IoT Security Podcast

Ron Kuriscak is here to share his extensive knowledge and experiences in the world of IoT security, and has he got some great stories! Ron brings over 20 years of experience in the field to the show. He's been in the trenches on a number of high-profile breaches, giving him a unique perspective on the challenges and importance of securing IoT devices.

In our conversation, we dive deep on the role of the CISO, their relationships with other executives, and the evolving threat landscape, littered with unmonitored, unmanaged devices. Ron sheds light on the struggles faced by CISOs, as they juggle physical and data security responsibilities with different skill sets required for each. He also discusses the changing trend of CISOs reporting up through the legal chain of command or directly to the CEO for clearer communication and a better understanding of security matters.

Then we delve into the world of breaches and the lessons Ron has learned along the way. From the importance of being prepared with a good partner by your side, to the challenges faced when seeking assistance from big entities, Ron shares his valuable insights on prevention, preparation, and engaging with the right partners.

Furthermore, we explore the concept of being a "seesaw" in security, a topic rarely discussed in such detail before. Ron reflects on the ever-evolving role of security directors, the shift towards risk-driven approaches, and the need for effective communication and storytelling when presenting to boards and executives.

Let’s connect about IoT Security!

Follow John Vecchi at https://www.linkedin.com/in/johnvecchi

The IoT Security Podcast is powered by Phosphorus Cybersecurity. Join the conversation for the IoT Security Podcast — where xIoT meets Security. Learn more at https://phosphorus.io/podcast

What is IoT Security Podcast?

The IoT Security Podcast explores the Security of Things. The Internet of Things (IoT) is a giant network of over 50 billion connected devices, and it’s transforming the way we live and work. But a breakdown in security will prevent this IoT transformation. Join one of our hosts, Alex Nehmy, Eric Johansen, and James McCarthy, each month as they speak with the biggest names and the biggest brains in cybersecurity, including CISOs, analysts, security researchers, and other industry thought leaders, to give you the information you need to navigate security and threats in an increasingly Thing-based world.

Join us on the IoT Security Podcast, powered by Phosphorus Cybersecurity.
https://phosphorus.io

Jon Vecchi:
Well, hello everyone. You're listening to the IoT Security Podcast live on Phosphorus Radio and I'm Jon Vecchi.
Brian Contos:
And I'm Brian Contos, and we've got an amazing guest today, Ron Kuriscak. Welcome to the show, Ron.
Ron Kuriscak:
Thanks for having me, guys. I appreciate it.
Jon Vecchi:
Welcome, Ron. We've been waiting to get you on here for a bit, so excited to have you.
Brian Contos:
We're looking forward to this for sure, so Ron, for some of our listeners who maybe don't know a lot about you, perhaps you could give us a little bit of background about how you came up, got into security and what it is you do today.
Ron Kuriscak:
No, I've been in security for a number of years. I came out of school as a programmer trying to find my way. I was actually more interested in being an athlete than being a good college student, so I ended up trying out for some teams. Let's just say that didn't work out, then I had to find a real job. So when I did, I ended up working as a programmer and found out pretty quickly that being a programmer was pretty boring stuff. I worked for a fairly large manufacturing company and I could not stand the monotony of it and started working for a CIO who was a little bit global visionary, and he tapped me on the shoulder and said, "Hey, you asked some really good questions, let's put you in a security role." I said, "Yeah, sure." I had no idea what signing up for. I probably wouldn't change it today, but certainly glad he did tap me on the shoulder.
My first job was actually building an automated digital cert application that still had some challenges in trying to find the human interaction component to it. So, Oracle is not that flexible anyway, so I ended up just pivoting into security and then working for this company for a number of years, and as every young security person wants to be, I wanted to be a CISO at some point. I finally got my opportunity at a different company and at the time I stepped into a role and didn't realize that the day before I started was the 11th largest data breach for this company and got to-
Brian Contos:
Oh, boy, wow.
Ron Kuriscak:
Got to clean it up, got some scars, started turning gray. I remember the first day I called my wife and she said, "When are you going to be home?" I said, "I really don't know," and she starts laughing like, "Hey, you're going to with your buddies after or something?" I'm like, "No, no, no, this is something real, something that's in the news. I'll be home when I'm home, but I can't tell you much more," and hit the ground as a CISO. That was my first day, trying to find where the bathrooms were and being interviewed by the FBI. That was kind of a fun experience.
Jon Vecchi:
Wow, baptism by fire on that, right?
Brian Contos:
Welcome to your role, that's crazy.
Ron Kuriscak:
I'd say probably not what most CISOs want to do is their first day is being interviewed by the FBI, but certainly learned a lot, or learned what not to do, and certainly keep your C levels away from the FBI or any law enforcement. They try to make jokes of serious things and it's a serious point in time and they're trying to collect intelligence and information. Sometimes executives take it with a grain of salt, others go way off to the right and I learned a lot though. It was a fun experience.
Brian Contos:
And I'm sure it's been absolutely smooth sailing with no breaches or issues ever since?
Jon Vecchi:
Since then, yeah.
Ron Kuriscak:
I wish I could say that. Most of the companies, as you guys know, and then everybody listening here, it's just a matter of time. The adversaries we're up against, they're just topnotch. A lot of them have time, money, resources and capabilities that we can't fathom. Foreign nations that we go up against, corporations just don't have the skill sets and they don't have the monetary capabilities to match those capabilities, so it's been a fun ride. I'd say more than two dozen, maybe three dozen breaches that I've been part of with different companies and just a matter of time, and as long as you've done some preparation, there's a lot of basics that I think companies still struggle with. So, it's just stepping back, talking to the right people, making sure you're prepared. An ounce of prevention goes a long, long way.
If you're not engaged a good partner, I think that's... First thing I learned was with my first breach, I did not have a bad phone, I couldn't pick the phone up. I had no organization that was on retainer, I had no partnerships. I stepped into a new CISO role. Two days into it, I'm asking the board for $100 million for a response. I think the board of directors were laughing at me thinking, "Who's this guy? Is this the comic for the day?" And I said, "No, this is a serious thing," and the CEO put his arms around me and said, "You didn't sign up for this, but you kind of did."
And I did not get $100 million, I'll clarify that. I probably can't tell you what the number was, but it was extremely expensive. I learned a lot, especially on the advisory side of things and having a good partner, having somebody to pick the phone up... I called many companies, a lot of big four entities, they wouldn't even pick the phone up, and the other part was that when they did pick the phone up, I could just hear the cash register going.
Jon Vecchi:
Geez, and you're taking all of that experience, Ron, CISO role and all that, and in a different unique role today, can you tell us what does day-to-day look like now in your current role and company? Tell us a little bit about that.
Ron Kuriscak:
I'm excited to say I'm at offensive security company called NetSPI, was actually one of the first 20 customers in a manufacturer in the Twin Cities. I got to see them evolve and grow. A lot of colleagues over the years have progressed over there, and so when the opportunity arose for me to look at my next stepping stone in my career, NetSPI seemed like the right next step for me, especially with the people. And as you guys know, the more you're in this, you get to know people, you get to know who you trust, who you don't trust, who you want to work for, who you don't want to work for. And so, NetSPI pulled all the good people that I've worked for in the past and it just seemed like the right role. And so it's a combination of pre-sales, sales, accounts, making sure clients are happy, doing advisory services.
I still like to be a CISO. I'm an outsourced CISO for some companies even today, so keeping my skills sharp, talking to the board, which is always a fun experience. If you're a CISO and you've not talked to a board yet, I think you're behind the curve. Probably some of my funniest stories where I've lost the board in the first two minutes, I've got to say, one of my favorite ones was probably a few months ago in which the board started with a song, so we had to sing, did a prayer, and then we got into the meat of the conversation, which was...
This was a company that had some issues and they had to take things seriously and clean some things up, but I've never had to sing before, and then the prayer part was certainly part of my faith, but something a little bit different and I've had some boards-
Brian Contos:
Oh, interesting.
Ron Kuriscak:
I had one board where a colleague of mine who wasn't paying any attention was actually on the board and he was on his iPad, and I come in and I start talking, looks up, just gave me the head nod and is like, "Hey, keep going. You're fine."
Brian Contos:
So, were you singing the The Who's Don't Get Fooled Again?
Ron Kuriscak:
No, it was a custom song that was created just for this board meeting. This board member wrote it for the board.
Jon Vecchi:
Interesting.
Brian Contos:
Well, that's a first for sure. I haven't heard that.
Ron Kuriscak:
That's a first for me, but if you're a CISO or if you're an individual that wants to be a CISO at some point in your career, just be ready for the unexpected. You never know where the day is going to take that. Know that you've got some bad people out there trying to do bad things to you, but surround yourself with good people, make sure you've got good people around. You're not an island, get the right people, make sure they're trained and they're prepared for it, but there's certainly never a dull day in cybersecurity for sure.
Jon Vecchi:
No.
Brian Contos:
So Ron, you bring all these different perspectives to the table. You've been in the trenches, you've worked with boards, you started off as a programmer, so you certainly have the technical aptitude. How have you seen the security landscape mature or change or improve or get worse over the time that you've been in security? And is it things like XIoT and cloud and now AI and these new sort of hot buttons and how is that changing things?
Ron Kuriscak:
That's an excellent question. I think over the years I've been doing this 20 plus years, even though I hate to say that, I'd like to say, "I've only been in a couple years," but no, I've been doing this a long, long time, I've got to see companies and programs change a lot for the better. I would say adversaries haven't changed from a threat perspective. They've always been out there. One of my favorite stories is the first, I think, month I was a security director, was a manufacturing company. We had 24 global sites and a bunch of the plan managers sent a memo to the security team saying, "Hey, we're spending $500 for this security work that we don't think we're getting anything in return," and they faxed over.. Fax, I hate to say that's a long time ago, people don't fax anymore, but they faxed over the POs and there was nothing that we had done, but multiply that by 24 sites, by 25 years, they were just cutting checks for 500 bucks, not even knowing what they were getting.
And it was a social engineering back 20-plus years ago. It hasn't changed, there's always been somebody trying to do malicious things to companies. I would say the depth and the skillset though of the attackers has changed for sure. Security teams, I'd say organizations still are behind the curve from a leadership perspective, I've always been an advocate that a security director or a CISO, I'm a big advocate for the title, that if your CISO is not in a position to say no, they're never going to be successful, they're just going to be the fault person because if you can't say no, you're always going to be overruled by cost, convenience, the CIO, the CEO, somebody in the organization is going to say, "No, you're going to do this and you have no ability to say, 'Hey, let's pause. Let's look at this from a cybersecurity perspective. Is it the risk profile that we as an organization want? Does this fit into our risk appetite?'"
And I would say that security programs have really progressed away from checkbox programs, compliance driven ones to very much risk driven ones, and if you're going to be a CISO, understand how to factor in risk into your program. If you can't tell a story to the board and why... Because the details are the facts, but you can't over overcomplicate the issue to a board without telling a story. You can't just go into these numbers. I've been part of too many new directors and CISOs who, "Hey, does this 60 slide deck look okay for the board?" I say, "No, you've got 10 minutes." There's a local bank here in the Twin Cities. I was supposed to have 30 minutes, I got to the meeting that morning, they said, "You know what? We got a merger and acquisition going on. You're going to have about 15 to 20." I get to the door, "You got seven minutes, go."
Brian Contos:
Wow.
Ron Kuriscak:
So, things change as you go and making sure you've built the program that's based on something tangible, something you could tell the story is paramount. Don't try to scare people. I've seen security leaders too, the other piece that is you've got to build trust. If you're not honest in what you talk about, you're not an honest person, you're going to mislead the board or the ELT, don't be in the position. You have to build your reputation on trust and doing what's right and then protecting the people. Everybody makes mistakes. If one of your staff members, and you're the leader, makes a mistake, find out what happened, but not everything is malicious. I know that with that breach I was talking about, we had an individual and we were scared, we were terrified. We were in the news, we had reporters all up in our business. To tell you, and you guys I'm sure are aware of this, but the media is relentless. And we had an individual who was a big...
We had a collections business and he was walking his dog and he saw somebody new in the neighborhood and that person was walking his dog and asking me a bunch of very poignant questions that didn't make any sense and he at the end said, "Well, wait a minute, where do you live?" He goes, "I don't live here." "You're walking your dog." "Yeah, I'm a reporter for the Washington Post." So, they mislead to collect information. I don't think this person said anything that was proprietary at the time, but that the extent of what people will go to find information, knowing what you're going through, how you're going through it, just make sure that you dot your I's and you've built this risk based security program, so that you know how to answer questions and you don't dig yourself into a hole. And I will say being in front of Congress in a closed door session was probably the scariest moment of my professional career where I had senators grilling us for questions, that was not something comfortable and hopefully we'll never have to do that again.
Jon Vecchi:
It's a hot... It's not that it's always not been a hot seat, but boy, that role today. CISOs are now on the line for a lot of things, and you can say they're being hauled before Congress, and it's not for the lighthearted. You really have to know what you're getting into, and back to the risk factor, it makes such sense that you boil it down to you better know your risk and how to articulate it and address it. How has even approaching dealing with the risk profile, the attack surface, everything, how has that changed? What does it look like today compared to even five, six, seven years ago for a CISO trying to do what you just said they need to do?
Ron Kuriscak:
I would say companies are beginning to understand risk and that risk acceptance is okay. When I first got into this 20 years ago, it was, "We're going to remediate everything. There's going to be zero risk to the organization." I said, "Whoa, do you understand how expensive that is?" And then once you get into how you justify a budget, you build a budget... I worked for another manufacturing company in which we had $100 million to right size the organization. You could do a lot with $100 million, but you can't find the people to facilitate the program to some degree. I remember this was in Milwaukee and we were going to hire 90 people that year, and I started smirking like, "You're going to find 90 security professionals in Milwaukee? Maybe there's 90 total, but you're not going to find 90 more."
And so, getting the right people to facilitate it I think is important. So, I think getting to the risk question, using a set foundation in an industry leaning format, there's lots of them out there. They're not cookie cutter, NIST, ISO. I've used the OCTAVE Approach from Carnegie Mellon. Find something that you understand, that kind you can facilitate and then customize it. Set the foundation of your program in something that an auditor, an assessor can understand, that you can at least communicate to them, here's what a risk profile looks like, and then socialize it with the ELT and the executive leadership team. Find out what the risk appetite of the organization... I joke a little bit about we didn't accept any risk because we didn't understand risk back then and we had to mitigate everything. We never got the budget to fix all of it.
But today, companies are becoming more astute to saying, "I can accept the risk with these compensating controls. I can build a program with a risk tolerance that aligns to our culture of the organization." I would say companies are a little bit more risk accepting than they used to be. Companies used to try to mitigate every single little thing, and sometimes you get lost in the minutiae, but you've got to figure out what's important, stepping back and saying, "What are the crown jewels?" I'm still surprised how many times I walk into a company, data classification isn't addressed and I can't name all the companies where the data... We have a data classification policy, but guess what? It has no teeth, no one follows it. If you've got one of those policies, you're going to set to fail as well. You've got to have some punitive piece to it as well that people have to follow the rules.
Documenting what's important is also another important piece. You guys have been through enough audits to know if it's not written down, it doesn't exist, and an auditor will never take you, "Hey, this is what Bob does down the road." Well, who knows? One of my favorite stories, and again, I can't name these companies, but the company who had never had a security program assessment ever, and this is probably five years ago, they had built their security program initially on PCI and Bob was running PCI, Bob's running it for seven years or so, and he's been doing a fabulous job, so we don't ruffle his feathers, we stay out of his business, but consulting a big four convinced them to bring in a consulting firm to actually assess what their program is from a maturity perspective.
It makes sense, right? Bob has been doing this for seven years. Comes to the day of the assessment, it's nine o'clock, Bob should have been here already, bob's not showing. It's an hour and a half later. Where's Bob? Did he get hit by a bus? Was he in a car accident? The CIO checks his email and there was an email from Bob. Bob's like, "Hey, guys. I'm sorry, I'm not going to make it. I'm actually never coming in. I actually resigned. The last seven years, I haven't actually done anything, and then guess what? It's your fault."
Brian Contos:
Touchy.
Ron Kuriscak:
So, companies aren't doing that anymore. They're taking it far more seriously. Boards are asking questions. 20 years ago, very, very few companies had board presence with the security program. Today, every single company does. The difference though is the ability to, of the CISOs, if you're a security leader, I would say there's probably two or three phases of a CISO's security lifecycle. One, a lot of them are technical. They're either networking or application based, they're experiences. I don't see too many other CISOs out there. There's probably a few here and there. I do know one that came out of HR, a fabulous CISO, but they get very detail oriented and they have to show success in a very short time period. So they go in and they're adding things, they're building the foundation. After about five to 10 years, then they've got to move into this...
I've got to socialize, I've got to be a salesperson of this. I've got to develop the skill to actually obtain a budget. Going in front of your ELT and being able to show growth of the budget is a skill that not many CISOs have. You've got to develop those soft skills to say, "Hey, adversaries aren't getting easier. They're getting more difficult to detect. You've got to have the tools, tech, get rid of your redundant technology," be able to sell the vision and where we're going. Another interesting story I have is a big manufacturing Fortune 100 brought us in and out was the, call it interim CISO, and the CFO was moving to the board of directors and he said, "Ron, we haven't invested in cybersecurity in 20-plus years. Why should we start?" I sat back in my chair and I go, "Wow, this guy has no idea. You do spend money on security. You have a firewall, you're a global company, you've got security professionals. You'd probably be embarrassed you didn't know that they even existed, but you've got people that that's their day-to-day job."
And it isn't about protecting today, it's about protecting the intellectual property, so that the people that start today have a job 40 years into the future. The people that are retiring already, they're going to have their benefits, they're going to be retired. It's protecting what's important today, so that the next 30, 40 years your company can flourish and not have your ideas and thoughts and new product lines stolen by some adversary.
Brian Contos:
Ron, when you brought up the CFO, that triggered a thought. So, what's your take on reporting structure? So, I know early days we saw CISOs reporting into CIOs and now we're even seeing a flip-flop where a CIO might promote themselves to CISO and hire a CIO under them, so we're seeing a lot of CIOs reporting to CISOs, CISOs reporting into chief risk officers, CEOs, legal, tied to the audit committee. There doesn't seem to be one direct path, there seems to be many. Have you found that one's more successful than the other or is it dependent on the company? What's your take on that?
Ron Kuriscak:
I think it depends on the company. There's no cookie cutter and whenever you bring that up to companies, it's a sore spot. Traditionally, CISOs were under the CIO and it still remains that way predominantly, very few companies are willing to make that change. Ones that have gone through significant breaches though, that's the caveat. They see the operational deficiencies, they see where issues, sometimes convenience, or cost becomes the driver, not the risk to the company. And so, I would say I still see 80% of CISOs reporting to a CIO, but I think that is slowly changing. Very few are direct. To me, what makes sense is that the CISOs become the CSO, the chief security officer, and then they both have physical and data, and I did have both. When I was at a financial services company, they had both, and I'll tell you, the different skill sets were enlightening to me.
I picked up the-
Brian Contos:
I bet.
Ron Kuriscak:
... The physical, but it takes over your day. When you put people in a room and you have spousal abuse and you have people that are abused, you've got to make sure they're protected and you don't want that to spill over into the workplace. How many times, we get into a domestic argument and it would come to the office and we have to protect employees, we have to contact local law enforcement when we see these things happening, and it's a very touchy subject for many individuals, but it was easier for me to pick up the physical than it is for someone who's physical to pick up the cyber piece.
If you're in a boardroom and you got to sign off for Sarbanes-Oxley and really understand what TCP/IP is, they're not really going to know any of that stuff unless they have some education, and fortunately, a lot of them are police officers and they're great at the physical part, but the cyber piece is where falls apart. I do see this logical legal migration where I've seen in some cases where CISOs or CSOs are now up through the legal chain of command and others I see through the CEO specifically. The message doesn't get garbled or misinterpreted, but legal I think is becoming the more predominant piece where CISOs are reporting up through.
Jon Vecchi:
Interesting. When you were mentioning, which is fascinating, the convergence of the data and the traditional CISO role combined with the physical security, I was going to switch a little bit and ask you about the XIoT set, which is what we call XIoT. Ron, we talked about this before. It's all the IoT, the OT, the IoMT, the IIoT, all that stuff, but interesting, a lot of that touches the physical side. When you're talking about physical, it's like wow, from the traditional CISO side, this stuff is exploding. It's a big piece of the attack surface now you have to deal with, but geez, if suddenly you're a CSO and you had the physical security, all the cameras, all the door systems, the access, wouldn't even make that focus bigger? Talk a little bit about that.
Ron Kuriscak:
Oh, it does. It's bigger and then you get into... On the OT side, you get different manufacturing facilities, different parts of the world where communication, I think, is... A lot of it. People don't communicate all that well. Individuals like to stay in a dark room and do what they do and the softer skills become more paramount. I think when the scope or the security position gets bigger and having face to face time, understanding the stress that people are under, I'm big advocate of having tools and technology within local areas or jurisdictions in which they actually are effective and efficient, testing to make sure they're... If you spend a million bucks on something, you want to make sure it works and bringing an outside party to test to make sure it's working effective and efficiently I think was eyeopening. Every assessment that I've done, I've learned something from either a pen test or an IoT assessment.
Even in a facility where we would have trade secrets... I worked for a company that had a huge trade secret facility in which not one person knew the formula, kind like the co, but it wasn't cope, and we would see individuals... Minnesota has got this concept called Minnesota nice. We're going to hold the door open and let somebody in, that doesn't mesh, especially when you've got protected areas and only authorized individuals who maybe go through additional screening, like a background check to make sure that they're the right person. And so, I've done multiple pen tests where the Minnesota nice thing becomes a negative and then we've got to somehow change the way people authenticate at the door. And so, what we did is we built badges with colors on them and said, "If it's an orange person, let them in. If not, challenge."
It's okay to challenge, and I think I'm also a big advocate if you're the security person, you've got to go see people, go to the facility, ask them what's their concern, ask them what's important, just being empathetic about their challenges I think are important because a lot of times we sit in this glass ceiling and we don't understand what's happening day-to-day. Take them out for coffee and talk to them, what's working, what's not. One of these manufacturing facilities, call it a tube bender, this guy's basically pulling down on a device that bends a tube, and I remember going there in the late 1990s and I went there 15 years later and the guy is still doing the same thing. He knows his job and he knows the right people and he's not shy to say, "This person shouldn't be in this room."
Those people know each other in smaller facilities, but multiply it to bigger ones or in different parts of the world where maybe you don't know that. I think that's an important piece, and having the right tools and technology... And separation of duty I think is another interesting one where individuals who test devices... The remediation piece I think is where the concern is. If I'm testing and I need to fix it, how do I fix it appropriately in an effective and efficient manner? Because if I have this vulnerability sitting out there for months, if not years, what is the risk to the organization if that tube bender is exposed and it introduces risk to the organization?
Brian Contos:
So Ron, this has been a masterclass in being a CISO, which has been incredible. We haven't had anybody, I think, speak to being a CISO in this level of detail and all these great and unique stories. I love the one about singing in the boardroom. I think that was certainly unique, and I'll also say you mentioned tube bender and that's the first time that's been mentioned on this program, and why I personally like that is I actually did that in high school.
I actually worked at a BRKSTRAND, we cut the tube, we welded the sides and I thought that was the job no one's ever heard of, so, but it did a lot of AutoCAD, so it was a lot of fun, but the question that I have for you as we sign off, and I know we could talk about this for hours and hours, is to those listeners that we have right now that are maybe come from that CISO side, but now are being asked to do the CSO role as well or have a CSO report into them and be responsible for all those physical security aspects you discussed, everything from door locks, to working with local law enforcement, security cameras and everything that goes with that, what advice do you give them? What's the best way of merging those two worlds and being effective?
Ron Kuriscak:
I would say the number one thing I don't see is collaboration at the CISO level, and maybe it's a time investment thing, but mentoring, I have a lot of mentees that I've had over the years, mentors, they've been critical in the success of individuals. If you've got the challenge or got the opportunity to become a CISO or CSO and you're a CISO, go out and talk to others that have the challenge. There's some really good individuals. I don't know if you know John Valente, who used to be the CISO at 3M and Best Buy, he's retired now and he's looking for individuals to share some of his experience with, go find those individuals. As a consulting, you could do a round table of some type. There's always going to be a vendor that would love to sponsor it, but find the individuals to share some of these war stories.
I don't think reading a book gets you enough experience. Go find individuals. There's probably 100, if not 1,000 more stories I could continue and tell you what happened, what I did wrong, probably more of what I did wrong than right, and finding that information I think is important and critical and things that you don't get in a book where somebody... Well, here's a good story, where somebody at three o'clock in the morning, I get a call, the CSO, because my team, we had panic alarms and at 3:00 in the morning people, there's a shift change kind of and people get hungry, and one of my guys went out and got McDonald's and he just did this long stretch and he hit the panic arm with his foot, didn't even notice it, but the six people before me, before I got called were unavailable.
So, I got called at 3:00 in the morning and I dealt with it and found out that we really need to have another compensating control or at least a way to validate that the individual, if they set the alarm off, that they should probably turn it off because he made a mistake, and we didn't know that at the time. Those little things where an IP based security surveillance system with door latches and all this stuff, we didn't have an override for somebody to at least turn the alarm off if the security alarm guard made a mistake, those little things, you can't pay for those things for those experiences unless you've actually gone through them.
So, I would say the number one thing I would love to see more of is in our industry people sharing information and not waiting until you're at a conference, just put something on the calendar and just get together, share some war stories, what works, what doesn't. I really wish people were more involved in the mentor piece too because if you're trying to get into being a security leader, and it doesn't have to be a CISO, I've got the t-shirt, I've got the scars, I don't know if I want it again, but certainly let's share the experiences, what worked, and what didn't with others, and I think that's where the opportunity is.
Jon Vecchi:
Wow.
Brian Contos:
Fantastic advice. Well, Ron, thank you so, so much for joining us on the program today and sharing all your stories and all the cool little examples and antidotes that added great color, so we appreciate your time.
Ron Kuriscak:
Thank you so much. I appreciate being here. Thank you so much.
Jon Vecchi:
And thanks so much again, Ron, for joining us. Great podcast, and remember, everybody, the IoT Security podcast is brought to you by Phosphorus, the leading provider of proactive full scope security for the extended internet of things. Thanks again to our guests and until we meet again, I'm John Vecchi.
Brian Contos:
And I'm Brian Contos.
Jon Vecchi:
See you next time on Phosphorous Radio.

Lessons from the Frontlines: Ron Kuriscak's Experiences with IoT Security Breaches

Lessons from the Frontlines: Ron Kuriscak's Experiences with IoT Security BreachesLessons from the Frontlines: Ron Kuriscak's Experiences with IoT Security Breaches

More episodes

Lessons from the Frontlines: Ron Kuriscak's Experiences with IoT Security Breaches

Lessons from the Frontlines: Ron Kuriscak's Experiences with IoT Security Breaches

Chapters

What is IoT Security Podcast?