
Evolving Past Whack-a-Mole: Building Resilient Security Strategies for Modern Supply Chain Threats with Chris Hurst
About This Episode
In this episode of To the Point Cybersecurity, hosts Rachael Lyon and Jonathan Knepher welcome Chris Hurst, CTO and Co-Founder of Blackwired, for a deep dive into the fast-evolving world of supply chain attacks, credential theft, and the future of cyber defense. With a background in military-grade intelligence and leadership in developing key security frameworks for the UK government, Chris brings firsthand insights and compelling stories from the front lines—revealing the hidden threats that quietly undermine critical industries.
Throughout the conversation, Chris breaks down the anatomy of recent supply chain breaches and challenges the status quo in threat intelligence and cyber resilience. He explains why the prevailing “whack-a-mole” approach to cybersecurity is no longer effective, and why a shift toward intelligence-led defense is essential. The group also explores the unintended consequences of legacy technology and the pressing need for fresh thinking—especially as new generations begin to shape the future of the industry. Whether you're a seasoned CISO or simply passionate about cybersecurity, this episode offers practical insights, real-world anecdotes, and forward-looking strategies to help you stay ahead in a landscape where adversaries never rest.

[00:00] Welcome, Chris Hurst!
Rachael Lyon:
Hello everyone. Welcome to this week's episode of To the Point podcast. I'm Rachael Lyon here with my co-host, Jon Knepher. Jon, hello.
Jonathan Knepher:
Hello, Rachael.
Rachael Lyon:
Hi. So I know you kind of came in at the beginning when we were prepping for this, but Chris and I, our guest who I'll get to here in a second, we both have served in jury trials for criminal cases and wow, there's a lot about the legal process I wasn't aware of. And the other thing, just a quick sidebar. I don't know if you've served on a jury panel, but when you're in the courtroom, people can come and go as they please. It was crazy. Like anybody could come in, hang out and then leave. And then people who worked in the court were passing through the court.
Rachael Lyon:
I just didn't think it worked like that. I thought they locked the door. But anyway, just.
Chris Hurst:
Maybe slightly different in the UK.
Rachael Lyon:
Exactly. Yes. Okay. So I'm pleased to welcome to the podcast Chris Hurst. He is the Chief Technology Officer at Blackwired, where he also serves as CIO and CISO at the company. He applies a military-grade, intelligence-led approach to cyber defense, tracking threats from the dark web before they strike. He's also a veteran of BT Security leadership, where he developed the award-winning FedCore identity framework, now used in UK government programs. Welcome, welcome, Chris.
Rachael Lyon:
I feel like I already know you after.
Chris Hurst:
Yes, I do too. It's been great. We inadvertently tried many times to meet. Finally, finally everybody's technology works.
Rachael Lyon:
It's wonderful, wonderful when that comes together. Yes.
Chris Hurst:
Yeah, yeah.
Rachael Lyon:
All right, Jonathan, sorry to steal your thunder.
[02:07] Explaining Supply Chain Attacks, and What You Can Do About Them
Jonathan Knepher:
Yeah, it's all good, it's all good. So, yeah, great to have you on, Chris. You know, something, something that's been going on recently, it's been in the news and is this NPM supply chain attack. That's been real interesting. Stealing credentials and so on. And I wanted to see what are your thoughts on just supply chain attacks in general and what should be done to protect ourselves against them.
Chris Hurst:
Yeah. So what I'm seeing is a number of supply chain attacks that, you know, I have, you know, I have three on my desk at the moment which we, which we can see the future and the past. The consequences of supply chain attacks could be absolutely gruesome. Because in many ways it's a one compromise hits many type issue. So particularly on credential theft, particularly on PII, personally identifiable information cards, etc. But it's not only that, it's about IP theft, particularly when that platform compromise is using token replay, cryptographic tokens, sometimes replayed, also certificate manipulation and also cookie grabbing. And what we see is some serious problems that are widespread and may have, in one case that I worked on last year, around 1600 global casualties for one supply chain attack. And that supply chain attack was an attack on tokenization and encryption keys.
Chris Hurst:
Yep. So basically what happened there was the use case for that was very important information transfer, let's say. So the platform was meant to be secure. People were transferring highly secure, highly confidential nation state and law enforcement information, particular potentially over the system. And it was compromised because the system itself was old, it wasn't patched, the vendor hadn't done anything for eight years, but the platform was running, it was fine. So nobody ever looked at it until such time as that event caused basically global chaos. And it was right down to those kinds of supply chains to have a very wide reach globally. And I've still got three of those on my desk.
Chris Hurst:
Right. But that's one I think we have to look at the approach we've taken to cyber security for supply chain attacks, particularly when the supply chain element that's attacked is something that has multiple global organizations connected to it, where the identities can be grabbed, where the credentials can be grabbed, they can be reused and rolled out. I'm sitting here looking at over two megabits of stolen credentials from an organization. And these come from the same compromise. Yeah, but they're being replayed many, many times because they're giving a good initial access to a cyber adversary. So basically if I've got your root credentials and certificates for your dev environment and your production environment, and that's in that two megabit list, which I can see, and it's not the first time I've seen this and we've grabbed the list. You know, obviously we're an intelligence company, so we have the list. So we can look down it and say, okay, well it's going to be this company, this company, this company, this company.
Chris Hurst:
And basically the only thing that's limiting the blast radius for that is how much resources that the negotiators got to commit the crime of extortion or ransom. Because there's this double whammy effect when you've got, when you're doing, you know, secure file transfer because not only are you getting the credentials and you can go after the systems, you're actually getting the secure information as well. So then you can go on extortion and blackmail. So, for example, if you're transmitting your information between yourself and your auditor, your financial auditor, then basically that's information you don't want going anywhere. That's very, very private. But if you're using the same system to do the exchange and it becomes transparent to the adversary, you got a problem, you got a big problem. And basically if your auditor doesn't pay the ransom. Yep.
[07:21] Supply Chain Attacks in Action
Chris Hurst:
Then your information goes out to everybody who wants to buy it. These are the practical supply chain attacks that have really been the hallmark of the last two or three years, particularly coming up now where there's more of those. So for instance, you may have a small company, and I think we were talking about it earlier, that has a role to supply services to a bigger company, a mega company, you know, the biggest company in the UK actually. Right. You may find that, but you will then see that you can steal credentials, you can, you can pivot, you can worm, you can bot, you can launch that, you could, you could, you can then snowball that attack to take out the bigger company from the smaller one. And that is, that is what we're seeing quite a lot of. So if a small company is providing a unique service but has to have access to, let's say, millions of citizens, millions of customers, millions of businesses, hundreds of businesses, in fact, thousands of businesses, you'll find that list of, you'll find a 2 megabit list in there and here you go, and that goes from, that'll be reused. So a lot of times what I see, and this is an example going back to that 2 megabit file full of credentials, you get.
Chris Hurst:
That's a big file, right? That's a big, big file. And basically what you see in that one is the, the passing on of that list between actors. So you might get, you might see some attack information. What we're also seeing is very smart actors aligned to state, Clop or Black Basta or these guys will actually, will actually share information. Yeah, they might make a communication, they might not. And this is the silent compromise that leads to the mass compromise. It's very, very quiet. So they're using all these tools, very sophisticated tools to create, to tee up a bigger operation.
Chris Hurst:
Yep, that might be an operation against the state, that might be an operation against big business that they don't like. That might be a disablement attack. Yeah, that may be it. It. You see this, and the hallmark that I've seen recently is there probably isn't any. There's an attack, but there's no ransom note. Yeah. So.
Chris Hurst:
So, well, what do you do if there's an attack and there's no ransom, though? You know, nobody's contacted you saying, I've attacked you. Right. So, okay, so. So that's where our technology comes in to say, okay, you've been attacked. You don't know it, but you have. Right. So we can see that. And this is what's.
Chris Hurst:
These are the actions that are going on. Right. And it's really important these days to understand that the adversary is not going to, doesn't want to advertise what they're doing. So we see types of, if you like, cyber violence, so you'll see things like instrumental violence. I'm going to shut you down, take your information, take money off you. Yeah. Then you get expressive violence. Right.
Chris Hurst:
Which is, which is I'm gonna, I'm gonna hurt you a lot and I'm gonna keep hurting you and then I'm gonna, then I might just come after your money. But what we have is obviously laws against paying on ransom and so forth, which is, which is damaging some businesses that simply can't afford it. Right. So they simply can't afford it. So, you know, unfortunately, I've been in the room with lots of people. Grown men do cry. Yep. And do scream and they do completely lose their head.
Chris Hurst:
Their hair goes on fire. I've been in that room several times on massive corporations. You know, I've been in the room with 170. Well, in the virtual room with 173 people on the first instant meeting, 173 executives. Because. Because the damage that can be done is so significant that people don't know what to do. They've stopped, their business has gone and they're going, how did that happen? And because, because basically it's something that we've developed in our company called Aim, Ready, Fire. We watch to see the adversary aiming.
[12:11] Intelligence as First Line Defense
Chris Hurst:
We watch to see what they're making. Ready to do that. Yeah. And then we actually see and observe and predict fire. Yep. So we feel, and I feel that's the only way that we can actually protect ourselves by using intelligence as the frontline, first strike, counter strike measure. And that would be dealing with it from an intelligence perspective. So one of the things I was saying to Rachael before we joined was that, you know, I strongly believe that you get your business gets the future or chooses the future they have when they select the intelligence that they're going to use.
Chris Hurst:
Yeah. So I think the world's dynamics is changing so we have to be more cognizant of what the adversaries are doing because they move fast, they dominate the battlefield, they have superiority and it's proven every day when I see the flashing victims up. And also they've now moved on to a supply chain attack process that enables you to, that enables them to disable whole legs if you like of the, of the global banking system. It happened in New York, didn't it with the. Yeah, so, so you can see that. How did that happen? Well again it's a supply chain issue. Yeah. The other thing I would just say just to, not to put any more into this but what I would say is lot of the systems we use today in industry are what I would call brittle, right.
Chris Hurst:
So they've been in place for maybe 30, 40, 50 years literally as the foundations of which whole industries stand on. What they've done is organically maybe tweaked at the edge like so for example open banking services and mobile banking. So what you just did and I war-gamed open banking for the UK. So before it actually came out and said look, how much damage can we do? How much self harm can we do by bringing out all of this stuff and everybody's banking information, pension information, all that input investment information and bring it on your phone. How much damage can you do there? So how many instructions can be given on a mobile phone that doesn't know I'm me, you know and I can, I can, I can spoof two-factor, multi-factor authentication, no problem. You know there's, there's the kit you can buy to do that online and there's actually services you can buy to do it, right. So you know, and I see it advertised in front of me and I see it used and I'm thinking well there's a problem here, isn't there? Because basically what you just did is connected something which is inherently insecure to something that's been secure for many, many decades. And also a gentleman that I kind of, I know very well, Vint Cerf, who invented the Internet, right.
Chris Hurst:
So he, he says, right, that you've got bit rot in these organizations which means that the systems that you have, you have to preserve because no one can fix them anymore, they can't be patched, right. So you have to surround them and protect them. And that's, that's where my pattern come in which is doing that three legs to make sure you're never exposing the entire end to end cookie replay piece or tokenized replay. You'll see more from Blackwired on that pretty soon because there's some stuff that we have developed and nobody else can do, but those are the things, things that are going to be our future. Because if we don't deal with it, I'm afraid we're going to lose the cyber world. If we've not lost it already in some places. It's really, really tough. It's really, really tough because we have to build on what we've got.
Chris Hurst:
I know there's no option, but now what we're doing, you know, if I see people destroyed in a cyber attack, the first thing they do is rebuild what they have in the cloud. Right. So my advice is there is that, come talk to us because I don't want you to rebuild the same attack process, the same sleeping malware, the same living off the land stuff in your new system. Because all that's going to happen in your new system is the adversary is going to say, great, now I can really hurt you. The Chinese call that looting a burning house. Yeah. Because imagine the pressure once you've actually one actually spent a fortune. Right.
Chris Hurst:
On, you know, moving house. Yeah. And moving all your stuff to a cloud. Basically, there isn't any much more money to spend. Your insurance is not going to pay for it. You know, you probably lost a whole bunch of share price. You probably lost a whole bunch of, you know, face in, in the world. Everybody else is all your competition is sitting there going, oh, thank God it was them, not me.
Chris Hurst:
And then basically, you know, and then basically what actually happens is you think, oh, I've just about done this. I've paid an awful lot of money to do this. And now all I've done is I've replicated the same situation just in a different platform. Yeah. And, and this is, this is. Yeah. Where are we? We. Yeah, these are the things that are in our future and they're in our now.
Jonathan Knepher:
So you mentioned a bit about.
Chris Hurst:
The.
[17:55] Rethinking Threat Intelligence Strategy
Jonathan Knepher:
Intelligence feeds and the visibility into those threats. Can you talk a little bit about what cyber teams need to do to get that right visibility to stay ahead of this?
Chris Hurst:
Yes. So I'll talk about the kind of general cyber threat intelligence pieces, the landscape, because that's the business we're in. So basically what happens is it depends what business line you're in. You may get a feed from your local national cyber security center maybe of intelligence. You might get an agency feed on cyber threat intelligence. You may buy some threat intelligence from when you buy your firewall, your EDR, you know, your endpoint protection, you know, just, you know, the firms that they are, won't mention them, but basically they, they will provide intelligence services. You can buy more if you want. And you also might take a very unfortunate step.
Chris Hurst:
Right. Which is to. Which is to then develop an organization that costs you a fortune to process the intelligence. You may, you may take an approach. You have a cyber fusion center that says this cyber fusion center works out what this intelligence means to the organization. And what am I going to do about it? Right. And then basically, then they pass it on to security operations and they go around with a hammer and they whack the moles on the head. So that all works fine.
Chris Hurst:
Yeah. But unfortunately, in the modern world that we live in, that's what I would call winning the wrong game being the same as losing. Yeah. Because the adversary doesn't give them whatever. Right. So they don't give. They. Yeah, they don't care.
Chris Hurst:
You can patch all day, all year long. You can upgrade your software all day long. It's kind of a bit of a fallacy that costs organizations a lot of money. Every organization thinks they're unique and they have their unique problems and they don't want to release those problems out to people. The problem is. The problem is they don't realize the adversary knows what your problems are. You know, news flash, that's their job. Right.
Chris Hurst:
And they're good at it. Right. And you're not. So basically what you're doing is you're, you know, is. I would, I would call. You're doing a Mary Poppins job. Yeah. You're trying to be in a whack a mole situation.
Chris Hurst:
We detect and respond and be, you know, practically perfect in every way. Yeah. Unfortunately, that doesn't work in the modern world. That's dead. That world's gone. We see a lot of organizations that have been invested an awful lot of money in processing stuff. They've got analysts coming out their ears. By the time that those analysts have chosen what intelligence, cyber intelligence or threat intelligence, they're going to use, that's your first choice.
Chris Hurst:
Right. Why are you choosing that or do you actually know? Many of them just don't know. Yeah. So basically then, is that intelligence relevant to my organization and what I have, you know, who I am and what I have? Because that's what the enemy is attacking. Yeah, it's attacking you. In attacking, what you do is trying to take away your future and, you know, and ransom that with you. This is what they're doing. And we're still only on decision two of the six decisions about cyber threat intelligence.
Chris Hurst:
Decision two, is it relevant to me? People spend an awful lot of time trying to work out whether a CVE is relevant to them or not, or they've got it in their organization. And how many people know what's inside these package systems, the appliances that they have? How many organizations can afford the big program, if you like, of identity and access management along with privileged access management? How many organizations can afford to continuously monitor for standard deviations in problems that are happening across their organization to see their firewall heating up, going, that's wrong, that's wrong. I've got a problem. So where's the dashboard, which is where we come in with Third Watch? So we don't look at all that stuff. We don't look inside, we look outside. We look at the outside activity. Because that's the missing element in the cyber security periodic table. I talk to different markets and I say, you're blind in one eye.
Chris Hurst:
It's the eye that looks out to the adversary. This, this eye, the one you're looking at, the one you're seeing, it's very, it's a very seductive thing that managers see it all the time. Oh, you know, have I done enough? Have I done everything I possibly can do within the confines of my whack-a-mole, detect and respond response? Yep. Have I built enough teams to respond to an incident? What are you doing that for? Why are you spending money building teams under defender on the Internet? What are you doing that for? Why don't you spend your. Why don't you spend less money, far less money, a couple of decimals less money on better intelligence from people whose job it is to provide that intelligence specifically about you? And that's the unique thing about where Blackwired is: direct threat intelligence. And, you know, I've spent a lot of time, yeah, I spent a lot of time cogitating this as a CISO and training other CISOs in large companies to be CISOs, to take the kind of view that I'm taking of things and get them to understand that. Don't get drawn into the game of playing this, you know, make sure that you're operating with intelligence, you know. You know, and I know that we kind of changed the game here because the sorts of intelligence that we can do, you know, a friend of mine who's kind of.
Chris Hurst:
It was, it was in the US Navy in, in terms of. So, you know, his, you know, he's got multiple Hundreds of millions of dollars. Yep. Thrown at intelligence and defense. Yep. So you know about your enemy, you know, what your enemy's doing, how they're disposed to you, how their forces are disposed, what weapon systems they have, what, you know, what, what interdiction of your, of your own weapons can they do, you know, so, so in effect, that's, that's the right way of doing it. And basically, you know, something I really, you know, I really love, I won't mention, I won't mention names, but he says right out, the worst thing we have in the world. Well, the biggest problem we have is configuration.
[24:57] Industry Blind Spots and Missteps
Chris Hurst:
How are you configuring, how are you using intelligence? How are you configuring your defenses? Because if you're laying out the mousetraps on a trail where the mouses are currently running, guess what? The mice don't run there anymore. Yep. Oh, and you can't catch the rats because the traps too small, or you can't cat, you can't catch the mice because the traps too big. But it's still that whack a mole mentality. You know, if I work hard enough, if I, if I work long enough, if I process the six decisions in cyber threat intelligence, I'm going to be safe. You're not going to be safe because you can't outrun the adversaries. You can't outwork the adversaries. You can't.
Chris Hurst:
I'm sorry, if you look at the release from the dark space, a lot of the things that were scaring us a little while ago, you know, the, the LockBits of the world have gone through a process of evolution where they've, where they've started off as a, you know, as a boutique effort, and then all of a sudden they've gone through a transformation phase where they've commoditized everything that they actually have and now they're renting it, that commoditized platform out to attack folks. And basically what we're seeing here is we can't name those organizations yet. We do name them, but, you know, in terms of, we'll make a name because we see the collective modus operandi of that organization, of what they're doing, and as they're moving along. So, you know, believe me, this is getting more difficult, not easier. And we're not doing anything as an industry. Yeah. We're not doing anything as an industry anywhere near sensible to deal with it. And I'm saying that because I'm really kind of criticizing myself on that.
Chris Hurst:
Yeah. Because I'm Part of the industry. You know, I love the industry. I love what I do. My wife will tell you that I love it too much. But. But you know what? It makes me happy to think I can. I can make a difference in there, whether or not advisory capacity or with an action capacity in what we're doing.
Chris Hurst:
And it is the first time for a long time, you know, since I've been at Blackwired, where I've had that feeling of actually being able to do something about it and arrest that. And these are the things that make CISOs leave their job. Right. Because it's the only job in Christendom, I believe, that for the first time you don't get the job right, you're immediately fired. Yeah.
Chris Hurst:
So the consequences come to you. So basically, I look at it and I kind of advise CISOs and say, okay, well, look, you know, under these regulations, it won't be the company or the CEO standing in the dock. It will be the CISO standing in the dock in New York State. Right. And you're going to be explaining like very few people have done. I have done that a number of times in front of. In front of panels, in front of all kinds of folks to explain, you know, how these things happen and why they happen and why is it. Why was it not stopped? And there's too much of it.
Chris Hurst:
There's too much of it. Learning from mistakes as a CISO is a terrible strategy because you only get one chance to make a mistake at that level. You get one chance. So we started off with one management kind of success paradigm, which is do everything really, really hard, patch everything, whack every mole, and they go, oh, yeah, where do you get the list of the moles from. Oh, yeah, well, I got it from NIST to CVEs, right? Yeah, yeah. Vulnerabilities, right. Okay. Okay.
Chris Hurst:
You know, question I would ask is, you know, where. Where was this CVE first found? You know, was it. Was it pulled from the corpse of a, you know, corpse of a dead business or, you know, part as part of an incident response or an investigation or just pulled up by a security operation? When did that happen? How many times has that happened? Yeah. Okay. All right. And then it's like. Or did it. Or did it happen a proof of concept in a lab somewhere? This is an interesting one.
Chris Hurst:
So everybody's. Yeah, yeah, okay, yeah. So proof of concept in a lab not exploited, Right. So what do you do? You publish the proof of concept, right. And everybody goes. All the bad actors go, go. That's interesting. I think I'll use that proof of concept.
Chris Hurst:
Yeah. Is this kind. You know, I found it. You know, Jeremy Samide, my CEO, when we, when we first met, he took, you know, he, he taught me what intelligence really means. And you can see it coming out. I'm animated about it. I'm excited about it because we can fix it. Not excited about it because it's dramatically bad.
Chris Hurst:
There's no point in sitting there going, it's really bad. We're going to lose. We're going to lose. What's that? Does it help? Does it help worrying about it? No. Do something about it. Get the blind eye open and understand you have to do it. It's not optional.
Rachael Lyon:
Right.
Chris Hurst:
Sorry. That was me getting on my horse there. But, you know, it's, it's. It's kind of funny. I, I thought that there was some problems with our industry. I'm criticizing me on this because I spent a lot of time in it thinking the same way until I met Jeremy. And I'd always been a little bit of a maverick. But when I met Jeremy, I realized that, you know, he gave shape and form to, you know, to that.
Chris Hurst:
And not bigging him up because I hope he's not listening. No. But. But bigging him up because he taught me what intelligence really means. Really means. Yeah. From a place of, you know, counterintelligence, you know, being. Being in the field, fighting the actors.
Chris Hurst:
Yeah. It's not, it's not a great place to be, you know, working with, working with chief general counsels on, oh, dear, the business is over. You know, what are we going to do here? And then getting into the complex legal minefield of who does what to whom, which is where we also have a problem. So I was talking about reliable systems that I was kind of working on and consulting on to UKGAR and looking at reliable international systems. So. So when you, when you look at that, reliable means secure. Yeah. The business gets tracked, it gets transacted.
Chris Hurst:
It means secure. We definitely don't often get the time to. Or the opportunity to secure somebody else for somebody else.
Rachael Lyon:
Right.
Chris Hurst:
Yeah. So basically, we choose who we connect to supply chain problem. And we need to risk, assess and risk, continuously manage and monitor those risks from an adversarial perspective. Hence our product, Third Watch, which does that, which you can pick anybody you want and you can watch them. They don't. We don't have to. We have no sensors. Yeah.
Chris Hurst:
We put no agents in anywhere. We don't need to do that. We're not watching that. We're not watching the subject. We're watching other people watching the subject.
Rachael Lyon:
Right.
Chris Hurst:
And there's a big difference. There's a big difference. So again, it comes back down to being blind in one eye, really. And, and also, unfortunately, we're locked into a success paradigm that clearly isn't working because I got friends in the, in, in the US that, that effectively, you know, run a business kind of to talk about this. Right. They, they, they do stuff. Yeah. Sean Martin does that.
Chris Hurst:
And, and basically we talk and, and I hear and I go and I see. What are the, what, what are the CISOs doing? Right. The CISOs are going to events looking for jobs because they know they're going to get either binned because there's going to be a cyber attack. They're just watching the clock. Yep. They, they also know that, you know, they, they might not be able to get through because of the communication barrier between the CISO and the board.
Rachael Lyon:
Right, right.
Chris Hurst:
Because the board says, I don't need this technical stuff. Right. I just need, I just need an answer. And sometimes the answer, because I know some CEOs obviously because I work with them and they would say, they would say, well, okay, so how does this happen? Somebody's got to be a blind for this, right? Somebody's got to be complained. You know, I've now got to go, I've got to go to Parliament, right. Not in this country. I've got to go to Parliament now and explain to Parliament why, you know, and actually the Prime Minister, I'm gonna have to explain to them how this happened to cause this. Right? And you're gonna, but there's always a vulnerability.
Chris Hurst:
That's the issue, is it not? And there's always, there's always some social engineering. It's an issue, is it not? There's always some, you know, there's always some injection of something, there's some cross site scripting and you're going to steal all this stuff and it's going to whatever. But, but there's something here though that nobody, nobody's looking at that we are, but others aren't. So it's kind of, it's kind of twist. I see, I see a big change, a big sea change in the cybersecurity industry. That, that's what I see. I've watched it, I predicted it. I've seen the chaos, I've seen the consolidation and I've seen the fragmentation and the reconsolidation and then I've seen a resolution to fatalism where everybody has now lost their, lost their desire to defend and they're actually using hopium to opium.
Jonathan Knepher:
I like that.
Chris Hurst:
That's a good one. Yeah. They're using opium to say, oh, God, if I, if I survive, if I survive long enough to, you know, earn a bit of money and, you know, maybe retire out or something like that, you know, then, then, then I'm all good, aren't I? Right. You know, this is, this was really, really good again. I see, I see. I, you know, I, I'm, you know, I see celebrity CISOs, or I call celebrity CISOs. They're the LinkedIn celebrities. Right.
Chris Hurst:
I love them. It's great. You know, tell me about it. It's all great. But, but, but basically, basically it's all talk. Yeah. It's all news and it's all. And, and sometimes, you know, you have to work out what's news, what is intelligence.
Chris Hurst:
They are two different things. It's a bit like what's journalism and what's facts. Yeah. So that's the way that we kind of look at it. So, yeah, you know, you know, I didn't make all that stuff up. I learned that from Jeremy. So you can. But it, but it's, but it's great to see people are still enthusiastic.
Chris Hurst:
Spent a career trying to. Being wrong for the most part of it, in terms of the approach, because, you know, you can train as much as you want, but actually you only really learn when you do it right. Yeah. And it's on you. And it's a very, very, very uncomfortable place to be, you know, unless, unless you build a, you know, you, you, you build the mental furniture to deal with it. The world as it is, not as the way that you want it to be. And I'm sorry if I'm rattling on to you, that is.
Rachael Lyon:
Yeah, yeah, it's fascinating. And I also wonder too, because things are changing. I mean, is this kind of those maybe who are coming up in their careers or considering this career starting at a place with this kind of point of view as they approach it? I mean, do we see a generational shift then as maybe as people kind of who've been legacy systems or legacy thinking, maybe bringing new people into the industry, does that maybe help get the tide turning a little bit faster as well? I mean, I'm just asking.
[36:44] A Generational Shift in Cybersecurity
Chris Hurst:
I think so. I think so and I truly hope so. There's something here that, you know, people of a certain age built the world that we actually live in. Right. And it's not the same people who are going to be building the future. And that's the brilliant thing about life because basically people build things and you know, those kind of, you know, the, you know, like or loathe, you know, Elon Musk is changing the prospects of the world and humanity by doing the projects he's doing, whether you like it or not, whether it is, he's, you know, he's moved the art of possible forward and delivered it. Yeah, it's, you know, that's the best example I could actually give, but there are others, you know, so, so Vint continues a very, very extensive age to continue to be the guy that is exciting or perturbing the journey to the future. You know, looking at, you know, intergalactic communications, literally, you know, literally designing for the future so that actually when we get to do it, yeah, we will have the communication capability to do that.
Chris Hurst:
Right. And it's, you know, that's why I, you know, that's why I call myself a practical futurist, because there is a practical future. There is, but a lot of ideas die because they're strangled out by, they're strangled out by all of the noise and compression, bureaucracy and all of that sort of stuff. And a lack of, it, lack of investment, you know, the world hasn't got, you know, the world's got probably a lot more money than actually thinks it is, but, but investing in real, you know, you know, in, in real future stuff, you know, it's a brilliant thing that I see in the US. I don't see that in the UK and I don't see it in Europe either. So it's kind of a, it's kind of a, it's a really good thing. So, yeah, round of applause. Really for the U.S. Yeah.
Chris Hurst:
And I think it's great. And I've had, I've argued on panels for people to take a look at because I worked with a company that evaluated the IP from federally funded research laboratories. So I did some of that, I did some of that evaluation because I was asked to say, you know, what's the value of this? You know, can it, can it be productized? Can it be moved through, you know, can it be sold? So I kind of specialized in. That really is a. Of a side hustle. But, you know, it's part of the job really. But it, it's, it's a brilliant thing. It's a brilliant setup.
Chris Hurst:
We don't have any of that. Right. So nobody's, nobody's going to give a UK university a billion dollars to develop something. They might get that. They might give it to MIT. Right. But they certainly wouldn't give it to us. Right.
Chris Hurst:
And I, you know, I, I love the way it's structured in the US, I have to say so. Yeah, but there you go. So another thing on your question, do I think it will be sorted? Yes, yes. And I feel it is my responsibility to help people to get through, to be good, have the view that I have, you know, be excellent at what they're doing and survive the initial impact with the job. Because it's not an easy job for people to do. It really isn't. And you know, I've seen so many people go through it and get broken and it's not, you know, psychologically, it's damaging. Sure.
Jonathan Knepher:
Just thinking about like the innovation you're talking about and combining that with like the intelligence and cybersecurity, how do you see that applying to other domains that companies are dealing with?
Chris Hurst:
Right.
Jonathan Knepher:
Physical security, operational resiliency and so on. There, there's got to be cross applicability here.
Chris Hurst:
There is, there is, there's always cross applicability. So, so I don't believe there's a problem that's been invented that can't be solved. Yeah. Because somebody will have actually thought about that one. And necessity is still the mother of invention. And the, the sharing of that is, the sharing of that is vital, but the sharing doesn't happen. It fails. So I do believe that that is a natural way of thinking and it is logical and it is required.
Chris Hurst:
However, it doesn't happen because I don't know anybody that sat in the room and I've challenged some very serious people about this. Well, okay, you think you're doing intelligence sharing, you're not sharing intelligence, you're sharing war stories. But that's not intelligence. Right? Yeah. And that's what, that's what I worry about. And so, yeah, I'm, yeah, I'm running against the clock here. But yeah, so I think I might have to deal with one of those issues that are on my desk at a minute. So I know my, my deputy CEO is going, oh, Chris, Oh Chris.
Chris Hurst:
I can see it down here. Right? Yeah. Can you help me with this? But that's the way, that's the way the truth and the life. Right. You know, of being in this business. It's non stop.
Rachael Lyon:
But that's what makes it fun, right? I mean it's, you're never gonna,
Chris Hurst:
Why would you do anything else? I love it. Yeah.
Rachael Lyon:
You're always learning. That's what's kept me in it for so long.
Chris Hurst:
Absolutely.
Rachael Lyon:
Always learning. Well, Chris, I want to thank you for this great discussion. I feel like I learned so much.
Chris Hurst:
And.
Rachael Lyon:
And I really appreciate your point of view because these are the kind of conversations that we want to have on this podcast and get people thinking and considering.
Chris Hurst:
Right.
Rachael Lyon:
Because we have to constantly be evolving in this very dynamic industry.
Chris Hurst:
Yes. I think that we all love the industry. On this call. I can tell that there's a lot of connection, and I like that. And there's a lot of mutual growth here. Right. So know, it's kind of. Yeah, we should do this because it's recording the history, I think.
Rachael Lyon:
Yeah, exactly.
Chris Hurst:
You know, and I've really enjoyed it. So thank you, Rachael. Thank you. And.
Rachael Lyon:
Awesome. All right, well, and thank you to all of our listeners. As always, we appreciate you joining us for another wonderful guest. And as always, I'm going to. Drum roll, please. Jonathan.
Jonathan Knepher:
Smash the subscribe button.
Chris Hurst:
I'm smashing it.
Rachael Lyon:
Smash.
Chris Hurst:
I haven't smashed it already, actually. Nice. Thank you, guys.
Rachael Lyon:
That's wonderful. So until next time, everybody stay safe.
About Our Guest
