WEBVTT NOTE This file was generated by Descript 00:00:01.170 --> 00:00:05.560 Welcome to The Chemical Show, the podcast where chemical means business. 00:00:05.930 --> 00:00:09.710 I'm your host, Victoria Meyer, bringing you stories and insights 00:00:09.710 --> 00:00:13.620 from leaders, driving innovation and growth across the chemical industry. 00:00:14.529 --> 00:00:18.830 Each week, we explore key trends, real world challenges, and the 00:00:18.830 --> 00:00:20.580 strategies that make an impact. 00:00:20.879 --> 00:00:21.959 Let's get started. 00:00:23.434 --> 00:00:24.814 Victoria: Welcome back to The Chemical Show. 00:00:24.884 --> 00:00:30.344 I am here with Rob Lee, who is the CEO of Dragos, one of the most 00:00:30.354 --> 00:00:32.904 premier cybersecurity firms in the U. 00:00:32.904 --> 00:00:33.254 S. 00:00:33.284 --> 00:00:34.394 and maybe globally. 00:00:34.444 --> 00:00:39.384 Rob regularly gets called in to consult with companies, with countries. 00:00:39.789 --> 00:00:42.559 and probably more on cyber security issues. 00:00:42.569 --> 00:00:45.869 So we're here again at the Marsh North American Energy and Power 00:00:45.869 --> 00:00:47.599 Symposium having this conversation. 00:00:47.599 --> 00:00:49.719 So when you hear a little background noise, you know why. 00:00:49.979 --> 00:00:52.979 But anyway, glad to have this conversation with Rob. 00:00:53.079 --> 00:00:53.825 Rob Lee: Thanks for having me. 00:00:54.055 --> 00:00:54.535 Victoria: Absolutely. 00:00:54.785 --> 00:00:58.715 So tell us a little bit about yourself and how did you get into cyber security? 00:00:58.743 --> 00:00:59.024 Rob Lee: security? 00:00:59.024 --> 00:00:59.305 Sure. 00:00:59.305 --> 00:01:00.615 So I started my career on the U. 00:01:00.615 --> 00:01:00.765 S. 00:01:00.785 --> 00:01:01.755 Air Force side of the house. 00:01:02.155 --> 00:01:03.795 It was building control systems. 00:01:03.795 --> 00:01:06.315 When we talk about cyber security, sometimes we talk about the information 00:01:06.315 --> 00:01:09.065 technology side of the house, which is more of like your email servers 00:01:09.075 --> 00:01:10.275 and computers and things like that. 00:01:10.655 --> 00:01:13.015 And we also have the operation technology side of the house, what we call 00:01:13.025 --> 00:01:16.205 OT, which is really your, chemical facilities, your water treatment 00:01:16.205 --> 00:01:19.275 facilities, your power grids, like the physics side of the house, right? 00:01:19.575 --> 00:01:21.725 And so all my work is really focused on the OT side. 00:01:22.050 --> 00:01:26.020 And I enjoyed doing humanitarian work in the Air Force, building control systems, 00:01:26.020 --> 00:01:30.460 building wind turbines in places like Cameroon, and then I realized that cyber 00:01:30.630 --> 00:01:34.050 could be used to impact those systems, got recruited into the National Security 00:01:34.050 --> 00:01:35.720 Agency, and ended up building out the U. 00:01:35.720 --> 00:01:35.850 S. 00:01:35.850 --> 00:01:38.480 government's mission, looking at various states and criminals breaking 00:01:38.480 --> 00:01:39.950 into infrastructure around the world. 00:01:40.420 --> 00:01:43.190 And then after that, started a company called Dragos. 00:01:43.190 --> 00:01:44.380 Okay, so 00:01:44.590 --> 00:01:46.120 Victoria: why leave the NSA? 00:01:46.340 --> 00:01:50.810 Rob Lee: Yeah, uh, lots of discussions and the wrong liquid in the cup, 00:01:50.840 --> 00:01:54.550 but, I enjoyed my time at the NSA, and, and surprisingly, we actually 00:01:54.550 --> 00:01:56.950 did a lot of like interesting defensive and cool work in that way. 00:01:56.990 --> 00:02:00.390 It was actually when I got sort of rerouted back to Cyber Command and looking 00:02:00.390 --> 00:02:04.380 at the offensive side, and I got to be other people's adversary for a while. 00:02:04.640 --> 00:02:07.530 I just didn't really agree with what I was doing. 00:02:07.540 --> 00:02:10.200 Like, countries should have military capabilities to impact 00:02:10.250 --> 00:02:11.550 others, no, don't get me wrong. 00:02:11.950 --> 00:02:14.410 Uh, generally though, I think everybody should stay out of each 00:02:14.410 --> 00:02:15.550 other's civilian infrastructure. 00:02:15.620 --> 00:02:18.690 And every 35 year old mom should be able to go home to her 5 year 00:02:18.690 --> 00:02:20.920 old kid regardless of nationality. 00:02:21.010 --> 00:02:23.590 And I don't think that's not typically the view. 00:02:23.795 --> 00:02:24.485 Victoria: Yeah, well. 00:02:25.215 --> 00:02:26.625 Different points of view everywhere. 00:02:26.885 --> 00:02:27.315 Everywhere. 00:02:27.565 --> 00:02:28.825 So, tell us a little bit about Dragos. 00:02:28.825 --> 00:02:43.385 Oh, 00:02:43.720 --> 00:02:45.700 Rob Lee: identifying vulnerabilities and threats and things like that. 00:02:46.150 --> 00:02:49.400 But a lot of the big incidents that take place, they'll call us in, hopefully 00:02:49.400 --> 00:02:52.760 ahead of time, but if at worst, sort of after the incident to try to deal with it. 00:02:52.760 --> 00:02:55.780 So like, we did the Colonial Pipeline incident, we've been involved in 00:02:55.780 --> 00:02:58.850 a lot of the Ukraine attacks and, and, and analyzing the cyberattacks 00:02:58.850 --> 00:02:59.900 and electric infrastructure there. 00:02:59.900 --> 00:03:02.880 So, kind of any of the big things you've heard of before, may have 00:03:02.880 --> 00:03:09.325 heard of in, in cyberattacks and infrastructure, usually there trying to 00:03:09.404 --> 00:03:10.474 Victoria: this all computer related? 00:03:10.494 --> 00:03:14.344 When I think cyber security and cyber attacks, I think computers is 00:03:14.344 --> 00:03:15.504 that what you guys are working on? 00:03:15.829 --> 00:03:18.149 Rob Lee: think a lot of, you know, probably one of the more surprising 00:03:18.159 --> 00:03:22.599 things is a lot of business executives of these companies feel, hey, we're 00:03:22.599 --> 00:03:23.609 doing a lot on cyber security. 00:03:24.179 --> 00:03:27.219 But there's so many different things in cybersecurity and the minimum 00:03:27.219 --> 00:03:29.394 there's that big IT versus OT bucket. 00:03:29.394 --> 00:03:34.059 And most governments, most board of directors, most business leaders are 00:03:34.069 --> 00:03:37.829 surprised to find that 95%, not a made up statistic, about 95 percent 00:03:37.829 --> 00:03:41.919 of all the budget to cybersecurity efforts is going to the IT side of the 00:03:41.919 --> 00:03:43.149 house, not the OT side of the house. 00:03:43.459 --> 00:03:46.239 But you generate all your revenue and have all your safety impact and your 00:03:46.239 --> 00:03:48.709 business impact and national security impact on the other side of the house. 00:03:49.149 --> 00:03:51.779 So about 5 percent of all of the efforts in the community and the 00:03:51.779 --> 00:03:53.849 resourcing is going to the side that actually generates all the 00:03:53.849 --> 00:03:55.179 revenue and national security impact. 00:03:55.189 --> 00:03:59.239 Victoria: so the actual asset, the infrastructure, the operating plant, et 00:03:59.359 --> 00:04:00.039 Rob Lee: Correct, correct. 00:04:00.179 --> 00:04:02.549 So for all your chemical engineers and business folks. 00:04:03.074 --> 00:04:06.904 What cyber security is to them is probably, oh, uh, secure 00:04:06.904 --> 00:04:08.644 my password, secure my data. 00:04:08.654 --> 00:04:09.314 That's cool. 00:04:09.524 --> 00:04:11.984 The cyber security that actually impacts them is as our industry 00:04:11.984 --> 00:04:13.014 has become more digital. 00:04:13.074 --> 00:04:16.324 We've become more complex, more control systems and automation. 00:04:16.794 --> 00:04:20.494 That digital network with the physics impact, the physical 00:04:20.494 --> 00:04:22.924 world, that's cyber security now. 00:04:22.924 --> 00:04:24.884 And it probably wasn't true 15 years ago. 00:04:25.024 --> 00:04:25.604 Victoria: Absolutely. 00:04:25.634 --> 00:04:25.884 Right. 00:04:25.894 --> 00:04:30.253 Because we're relying on computers, more efficient operating systems, 00:04:30.253 --> 00:04:31.633 et cetera, to run everything. 00:04:31.633 --> 00:04:31.733 In 00:04:31.893 --> 00:04:33.853 Rob Lee: If an operator can open up a circuit breaker through a 00:04:33.853 --> 00:04:35.183 computer, now an adversary can 00:04:35.423 --> 00:04:36.323 Victoria: Yeah, absolutely. 00:04:36.323 --> 00:04:38.283 In fact, I'm gonna say this for our listeners. 00:04:38.353 --> 00:04:41.773 Brad Amp, who's CEO of Carpenter, was on the podcast a couple years ago. 00:04:41.983 --> 00:04:45.493 We will link to that episode, and he talked about the cybersecurity 00:04:45.493 --> 00:04:48.673 attack that they had, how it took down their operations, 00:04:48.673 --> 00:04:49.993 and how they recovered from it. 00:04:49.993 --> 00:04:51.313 And they were able to recover. 00:04:51.350 --> 00:04:52.160 they found a solution. 00:04:52.160 --> 00:04:54.590 But it's an interesting story and conversation. 00:04:54.590 --> 00:04:56.750 So I will, I will link to that for people to hear 00:04:56.860 --> 00:04:58.485 Rob Lee: you know, one of the, one of the scary things for a lot of 00:04:58.485 --> 00:05:00.945 companies, so good on 'em because one of the scary things that a lot of the 00:05:01.005 --> 00:05:05.565 boardrooms I get in is most companies don't have the investments ahead of 00:05:05.565 --> 00:05:10.875 time into the cybersecurity of OT to even know when something goes wrong. 00:05:10.875 --> 00:05:11.865 Was it cyber or not? 00:05:11.990 --> 00:05:12.280 Yeah. 00:05:12.495 --> 00:05:14.355 And so, you know, a lot of the national security conversations 00:05:14.355 --> 00:05:16.485 I get in with various government leaders, they have the question of 00:05:16.485 --> 00:05:18.405 like, well, when a cyber attack happens and does this, what do we do? 00:05:18.405 --> 00:05:20.655 I'm like, how do you know that it's cyber or not? 00:05:20.655 --> 00:05:21.015 And they go. 00:05:21.830 --> 00:05:22.870 Oh, I don't, I don't know. 00:05:22.870 --> 00:05:25.060 And it's like, that's, that's the starting discussion. 00:05:25.410 --> 00:05:30.730 And so we've seen chemical mishaps, safety issues, et cetera, where people look 00:05:30.730 --> 00:05:32.040 at it and go, we don't, we don't know. 00:05:32.210 --> 00:05:34.050 We, like, I guess it's a maintenance issue. 00:05:34.110 --> 00:05:35.170 And you're like, okay. 00:05:35.170 --> 00:05:37.030 And that kind of ruins your ability to respond 00:05:37.095 --> 00:05:37.385 Victoria: Yeah. 00:05:37.505 --> 00:05:41.715 I will say on a personal level, you know, if I think about the internet of things 00:05:41.715 --> 00:05:45.725 and just the home internet of things, like, you know, we have a ring doorbell. 00:05:46.015 --> 00:05:46.995 We have a. 00:05:47.350 --> 00:05:48.880 I don't know if it's an, I don't know what it is. 00:05:48.920 --> 00:05:49.520 It's a nest. 00:05:49.520 --> 00:05:51.370 It's one of the, thermostats, whatever. 00:05:52.150 --> 00:05:54.140 And I do worry about the fact that, you know, 00:05:54.265 --> 00:05:54.465 Rob Lee: Somebody 00:05:54.556 --> 00:05:56.666 Victoria: somebody outside of our control can control it. 00:05:56.726 --> 00:05:58.736 And that's on a microcosm, on a home 00:05:58.950 --> 00:05:59.576 Rob Lee: example, though. 00:05:59.576 --> 00:06:03.131 Like, think for a second, you've got an internet connected thermostat, 00:06:03.131 --> 00:06:06.961 you've got an internet connected alarm system, and then you've got an 00:06:07.001 --> 00:06:08.531 internet connected toaster, right? 00:06:08.861 --> 00:06:10.961 And then one day you have a fire in the house. 00:06:11.391 --> 00:06:15.661 Did somebody hack your system, disable the alarm system and 00:06:15.671 --> 00:06:18.791 cause a fire in the toaster, or was it just a mechanical mishap? 00:06:19.156 --> 00:06:22.686 That question, take that now into any digital infrastructure that 00:06:22.686 --> 00:06:24.426 we have, that's really hard to 00:06:24.510 --> 00:06:25.824 Victoria: if you don't do 00:06:25.926 --> 00:06:26.996 Rob Lee: if you don't do the work ahead of time. 00:06:27.137 --> 00:06:28.779 Victoria: so like, I think it's, 00:06:28.811 --> 00:06:29.101 Rob Lee: Yeah. 00:06:29.131 --> 00:06:32.071 So like, it's, I think it's, I think it's easy, but you 00:06:32.071 --> 00:06:33.081 know, that's, that's maybe the, 00:06:33.377 --> 00:06:34.691 Victoria: coming off the edges, 00:06:34.701 --> 00:06:36.811 Rob Lee: yeah, yeah, maybe, maybe that's like coming off pretentious, 00:06:36.811 --> 00:06:39.171 but I think number one, we're all good at scenarios, right? 00:06:39.461 --> 00:06:42.411 So in the chemical industry, as well as infrastructure in general, we 00:06:42.431 --> 00:06:43.811 have a very good safety community. 00:06:44.131 --> 00:06:47.701 And so understanding safety process, process hazard analysis, HAZOPS 00:06:47.721 --> 00:06:50.251 processes, like going through a safety scenario, we don't sit there 00:06:50.251 --> 00:06:51.581 and go, I want a better valve. 00:06:51.996 --> 00:06:54.286 I want to better pressure it and go, what's the scenario that 00:06:54.330 --> 00:06:54.548 Victoria: it. 00:06:54.548 --> 00:06:55.643 And so I think cybersecurity 00:06:55.846 --> 00:06:57.126 Rob Lee: look at all the controls across it. 00:06:57.516 --> 00:07:00.016 And so I think cyber security sometimes comes out with like, you should deploy 00:07:00.086 --> 00:07:02.736 this thing, or you should have this tool, or a complex password, but 00:07:02.736 --> 00:07:03.966 they're not looking at the scenario. 00:07:04.356 --> 00:07:07.616 So one of the things I generally advise is, first off, look at the real scenarios. 00:07:07.926 --> 00:07:10.426 Your company doesn't have unlimited budget. 00:07:11.066 --> 00:07:13.556 It doesn't have the ability to go, how do we reduce cyber risk? 00:07:13.556 --> 00:07:14.236 Well, what does that mean? 00:07:14.886 --> 00:07:18.586 But we could say, Hey, here's three scenarios we've seen that have 00:07:18.596 --> 00:07:22.796 caused impact in the chemical or energy or water industries before. 00:07:23.456 --> 00:07:28.506 Are we ready for those three scenarios and across our 50 sites, three, three 00:07:28.506 --> 00:07:31.036 sites, 300 sites, what would it look like? 00:07:31.461 --> 00:07:34.931 Well, what are the abilities to try to prevent it, to try to detect it, 00:07:34.981 --> 00:07:36.371 and try to respond and recover to it? 00:07:36.741 --> 00:07:40.081 And you look at those controls across the scenario, and you can very easily 00:07:40.081 --> 00:07:41.211 get to something that you cannot measure. 00:07:41.231 --> 00:07:43.531 Now it's not some random presentation in a boardroom of 00:07:43.541 --> 00:07:46.541 like, High risk, low risk, is it 33. 00:07:46.591 --> 00:07:48.711 5, is it 40, and it's like, what does that mean? 00:07:49.021 --> 00:07:51.841 It's like, if that happened to us, would we be okay? 00:07:52.091 --> 00:07:54.121 Like, oh yeah, we could actually deal with that one. 00:07:54.144 --> 00:07:54.579 Victoria: okay? 00:07:54.579 --> 00:07:58.497 Oh yeah, we gotta actually deal with that one. 00:07:58.497 --> 00:08:00.674 Ultimately, the CEO owns the 00:08:00.746 --> 00:08:02.836 Rob Lee: mean, ultimately, the CEO owns the risk. 00:08:02.966 --> 00:08:05.806 So this idea that like the chief information security officer, the 00:08:05.806 --> 00:08:09.236 chief risk officer owns the risk, their advisors, the CEO owns the 00:08:09.236 --> 00:08:11.876 risk with oversight from the board, depending on your corporate structure, 00:08:12.186 --> 00:08:14.386 and the rest of it about advice. 00:08:14.476 --> 00:08:18.046 So the CISO or the chief information security officer sometimes is rolled 00:08:18.046 --> 00:08:21.776 under a CIO, which is debatable if it should be or not, is presenting 00:08:21.776 --> 00:08:22.926 me, here's what I think the risk is. 00:08:23.816 --> 00:08:26.006 You need to challenge those folks because a lot of the ways the 00:08:26.006 --> 00:08:28.466 careers have developed for chief information security officers is out 00:08:28.466 --> 00:08:30.516 of the help desk, out of IT, etc. 00:08:30.756 --> 00:08:31.586 They don't know your plans. 00:08:32.026 --> 00:08:35.306 So, they really need to understand what's your OT cybersecurity risk. 00:08:35.306 --> 00:08:36.206 Don't just speak about cyber. 00:08:36.206 --> 00:08:36.816 Like, challenge them. 00:08:36.976 --> 00:08:39.656 Like, is that the enterprise or is it enterprise IT? 00:08:40.066 --> 00:08:42.156 Okay, you're talking the enterprise or you're talking OT then? 00:08:42.696 --> 00:08:46.096 And so, are you talking about enterprise OT, chief information security officer? 00:08:46.126 --> 00:08:46.576 Great. 00:08:46.666 --> 00:08:48.376 What do you advise against real scenarios? 00:08:48.716 --> 00:08:52.696 And then it's up to the CEO, usually also the CFO or Chief Operations 00:08:52.696 --> 00:08:54.526 Officer, to sort of delegate that down. 00:08:54.796 --> 00:08:57.326 And the ultimate, especially in the chemical industry, ultimately 00:08:57.326 --> 00:08:58.286 you're coming to the plant manager. 00:08:58.463 --> 00:08:58.773 Victoria: from 00:08:59.026 --> 00:09:03.906 Rob Lee: if I operate that asset, I am responsible for everything 00:09:03.906 --> 00:09:05.286 that happens at that asset. 00:09:05.546 --> 00:09:08.116 And I am responsible for the cyber risk that goes into it as 00:09:08.116 --> 00:09:11.426 well, but I'm not responsible to know all the possible cyber risk. 00:09:11.426 --> 00:09:12.876 I need advisors in my organization for 00:09:13.076 --> 00:09:13.326 Victoria: Right. 00:09:13.346 --> 00:09:17.216 I was going to say, because a plant manager, they're often an engineer, 00:09:17.236 --> 00:09:20.646 a scientist of some variety that that's grown up through the system. 00:09:21.476 --> 00:09:25.306 They would say, I'm not actually equipped to, to handle cybersecurity. 00:09:25.456 --> 00:09:29.736 However, risk management is absolutely one of their remits. 00:09:29.991 --> 00:09:30.451 Rob Lee: remits. 00:09:30.741 --> 00:09:30.811 100%. 00:09:30.811 --> 00:09:33.821 And again, at a board level, really, if you're talking a lot of these 00:09:33.821 --> 00:09:37.001 like cybersecurity scenarios on an operations impact, you are talking 00:09:37.221 --> 00:09:40.481 safety, you're talking massive financial impacts for public company. 00:09:40.481 --> 00:09:42.971 This is like your eight K and 10 K filing discussions. 00:09:43.631 --> 00:09:45.491 You're talking national security, depending on the size of your company. 00:09:45.961 --> 00:09:47.531 It should be an elevated conversation. 00:09:47.961 --> 00:09:50.771 And once that elevated conversation happens, it's really just binary. 00:09:50.851 --> 00:09:52.271 Are we going to address this risk? 00:09:52.281 --> 00:09:52.781 Yes or no? 00:09:52.781 --> 00:09:54.341 Not like, what level of it? 00:09:54.341 --> 00:09:54.581 No, no. 00:09:54.581 --> 00:09:56.111 Are we going to try to address this risk? 00:09:56.111 --> 00:09:56.611 Yes or no? 00:09:56.961 --> 00:09:57.841 Because then there's got to be funding. 00:09:57.841 --> 00:09:59.831 And that was what was really useful in the chemical industry 00:09:59.831 --> 00:10:01.471 after the Bhopal incident, right? 00:10:01.471 --> 00:10:06.091 So from a safety perspective, used to, for many companies it was, safety comes 00:10:06.091 --> 00:10:08.041 out of your budget, and do it or don't. 00:10:08.596 --> 00:10:11.086 And then we looked at it as an industry and went, Oh, that's, that's not good. 00:10:11.126 --> 00:10:14.626 Like we, as a company shouldn't be able to like deal with that. 00:10:14.936 --> 00:10:18.126 Let's just say there's a corporate budget for mitigating the safety risks. 00:10:18.126 --> 00:10:21.846 And if you want to go beyond that, feel free to plant budget, but the minimum 00:10:21.956 --> 00:10:23.426 we'll take that out of the budget overall. 00:10:23.656 --> 00:10:25.906 And those same kind of mechanism that you have in long story short, there 00:10:25.906 --> 00:10:29.266 should be a company understanding of what are the risks we want to mitigate. 00:10:29.576 --> 00:10:32.776 There should be a company understanding of to this level, we'll resource it. 00:10:32.976 --> 00:10:35.706 And then underneath that and the how to do it should be the plant 00:10:35.958 --> 00:10:43.380 Victoria: underneath that and how to do that should be plan. 00:10:43.380 --> 00:10:47.726 It's starting to become, it may 00:10:47.890 --> 00:10:50.060 Rob Lee: become, it may become federally required in the U. 00:10:50.060 --> 00:10:50.250 S. 00:10:50.250 --> 00:10:50.580 actually. 00:10:50.600 --> 00:10:55.450 So, so what's, what we're seeing from, so SEC, right, has made this 00:10:55.450 --> 00:10:58.620 determination that you need to talk about material events in your company. 00:10:59.300 --> 00:11:02.680 And, and material event, obviously that, that's true regardless of cyber. 00:11:02.960 --> 00:11:05.800 Usually a 10K that you file with the SEC saying here's the 00:11:05.800 --> 00:11:06.950 things that can be material. 00:11:07.290 --> 00:11:09.940 And then when something happens that is material, you find out a 00:11:09.950 --> 00:11:11.510 file on 8K to say something changed. 00:11:11.960 --> 00:11:14.570 And it's required by law for any of these public companies. 00:11:14.840 --> 00:11:17.940 They have designated that cyber can be material and they expect to 00:11:17.940 --> 00:11:19.280 see the cyber components do that. 00:11:19.860 --> 00:11:22.710 So, it's already being mandated that you have to have the conversation. 00:11:23.000 --> 00:11:26.470 What we're seeing sort of as best practice is these companies are getting together 00:11:26.470 --> 00:11:27.940 saying, Well, what could be material? 00:11:28.390 --> 00:11:30.660 Instead of waiting for something to happen and filling out the 00:11:30.670 --> 00:11:32.660 8K, go reverse engineer the 8K. 00:11:33.195 --> 00:11:34.395 Hey, I'm a chemical company. 00:11:34.395 --> 00:11:37.335 What happened to make an eight K at the other three chemical companies 00:11:37.335 --> 00:11:41.115 that did it, let's take that eight K and reverse engineer it. 00:11:41.115 --> 00:11:43.235 And usually how that's done as a tabletop exercise. 00:11:43.635 --> 00:11:45.865 So you get around the room with the appropriate people in the 00:11:45.865 --> 00:11:48.795 room, whether security people, operations people, whoever, and go. 00:11:49.400 --> 00:11:49.650 Cool. 00:11:49.650 --> 00:11:52.400 Here's a fake scenario, but it's, it really happened for 00:11:52.410 --> 00:11:53.900 not just like lasers from space. 00:11:53.900 --> 00:11:54.910 Like do something real, right? 00:11:54.910 --> 00:11:58.590 Like here's what we saw happen before, respond. 00:11:58.630 --> 00:12:01.660 And then they kind of work through it like a game of sorts. 00:12:02.060 --> 00:12:04.530 And then they determine, oh, actually we're not in a good place to deal 00:12:04.530 --> 00:12:05.530 with this or we think we are. 00:12:05.570 --> 00:12:08.040 And that we think we are then should be followed up with technical 00:12:08.040 --> 00:12:09.730 assessments of, are you really? 00:12:10.015 --> 00:12:11.745 Did you really have those investments? 00:12:12.015 --> 00:12:14.435 And that should be reported back to the executive group to be able to say, 00:12:14.455 --> 00:12:16.075 yeah, we're actually as good as we are. 00:12:16.355 --> 00:12:16.745 No, we're not. 00:12:16.745 --> 00:12:17.675 We have these gaps. 00:12:17.705 --> 00:12:18.295 Let's go address 00:12:18.665 --> 00:12:20.885 Victoria: And you guys support companies on those exercises, is that 00:12:20.885 --> 00:12:22.315 something that you do as part of Dragos? 00:12:22.445 --> 00:12:24.705 Rob Lee: So even though we're a tech company that's like our bread and 00:12:24.705 --> 00:12:28.125 butter that preparation ahead and that tabletop exercise is where we get 00:12:28.125 --> 00:12:31.265 called in a lot and then unfortunately a lot on the response side as well. 00:12:31.345 --> 00:12:31.625 And we're, 00:12:31.805 --> 00:12:33.955 Victoria: Okay, so I like to always talk about leadership. 00:12:34.005 --> 00:12:40.125 You're a relatively young CEO, working with probably a lot of older CEOs. 00:12:40.521 --> 00:12:41.571 How has that played out for you? 00:12:41.571 --> 00:12:43.411 I'm just gonna ask that as a broad question. 00:12:43.761 --> 00:12:46.251 Rob Lee: Uh, really well, so far and surprising. 00:12:46.251 --> 00:12:46.751 I used to go in. 00:12:46.751 --> 00:12:50.031 I'd like have these meetings with these serious companies and like, Hey, I 00:12:50.031 --> 00:12:51.261 know I'm just a young CEO or whatever. 00:12:51.261 --> 00:12:53.551 And they're like, and eventually one of them told me, and this isn't really 00:12:53.551 --> 00:12:54.461 a question, but I think this is funny. 00:12:54.461 --> 00:12:57.541 Anyways, um, one of them told me like, stop it because I always played 00:12:57.541 --> 00:12:59.871 the card like, Hey, I'm first time founder, CEO, young guy, whatever. 00:13:00.111 --> 00:13:00.611 They're like, stop it. 00:13:00.801 --> 00:13:01.941 How long have you been CEO of Dragos? 00:13:01.941 --> 00:13:03.471 And I was like, at the time, it was like seven years. 00:13:03.921 --> 00:13:04.661 I was like, yeah, seven years. 00:13:04.661 --> 00:13:05.181 He's like, great. 00:13:05.271 --> 00:13:06.491 I've been a CEO for three. 00:13:06.631 --> 00:13:08.861 So you tell me, I was like, Oh, okay. 00:13:08.861 --> 00:13:13.371 And so I think a lot of the CEOs I meet are really humble in the position. 00:13:13.441 --> 00:13:15.001 I'm not saying like everybody else, but like most of them are 00:13:15.001 --> 00:13:16.111 very humble in the position to go. 00:13:16.341 --> 00:13:18.221 It doesn't matter how many years it took me to get here. 00:13:18.261 --> 00:13:20.081 I'm here and here's my base of expertise. 00:13:20.331 --> 00:13:22.311 You have a base of expertise and I'm calling on it. 00:13:22.601 --> 00:13:24.381 You tell me what your expertise is. 00:13:24.391 --> 00:13:25.911 So I found that to be pretty open on that. 00:13:26.201 --> 00:13:29.611 But it is, it's been fun on the infrastructure side because in 00:13:29.611 --> 00:13:31.301 cybersecurity, a lot of the cybersecurity 00:13:31.691 --> 00:13:35.021 executives, Chiefs, and Rescue Officers are always yelling like, How do I get 00:13:35.021 --> 00:13:36.391 the business to take me seriously? 00:13:36.401 --> 00:13:38.281 How do I get them to take seri And like, I don't have that problem. 00:13:38.651 --> 00:13:40.861 Because when I go talk to President Well, not like that, but when I go 00:13:40.861 --> 00:13:46.271 talk to No CEO, no President, no Parliamentary Member is confused about 00:13:46.271 --> 00:13:47.691 where their country generates revenue. 00:13:48.276 --> 00:13:52.366 Or risk, like it's just, I don't have the, well, how do you secure your data? 00:13:52.366 --> 00:13:55.636 I'm like, Hey, if there's a plant fire over there, it's 300 00:13:55.637 --> 00:13:56.746 million of lost productivity. 00:13:56.986 --> 00:13:58.356 They go, yeah, yeah, we get that. 00:13:58.366 --> 00:14:01.626 And so the impact allows it to sort of be the, yes. 00:14:01.656 --> 00:14:03.296 Now, how do we want to deal with that? 00:14:03.326 --> 00:14:05.726 And I think that allows the conversation to go pretty smoothly. 00:14:06.036 --> 00:14:07.360 Victoria: Well, this has been great. 00:14:07.450 --> 00:14:09.305 Thank you very much for the conversation. 00:14:09.305 --> 00:14:10.475 I know that people are gonna love it. 00:14:10.515 --> 00:14:12.705 And looking forward to hearing your speech 00:14:12.910 --> 00:14:13.580 Rob Lee: Yeah, good. 00:14:13.590 --> 00:14:15.900 Hopefully no one in this group ever has to call me. 00:14:15.940 --> 00:14:16.950 But if you do, do it in advance. 00:14:17.170 --> 00:14:17.360 Yeah, 00:14:19.221 --> 00:14:21.381 Thanks for joining us today on The Chemical Show. 00:14:21.721 --> 00:14:26.181 If you enjoyed this episode, be sure to subscribe, leave a review, 00:14:26.451 --> 00:14:30.011 and most importantly, share it with your friends and colleagues. 00:14:30.841 --> 00:14:33.731 For more insights, visit TheChemicalShow. 00:14:33.741 --> 00:14:36.261 com and connect with us on LinkedIn. 00:14:36.911 --> 00:14:40.861 You can find me at Victoria King Meyer on LinkedIn, and you can also 00:14:40.861 --> 00:14:42.811 find us at The Chemical Show Podcast. 00:14:43.221 --> 00:14:46.451 Join us next time for more conversations and strategies 00:14:46.711 --> 00:14:48.501 shaping the future of the industry. 00:14:48.871 --> 00:14:49.581 We'll see you soon.