I don’t sign s**t – Episode 143

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Hey everyone, and welcome to the Industrial Security Podcast. My name is Nate Nelson. I’m here as usual with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions, who is going to introduce the subject and guest of our show today. Andrew, how’s going?

I’m very well, thank you, Nate. Our guest today is Tim McCrate. He is the CEO and founder of TaleCraft Security, and his topic is the book that he’s working on. The working title is We Don’t Sign Shit, which is a bit of a controversial title, but he’s talking about risk. Lots of technical detail, lots of examples, talking about who should really be making high-level decisions about risk in an organization.

Nathaniel Nelson
Then without further ado, here’s your conversation with Tim.

Andrew Ginter
Hello, Tim, and welcome to the podcast. Before we get started, can I ask you to say a few words for our listeners? You know, tell us a bit about yourself and about the good work that you’re doing at TaleCraft.

Tim McCreight
Hi folks, my name is Tim McCreight. I’m the CEO and founder of TaleCraft Security. This is year 44 now in the security industry. I started my career in 1981 when I got out of the military, desperately needed a job and took a role as a security officer in a hotel in downtown Winnipeg, Manitoba.

Shortly after I was moved into the chief security officer role for that’ that hotel and others and had an opportunity to move into security as a career path. And I haven’t looked back I decided I also wanted to learn more about cybersecurity.

Holy smokes, in ’98, ’99, I took myself out of the workforce for two years, learned as much as I could about information systems, and then came back for the latter part of my career and have held roles as a chief information security officer in a number of organizations. So I’ve had the pleasure and the honor of being both in physical and cybersecurity for the past 40 some years.

Andrew Ginter
And tell me about TaleCraft

Tim McCreight
It’s a boutique firm with two of our lines. Our first line is that it’s new skills from the old guard, and we are here to help give back and grow.

And it’s our opportunity to provide services to clients focusing on a risk-based approach to developing security programs. We teach security professionals how to tell their story and how to use the concepts of storytelling to present security risks and ideas to executives.

And finally, we have a series of online courses through our TaleCraft University where a chance to learn more about the principles of ESRM and other skills that we’re going to be adding to our repertoire of classes in the near future.

Andrew Ginter
And our topic is your new book. You know, I’m eagerly awaiting a look at the book. Can I ask you, you know before we even get into the the content of the book, how’s it coming? When are we going to see this thing?

Yeah Well, thank you for asking. i had great intentions to publish the book, hopefully this year. and Unfortunately, some things changed last year. i I was laid off from a role that I had and I started TaleCraft Security.

So sadly, my days have been absorbed by the work that it takes to stand up a business get it up and running. And my hats off to all the entrepreneurs out there who do all of these things every day. I’m new to this. So understanding what you have to do to stand up a business, get it running, to market it, to run the finances, et cetera, it has been like all consuming. So The book has unfortunately taken a bit of backseat, but I’ve got some breathing room now. I’ve got into a bit of a rhythm.

Tim McCreight
It’s a chance for me to get back to the book and start working through it. And and it’s to me, it’s appropriate. It’s a really good time. If I’m following the arc of a story, this is the latter part of that story arc. So I get a chance to help fill in that last part of the story, my own personal story, and and to put that into the book.

Andrew Ginter
I’m sorry to hear that. I’m, like said, looking forward to it. We have talked about the book in in the past. Let me ask you again, sort of big picture. You know, I’m focused on industrial cybersecurity. I saw a lot of value in the the content you described us as being produced. But can you talk about, you know, how industrial is the book?

We’re talking about risk. We’re talking about about leadership, right? How industrial does it get? I know you you do ah you do a podcast. You do Caffeinated Risk with Doug Leese, who’s a big contributor at Enbridge. He’s deep industrial. How industrial are you? How industrial is this book?

Tim McCreight
It spans around 40 years of my career and starting from, you know, physical security roles that I had, but also dealing with the security requirements for telecommunications back in the eighties into the nineties, getting ready for, and and helping with the security planning for the Olympics in the early two thousands, working into the cyberspace and understanding the value of first information security, then it turned into cyber security, then focusing on the OT environment as well, when I had a chance to work in critical infrastructure and oil and gas.

And then finally, you know the consistent message throughout the book is this concept of risk and that our world, when we first, you know when we first began this idea of industrial security back in the forties, bringing it up to where we need to be now from a professional perspective and how we view risk.

I do touch and do speak a little bit about the the worlds that I had a chance to work in from an industrial perspective. The overarching theme though is really this concept of risk and how we need to continue to focus on risk regardless of the environment that we’re in.

And some of the interesting stories I had along the way, some of the, honest to God, some of the mistakes I made along the way as well. I’ve learned more from mistakes than I have from successes.

And understanding the things that I needed to get better at throughout my career. I’m hoping that folks, when they do get a chance to read the book, that they recognize they don’t need to spend 40 some years to get better at their profession. You can do it in less time and you can do it by focusing on risk, regardless of whether you’re in the IT, the OT or the physical space.

Andrew Ginter
So there’s, there is some, some industrial angle in there, but, like I said, industrial or not, I’m i’m fascinated by the topic. I think we’ve, I’ve, beaten around the bush enough. The title, the working title is, is “We Don’t Sign Shit.” What does that mean?

Tim McCreight
I came up with “We Don’t Sign Shit.” And it’s I have a t-shirt downstairs in my office so that that I got from my team with an oil and gas company I worked with. And and Doug Lease was in the team as well.

And it really came down to this, the principle that for years, security was always asked to sign off on risk or to accept it or to endorse it or my favorite, well, security signed off on it, must be good.

Wait a second. We never should have. That never should have been our role. We never should have been put in a position where we had to accept risk on behalf of an organization because that’s not the role of security. Security’s role is to identify the risk.

Identify mitigation strategies and present it back to the executives so that they can make a business decision on the risks that we face. So in my first couple of weeks, when I was at this oil and gas organization, we had a significant risk that came across my desk and it was a letter that I had to sign off on. a brand new staff member came in and said, “Hi boss, I just need to take a look at this.”

I’m like, “Hi, who are you? What team do you work on? And what’s the project you’re working on?” When I read this letter, I’m like, are you serious that we’re accepting a potential billion dollar risk on behalf of this organization? Why?

And like, “Well, we always do this.” Not anymore. And we went upstairs. We got a hold of the right vice president to take a look at this to address the risk and work through it. And as I continued to provide this type of coaching and training to the team there, I kept bringing up the same concept. Look, our job is not to sign shit.

That’s not what we’re here for. We don’t sign off on the risk. We identify what the risk is, the impacts to the organization, what the potential mitigation strategies are. And then we provide that to executives to make a business decision.

So when I did leave the organization for another role, they took me out for lunch and I thought it was pretty cool. The whole team got together and they created this amazing t-shirt and it says, “Team We Don’t Sign Shit.” So it worked, right? And that mindset’s still in place today. I have a chance to touch base with them often. Ask how they’re doing. And all of them said the same thing is that, yeah, it’s that mindset is still there where they’ve embraced the idea that security’s role is to identify the risk and present opportunities to mitigate, but not to accept the risk on behalf of the organization.

That was the whole context of where I I took this book is, wouldn’t it be great if we could finally get folks to recognize, no, we don’t sign shit. This isn’t our job.

Nathaniel Nelson
So Andrew, I get the idea here. tim isn’t the one who signs off on the risk. He identifies it and passes it on to business decision makers, but I don’t yet see where the passion for this issue comes from, like why this point in the process is such a big deal.

Andrew Ginter
Well, I can’t speak for Tim, but I’m fascinated by the topic because I see so many organizations doing this a different way. In my books, the people who decide how much budget industrial security gets should be the people ah making decisions about are these risks big enough to address today? Is this, is this ah a serious problem because they’re the ones that are are you know they have the the business context they can compare the the industrial risks to the the other risks the business is facing to the other needs of the business and make business decisions

When you have the wrong people making the decisions, you risk, there’s a real risk that you make the wrong decisions because the the people executing on industrial cybersecurity do not have the business knowledge of what the business needs. They don’t have the big picture of the business and the people with the big picture of the business do not have knowledge, the information about the risk and the mitigations and the costs. And so each of them is making the wrong decision. When you bring these people together and the people with the information convey it to the people with the business knowledge, now the people with the business knowledge can make the right decision for the business.

And again, the industrial team execute on it. If you have the wrong people making the decision, you risk making the wrong decision.

Andrew Ginter
So let me ask, I mean, you take a letter into an executive, you you you do this over and over again in lots of different organizations. How do how is that received? How do the executives react when you do that?

Tim McCreight
So, I mean, my standard approach has always been, and and I use this as my litmus test is if the role I play as a chief security officer or CISO, and you’re asking me to accept risk, I come back. And the the first question I’m going to ask is if this is the case and you’re asking me to do this on, I’m going to say, no, invariably the room gets really quiet.

People start recognizing, oh, he’s serious. Yeah. Cause I have no risk tolerance when it comes to work. I would be giving everybody like paper notebooks and crayons and I want it back at the end of the day So I don’t have any tolerance for risk. But to test my theory is when I ask executives, if you’re saying that my role is to sign off on this, then I’m not going to, does that stop the project?

It never does. So the goal then is to ensure that the executives understand it’s their decision, and it’s a business decision that has to be made, not a security decision because my decision is always going to be, I start with no and I’ll negotiate from there.

But when we look at what the process is that i’ve I’ve provided and others have followed is I’ll bring the letter with the recommendations to the business for them to review and to either accept the risk, sign off on it, or to find me an opportunity to reduce the risk.

That’s when I start getting attention from the executives. So it moves from shock to he’s serious to, okay, now we can understand what the risk is. Let’s walk through this as a business decision. That’s when you start making headway with executives is taking that approach.

Andrew Ginter
So, I mean, that that sounds simple, simple but in in my experience, what you said there is actually very deep. I mean, i’ve I’m on the end of a long career as well, and I’ve never been a CISO. And in hindsight, I come to realize that, bluntly, I’m not a very good manager.

Because when someone comes to me, it doesn’t matter, so any anyone outside the the my sphere of influence my scope of responsibility saying, hey, Andrew, can you do X for me?

Whenever one of my people comes to me with an idea saying, hey, we should do Y, my first instinct is, what a good idea. Yeah, yeah.

Whereas I know that strong managers, their first instinct is no. And now whoever’s coming at us with the request or with the idea has to justify it, has to give some business reasons.

Again, so that’s, this is this is deep. It’s a deep difference between between you and and people like me.

Tim McCreight
Yeah well, and it is, and there’s, don’t get me wrong. There’s an internal struggle every time when I’ve worked through these types of requests where I, I want to help people too, but, but I understand that the path you got to take and how you have to get business to understand it, accept it and move forward with it. It’s different, right? This is why some great friends of mine that I’ve known for years, and they were technical, they’re technically brilliant. They have some amazing skills. Like, honest to God, I stopped being a smart technical person long time ago, and I’ve relied on just wizards to help move the programs forward.

And, I’ve chatted with them as well, and then they’re similar to you, Andrew. they’ve They’ve got great technical skills. They’ve been doing this for a long time. And, one of the one of the folks I chatted with, they’re just like, I can’t I can’t give myself the lobotomy to get to that level. I’m like, oh, my God. Okay, fair enough.

And I get it, but the way I’ve always approached this, it’s different, right? So I i take myself out of the equation of always wanted to help everybody to how can I ensure that I’m reducing the risk?

And if I can get to those types of discussions and have them with executives, for me, that’s where I find the value. So all of the work I’ve done in my career to get to this space, the amazing folks that I’ve met along the way, the teams that I’ve helped build, the folks I still call on to, to to mentor me through situations,

It always comes down to, can I have a meaningful business discussion to talk about the risk? And then it takes away some of the emotional response. It takes away that immediate, I need to help everybody do everything because we can’t.

But it gives us a chance to focus on what the problem is. What’s the risk that we’re facing? How can we reduce that risk? And can we actually pull this off with the resources that we have? So yeah, I get it. Not everybody wants to sit in these chairs. I’ve met so many folks throughout my career that they keep looking at me going, Jesus, Tim, why would you ever want to be in that space?

Why would you ever accept the fact that you’re, that they’re trying to hold you accountable for breaches or or for events or incidents? And I challenge back with it from it, for me, it’s that opportunity to speak at a business language, to get the folks at the business level, to appreciate what we bring to the table, whether it’s in OT security, IT t or cyber, it physical or cyber, it’s,

It’s a chance for all of us to be represented at that table, at that level, but at a business focus. So for me, that’s why I kept looking for these opportunities is can I continue to move the message forward that we’re here to help, but let’s make sure we do it the right way.

Andrew Ginter
So, fascinating principles. Can you give me some examples? I mean, TaleCraft is about telling stories. Can you tell me a story? How did this work? How did it come about? What kind of stories are you telling here?

Tim McCreight
So there’s there’s a lot that i’ve I’ve presented over the years, but a really good one is I was working with Bell Canada many years ago. We had accepted the, we were awarded the communication contract and some of the advertising media supporting contracts for the Olympics for 2010 for Vancouver.

And I was working with an amazing team at Bell Canada. Doug Leese was on the team as well, reporting into the structure. So it was very cool to work with Doug on some of these projects. We decided that the team that was putting in place the communication structure decided they want to use the first instance of voice over IP, commercial voice over IP. It was called hosted IP telephony.

And it was from Nortel. If folks still remember Nortel, it was from Nortel Networks. We looked at the approach that they were taking, how we were going to be applying the the technology to the Olympic Village, et cetera.

Doug and the team, they did this amazing work when the risk assessment came across, but they were able to intercept a conversation decrypt the conversation and play it back as an MP4, like an MP3 file.

You could actually hear them talking. And it was at the time it was the CEO calling his executive assistant order lunch. And we had that recorded. You could actually hear it. It was just as if it was, they were speaking to you.

So that’s a problem when you’re trying to keep secure communications between endpoints in a communication path. We wrote up the risk assessment. We presented it to the executives. We we presented the report up to my chain and it was simple.

Here’s the risk. Here’s the mitigation strategy. We need a business decision for the path that we wanted to take. And that generated quite the stir. My boss got back to me and said, well, we have to change the report. No, I said, no, we don’t. We don’t change this shit. We just, you you move it forward.

We’ve objectively uncovered the risk. The team did a fantastic job. But here’s an attached recording. If you want to hear it, but let’s keep moving forward. So it went up to the next level of management and same thing. Would you alter report? No, no I would not.

Move on, move on. Finally got to the chief security officer. And I remember getting the phone call. It’s like, well, Tim, this is, this is going to cause concerns. No, it’s a business decision. It isn’t about concerns. This is a business decision. And what risk is the business willing to accept?

So he submitted the report forward. Next thing I’m getting a call from, an executive office assistant telling me that my flight is going to be made for the next day. I’ll be, I’ll be flying to present the report. Like, Jesus Christ. So, all right, I got on a plane headed out east.

Waited forever to talk to the CEO at the time. And all they asked all they asked was, it is this real? are you is Would you change this? I said, no, the risk is legitimate.

And here’s the resolution. Here’s the mitigation path. Here’s the strategy. So they asked how much we needed, what we needed for time. it was about six months worth of work with the folks at Nortel to fix the problem. And all of that to state that had we done this old school many years ago, we would have just accepted the risk and move forward with it.

That wasn’t our role. That’s not our job, right? In that whole path, that whole risk assessment needed to presented to the point where executives understood what could potentially happen. We already proved that it could, but they needed to understand here’s the mitigation strategy. We found a way to resolve it.

We need this additional funding time resources to fix the problem. So that That stuck with me. That was like almost 20 years, like that was over 20 years ago. And that stuck with me because had I, altered my report, had I taken away the risk, had he accepted it on behalf of the security team, we don’t know what could have happened to the transmissions back and forth at the Olympics.

But I do know that in following that process, you never read about anyone’s conversations being intercepted at the 2010 Olympics, did you? It works. The process works, but what it takes is an understanding that from a risk perspective, this is the path that we have to take.

It’s not ours to accept. You have to make sure you get that to the executives and let them make that decision. Those are the stories that we need folks to hear now, as we move into this next phase of developing the profession of security.

Andrew Ginter
So Nate, you might ask, the CEO had a conversation, intercepted ordering lunch. Is this worth, the the big deal that it turned into? And I discussed this offline with with Tim and what he came back with is was, Andrew, think about it. Imagine that you’re nine days into the 10-day Summer Olympics or two week, whatever it is.

And someone, pick someone, let’s say the Chinese intelligence is found to have been intercepting and listening in on all of the conversations between the various nations, teams, coaches in the various sports and their colleagues back in their home countries.

They’ve been listening in on them for the the whole Olympics. What would that do to the reputation of the Olympics? What would that do to the reputation of Bell Canada? This is a huge issue. It was a material cost to fix. It took six months and he didn’t say how many people and how much technology.

But this is not something that the security team could say, “Okay, we don’t have any budget to fix this, therefore we have to accept the risk.” That’s the wrong business decision.

When he escalated this, it went all the way up to the CEO who said, yeah, this needs to be fixed. Take the budget, fix it. We cannot accept this risk as a business. That’s ah a business decision the CEO could make. It’s not a business decision he could make with the budget authority that he had four levels down in the organization.

Andrew Ginter
So fascinating stuff. Again, I look forward to stories in in the book. But you mentioned stories at the very beginning when you introduced TaleCraft. Can you tell me more about TaleCraft? How does this this idea of storytelling dovetail with with the work you’re doing right now?

Tim McCreight
When I was first designing this idea of what TaleCraft could be, we reached out to a good friend of ours here in Calgary, Mike Daigle. He does some amazing work. He spent some time just dissecting what I’ve done in my career and what I’ve accomplished. More importantly, some of the things that he wanted to focus on from company perspective.

And one of the the parts he brought up, and this is how TaleCraft was created, the word tail was I i spend a significant amount of my time now telling stories and it’s to help educate and to inform and stories to influence and and to provide meaning and value to executives.

But the common theme for all of this has been this concept of telling a story. One of the things I found throughout my career is as security professionals move through the ranks, as they begin, junior levels, moving into their first role as management and moving into director positions and eventually chief positions, the principles and the concepts of being able to tell a story or to communicate effectively with executives,

I found that some of my peers weren’t doing a great job or they were, I don’t know about you, Andrew, but if you sit in a ah presentation that someone’s giving and if all you’re reading is the slide deck, Jesus, you could just send that to me. I got this. I don’t need to spend time watching you stagger through a slide deck or the slides that have a couple of thousand words on them that you’re expecting us to read from 40 feet away.

It doesn’t happen. So what really bothered me is that we started losing this skillset of being able to tell a story. And to effectively use the principles of storytelling to provide input to executives, to make decisions for things like budget or resourcing or allocating, staff resources, et cetera.

So that’s one of the things that we do at TaleCraft is we teach security professionals and others, the principle and the concept of storytelling and how the story arc, those three parts to a story arc that we learned as kids, the beginning of the story, the middle where the conflict occurs, the resolution, and finally the end of the story, when, when you’re closing off and heading back to the village, after you slayed the dragon, those three things that we have, we learned as kids, they still apply as an adult because we learn as human beings through stories. We have for hundreds of years, thousands of years, used oral history as a way to present a story from one generation to the next.

We can use the same skill sets when we’re talking to our executives, when we’re explaining a new technique to our team, or when we’re giving an update in the middle of an incident and how you’re going to react to the next problem and how you’re going to solve it.

Those principles exist. It’s reminding people of what the structure is, teaching people how to follow the story arc when they’re presenting their material, taking away the noise, the distractions and everything else that gets in the way when listening to a story, but focus on the human.

And that’s one of the things that we’re doing here Telegraph is we’re teaching people to be more human in their approach and the techniques work. I just, My wife is up in Edmonton doing a conference right now for the CIO c Conference for Canada.

And she actually asked me to, this is a first folks, for all those of you who are married, what what kind of a progress I’ve made. My wife actually asked if I could dissect her presentation and help her with it. I thought that was pretty amazing. We restructured it so that she was able to use props.

She brought in a medical smock and and a stethoscope to talk about one of the clients that she worked with. And it sounds like it worked because she got some referrals for folks in the audience and she’s spending time right now talking to more clients up in Edmonton. So yeah, I crossed my fingers I was going to get through that one and it seemed to have worked. But these principles of telling a story, if you have a chance to understand how a story works and you’re able to replicate that in a security environment, all of a sudden now you’re speaking from a human to a human.

You’re not bringing in technology. You’re not talking about controls. You’re not spewing off all of these different firewall rules that we have to go through. Nobody cares about that stuff. What they want to hear is what’s the story and can I link the story to risk?

And at the top end of that arc, can I provide you an opportunity to reduce the risk and then finish the story by asking for help? If we can do that, those types of presentations throughout my career, that’s when I’ve been the most successful is when I can focus on the story I need to tell, get the executives as part of it and focus on the human reaction to the problem that we have.

That’s one of the things that we’re teaching at TaleCraft.

Andrew Ginter
So that makes sense in principle. Let me let me ask you. I mean, I do a lot of presentations. I had an opportunity to present on a sort of an abstract topic at S4, which is the currently the world’s biggest OT security-focused conference. And, if you’re curious, it was the title was “Credibility Versus Likelihood.” So, again, a very sort of abstract, risky, risk-type topic.

And the the the advice I got from Dale Peterson, the organizer, was, “Andrew, I see your slides. You can’t just read the slides. You’ve got to come to this presentation armed with examples for every slide, for every second slide.”

Tim McCreight
Yep.

Andrew Ginter
“Get up there and tell stories.” so I would give examples. Sometimes they would be attack scenarios. is that is that the same kind of thing here?

Tim McCreight
It is, I think. you And congratulations for for being asked to present at that conference. That’s amazing. So so kudos to you. That’s that’s awesome, Andrew. That’s great to hear. But you’re right. You touched on one of the things that a lot of presentations lack is the credibility or how I view the person providing the presentation. Do they have the authority? Do I look at them as someone who’s experienced and understands it?

And you do that by telling the story and providing an example for, let’s say, an attack scenario where you saw how it unfolded, how you’re able to detect it, how are you able to contain it, eradicate it, recover back. Those are the stories that people want to hear because it makes it real for people. Providing nothing but a technical description of an attack or bringing out, us as an example, a CVE and breaking it down by different sections on a slide. Oh my God, I would probably poke my eye out with a fork.

But if you walk me through how you identified it, The work that you guys did to identify, to detect it, to contain it, to eradicate it, and then recover. it If you can walk me through those steps from a personal example that you’ve had, that to me is the story.

And that’s the part that gets compelling is now you’ve got someone who’s got real world experience, expertise in this particular problem. They were able to solve it and they provide to me in a story. So now I can pick up those parts. I’m going to remember that part of the presentation because you gave me a great example, which is really, you gave me a great story. Does that make sense?

Andrew Ginter
It does to a degree. Let me Let me distract you for a moment here. I’m not sure this is I’m not sure this is the same the same topic, but I’ve, again, i’ve I’ve written a bit on risk.

Tim McCreight
Okay.

Andrew Ginter
You know I’ve tried to teach people a bit about what what is risk, how do you manage risk in in especially critical infrastructure settings. And I find that a lot of risk assessment reports are, it seems to me not very useful. They’re not useful as tools to make business decisions.

You get a long list of, you still have 8,000 unpatched vulnerabilities in your your your OT environment. Any questions? To me what business decision makers understand more than a list of 8,000 vulnerabilities is attack scenarios.

And so what I’ve argued is that every risk assessment should finish or lead, if you wish, with a in In physical security, you’re you’re probably more familiar this than I am, the the concept of design basis threat, a description of the capable attack you must defeat. You’re designed to defeat with a high degree of confidence.

And you look at your existing security posture and decide this class of attack we defeat with a high degree of confidence. These attacks up here, we don’t have that high degree of confidence.

And and what I’ve argued you should tell the story. Go through one or two of these attack scenarios and say, here is an attack that we would not defeat with a high degree of confidence. Is it acceptable that this attack potential is out there? Is that an acceptable risk?

Is that Is that the kind of storytelling we’re talking about here, or have I drifted off into some other space?

Tim McCreight
No, I think you’ve actually applied the principles of telling a story to something as complex as identifying your particular response or your organization’s response to ah either an attack a attack scenario or a more sophisticated attack scenario. So no, I think you’ve you’ve nailed it.

What it does though, in the approach that you just talked about, It gives a few things to the business audience. One, you have a greater understanding of the assets that are in place and how they apply to the business environment, right? Whether it’s in a physical plant structure for OT or whether it’s a pipeline, et cetera.

If you understand the environment that is being targeted, understand the assets that are in place and the controls that you have there in place, that gives you greater a greater understanding and foundations for what is the potential risk.

By telling the story then of what a particular attack scenario looks like, And if you have a level of confidence that you’d be able to protect against it, you’d be able to walk through the different parts of the story arc.

This is the context of the attack. This is what the attack could look like. Here’s how we would try to resolve it if we can. And then here’s the closing actions that we would be focused on if the attack was either successful or unsuccessful.

So all of those things, I think, apply to the principles of telling a story. What you’ve given is a great example of how to take something that’s very technical or, the the typical risk assessment I’ve seen in my career where, that Andrew here, here’s your 200 page report, the last 10, last hundred pages are all the CVEs we found.

And let us know if you need any help. Well, that doesn’t help me. But if you walk me through a particular example where here is in this one set of infrastructure, we’re liable or we’re open to this type of attack.

I think that’s amazing because it gives the executives the story they need. You understand the assets. Here’s the risk. Here’s the potential impact. Here’s what we can and cannot do to defeat or defend against this.

And then we need your help if this is a risk that you can’t accept. So no, I think you’ve covered all parts of what would be an appropriate story arc for using that type of approach. And honest to God, if you could get more folks to include that in reports, I would love to see that because I’m like you, I i have read too many reports that don’t offer value.

But the description you just provided and the way we break it down, that offers huge value to executives moving forward.

Nathaniel Nelson
Tim’s spending a lot of time emphasizing the importance of storytelling in conveying security concepts to the people who make decisions. Andrew, in your experience, is this sort of thing something you think about a lot? Do frame your your information in the same ways that he’s talking about, or do you have a different sort of approach?

Andrew Ginter
This makes sense to me. it’s sort of a step beyond what I usually do. So I’m i’m very much thinking about what he’s done and and how to use it going forward. But just to give you an example, close to a decade ago, I came out with a report, the “Top 20 Cyber Attacks on Industrial Control Systems.”

And it wasn’t so much a report looking backwards saying what has happened. It’s a report looking at what’s possible, what kind of capabilities are out there. And I tried to put together a spectrum of attack scenarios with a spectrum of consequences. Some of the attacks were very simple to carry out and had almost no consequence.

Some of them were really difficult to carry out and would take you down hard and cost an organization billions of dollars or dozens of lives. And everything in between.

And I did that because, in my experience, business decision makers understand attack scenarios, better than they understand abstract numeric risk metrics or lists of vulnerabilities.

But I described it as attack scenarios. In hindsight, I think really… what I was doing there was telling some stories and, I need to update that report.

I’m going to do it by updating it to read in more of a storytelling style so that, people can hear stories about attacks that they do defeat reliably and why, and attacks that they probably will not defeat with a high degree of confidence and what will be the consequences so that they can make these business decisions.

Nathaniel Nelson
Yeah, and that sounds nice in theory, but then I’m imagining, you tell your nice story to someone in the position to make a decision with money and they come back to you and say, well, Andrew, your story is very nice, but why can’t we defeat all of these attack scenarios with the amount of money we’re giving you?

Nathaniel Nelson
What do you tell them at that point?

Andrew Ginter
That is a very common reaction, saying, “You’ve asked us where to draw the line. We draw the line above the most sophisticated attack, fix them all.” And then I explain what that’s going to cost.

They haven’t even really paid attention to the attack scenarios. They haven’t even asked me about the attack scenarios. I’ve just explained the concept of a spectrum. They said, yeah, put it on the very put the line on the top, fix them all. And then you have to explain the cost.

And they go, “Whoa. Okay, so what are these?” And they ask in more detail and you give them the simplest attack, the simplest story that you do not defeat with a high degree of confidence.

And you ask them, is that something we need to fix? And they say, “Yeah, that’s nasty. I could see that happening, fix that. What else do you got?” And you work up the chain and eventually you reach an attack scenario or two where they look at it and say, “That’s just weird.”

I mean, let me give you an extreme example. Imagine that a foreign power has either bribed or blackmailed every employee in a large company. What security program, what policy can this the the CEO put in place that will defend the organization? Well, there isn’t one. Your entire organization is working against you. Is that a credible threat? The business is probably going to say, no, this is why we have background checks.

A conspiracy that large, the government is going to, be you going to come in and, and and and arrest everyone. That’s not a credible threat. And so, the initial reaction might be, yeah, fix it all. Draw the line across the very top of the spectrum.

And when that becomes clear that you can’t do that, this is where you dig into the stories and they have to understand the the individual scenarios. And they will eventually draw the line and say, “These three here that you told me about, fix them.” The rest of them just don’t seem credible.

That’s the decision process that you need to to to go through. And you need to describe the attacks. And I think the right way to describe the attacks is is with storytelling.

Andrew Ginter
So, I mean, this all makes great sense to me. I mean, this is why I asked you to be a guest on the podcast. But let me ask you, a sort of the next level of detail at TaleCraft. If, I don’t know, a big business, a CISO, says, TaleCraft makes sense to me and they bring you in, what do you actually do? Do you do you run seminars? Do you review reports and give advice? what What does TaleCraft actually do if we if somebody engages with you?

Tim McCreight
So there are a couple of things that we can offer to organizations that bring us in that from a TaleCraft perspective. First, what we offer, let me talk about storytelling first. What we offer from the storytelling approach is we will go to the client site.

We will run workshops, anywhere from four-hour workshop to a two-day workshop. We will bring team members from the security group, as well as others that the security team interacts with. We’ll go over the principles of storytelling and the concepts of storytelling, how to be more mindful in your public speaking and in your preparation.

And we’ll spend the first day going through the theory and the concepts of telling a story and becoming a better public speaker. Then on the second day of the workshop, we we then ask all participants to stand up for up to 10 minutes and provide their stories.

At the end of each one of the sessions, we provide positive feedback and provide them opportunities to grow and experience more more storytelling opportunities. And then we close out the workshop We provide reports back to each of the individuals on how we observed them absorbing all of the content from day one, and then offer opportunities for individual mentoring and coaching along the way.

So that’s one of the first services we offer. The second, as we come into organizations, if a CISO or CSO contacts us and asks us for assistance, we can do everything from helping them redesign their security program using the principles of enterprise security risk management, review the current program that they have today, assess the maturity of the controls that they have in place, identify risks that are facing the organization at a strategic level. And then we can come in and help them map out and design path to greater maturity by assessing the culture of security across the organization as well, where we go out and interview stakeholders from across the organization, from different departments, different divisions, and different levels of employees in the organization and identify their perception of security, the value that security brings to the organization, and how the security team can become greater partners and trusted advisors to the company. That’s part of the work that we do at Telegram Security.

Andrew Ginter
I understand as well that you’re working with professional associations or or something. I mean, I know that in in Canada, there’s the Canadian Information Processing Society. It’s not security focused. Security is an aspect of information processing in in the IT space.

In Alberta, there’s APEGA, the Association for Professional Engineers, Geologists, Geophysicists. I would dearly love to see these professions embrace cybersecurity and establish professional standards for practitioners for what is considered acceptable practice so that there is sort of a minimum bar.

So tell me, you’re you’re working with these folks. what What is it that you’re doing? How’s that going?

Tim McCreight
Yeah, so this happened, I’ve been thinking about this for probably the last 20 some years, and it always bothered me that the security director, the CISO, et cetera, in an organization, if they did get a chance to come to a board meeting or to be invited to talk to executives, you got a 45 minute time slot. Most times it was less. You had a chance to drink the really good coffee, and then you were asked to leave the room, and that was your time.

Where your peers who were running other departments across the organization in legal, finance, HR, etc. They stayed the entire weekend to help map out the strategy for an organization. Yet we weren’t invited to that party.

And that kind of annoyed me for the last some years. So I took it upon myself to begin a journey and I brought some folks along with me. There’s about 15 of us now that are working on the concept of designing and developing the profession of security, focusing on Canada first, and then working through the Commonwealth model to all those countries that follow the Commonwealth parliamentary system.

And it it made sense to me. I couldn’t do much work when I was the president of ASIS 2023. I didn’t want to have any perceived conflict of interest or anything that I was doing. But what we looked at from this concept of designing the profession of security It’s an opportunity for thus those who call this our profession and want to be recognized as such to borrow some of the great work that KIPPS has done and that APEGA has done here in Alberta, KIPPS across the country, to recognize the path that they took, how they were recognized and established, how they developed their charters, et cetera.

So we’ve had an opportunity to chat with some folks from KIPPS, but also to look at the work that they’ve done. And I’ve had a chance to review APEGA and it made sense to me. So now, Spin forward to 2025. We have a group of individuals who are focused on designing and developing what we consider to be a model that will provide a professional designation for security professionals in Canada.

It’s an opportunity to demonstrate your expertise and your body of knowledge. It’s an opportunity to take all of the the designations that you’ve received from groups like ISC squared, ISACA, ASIS, et cetera, use them as stepping stones to the next level where you’re accepted as a professional designation so that a security designation, whatever we can land on for the post nominals would be recognized the same as an engineer or as a doctor or as potentially a lawyer.

It gives us the validation of our work that we do. It gives us the recognition of the value that security brings to an organization. And it ties together OT, IT, t cyber, physical, all of the different parts of makeup security. And it’s a chance for us to come under one umbrella. So the way I describe it is that, I’ve, For years, I said, I ran a department. It just happens to be security. Now we can say I’m a security professional and my expertise is in OT security or in forensics or in investigations or in a crime prevention through environmental design.

It gives us an umbrella designation for security and a chance to specialize. So a good friend of mine is a surgeon. He started off as a doctor and now he’s a thoracic surgeon. So whenever he recognizes himself is that, he’s a, he’s a doctor, my specialty is c thoracic surgery, and now he’s chief of thoracic surgery at Vancouver General Hospital. Super great guy, but the path he took was become a doctor, demonstrate your expertise, spend more time to create your specialty, focus on that, be recognized for that. And now that’s his designation.

I want to do the same here in Canada for security. The reason why is, look, you and I both know this, Andrew, and we’ve we’ve seen this. If I go do a risk assessment for a client or internally, and if I do a bad job, I just go to the next client.

But if we have a doctor or a lawyer who mishandles a file or mishandles an operation or is liable for their actions, they’re held accountable to it. We are not. What I want to be able to do is put in the standards that demonstrate the level of our expertise, that we’re held accountable for our actions, that we maintain our credentials throughout our career, that we’re able to give back to the profession of security, and that if something does happen, we’re actually accountable for the work that we do.

And think that’s important, right? like here in our new house, an engineer stamped our plans. He’s accountable for the work he did. Why can’t we have the same for security? I think we need to, because then that provides executives a greater understanding of how important the work that we do every day to secure your organization so that you can achieve your goals and objectives.

That that’s what I’ve been doing on the side of my desk for the past 20 years. I finally got some breathing room to do it now with a TaleCraft giving me the space to do it. So I’m, I’m looking forward to trying to roll this thing out between now and the end of the year, at least the structure of it, and then we engage more people to get their comments and their perceptions so that we’re trying to reflect and represent as many folks as we can across the security profession.

Andrew Ginter
Well, Tim, this has been tremendous. Again, I look forward to to your book. Hopefully you find some time to work on it. Before we let you go, can I ask you to sum up for us? What are the what what should we take away from from the discussion we’ve had in the in the episode here and and use it going forward?

Tim McCreight
Thank you for that. I appreciate it. And yeah, fingers crossed, I can get working on the book over the summertime. That’s my goal. But for this particular episode, I think a couple of things. One, as security professionals, it’s not our job to accept the risk. It’s our job to identify it, provide a mitigation strategy, and present it back to executives. So that’s that’s one of the things that I want to keep stressing for everybody. Our role is to be an advisor to the organization.

It’s not to accept the risk on behalf of the organization. Second is, We all have a story to tell. We all understand the value and the power of a story. We all see how important it is when we tell a story to our executives, to our leaders, to our teams, and to others.

You need to focus on those skill sets of how to tell a story, particularly in the role of security, because not everyone understands the value that we bring. and the second annual and then And the last point for me is that You need to continue to look for mentors, for instructors, for trainers who can offer you these skill sets and you can provide this type of training for you so that you can continue to build your career.

We can’t do this alone. but You need to make sure that you have an opportunity to reach out to folks that can help you, whether it’s looking at your security program and trying to build it on a risk-based approach or teaching people the value of telling a story and then applying those skills the next presentation you give to executives. If folks remember those things, that’d be terrific.

So for those folks listening to the podcast today, if those points resonate with you, and if you’re looking for opportunities to learn more about telling a story or how to be effective doing that, how to look at your program from a risk-based approach and how to find mentors that can help you in your career path, reach out to TaleCraft Security.

This is what we do. It’s our opportunity to give back to the profession of security, to help organizations build their security programs, and to grow the skill sets of people who want to learn more about telling a story, becoming a better security leader, or understanding the concepts of a risk-based approach to security.

That’s what we’re here at TaleCraft for us, to help, to give back, and to grow.

Nathaniel Nelson
Andrew, that seems to have done it with your interview with Tim. Do you have any final word you would like to say gazelle today?

Andrew Ginter
Yeah, I mean, I think this is a really important topic. I see way too many security teams saying, this is my budget. This is all I have budget to I do not have budget to solve that problem. Therefore, I will accept the risk of that problem. And, especially for new projects, for risks that that we’ve never considered before, you That is often the wrong decision.

When we have new kinds of decisions to make, we need to escalate those decisions to the people who assign budget. We need to tell those people stories so they understand the risk. We have to get the right information, the right stories to the right people so they can make the right decisions. Saying, I have no budget, therefore I’m going to accept the risk many times is the wrong decision for the business. And we cannot afford to be making those wrong decisions time and again.

As the threat environment becomes more dangerous, as consequences of of industrial cyber attacks increase, we need to be making the right decisions. And this seems an essential component of of making the right decisions.

Nathaniel Nelson
Well, thanks to Tim McCreight for that. And Andrew, as always, thank you for speaking with me.

Andrew Ginter
It’s always a pleasure. Thank you, Nate.

Nathaniel Nelson
This has been the Industrial Security Podcast from Waterfall. Thanks to every everyone out there listening.