you going to get us through to the other side? If in your darkest moment you said, that is on us, this is bad, I'm really sorry. Here's what we know, here's what you can do, here's how you can limit the problem, here's how you can stop it spreading, here's how you can go back and fix the ones that are already broken. And this is what you can do for the time being to prevent the problem recurring. And then we'll get back to you with what we're going to do to prevent this particular problem from ever happening again. Okay.

Rob Wood [00:36:27]:
Well, now I'm not so much worried about your benevolence and integrity at all, because you've narrated it. You told me what's going to happen. You planned it out, and you sound like you really care about it. So you've shown your leadership, and that's what I really need. Because I was feeling overwhelmed because a vendor that I'd invited into my organization has exploded my machines, and you're now guiding me through the steps to put it back together again. Okay? That's the right thing to do. It's always the right thing to do.

Chris Lindsey [00:36:57]:
That is the right thing to do. Rob, thank you so much for your time today. This has been a great conversation, and it's going to be fun, and I know our listeners are going to love it. Again, thank you so much for coming today. Thank you. Thank you so much for joining me on this episode of Secrets of AppSec Champions. If you found this valuable, hit that subscribe button on Apple Podcasts, Spotify or wherever you get your podcasts. And hey, ratings and reviews are like gold for us.

Chris Lindsey [00:37:25]:
So if you're feeling generous, please leave a kind word. It helps others discover our show. Until next time, take care. Don't.