IT Matters | Tech Solutions and Strategies for Every Industry

On this episode of the IT Matters Podcast, our host is joined by Michael Irwin, CISO for Odyssey Logistics, to discuss the challenges and misconceptions in the cybersecurity industry. Together, they emphasize the importance of understanding one's environment, prioritizing proactive measures over reactive chaos, and addressing legacy infrastructure.

Conversation Highlights:
[0:00] Michael Irwin, CISO for Odyssey Logistics
[6:05] Michael's Cybersecurity Journey
[8:54] Challenges in Cybersecurity Investment
[15:22] Proactive Disruption vs. Reactive Chaos
[31:47] Advice for Emerging Cybersecurity Leaders

Notable Quotes:
"Cybersecurity is asymmetrical in general. We have to protect everything, and a bad actor has to find the one thing that we didn't protect." - Michael Irwin [9:10]
"Focusing on positive culture and work-life balance and really supporting the people on your team moves the needle more than anything else." - Michael Irwin [33:40]

Connect with Michael Irwin on LinkedIn.

Read the transcript: Episode 40

The IT Matters Podcast is about IT matters and matters pertaining to IT. It is produced by Opkalla, a technology advisory firm that helps their clients navigate the confusion in the technology marketplace and choose the solution that is right for their business.

Creators and Guests

Host: Aaron Bock
Host: Keith Hawkey

What is IT Matters | Tech Solutions and Strategies for Every Industry?

Welcome to the Opkalla IT Matters Podcast, where we discuss the important matters within IT as well as the importance of IT across different industries and responsibilities.

About Opkalla:
Opkalla helps their clients navigate the confusion in the technology marketplace and choose the technology solutions that are right for their business. They work alongside IT teams to design, procure, implement and support the most complex IT solutions without an agenda or technology bias. Opkalla was founded around the belief that IT professionals deserve better, and is guided by their core values: trust, transparency and speed. For more information, visit https://opkalla.com/ or follow them on LinkedIn.

Aaron Bock: Welcome to the IT Matters podcast, hosted by Opkalla. We're an IT advisory firm that makes technology easy for your business. Our vendor-neutral technology advisors work directly with your team to assess technology needs and procure the best IT solutions for your organization. On this podcast, expect high-level expertise from our hosts, plus experience-driven perspective from the leading experts on topics like AI, cybersecurity, industry-focused IT solutions strategy, and more. Now let's get into today's discussion on what matters in IT.

Keith Hawkey: And welcome back to the IT Matters podcast, hosted by Opkalla. At Opkalla, we help IT teams understand the busy marketplace of technology strategy and services with a data-driven approach. And on this podcast, we invite technology leaders to discuss the challenges facing the modern IT department. My name is Keith Hawkey, technology and podcast host of Opkalla, welcome to the IT Matters Podcast. Today's episode is going to be a little different, in a good way, because we're going to challenge some of the assumptions that have become pretty standard across the cyber security industry. We hear all the time, more spend, more tools, more complexity, but at the same time breaches aren't slowing down, and I think a lot of the technology leaders are starting to ask a simple question: Are we actually getting better or just getting busier?

I'm joined today by Michael Irwin, CISO for Odyssey Logistics, who brings a perspective that I think cuts through a lot of that noise. Michael has spent time inside environments where the stakes are real and the constraints are real and the decisions aren't made in a vacuum, and he's not afraid to call out where he thinks the industry might be getting it wrong. And in this conversation, we're going to get into where cybersecurity investment might be missing the mark, and how to think about trade-offs between operational friction and real risk, and why it matters when you don't have enterprise-level budgets or resources. Michael, welcome to the IT Matters podcast.

Michael Irwin: Thank you for having me.

Keith Hawkey: So, there, okay? Before we begin, there's a little game that we play here to prime the session. Have you ever played Two Truths and a Lie?

Michael Irwin: Two Truths and a Lie. I have. Yes,

Keith Hawkey: the name is a little bit self-explanatory, so I'll... these are cyber security. Well, actually, today it's a little less cyber security related, but it's tech related. Okay, and let's see if you can guess what the lie is out of these. So the number one, AI-powered holographic companions were introduced that sit on your desk, talk to you, and help with tasks, and even give you personal advice. This was introduced at the latest CES Consumer Electronics Show this year. Number two, a startup has created a device that lets you upload your dreams and share them like videos with other people. Number three, robot vacuums are being designed with legs, so they can climb stairs and move between floors without human help. Let me know if you'd like me to repeat any of these.

Michael Irwin: Well, I'd say in this day and age, anything AI related is perfectly feasible, that somebody's selling a product with it, right. So I don't want to go towards that one. Let's see, the, I think I had seen something about some brain scan related imagery for dreams, or associating that, but that would normally be where I jump to. But I think I'll stick to the simple robot vacuum with legs. I have one, and it rolls around the house, and it's gotten smart, but legs it has not gotten yet.

Keith Hawkey: Well, I'll have to say much to your amusement. Robots do have legs now. Our robot back of the vacuum apparently company named, let's see, Roborock unveiled devices like the Saros Rover, featuring a wheel-leg design that can actually climb and clean stairs, something traditional vacuums have never been able to do.

Michael Irwin: Wheels and legs, though, that seems different, though. I wouldn't call wheels legs, there's a trick,

Keith Hawkey: Maybe it was, maybe. A trick, and in addition, the gaming component company Razer has come out with an AI-powered holographic companion that it's actually very strange. It sits on your desk, and you can talk to it much like I guess an Alexa, but there's a visual component to it. It sits in like a little box, and you can adjust the looks, and it speaks to you. They are calling it Project Ava.

Michael Irwin: Oh,

Keith Hawkey: and to my knowledge, you might have knowledge that I don't. I don't think there's been major news of a startup that has a device that captures your dreams quite yet. However, honestly, I might just not be read in on that information yet. Well,

Michael Irwin: no, I think I read something about like brain activity during dreaming and sleeping and tracking that, but certainly you're not going to have a video of what that dream was, I'm sure. So, no, that's interesting to hear.

Keith Hawkey: Yeah, I'm sure. I'm sure it's coming, coming very soon. So, let's, you know, a lot of what this episode is about is challenging assumptions that are industry-wide within the cybersecurity landscape and industry, and it's gone through a tremendous amount of change over the last five years, last decade. Before we start, there, Michael, can you tell us a little bit about how did you get into it? How'd you get into cybersecurity? A little bit about your journey, and kind of where you got, how'd you get to where you are now?

Michael Irwin: Sure, yeah, my really, my entire career path has been IT oriented, so I kind of started my career in managed service provider space, small, midsize consulting, or IT consulting, which I think is pretty common. Ultimately, at that time, was looking for an organization that I could really establish roots at, and something that I could see the long-term value of the work that I was doing, rather than kind of jumping into each fire, as I was kind of going customer to customer, and so that landed me at a media company in Washington, DC. So it's an ABC Seven affiliate, but also a media company that focused on political media, and I started with them kind of as a consultant, as somebody that was helping during the transition of a previous employee, and just was able to find an opportunity there, and that was something that I kind of grew through the help desk space, really, and more IT generalist at the beginning, but the track of help desk management leading into IT director kind of roles, and then really building a cybersecurity program at that organization within kind of the efficiencies that we found within the IT budget allowed us to really align those two things. I was there for about 12 years, and then ended up transitioning to another organization when I moved down to Charlotte, North Carolina. So, obviously, logistics were headquartered down here. I always, I always enjoyed the fact that cybersecurity is really industry agnostic. I was kind of curious about the idea of can I replicate the things that I did in this organization, and can I bring value with that to another, and that was kind of one of the things that I was looking for coming here.

Obviously, Odyssey Logistics is a much larger organization, we're a global multi-multimodal logistics provider, and so we had a lot of presence kind of around the world, including in the United States. So, bigger teams, kind of bigger budget opportunities, kind of bigger scope of responsibility, and I think all of that was an interesting challenge, and what, what I found was much of my roadmap at an organization that was significantly smaller in a different industry really resonated in this one. Also, it added a lot of value, they had the similar challenges, they might have been at different stages of maturity, kind of in their technology journey, but really a lot of close alignment, and I think that was really eye-opening to me, how a lot of those kind of simple things were able to land in such a good way. So that's kind of how I found myself here. I was brought in to build a security program, primarily, but early on was kind of given responsibility for the IT operations function as well.

Keith Hawkey: And you've said the cybersecurity industry as a whole has failed, despite record spend and tooling, what do you mean by that? What, what are we measuring wrong exactly?

Michael Irwin: Yes, man, at the end of the day, it's kind of the nature of the function, right? Cybersecurity is asymmetrical in general. We have to protect everything, and a bad actor has to find the one thing that we didn't protect. So, the odds are kind of set against you to begin with, but I think what you look at is, you have a lot of conversations around budget opportunity, team size, resource challenges, alert fatigue, like there's all these conversations about the challenges in the space where generally, and everyone would say they don't quite have enough cybersecurity budget right now, but generally speaking, cybersecurity budgets have grown annually. Most organizations are spending more than they ever have. Most organizations are building cybersecurity departments or functions that maybe lived inside of an IT operation function historically, and so the function is growing. There is no shortage of tools and services in the space that you can buy to solve your challenges, and so you're spending more, you have access to more technology, you have access, more resources, but breach incidents grow and grow, right? And the breaches you hear about aren't at every small mom-and-pop shop, but they are organizations that might be ISO 27001 compliant. They might have a SOC 2 Type 2.

So, if you have these mature organizations that are still experiencing breaches, and you assume that they likely have more adequate funding and resources to monitor what's going on, like, how does that reconcile, right? And I think a lot of it is, we're measuring effort, we're not measuring outcomes, we're still looking at kind of identity, is still that perimeter that we're dealing with, we're still looking at this castle concept in a lot of ways, we're dealing with a lot of legacy infrastructure, and I think a lot of that is that misalignment between cybersecurity and technology, much of the risk we deal with in this space lives in the legacy world, and if you have a technology roadmap that's not focusing on that, or you're not focusing on the kind of the housekeeping basics of stale accounts, or permissioning creep, or configuration problems, if you're not focusing there, but you're focusing on that new tool, you're likely missing the mark of where the majority of the trouble is.

Keith Hawkey: Yeah, I think you're exactly right. Just wait for Gartner to come out with a new three- or four-letter acronym, and to start a buying cycle for said tooling, and a lot of that's laying on top of where the real risk lies, which is a lot of the maybe traditionally on on-prem infrastructure, some of the, some of the policies, the holy grails of organizations that new IT leaders don't really want to touch, because they're afraid to break certain things. You, you shared an experience where delaying MFA implementation led to a major incident. Can you walk us through that decision process, like what pressures were at play, and what you would do differently today? That's a kind of personal anecdote we had spoken about, but I'm sure that would resonate with some of these cyber security leaders out there.

Michael Irwin: Sure, I mean, this story is pretty straightforward, and hopefully for most people listening now, like this isn't still an active problem, because these controls have been needed for quite a long time. But earlier on, when I was dealing with this issue, what it boils down to is the usage of multifactor authentication alongside the usage of single sign-on as a larger initiative, so getting away from distinct username and passwords for each service, more central identity management, ensuring that you have the right password policies, ensuring that you have multifactor authentication for everything, and the expansion of that effort is something I think a lot of organizations have are either actively going through today or have dealt with in the past, and during this time we were expanding on single sign-on in that, in our, in that particular moment, there was a lot of friction relating to kind of user experience challenges, and so users had a particular understanding of what they wanted to do, what they thought was appropriate, what might impact their productivity, they had preferences on what tooling they got to use, or collaboration suites, and so it was a very kind of user experience oriented culture there, and they preventing any interruption to productivity culture, and so with that, we rolled out single sign-on. We had documentation and training around how to enroll your MFA device, how to log in. That was all great.

As we went to expand that functionality, we ran into a particular function, so VPN connectivity, that is something that traditionally didn't use multifactor authentication. You might be using simple username and passwords. In order to integrate that functionality into that same single sign-on system, maintaining the same ease of use that customer or that employees were experiencing, we weren't able to do that immediately, so it had some native functionality built in, some email-based time codes, things like that, but didn't yet support the integration with our existing identity provider, and so what we chose to do was say rather than teach something else, rather than teach this new way of logging in, we're going to upgrade our firewall, we're going to upgrade that firmware, we're going to get that compatibility, and then we're going to roll out the way that we intended to. It's effectively looking for the perfect solution instead of progress, and in our case that decision, which really was just a delay of a few months, ultimately resulted in a large-scale incident that required quite a lot of kind of effort and financial resources to remediate, and ultimately was handled all right, but it's one of those things that you have to kind of go back and think, if I had prioritized differently, would this incident have happened?

I'm a big proponent of not looking back with the same sort of perspective and saying, you know, there's something we did do that didn't allow an incident to happen. So, when you flip priorities, you can't just say that it wouldn't have happened that way. That benefit of hindsight, I think, doesn't favor people in this space very well, and so I think that's one that I try to look back at, is whether I'd make the same decision, and in my case, I think what the way I approach things today is more in a vacuum, it's more risk-focused, it's saying if the worst were to happen, what's the impact of this thing, this control that we're trying to impact, really taking all of the other factors out of it and saying what's the, what's the right thing to do first, and then starting to look at how you can kind of modify that and fit into a larger strategy, but when, when you're looking at something purely from the angle of satisfaction, I think you miss some of the, the signs of higher level of urgency relative to the risk you're actually dealing with.

Keith Hawkey: And those are, those are great points, Michael. It actually goes, flows into the same vein of other points that you've argued that proactive disruption is much, much preferred than reactive chaos. I actually love that, that way of phrasing, proactive disruption is better than reactive chaos, which is much of what an IT or cyber security leader is dealing with today. A lot of them are reactive in the chaos, and some are, I think, are a little bit too slow to engage and make the case for that proactive disruption, whether it's password rotations, whether it's service accounts or restarting aging infrastructure. How do you decide when to accept that operational pain today versus the risk to tomorrow? Do you have a framework that you work off of?

Michael Irwin: I wouldn't call it a framework necessarily, but I think a general principle is that if we're nervous to touch it, then we need to touch it, right? It gets this idea of if there's uncertainty like that, need that means we need to act, and ultimately, if we're going to take the hit, I'd rather take it on my own terms. So, if we have change management procedures and we're evaluating what the outcome might be if something bad happens, we understand what rollback procedures we have, or we can control it. We have the ability to fill in the gaps on that uncertainty more proactively, and so I would say it's less of a framework, so much as you are developing policies and program guidelines that force you to touch everything. You need to audit and evaluate the infrastructure you have. You need to do proactive patch management and vulnerability management on infrastructure that will require restarts. You need to be rotating passwords on service accounts that have maybe been around for a long time. You need infrastructure to do that more automatically. You need to be able to have those processes in place that require you to run into these problems, because ultimately, when an incident happens, the first thing they're going to do is have you restart, reset everything, every password in the organization. They might be accounts you don't know where they live, right? They're going to have you segment off areas of the network to avoid kind of lateral movement or sprawl. And if you don't know what infrastructure exists, you're going to have a hard time doing that. You need to install endpoint protection on anything you might be missing, or you need to give an incident response vendor access to see logging and material from all of your assets. If you don't know where those things are, you're going to have a hard time, right?

So, this element of understanding what your entire environment looks like proactively, even if it makes you nervous, it's always going to be a better solution than waiting for the reactive event that then you have to act. I think most companies are generally wary of production impacts. They're wary of any business outcome that's negative, and I think part of this is just it's a messaging problem, a communication problem. If you're working with an executive team or a sales team or folks that are responsible for kind of customer experience, if they understand what that impact would look like in the worst of scenarios, it's better to understand why you're willing to kind of risk it a little bit more in the better ones. And obviously, the more you do this, the more you do this over time and track what you're doing, this problem starts going away. So, really, this issue at its core is a legacy problem, one that comes out of programs maybe aren't mature or haven't had that kind of formal focus, but it's a solvable one, where you stop dealing with that same level of concern.

Keith Hawkey: And you've had exposure working in a multitude of industries, Michael, and I can imagine that the, the, you know, the receptive nature of making change, particularly disruptive change, can vary somewhat industry to industry. How does referring back to cybersecurity? You've worked in both media and logistics environments. How does the threat intent change based on industry, and how should defensive posture adjust accordingly?

Michael Irwin: Yeah, I mean, threat intent changes everything, right? So, ultimately, your defenses should mirror what the attacker actually wants to achieve, and so you need to look at it. In my example, media, we generally focused on persistence and integrity issues, so we would deal with sophisticated actors that are trying to maintain control in your environment, perhaps for the purpose of modifying content that we're publishing, as an example. That is, by its nature, very quiet. It's something that isn't going to be the big noisy disruption that's obvious. And so, when you're looking at that, you need to protect that content, you need to detect subtle manipulations and things, you need to really focus on long-term access, things that are harder to detect. It really requires more visibility laterally across your infrastructure.

When you look at logistics, I think it tends to be more financially motivated or disruption motivated, and so it's going to be louder. It's going to be more obvious. You might have an employee compromise of an account that you see negative effects of that same day. In media, you might have an employee compromise of an account that you see the effects of six months later, right, and so that nature of, I can't remember what the exact statistic is right now, but there's a very lengthy multiple months period of time on average that it takes organizations to discover breaches, and a lot of that relates to what they're trying to actually achieve, and so when we think about logistics, ransomware disruption, the ability to recover, protect backups becomes a significantly more important control. I mean, all of them are relevant across the board, all the controls and the areas that you might deal with, but if you're dealing with priority, if you're dealing with budget limitation, it's important to understand kind of where the most important component is.

Keith Hawkey: And you've also suggested that the majority of breaches stem from a narrow identity-driven attack path, which is the talk of today. If you walked into a billion-dollar organization tomorrow, what are three foundational controls that you would audit first?

Michael Irwin: So that I would audit first is generally always going back to what causes an incident, what leads to a breach. So we're thinking about number one, if I'm going into an environment, there's an understanding of how well do they know their own environment. I've gone to organizations, or I've worked with groups before, that would say, "Oh yeah, we have our EDR solution deployed across all of our devices." Great, that's a great statement to hear. And you have a modern next-gen EDR, perfect. Now the question becomes, where's your asset inventory? Right, do you actually... well, we don't have that, or there's uncertainty in that space. So, if you don't know the assets you're trying to protect, why are you certain that you've deployed them everywhere? That generally leads to a, at a minimum, 10, 20% gap in coverage at a lot of these locations. That ultimately leads to an incident. So, when you're thinking about what an organization might have what I would be auditing that awareness of their own environment, and really proving that awareness beyond just checking the box is critical.

From there, once you know what your environment looks like, you again, you go back to where your problem is going to be. You're dealing with employee training and employee access issues. So, on training, that's obvious. You can do phishing simulations, you can have employee awareness training, you can measure how well they're behaving. That's all one component, but you can also look at, are they using single sign-on? What does their password policy look like? Do they have MFA enabled for everyone? When you look at MFA these days, it's not as straightforward as a simple code that you need to present, but rather, are you protecting sessions? Do you have proactive awareness of session behavior that's an anomaly, something that might signal a token theft in an environment? There's a lot of organizations that are checking all the right boxes, but they, uh, they, they kind of miss the understanding of the underlying ways that bad actors are using these accounts, and they're bypassing them, and so it's really a moving target that we have to hit.

But outside of that, you look at endpoint protection, right? So, I, I tend to not be as infrastructure focused at the beginning. I'm much more user focused, much more user device focused. So, even thinking about things like segmentation, I think there's a lot more value in segmenting a user population from one another than there is segmenting, say, resources in the data center. One might be more important. A lot of people talk about what the crown jewels are, the most important assets, and that's all true, but access to those things generally starts with that user device. It's going to be the email they click on, the malware they download on a computer, and where they can get from that device laterally is what that bad actor is going to be following. So, really sticking to the common causes of incidents is what's going to move the needle, particularly in ROI, and is really achievable with low investment. I mean, it's a people and process problem more than it is a technology problem. So small, mid-sized businesses that are trying to kind of keep up with this changing world in this space, that's an area that you can really add a lot of value for limited budgets.

Keith Hawkey: Yeah, and following up with some of the security tooling that you're referencing between EDR, asset inventory, you also suggested that much of the industry messaging is geared toward the enterprise space, not the mid-market. Like, what's... I mean, you've... I'm sure you've listened to dozens and dozens, and maybe even hundreds of cybersecurity tooling pitches in your career. What, what cybersecurity advice sounds impressive, but it's really irrelevant for most mid-size organizations?

Michael Irwin: So, I think anything that is pitching you at this kind of re-architecting of the way your business operates as this prerequisite is always, always kind of makes your alarm bells go up. Obviously, in this day and age, AI is a big center of that, right? There's a lot of assumptions that are being made with the value that certain tools in that space might be able to provide. Another big one is that there are a plethora of products that will say, we will give you full visibility into your network. We'll show you all of the traffic, we'll inspect all the packets, we'll show you all the vulnerabilities, we'll give you all this information. And that sounds great if you have a large team to actually act on those recommendations, but if you don't, and you're expected to provide them, and you have a PowerPoint presentation with a bunch of green, yellow, and red check boxes that you're trying to kind of show posture to another group, it's not really impressive if you can't act on it, right? And so it's funny, one of the thoughts I have, and kind of hard to say where the right answer is, but if you have 100 vulnerabilities and you can't solve them all, like, do you want to even know, right? Is it valuable to even know a vulnerability exists if you can't remediate it? It's kind of like, did a tree really fall in the woods if you weren't there to hear it, right? It's that kind of idea.

Keith Hawkey: Yeah.

Michael Irwin: And so I think, because of that, what especially small or mid-sized companies need is focus. They need focus on what is actually being compromised. They need focus on things that small changes that make the most large-scale value. So, if we're talking about upgrading or patching something, something that affects multiple devices, not one. You're really looking for something that you can actually act on. So, even in my own space, an area I always look for is what organizations are providing a tool, and they also have a managed service component. CrowdStrike, as an example, as an EDR solution, has a managed services component to their licensing that you can provide that's actually doing some of the work for you. Other managed SOC service providers might do the same thing, right. So, there's different players in that space that say we won't only tell you when there's a problem or there's a risk, but we will help you solve them, or we will help you weed out the noise.

Those are things where you have a lot more value, and I think oftentimes presentations or conferences that are geared towards larger organizations, generally because they have larger budgets to pay for the products that they're being pitched. Those sort of things often assume a level of resource, a level of maturity, a level of documentation, a level of things that have already been achieved in order to be successful, but they kind of gloss over that at times, and so it's, it's difficult to look back and say, oh yeah, it's great, you're referencing a problem that we know exists, this is a risk we're concerned about, your tool sounds great, but I have 10 other things I need to do before I can even get there, right? And I think that's where that message gets lost on smaller audiences.

Keith Hawkey: Yeah, I couldn't tell you how many, how many demos that I'm on. It feels like weekly that the, whatever, name your cybersecurity vendors, is requesting the client completely re-architect their, their network design, and I give kudos to some of these AI advancements, like, like you said, that really, where these cybersecurity vendors make their money and differentiate themselves is the services that they attach to the tooling, because I have a lot of, I have a lot of clients, quite frankly, that they just can't handle the alerts that the mid-market IT teams are lean, and more information really isn't bliss. Yes, it actually just causes them more headache and heartburn because they can't get to everything. So, you know, having there are some innovations in the AI agent space that we are seeing with cybersecurity that hopefully can help remedy some of the log ingest, some of the tasks, some of the, especially the level one, level two tasks that don't require network changes, don't require like fundamental changes to the existing ecosystem that can help, hopefully, save the day to some extent with that increased visibility.

Michael Irwin: Well, it's interesting, though, because I mean, I think one of the challenges that we have in the space is cybersecurity. Obviously, there's stress, there's burnout. I think what people don't talk about enough is there's a lot of imposter syndrome, right? There's a lot of people that they're in a role, they're responsible for something that they don't know, they don't necessarily have confidence that they know what the right answer is, and you look at that in the example of AI. Let's say AI as a concept is now talked about everywhere, people are trying to bring it in, your board, your leadership wants to bring this technology in, you're tasked with protecting it, and this is something that is new within the last year or two, right, depending, I mean, not new conceptually, but new as far as kind of public favor goes, and so you're now tasked with not only understanding this thing that is new and everybody's trying to learn opportunities for, but also understand and articulate the risks involved with it, the potential gotchas, the configuration mismanagement, the how to do that in a safe way, and like you need to do all of that at the same time, and I think when you look at that concept, and you say I have alerts that are generated, problems that are generated from a tool, I have some AI integrated function of that, that is now telling me what to do, it's maybe translating something, and that's where I've seen a lot of success, is taking a technical alert and translating into simpler language, because many of our teams are lower or mid-career people. They may be focused on their past experiences, they don't have the technical knowledge of some of the stuff they have to learn.

And so that balance of AI is helping you move faster, maybe it's telling you how to remediate it. To what degree, or are we there yet, that we trust the answer it's providing, right? Especially with a team that can't necessarily vet that, or is missing some of that, and I think that leads to hesitancy, and so I think when you run into that space, is the idea that there's certainly opportunity, without a doubt, there's certainly value that these sort of approaches have for organizations, but when you are using it as a fix for what is an underskilled or under-resourced team, I think there's often this fork in the road, or this kind of mid intersection point, where they come back together, and you're going to kind of run into that same problem.

And I think that's the piece that, when we talk about people, process, and technology, what I often find is, in this, at least in the sense of AI, is that it's technology in search of a problem. Traditionally, we've looked at technology as we have a problem, we have a process, and we're looking for technology to be something that will help with scale, it'll help with efficiency, it'll add value that way, but you're starting from the focus of a problem. I think when you go back to that and you think about in the cybersecurity space, a focus on people and process, you focus on administrative housekeeping, you focus on best practice and kind of cleaning up what you have, and then you identify something that has too much volume for your small team to handle, that becomes a great use case to leverage that AI or that kind of optimization technology into the mix to make you better, but at that point you're coming from a point of awareness and strength, you're not trying to fill a lack of awareness with it. Right, I think that's a distinction that often will drive whether or not you're successful in using it.

Keith Hawkey: I feel like we could talk about this for hours, Michael. I really appreciate the anecdotes and the conversation that we had today, challenging some of the assumptions in the cybersecurity industry. Just leaving here, if you were going to have a message to a, let's say, green-behind-the-ears cybersecurity, formerly IT getting into the cybersecurity world, leader, what message, if it could fit on a billboard, would you share with this individual?

Michael Irwin: I think the main story is that you will be tasked with solving problems that you didn't create, and that's the nature of the business. And so, what that means is there might be more than you can handle, but you can continue focusing in a methodical way, and you can always make progress, right, whether it's small budgets or big budgets. If you have an understanding of everything that needs to be done, and you prioritize and really align with the business based on where they are kind of financially or economically, you'll be able to continue making progress, and what you really find is a lot more success with that same business seeking funding if you are understanding of the financial position they're in, so if you're in a lean budget year, that's the time to look for high ROI people and process work, right? If you're in a higher budget year, something that has a little bit more capacity for new tooling, maybe that's a good opportunity to look for those high value but higher dollar investments that you have. So not being able to do the high dollar investment in a lean year doesn't mean that you can't be successful, it means that you need to be aligning to what the business needs in that moment, and there's always work that can be done, and I think when you look here, what really moves the needle in protecting against incidents is just that, and the only other thing, because I think it's important, is don't overlook culture, right, because when you think about people, when you're talking about AI, when you're thinking about this work, the inevitable bad days that you'll have, focusing on positive culture and work-life balance and really supporting the people on your team moves the needle more than anything else.

Keith Hawkey: Yeah, very well said, Michael. How can our listeners get in touch with you?

Michael Irwin: So I'm available on LinkedIn, so you can search and find me there. I generally accept invites from whoever asks, so I'm not particularly limiting on that front, but I'm pretty active in the Charlotte CISO community, so I'm at a lot of events in this space, some of the Gartner Apex Assembly things, there's various things that are going on, so I tend to be in those spaces, but yeah, always reach out, and I'm happy to chat, I do a lot of mentoring for individuals, particularly coming from kind of IT backgrounds, or looking to get into cybersecurity, so I'm always open to chat if anybody wanted to speak about anything.

Keith Hawkey: We'll make sure to include that information in the show notes. Michael, thank you immensely for joining the IT Matters podcast. Thank you. We will catch you guys next time.

Michael Irwin: All right, thanks.

Aaron Bock: Thank you for listening, and we appreciate you tuning into the IT Matters Podcast. For support assessing your technology needs, book a call with one of our technology advisors at O P K A L L A.com. That's opkalla.com. If you found this episode helpful, please share the podcast with someone who would get value from it, and leave us a review on Apple Podcasts or on Spotify. Thank you for listening, and have a great day.