Unspoken Security

Through the Eyes of a Startup CISO

November 07, 2023 AJ Nash and Neal Bridges Season 1 Episode 1

In this first episode of Unspoken Security, AJ Nash and Neal Bridges explore the nuanced world of cybersecurity from a startup CISO's perspective. They get into the differences and similarities across various CISO roles, highlighting the unique challenges startups face. Neal, with his extensive background, offers insights into the evolving landscape of cyber threats and the role of human expertise amidst the rise of AI.

The conversation also touches on the personal side of cybersecurity professionals. Neal candidly discusses the balance between work and personal struggles, including his fight against cancer. This blend of professional and personal discussion paints a holistic picture of life in the cybersecurity space.

Lastly, the episode challenges the industry's status quo, questioning the effectiveness of traditional security measures like patching and compliance standards. Neal's forthright views on the maturity of the cybersecurity industry and the need for a reality check provide listeners with food for thought on the future of cyberdefense strategies.

Unspoken Security Ep 1: Through the Eyes of a Startup CISO

[00:00:00] AJ Nash: Hello, and welcome to the first episode of Unspoken Security, brought to you by ZeroFox, the only unified external cybersecurity platform. I'm your host, AJ Nash. For those who don't know me personally, at least not yet, I'm a traditional intelligence guy who spent nearly 20 years in the U.S. intelligence community.

[00:00:18] Both within the U.S. Air Force and then as a defense contractor. Most of that time was spent at NSA. I worked intelligence missions fighting terrorism, human trafficking, chased war criminals, and combating threats in cyberspace. So I'm old and I've been around a while. For the past eight years or so, I've been building or helping other people build effective intelligence driven security practices in the private sector.

[00:00:38] I'm passionate about intelligence and security, and I enjoy writing and speaking publicly on these topics. I'm also deeply committed to servant leadership, which is why I completed my Master's Degree in Organizational Leadership at Gonzaga University. Go Zags! The goal of this podcast is to bring all these elements together with some incredible guests and have authentic, unfiltered conversations and debates on a wide range of challenging topics most of us are faced with every day.

[00:01:01] This will not be the typical polished podcast. You might hear a dog barking. People might swear. We may have heated disagreements, and that's all okay. Think of this podcast as the conversations you might overhear at a bar after a long day at one of the larger cyber security conferences. These are the conversations we usually just have when nobody's listening.

[00:01:21] So today, I'm joined by Neal Bridges, another intelligence community veteran, who's now the CISO at Query.ai. He's also the host of the Cybersecurity Stream and a good friend of mine who won't hesitate to tell you he has cancer. So Neal, uh, as you're battling cancer and beating that and everything else.

[00:01:40] Can you tell the audience a little more about your background and all the things you're working on today, man?

[00:01:44] Neal Bridges: Absolutely. And AJ, thank you so very much for, for your introduction. Thank you very much for your service to our country. It is awesome to be joined with a fellow veteran. Name's Neal Bridges. I'm currently a CISO at Query.ai, but like AJ, I spent time in the, uh, service as well. I spent 10 years in the United States Air Force as a network warfare operator, which meant I spent a considerable amount of time with the National Security Agency, being the proverbial state sponsored hacker on behalf of the United States government.

[00:02:09] Um, I also helped build the Air Force's first functional training program as it pertained to cyber security, specifically offensive security that trained a lot of the hackers that ultimately went on to work at the agency as well. And since being out, I've done a litany of cyber security jobs. I've built red teams and penetration testing teams.

[00:02:25] I've helped build an MSP practice to five million ARR. I've worked for a Big Four consulting company. I've built security teams for some very, very large Fortune 100 companies. Um, and I've done the startup thing quite a bit. And so, uh, uh, really enjoy, uh, you know, doing the wide range of cybersecurity roles.

[00:02:41] And as AJ said, I host the Cyber Insecurity podcast. Um, if you don't know about that, that's over on Twitch. Uh, we do, uh, tons of career, uh, conversations as well as, uh, to AJ's point, talk a little bit about the, the secret things that most people don't want you to talk about when it comes to the cybersecurity industry.

[00:02:57] So I'm super excited to be on your inaugural podcast. I can't even begin to tell you how excited I am for this.

[00:03:02] AJ Nash: Man, I'm so happy you're here too. Like, you know, listen, you had me on pretty early in yours. And I know I've been there a couple times. I look forward to coming back, and, you know, it just... When I was going through this, I'm like a live man building a podcast. You know this, right? This is hard. It's a little daunting.

[00:03:14] I've been on a bunch of these things. It's really easy to just show up with a mic and talk much much crap for 30 minutes and walk away. It's hard when you're on the back end. Yeah, it's so hard on the back end. Like, Oh my God, I got to plan stuff now. So this has been kind of a journey. Like, all right, what are we going to name it?

[00:03:28] Oh shit. I didn't think about a name. Okay. Well, now I gotta come up with a name naming and you got to have all the graphics and it's like, well, how are you going to get guests? So I don't know. I know people, let's see if people like me or not. So you get out there and you start asking about that. All of a sudden now it's starting to come together.

[00:03:39] It's kind of exciting. I've got, you know, you're number one on the list. Uh, I think I got 23 confirmed guests and like 25. More people have said they want to be on, but I haven't come back to them yet. So, I mean, that's up to 48. We're going to do this every couple of weeks. So, I mean, that could be two years worth of shows.

[00:03:53] So, yeah, I'm pretty excited about it. Uh, but I was really excited to have you on first. Everybody knows you. I mean, frankly, you've been around a long time. You've been doing a lot of this stuff. Uh, I'm not going to lie. It helped me to have somebody who's a friend come on first. Plus somebody who's done a lot of, you know, podcasting before, because I don't know what the hell I'm doing.

[00:04:08] I'm probably going to screw this up today.

[00:04:09] Neal Bridges: Well, I'm going to ask you, I know, I know, I know you've got questions for me, but I'm going to flip the table on you

[00:04:14] AJ Nash: Oh, no, this is not the deal.

[00:04:17] Neal Bridges: was not what we talked about. I know, but this

[00:04:19] AJ Nash: not part of the prep. All right. Episode one. Screw me. Let's go. What do you got?

[00:04:23] Neal Bridges: What is your biggest learning coming out of doing this podcast stuff?

[00:04:27] Just so far,

[00:04:28] AJ Nash: my big. Well, my now my biggest learning is to keep you on the script. But no, I said it was unscripted. I mean, that's the deal, right? So I think my biggest learning so far and I'm 12 seconds into the first episode. Um, is it takes a lot of organization on the back end? You know, it's, it's not as easy.

[00:04:45] It's certainly a lot easier to be a guest, frankly. You know, I show up and I'm an underpreparer. Everybody knows me. Like when I said, Hey, I want to do a podcast and we're not going to script things, I really don't want to prep and people like, well, of course not. Cause you're lazy. I'm like, well, yeah, that's, that's true.

[00:04:57] But also I want authenticity, but that's how I do most of my things. Right. I just want to roll up. I'm like, what's the topic. Okay, cool. You know, people ask me like, Hey, you're ready for tomorrow. I'm like, what? What's tomorrow? They're like, dude, we got this big thing. I'm like, Oh, uh, I don't know. I'll look at my calendar in the morning.

[00:05:09] I guess I'll figure it out. So you can't do that here. I can't just roll up and be like, Hey, Neal, can you come on tomorrow and we can record a show? So that's my learning so far is this whole process. I've had to go through of, you got to develop a list of possible guests and a list of topics and getting it approved.

[00:05:24] And there's, there's technical stuff and there's a lot that goes into this. Um, and the other thing I've learned, which I know, you know, and everyone else, there's a million podcasts. So, you know, I, on the one hand, it's like, man, there's a lot of work. And the other side is how are we actually going to matter in this huge sea of podcasts?

[00:05:41] But I think, you know, I'm lucky that I'm old. It's still around, I guess. So I know a lot of people and I'm lucky. I know people that are way smarter than I am and way more interesting who like spending time on microphone talking to me. So, you know, I'm hoping that this is going to be a lot of fun for folks.

[00:05:54] I've told people. Their goal was to be, uh, entertaining, uh, you know, to be educational, uh, and we gotta be, you know, well, let's see, informational, educational, entertaining, exciting. There were a few other words I had in there. This has to be something people want to listen to, right? This is not, it can't be a sales pitch, you know, people are like, I don't want to listen to a podcast.

[00:06:13] It's just somebody selling stuff. That was the first thing I said. I'm not doing, this is not an infomercial. It's not Ron Popeil. I'm not going to be selling food dehydrators for 30 minutes or how amazing and wonderful ZeroFox is. Sure. I'll talk about us a little bit. You know, the sponsor of the show.

[00:06:25] And I do like my company. We do some cool things, but this isn't going to be a sales pitch, not having sales people on. Um, you know, this is about, like I said, those conversations, it came to me frankly, a while ago and full credit goes to a couple of friends of mine who I can't really talk about right now, but we had talked about doing a podcast possibly.

[00:06:40] And I said, you know, It came to me as one of those discussions after one of those, uh, conferences I was talking about. We're sitting there, I'm like, man, this would make a really good podcast. Like, we have all these conversations. You and I have conversations on the phone, on the microphone, you know, at these bars, whatever.

[00:06:54] And everybody does this. There's all these great conversations where we say shit we really mean and care about. And then you get on stage and you have that stuff. You don't talk about, well, no, I can't say that. Or, eh, it's not going to fit with the corporate model or whatever. And I was like, what if people got to hear all the stuff we actually talk about, you know, and, and, and the times you argue, like, I'm going to get one more beer and I'm going to tell you how wrong you are for 28 minutes, you know?

[00:07:14] And, uh, and people do that. Right. And I was like, all right, well, let's, let's make that a thing. Right. So, you know, I'm really excited about the chance to do that. I gotta, I gotta admit one plug. I'm thankful, you know, ZeroFox has given the opportunity. They're paying like, this is not free. Um, so that was the other thing I learned is like, you know, it's not super expensive to build a podcast, but it's also not inexpensive.

[00:07:33] Um, so I'm thankful that, you know, I work in a place where people like, yeah, man, go do your thing. You know, this is what we want to contribute to the community. You know, we're going to talk about, sure. We'll talk about some technical stuff and we'll talk about, you know, fighting bad guys and we'll talk about security and intelligence, but we're also gonna talk about culture and we're going to talk about, you know, uh, equality and we're going to talk about real life issues and trauma and things like hell, we'll talk about cancer.

[00:07:53] Like we'll talk about real shit, right. That we're all going through and how it all mixes together. Cause this is, this is about. You know, our lives in security, not just what's the next cool platform. And when's AI getting blockchain and to solve all my problems. And, you know, there's, that's all in there someplace.

[00:08:08] I'm sure. And I'm sure I'll have somebody come on some block blockchain, bro. Explaining to me why I don't know anything about blockchain. And you're going to tell me all, you know, about NFTs you love them.

[00:08:16] Neal Bridges: I was going to say, I was like, you want me to start? You want me to start that trend?

[00:08:19] AJ Nash: well, that's not this episode. We'll do NFTs in a different episode. I'll have you come back. I'll have return guests.

[00:08:25] I got like a two year waiting list. So we'll see you. We'll see in 2026 or

[00:08:29] Neal Bridges: That's

[00:08:29] AJ Nash: um, Now, no, actually we should talk about, so today's episode, first guy, first, first episode, first guest. So, you know, the working title we went with on this one was Through the Eyes of a Startup CISO. Now, listen, everybody heard your background.

[00:08:42] I talked a little about too. Neal, you could have been on the show for a number of things. We could have talked about NFTs. We could have talked about military service. We could have talked about culture. We could have talked about, you know, like I said, startups, you've worked at major healthcare, there's a lot of things.

[00:08:53] You could be a weekly guest on your own, um, but you already have your own show and you're fighting cancer, so you're pretty busy, so, and you have a job. Um, so, but I wanted to focus on one for this episode, you know, through the eyes of a startup CISO, right? You've done this before from all these different, you know, levels.

[00:09:08] So I said, you know, I wanted to really understand like what are the similarities and differences across CSO roles, right? You know, what's it like to be in a small company versus a, you know, a big company or a startup or, you know, a large international, you know, all those things, right? So. Um, uh, for those who don't know, I should say, as we started in this, the format for the show, by the way, is gonna be super simple.

[00:09:23] There's three questions. That's it. Like we didn't, Neal will vouch for this. We did very little prep. I did have a prep call. I'm an adult. We had to agree on the topic. And then it was like, here's a couple of questions. I'm thinking, man, don't give me your answers. And that was it. So there's three questions.

[00:09:37] Granted, there's gonna be one closer at the end, so four questions for those listening, but that's it. Like this isn't scripted. I'm going to ask. I have no idea what Neal's going to say. Maybe I'm going to cut him out of the show and you're never going to hear this. But let's just knock out the first and we'll see where it goes and we'll kind of riff and see how it happens.

[00:09:51] So, the first question I had down was like, what's the hardest part about being a CISO? Like, especially at a startup, but what's the hardest part about being a CISO, man?

[00:09:59] Neal Bridges: Um, and, and I answered this question with a little bit of context because I still consider myself a very technical person, right? I've, I've done a really good job throughout my entire career of maintaining a lot of my technical chops, right? I still do TryHackMes, I still, you know, peruse the, the bug bounty.

[00:10:14] You know, boards every now and then. I'm obviously on my stream. I've built honeypots on my stream and done, done a lot of technical work. And so I, I consider myself, I mean, hell, at the startup that I'm at now, I literally am everything from the CISO to the analyst. And so, and I've always been like that.

[00:10:29] Like it's, it's something I've tried vehemently never to lose as I've gone up the corporate chain, but I can unequivocally tell you that as my eyes have changed focus. I know that we're, I know you probably can't relate to that because, you know, you've,

[00:10:44] AJ Nash: Because I can't see anything.

[00:10:45] Neal Bridges: see anything.

[00:10:47] AJ Nash: For those who don't know, I'm getting eye surgery soon. Both eyes, neither of them work worth a shit. So, but I don't have cancer, so I'm ahead of you there. But yeah, I can't see anything. So as you were saying, you're switching your focus

[00:10:57] Neal Bridges: Yeah, you switch, you switch your focus around. And I think that as I got out of the Air Force in 2013 and moved through various roles in cybersecurity, moved up that corporate ladder, and that lens has changed very, very much to realize that when you're young and when you're highly technical and when you're tactical on the ground, we talk about technical and tactical and being in that day to day fight, whether you're an incident responder or a pen tester or an auditor or an analyst or, you know, an associate at a Big Four consulting firm, like there's a lot of idealism.

[00:11:31] That happens in our industry. Oh my God, why didn't you just patch this? Why didn't you do more user awareness training for the help desk at MGM, right? Why didn't you, you know, oh my God, there's, there's a new zero day out, all hands on deck. We've all got to patch this immediately. Like there's a lot of idealism that happens.

[00:11:49] Early on in your career, and I mean, I was guilty of it, man. I remember the first time I talked to a CISO when I got out of the Air Force and I was talking to them about nation state hackers because obviously I just come from the Air Force. I just come from both defending against nation state hackers and conducting nation state operations and I'm talking to a CISO about nation state actors and he's like, I don't care about this.

[00:12:10] This is not. This isn't important to

[00:12:13] AJ Nash: and he's probably right.

[00:12:14] Neal Bridges: Yeah. And it blew my mind. I was floored. I was like, how am I ever going to survive in this organization when they don't care about the things that I care about?

[00:12:26] AJ Nash: And, but the thing is a funny thing. He was probably, like I said, it was probably right. And I've talked about this. I'm gonna talk about this in some other episodes coming up too, but you know, a lot of organizations I'm I'm I'd love to know, you don't have to spit names out here or anything, but I'd be curious who that CISO was because.

[00:12:38] I have, I have a lot of opportunities that have been the other side of that where people are like, Hey, I want to know everything about this all the way down to the detail. I'm like, why they're, they're a nation state. You can't do anything about it. Like, why are we chasing this rabbit hole all the way to the end?

[00:12:49] So you can find out this person's home address and what organization within that government they work for that you're never going to do anything with. You can't hack them back. You can't arrest them. Is this, can you find out like it's a budget thing or something? I want to wow my boss so I can get more money.

[00:13:03] Like, all right, you hired a bunch of spies and you're not doing anything to keep your org safe. Whereas criminals are stealing every dime you have in the bank. You know, so he was whoever this was, was probably right on, but yeah, I can imagine the shock for you coming out of the government, this is what I do and they don't give a shit.

[00:13:17] Neal Bridges: yeah, it was. And I think that, and I think that as I, as I grew up into the different roles in cyber security, and this applies for both my time at Query as a startup CISO, all the way to some of the larger organizations I worked for. And I talked a little bit about this when you when you when you air this, there will have been a stream this morning.

[00:13:38] I talked a little bit about this this morning where my reality for that for me really came as I sat in a room full of finance people. And we were talking about pay no pay. And this is obviously on the heels of the MGM ransomware stuff because you've got and I talked about this is you got a tale of two casinos, right?

[00:13:54] Because you've got MGM and you've got Caesars And you've got MGM who chooses not to pay and you've got Caesars who chooses to pay. And I can remember that that moment for me, that growth moment for me, really came to a head as I sat in a similar room with a bunch of finance people who were asking me my advice and I was advising them not to pay.

[00:14:13] AJ Nash: pay. God,

[00:14:14] Neal Bridges: And, and, and they looked at me and laughed, AJ, they laughed so hard and they said, Neil, they said, if, and I won't rat out the CEO's name, if the, if the CEO is about to go to the street to deliver the financials for the street and his laptop gets encrypted with ransomware, there is no end to the amount of money that we're paying to get that, that laptop

[00:14:37] unencrypted. 

[00:14:38] AJ Nash: Yep. Pay attention, ransomware groups. That's the target right there, just so you know.

[00:14:42] Neal Bridges: I was like, I was like, okay. This is reality. Now it is about risk, man. And I think that's the hardest part as a CISO is realizing that that at some point in time, your priority and the business priorities are so far away from each other and to realize what that distance is and how quickly you have to close that chasm.

[00:15:06] And I've had Joel Fulton. You met Joel before on our stream, and he said it best, right? Do you want to be right? Or do you want to win?

[00:15:13] AJ Nash: Aw. Mm hmm.

[00:15:14] Neal Bridges: And realizing that the role of the CISO is about winning together as an organization for the goal of protecting the business, that's the goal of a CISO, not about being right.

[00:15:28] AJ Nash: Oh, that's, I mean, that's a really good point. Right. And, and yeah, Joel's a really, really smart guy, smarter than you, frankly. But, uh, that's, uh, that's, uh,

[00:15:35] Neal Bridges: I'll give you that one. I'll give you

[00:15:36] AJ Nash: yeah, I'll have to get him on the show. It's about, you were like my second choice. Joel wasn't available, but,

[00:15:40] Neal Bridges: okay. Yeah.

[00:15:41] AJ Nash: don't tell anybody I said that. So, uh, No, I think that's a really good point though.

[00:15:45] Right? Like, do you want to be right or do you want to win? Right. And, and, uh, and it is interesting, you know, listen, I'll also tell people all the time, don't pay the ransom and, you know, full disclosure, I'm prepping for future shows. One of our shows is actually going to be on this topic specifically, like whether, whether you should or shouldn't do that.

[00:16:00] And maybe whether it shouldn't be legal. Um, but I've said the same thing. I'm like, listen, don't do it, but. Right. There's exceptions everywhere. Uh, I understand why hospital systems are going to pay because we're going to die. The example you gave. Yeah, there's a point. There's certain critical moments where I just, just pay it.

[00:16:15] Like it's just, it costs us less than not paying it. Right. There are going to be exceptions in general. I think the rule of thumb is don't pay the ransom. You do just become a target for more ransomware. Uh, but at the same time, yeah, there's exceptions to every rule. Right. Uh, which I think is really interesting.

[00:16:28] So, but I think you made a good point about it. You know, it's, it's, do you want to be right? Do you want to win? Right. CISO is a hard job. Um, there. I don't know, I haven't yet to see one yet who's... got more resources than they know what to do with. Right. No CISO's ever come and said, my biggest problem is I have too many people and I have too much budget.

[00:16:45] I just have so much time on my hands right now. I'm bored. Right. That's not happening much. A lot of, I don't sleep. I get a lot of that. A lot of CISOs, I think. Next to the presidency, the CISO is the job where you age the most in four years.

[00:16:57] Neal Bridges: There, there was a recent, there's a recent study that come out that talked about the amount of burnout, the amount of mental stress that CISOs have been under, the amount of CISOs who have utterly vacated the industry altogether because of the stress that they're under. And it's. It is insane.

[00:17:12] AJ Nash: Oh, it's true. I mean, look at you, Neal. You've been a CISO and Neal's only 12 years old, folks. So you can see what it does to you. But, uh, no, it's, it's, it's a hard job, man. I got, I remember when I first got in this industry. In the private sector, right? And my first gig, I won't name it, but anybody can look on LinkedIn and see where I used to work and, and I saw the CISO and I was like, man, that would be the job to have this guy.

[00:17:32] I mean, he runs the world. It seems like he makes a ton of money. I think I was driving a Ferrari. Uh, and now I look and go, yeah, I got no desire to be a CISO. That's, that's, that's a brutal gig. Uh, I don't know if you could pay me enough to do it. Um, you know, it's, it's, uh, you could, by the way, by if somebody's out there looking for a CISO and you think I'm qualified, come talk to me.

[00:17:49] You can pay me enough, but, uh, it's, it's a lot of money. So, all right. So, so the takeaway, anyway, hardest part you said, you know, is, is just making sure that understanding the machine, like knowing when you want to win or whether you want to be right. Is it different in a startup versus like other, like you've been with giant.

[00:18:04] International companies now, you kind of, we kind of ate into the second question. The second question was going to be, you know, what's it like being a CISO to vendor after all your time on the other side of the fence? And I think we'll still ask that question because there's a difference there, but I'm going to expand it a little bit.

[00:18:17] And so, you know, talk about what it's like. You've been a customer side, obviously, uh, you've been in the government space, you've been healthcare, you've been around, right. And you've been in startup and, you know, now you're at a vendor, of course. So, you know, can you talk about the differences between those kinds of roles?

[00:18:33] And then, you know, let's, with this question, I would like to roll back to the vendor specific was, I know there's some very interesting takes on how people think of vendors in the CISO space, but, you know, talk to me about the differences across these different roles.

[00:18:44] Neal Bridges: Yeah. So, um, you know, it's, I think that everybody understands that, that a CISO or let's just, let's even go even more macro than that. Right. You know, a Fortune one, Fortune 100 company has a different set of priorities than a Fortune 1000 company, than a Fortune 5000 company, than a small to medium business all the way down to a startup.

[00:19:03] Like, I think, I don't think that that's lost on anybody. Um, but what I do think. Okay. And it gets back to kind of some of our mentalities that we have in the industry when it comes to, oh, well, you know, everybody should be doing cyber security. Everybody should be involved in cyber security, but I don't want to pay for us.

[00:19:19] I don't want to pay for a CISO. I don't want to pay for cyber security. I've got, I'm, I'm an SMB. Who's going to, there's, we hear all this time, all the time, like who's going to attack us, right? We're an SMB. Um, you know, and then you've got, you know, well, I'll just let a third party handle that.

[00:19:33] Like I'll hire. Okay. Insert MSP here to take care of all that stuff for me, right?

[00:19:37] AJ Nash: Right. That'll work.

[00:19:38] Neal Bridges: Um, I, I think that, I think what I would say is, is what makes Query different. And this isn't, you know, this is what has

[00:19:46] AJ Nash: Plug Query a little bit. It's all right, man. Give it to

[00:19:48] Neal Bridges: No, no, no, no, no, no, no. This is, this is cultural. This is more culture than it is company related.

[00:19:53] Yeah, um, when, when Andrew and Dhiraj first came to me, who are the co-founders of Query, um, you know, they came to me because they realized that they are a security startup. They want to be in the security space. And so how important is it for them to be in the security business? If they don't have a CISO, right, right, what image does that set forth if they're trying to, to put forth that they care about security, that they actually genuinely care about, you know, providing, you know, some type of product to security organization, who's going to evaluate them for third party risk management, is going to evaluate their code from a SaaS perspective, if they don't actually have a dedicated CISO function.

[00:20:34] And so I think that that has helped make it. You know, the case as to why you'll see certain startups who recognize that like, Hey, this is an expense that if we want to be taken seriously in the audience of the people that we're trying to market to, we should probably invest in this early on because I make no qualms about it.

[00:20:56] I'm very grateful that Query at the stage of funding that they're at has decided to hire a CISO and invest in having that security posture. It has paid off. We've, we've done some amazing things. We've had some huge milestones that from a startup perspective are really, really unheard of in a startup.

[00:21:12] Things like, you know, achieving levels of compliance that help us, you know, get new customers, um, streamlining the third onboarding process with a lot of enterprise customers, which if you've been on the vendor side, you know, is a huge giant pain in the ass. Um, and, and so I, but on the flip side of that, right, once they've made the decision to hire a CISO, and I'll kind of put this in perspective where you mentioned some of the big companies I've worked for, my bet, my biggest cybersecurity budget was 50 million for a large healthcare organization.

[00:21:43] AJ Nash: Did I get any of that money? Did I? Were you a customer of ours? Did I get

[00:21:46] Neal Bridges: did it, you did it, when you were, when you were at the, when you were at the other threat

[00:21:49] AJ Nash: The other. Yep. Yeah. Got it. All right.

[00:21:51] Neal Bridges: yeah, yeah, yeah, you guys got some of that money, um, yeah, and I mean, Splunk got a lot of money too,

[00:21:56] AJ Nash: I bet they did. Sorry. Splunk got a lot of money from Cisco, uh, for the last 24 hours or so from what I saw. So they're doing all right.

[00:22:02] Neal Bridges: yeah, so,

[00:22:04] AJ Nash: any of my Splunk friends out there, congratulations.

[00:22:06] Neal Bridges: know, right, speaking of Ferraris.

[00:22:09] AJ Nash: Right. They all have one

[00:22:11] Neal Bridges: Right. Right. Um, and I can definitely tell you that, like you, and this is part of, this is part of being flexible, not just in cyber, but also if you're a practitioner or a CISO or you're a director in the space, you have to realize that like, sure, it's really nice to have a huge budget.

[00:22:27] Like it was great. It was awesome to have 50 million. And I mean, you know, I've been in lots of conversations with vendors and it was like, listen, I got a checkbook. You gotta wine and dine me if you want to, like, you know, so, you know, hit me up for some of this money. Like, we got to know that there's something really, really important going on here, right?

[00:22:42] And, and now on the flip side of this, I'm having to do like everything with open source, right? I'm having to beg, borrow and steal for 5,000 a year for a, for a managed detection response, you know, solution or 5,000 a year for, for an MDM solution, right? You know, anything like that. And so like, there's a huge mentality shift that comes with, you know, I've got money to burn and I'm going to spend it on cyber security to what are the priorities that I need to do for this startup that says, what are the things that get us a minimum baseline, acceptable security posture for where we're at as a company to move forward?

[00:23:18] Because as a startup, as many, maybe, maybe, you know, maybe you don't know at a startup, everybody, everybody wears 50 hats. It does not matter how many people you are. Everybody's wearing 50 hats.

[00:23:28] AJ Nash: Yep. Yep.

[00:23:29] Neal Bridges: And so like, you know, I can't just like poke the dev team and be like, Hey, you know, we've got to do this on the app because it's part of this compliance or because we just had a pen test and do this because that dev, that engineer, he's wearing 50 hats.

[00:23:45] To get that first million dollars or that first 2 million, that first X million dollars for us to be a valuable company in the industry. And so I think a lot of that has been a lot of the growth that I've had is in terms of like juggling plates or juggling spinning plates on sticks

[00:24:03] AJ Nash: Mm hmm.

[00:24:03] Neal Bridges: to take everything that I know should be right from my days of Big Four consulting to having a huge budget at a, at a Fortune 100 company and saying, all right, how do I do this?

[00:24:14] With table scraps with less than table scraps,

[00:24:17] AJ Nash: Right. Right. Right. Well, so here's a question for you then. So all that really, really interesting stuff, by the way. And I think, I think you, you made some good points there, especially for a small company to have the balls to say, Hey, listen, we need a CISO, right? If we're going to be, if we're going to be, and maybe I should have picked a better, better word than that, but if we're going to be credible.

[00:24:36] You know, we've got to have the Spago spine. That's a better word. We got to the spine to say, Hey, we're going to spend, because this is credibility. Like we can't be in the security space and not have a CISO guiding us on what other CISOs need, and otherwise we're just out there just selling stuff. Right.

[00:24:51] So I think that's very, very cool. So here's a, uh, kind of a sub question. This is not question three yet for anybody paying attention. We're still on two, but do people consider you a real CISO now? Like if you're in a vendor, are you a real CISO or are you just a guy with a CISO title because they need to sell stuff and they want to have a CISO on board, or are you still considered a real CISO?

[00:25:10] Neal Bridges: this is, this has also been super eye opening for me because I, I had always known tangentially that this would be a reality, but I thought that it would be easier for me to, um, to fight against this. And I'll tell you a real, I'll tell you where it really hit me. And it really hit me last year at the Gartner conference.

[00:25:28] Um, yeah. And, and not because it's Gartner, but because, um, you know, we were, Query was obviously going to go to the Gartner conference. And if you've ever been to Gartner, right, you've got the main track and you've got the CISO track, right? And the CISO track is very networking centric. You get to spend a lot of time with CISOs.

[00:25:42] Um,

[00:25:42] AJ Nash: Were they all shunning you? Nobody wanted to talk to

[00:25:44] Neal Bridges: that was, that was exactly what Gartner, Gartner shunned me. Gartner was like, no, no, Neal can't participate

[00:25:51] AJ Nash: you're not a true CISO. You're just a vendor with a title. They didn't want you in there selling to them. They thought,

[00:25:55] Neal Bridges: oh man, it was, it was brutal. I was like, I was like, hold on. Are you telling me that I have no value because I work for a vendor? You tell me the vendor can't have a CISO that actually represents security CISO interest and therefore you're just going to shun me from the community.

[00:26:10] Oh man, it was, it was the, the amount of, I eventually got in, but the amount of strings that I had to pull the favors that I had to call in to get access to that was something I was not prepared for

[00:26:22] AJ Nash: And, and as a reminder, you've been prior to to this, you've been a CISO for how many years? I mean, I lost track of your resume, but you've been a CISO for not, not one or two, you've been a CISO for quite a while at big companies, large pharmaceutical companies, like you've, you know, you've been a real CISO, right?

[00:26:39] Uh, but it's funny. You're a vendor and suddenly you're, you know, persona non grata at those events. Right. You

[00:26:43] Neal Bridges: 100 percent it, it was,

[00:26:45] AJ Nash: some of that as an Intel guy too. Not nearly to that extent, but

[00:26:48] Neal Bridges: yeah, yeah. But I mean, it's, it, and so like, I think that that's, that's been, that's been the hardest part of my job is that you do get that vendor title tagged to your name and, and I'll tell you like, and, and, and you'll appreciate this because you've been on the vendor side longer than I have.

[00:27:04] Um, I've got friends now who, if I were at any other company. If I were at any other company, they'd pick up the phone for me and they would talk to me right off the bat. The, as soon as I worked for a vendor, the amount of people who stopped talking, who stopped answering my phone calls because they're like, Oh, Neal's just going to try to sell me something.

[00:27:23] I was like, wait a minute. How do you even know?

[00:27:26] AJ Nash: Yeah, yeah, if it makes you feel any better, and you're right, I've been in vendor space for a while, right? So when I, when I left the government, I worked at a bank at first, so I was, I was not a vendor. And I only did that for about a year. Uh, and then ever since then, I guess I've been on the vendor side, right?

[00:27:37] Um, and you'll get there very quickly if you haven't already. I'm lucky that people still answer my phone calls. But it's because everybody knows I'm not gonna try to sell them anything, right? You know, it's, you can be in the vendor space, or you can be salesy in the vendor space. And, you know, it's funny, one of the goals of this podcast, in fact, is I've said, I don't want salespeople on the show.

[00:27:53] Um, I'm not putting people on with sales titles, generally. There'll be a couple exceptions. I have friends who are like CROs, but not salesy, right? Um, but this isn't a show to sell people stuff, because nobody wants another... Damn sales pitch. So, and you're, I mean, if you haven't already, you probably already have overcome it, but if you haven't, you will, it's people start to recognize, no, this guy's actually not going to sell me stuff.

[00:28:11] Yeah. He works for the vendor, but he's, he's the same guy he was before, or she's the same gal she was before, and they just want to have a conversation. And once they, they get their hackles back down, then you have these open conversations. Right. But I went through some of that first, people like, man, I'm not here to buy anything.

[00:28:24] I'm like, dude, I'm not here to sell anything. Like. I just, this is a Burger King, man. I just, I was trying to grab lunch. I'm not trying to sell you anything. That's all right. Uh, you know, it's just calm down. I get put it away. Like I didn't even bring any laptops and sure. I'll happily introduce you to sales later if you want, but that's not my gig.

[00:28:40] Right. And so I've been

[00:28:42] Neal Bridges: even, it's even manifested itself a little bit to where I've and, and, and I've, it took me a while to get over this. It doesn't happen much anymore. It did happen at the, at the beginning stages when I started at Query last year, where when people ask me like, how's it going at Query, I take pause and I'm like, okay, what do I say?

[00:29:02] That doesn't sound salesy so that I can make sure that I convey how's it going at Query without somebody thinking that I'm trying to sell them on Query.

[00:29:10] AJ Nash: totally.

[00:29:11] Neal Bridges: And I mean, yeah, that mentality, I was, again, I was not prepared for, not prepared for it at all.

[00:29:17] AJ Nash: Yeah, I've been there. People ask me and, you know, it's like, all right, how are things? Dude, I love my job. I like the place I work. People are great. I'm on a microphone right now. I mean, it's awesome, right? Somebody's paying me to talk to a friend of mine and they're going to record it and it's going to be useful.

[00:29:28] I love it, you know, but I don't come in and go, Oh, how are things at ZeroFox? Well, dude, let me tell you about our entire platform from left to right and everything we do, which is all great. I can go on and on about how we're, you know, very proactive and deep and dark web to the reactive and incident response and breach response.

[00:29:42] But I don't. Like have that conversation, you know, over coffee usually. Right. Uh, but, but when people have to figure that out, right. And the sad part is, I don't know if you had experience, but for me, when I first started doing it and each company I've gone to, frankly, it's tough early on because I'm still learning the pitch.

[00:29:56] And so I have a tendency to fall into that discussion because I'm learning this information. I'm like, Oh dude, you got to hear this new thing. And you go off for two minutes. Like, no, no, dude, I didn't mean to sell you. Thing it's I'm learning the information and I do think this is actually very cool, but I'm not actually trying to sell you.

[00:30:08] I'm not cause you'll get through it. And I'm sure you've had it. You're like, uh, you get five minutes in like, dude, I don't have any budget. I'm like, I'm not, I don't shit. I didn't realize I was selling you. I wasn't my plan. I don't care if you have budget. I'm just excited that we do stuff like you should meet the guys we have in the deep and dark web.

[00:30:22] They're, they're fricking amazing. But you know, I don't, I'm not trying to sell you on it. I'm just telling you, this is a great place to work. And I love my gig and I love my team. Right.

[00:30:29] Neal Bridges: that, that right there that you just, that, that you just described, that's, that's the current challenge that I'm on because, and, and again, back to, to, to the point, you know, I'm working for, I, I've never, I've never not worked for, and this is something, this is very cultural. This is very career reminder, right?

[00:30:46] I've never not worked for some, someplace that I wasn't passionate about the mission, right? Right. Like if you look, I could, I could name, I could name very specific things about every company I've ever worked for that where the passion has driven me and there's no difference in here. So yeah, I've experienced exactly what you're talking about, where it's like, how's it going at Query?

[00:31:04] And I'm like, Oh, let me tell you like this thing that we're doing that I'm so passionate about, which was what led me here. And then you realize like, I promise you that was not a sales pitch. I'm just incredibly passionate about this.

[00:31:17] AJ Nash: Yeah. Oh God. The number of times I have to go. I swear I'm not trying to sell you anything because I'm like you, listen, I've yet to knock on wood. I haven't taken a job for the money. Like don't get me wrong. Let me be clear. People pay me to work and the day ZeroFox stops paying me, I promise I will stop working.

[00:31:31] So I do it for the money. Sort of, but I've never taken a job just for the money. I came here because I was passionate about what the company was doing. Like they, they sold me on the idea, which was true. And I really liked the vision where we're going. I did the same thing at the last two companies I was at, you know, before that, and before that was the first one coming out of the government space.

[00:31:47] So I'm like you, I want to be passionate about this. I think most people, people want to know what they do matters. It's meaningful. It's important. They want to have some passion and I've been very, very lucky. Then I haven't yet had to take a gig where I'm like, Oh God, this job is meaningless and I hate it.

[00:32:00] Not since like high school. I worked at Dairy Queen once upon a time. Let me fake, let me tell you, I love ice cream. I wasn't passionate

[00:32:05] Neal Bridges: you look like, you look like a Dairy Queen worker.

[00:32:07] AJ Nash: look like I, I look like I spend a lot of time at Dairy Queen, not necessarily working there. I definitely spend some time at Dairy Queen still. Um, all right, cool.

[00:32:15] So let me, let's see, let me move on. We got one more question here. Uh, so, you know, the big thing, I mean, we've been going through all this, right? You and I have been doing this a long time. Uh, so like

[00:32:25] Neal Bridges: That's code word for old.

[00:32:26] AJ Nash: Right, we're old. Between the military and the government space, you know, in the private sector, like we've had, we've got, I don't know, 40, 50 years of experience on one of that.

[00:32:34] So here's the question, man. And, and. I asked a lot of people this, but how are your sleepless nights today from the ones you had in these other roles, from the ones you had, say, 20 years ago, right? Because I mean, sleepless nights come with the job. I, everybody, I'm notorious for a guy who doesn't sleep much anyway, but how, how are they different now than they were, say, like 20 years ago?

[00:32:57] Neal Bridges: Oh, God. Um,

[00:32:59] AJ Nash: Nah, you didn't prepare for this one. I can already tell.

[00:33:02] Neal Bridges: I, I didn't, I didn't prepare for any of

[00:33:04] AJ Nash: I know. I know you're like me. You're like me. Just figure it out. Let's go.

[00:33:07] Neal Bridges: Yeah. Like, like you want it naturally, AJ. This is what you get.

[00:33:10] AJ Nash: That's exactly right. I told people that don't edit it. Leave it in. No, I want the ums and the ahs and the ah, that's a hard question. I want all of it.

[00:33:17] Neal Bridges: You know, um, the world is world is obviously, and I think, you know, this is thank you Captain Obvious. It's obviously vastly different now than it was 20 years ago. It's that's, that's, that's easier to say, but it's mind boggling to think about. Right. And, and, and I, I deal with some of this with my coaching sessions, my mentorship sessions, and even the chat that I get on Cyber Insecurity, right?

[00:33:42] When people ask me questions about like, Neal, Neal, do you think AI is going to take our jobs? Like the, like, I got this, I got that question two years ago when we started Cyber Insecurity, and I'm, and I'm, and I'm, and I'm, it's, it's exponential GPT is a thing, right?

[00:33:56] AJ Nash: right?

[00:33:56] Neal Bridges: And, and. I, you know, again, we're not going to talk about NFTs and blockchain, but there was a time where, like, I wasn't, I wasn't a fan of NFTs and blockchain, um, and then there was a shift that happened that made me go like, okay, this technology has, has potential and the same thing has happened with AI and the same thing has happened with cloud and the same thing has happened with, with, with a lot of the stuff that's out there.

[00:34:20] So I think the, yeah. The, the crux of the question really boils down to is, I think the, the, the sleepless nights continue to be sleepless because the rate at which the world changes around us and the fact that in cyber, the world doesn't stay safe long enough for you to adapt to the status quo.

[00:34:42] AJ Nash: Oh, that's so true. Like, is the world ever safe, right? I mean, is when was the last time there was, but I think so interestingly with that, maybe there's also a flip side of, of numbing. You know, do people lose, lose sleep or do they get past it? So, you know, we, you, you mentioned MGM and, and Caesars, a couple big breaches going on right now.

[00:34:58] Some of this is five years from now, they're back out. It's old news, but you know, those are massive deals, right? And they're in the news and they're making a big deal, but there are breaches every day that would have been the top story Five years ago, 10 years

[00:35:11] Neal Bridges: without a doubt.

[00:35:12] AJ Nash: we just shrug them off now. Like it's like, oh, yep that happened.

[00:35:15] I mean, I'm finding myself as an Intel guy who's supposed to care about all of this stuff, and I do to a point still care and pay attention, but the last, aside from these now, the last couple of breaches, somebody else had to send me something like, Hey man, what do you know about this? I'm like, I didn't know anything about it.

[00:35:29] I'm not even paying attention to it right now. Now, for anybody listening, I no longer actively run the Intel team. I promise you, the Intel team was paying attention. Uh, so just to clarify, so anybody doesn't run away from us, I helped put some things together and get people on the right track. I'm not operationally running the Intel team anymore.

[00:35:45] Adam and Olga and that group do. And they were the ones who asked me, so they're brilliant. But, um, but, but it's funny. I mean, I have people aren't even in it now. And I mean, security friends, relatives, like, what do you know about this? Like, I don't know anything about it. I'll go look now. Cause it's just, it's constant or they get very panicked about it.

[00:36:00] I look at you. I just shrugged. Like, what do you mean? I'm like. Yeah. That's, that's how things work. This is, this happens all the time. This is normal. Like this is, so how do we avoid the numbing instead of losing sleep? Just going, everything's owned. Just go get a good night's rest.

[00:36:11] Neal Bridges: well, and, and this, that's, that's, that is a very, very interesting and good question because like, I think the, I think the problem is, is that, you know, I think we're going to see the maturity of the things we care about change continuously as we see more normalization of breaches. And that's that's still a weird thing to say out loud, right?

[00:36:32] Normalization of data breaches. Um, like, like, I'm sure that, like, there's going to be a cringe factor that happens, like, oh, my God, did he just use normalization of data breaches in the same sentence? Yes, he did.

[00:36:41] AJ Nash: That's going to be the blurb for the show is to Neal Bridges says data breaches are just normal. Now that's going to be, that's how I'm going to open them up with us. And that's how we're going to advertise this one out there. Neal Bridges says, don't worry about data breaches. It's all normal. That's totally what's going out.

[00:36:54] Neal Bridges: it is, I mean, that's, that's not an unfair statement because like, I think, I think that there's a, I think there's a split, I think that there's a split in the industry where a lot of us have come to that acceptance that that is reality. And I think that this is idealism we've talked about before.

[00:37:10] There's a lot of people like, no, no, we will get to a utopia where, you know, if people would just patch and if they would just train or help desk to, to, to, to not answer, you know, phishing, you know, telephone,

[00:37:20] AJ Nash: happen

[00:37:21] Neal Bridges: like, like, yeah, yeah, it'll happen in day. And I think that, I think that what we're witnessing through the normalization of breaches is we're witnessing a maturity of the industry and realizing, holy shit, we were wrong.

[00:37:34] Nobody will say it out loud. Like you want to talk about a stream where we talk about the quiet parts out loud. Nobody will say that we're wrong because you, you are wrong about patching. You are wrong about compliance. You're wrong about GDPR. You're wrong about CCPA. You're wrong about NIST. You're wrong.

[00:37:51] You're wrong. And you're scared. You're scared to admit that you're wrong because you made money on it because you told people they would be safe because you told people it would work because you you attested to their certifications. And I think that that as if we look at cyber security as a being as a person as an entity, I think that that's the mental reality that we're starting to come to grips with.

[00:38:15] So I think that the fatigue is the reality that we've all been screaming at a thousand miles per hour, that all of these things are the things that we need to do to be safe. And we're seeing zero change and zero difference in the industry. And we have no flipping clue what to tell people because none of it is working.

[00:38:34] AJ Nash: Not to counterpoint. I don't disagree with

[00:38:36] Neal Bridges: Absolutely. Absolutely.

[00:38:38] AJ Nash: the counterpoint and one small piece of it, some of the things that aren't working it's because people still don't do the things we tell them to do. You know, patch prioritization would, would be useful if people actually did it, uh, you know, having a CMDB.

[00:38:50] And knowing your environment is really important, but if you get on, I've gotten on stages around the world and said, you know, by a show of hands, tell me everybody was confident in their CMDB and everybody just laughs. Like they just accepted that all my CMDB is garbage. I'm like, why, why, how do you not know your own environment?

[00:39:03] This is just basic Sun Tzu. You don't even know yourself. How do you, why are you worried about even knowing the enemy? Or, you know, um, uh, passwords. Well, password reuse is still a huge problem. Passwords are every time there's a breach, there's a segment of the passwords, like password one, two, three. I'm like, are you kidding me?

[00:39:19] Is somebody still doing this? So people are a big part of the problem. People don't seem to be. Changing their behaviors and they're expecting different results. Or frankly, a lot of users don't expect different results. They just don't care, right? It's not their problem. It's somebody else's problem. The IT geek will figure that stuff out.

[00:39:33] It's his problem. He can sleep never because I don't feel like having a hard password. And a lot of those people are the executives, right? A lot of people we find that don't follow the rules are the ones who are supposed to be enforcing the rules. And then you find out they get breached and it's their stuff.

[00:39:43] That's garbage because that's too hard to actually do it because it's not user friendly, so they do their own thing and then they get breached. So, you know, there's, there is an issue in that. Yes. In most cases, I think you're right. We, as an industry, people have come up with answers, trying to be the wrong answers, but the right answers still aren't being enforced.

[00:39:58] Now, as a self serving person, I'll point out, I've said, Intel is the right answer. And I don't think it's proven that one wrong yet. If you have Intel, if you know about bad guys before they do something, that is still the best plan. It's just expensive and metrics are challenging. Uh, but it's still proven to be true.

[00:40:15] And I mean, that's why it's true in war fighting. It's true in the government. It's true out here. If you want more money into Intel and prevention, they'd probably do better for themselves, but that metrics beast shows up and then sometimes can't, people can't explain the metrics well enough. So I got one more piece with this.

[00:40:28] So you mentioned it briefly. You talked to, like, ChatGPT and AI and all that. And you know, it's, is AI going to take my job? Right. And I will say, I'll preface this before I jump into the question, but, and this is, by the way, a sub question of question three. For those who are scoring at home, we're still on the same question.

[00:40:42] But, um, you know, when I got to the agency, I got to NSA in 1999. And, uh, so I got there in 99. And I remember I'd been on, you know, I'm excited, I'm a young kid. And, ooh, I'm in the agency, I'm an intel guy. And I remember very early on, people were like, Oh, enjoy it while it lasts, kid. Because you're all going to be replaced pretty soon by machines.

[00:41:00] It's all going to be automated. We're not going to need all you people anymore. It's all going to go away. That was in 99. It's 2023 now, and there's more Intel analysts today than there were then. So I'm not remarkably concerned about being replaced by machines, but that's my opinion. How do you see the emerging technologies, the ChatGPTs and the AIs or what people are calling AI and it's ML, you know, it's stacked machine learning or whatever the hell it actually really is.

[00:41:23] Or sometimes it's just a whole series of spreadsheets stacked together. Still, you know, squirrels on a wheel someplace like some of it's more real than others. I will say I just had a meeting this week with a bunch of CISOs and, uh, in there, there was a vendor pushing this small company and he's pushing his AI stuff and.

[00:41:37] I was less than, uh, courteous by the end to him as were a couple of the CISOs. Cause all of his talk came back to just like automated translation and it wasn't very impressive. So anyway, uh, what are your thoughts on where the emerging technologies fit into all this stuff

[00:41:51] Neal Bridges: I have

[00:41:51] AJ Nash: We're running out of time.

[00:41:53] Neal Bridges: But briefly, briefly, you should have hired, you should have brought a different guest if you wanted brevity.

[00:41:57] AJ Nash: History of the Earth. You got 30 seconds. Give me all of it. Right.

[00:42:01] Neal Bridges: So, so, so, all right. So I was going to tell you two stories, but

[00:42:04] AJ Nash: Tell me everything, man. We got editors. We'll figure it out. Tell me everything. Tell me all of it.

[00:42:08] Neal Bridges: Um, I, I, I laughed when ChatGPT blew up, right, because and the reason I laughed, the reason I laughed is because I remember you remember this. I'm sure you do. Maybe 2 or 3 years ago, right before COVID, right?

[00:42:26] What was the big thing that was over every banner at RSA? AI and ML, AI this, it was all over RSA three years ago. Everybody had AI and ML in their tools three or four years ago at RSA. It was, it was the Gartner leading way on how security technology is going to advance themselves three years ago.

[00:42:48] AJ Nash: Yep. Look what that's done.

[00:42:49] Neal Bridges: And, and, and then we get the ChatGPT.

[00:42:52] And all I could think to myself were the screaming marketing people who were dying in a puddle of their own despair as they realized that they had burned all of their marketing material on AI and ML three years ago and couldn't use it anymore.

[00:43:09] AJ Nash: Oh, couldn't use it. You don't think they recycle? You don't think that's how marketing works? They recycle, or that guy's down at a different company takes the same ideas with him, changes the colors, calls it AI. Now it's ChatGPT. It's the same crap with a different wrapper. And to clarify, this isn't all crap.

[00:43:23] Don't come throwing tomatoes at me today. There's some real in this technology, but there's an awful lot of snake oil there, too. Um, yeah, no, you're right though. I remember that, right. It was all going to be this stuff. It was, that was the big push right before funny. It's like COVID I had to think from the before time.

[00:43:37] Uh, but yeah, right before I remember that. And then, then everything got quiet cause we were all busy at home suffering. And then, uh, and now it's yeah, ChatGPT and you know, ChatGPT is very interesting, does some cool stuff. And I've told folks this will make people into, you know, humans will become superhuman, but they can replace us, you know, while this presentation was going on yesterday.

[00:43:55] It's a true story. Um, and this guy was going on and on about it. I pulled up on my phone, ChatGPT 3.5, cause I like playing around with stupid things in my free time. And I said, all right, I'm going to prove to myself, remind myself how good or not good ChatGPT can be. Right. I was like, all right. Uh, fact of what's the capital of Utah.

[00:44:12] Capital of Utah is Salt Lake City. I think two of us knew that. One of us knew that, at least. I don't know about

[00:44:16] Neal Bridges: I was gonna say one of us knew that.

[00:44:17] AJ Nash: not sure if you knew or not, but capital is Salt Lake City. Alright, next question was, alright, uh, why is it the capital? And it gives me a whole bunch of stuff, some of which was factual, some of which was theoretical on just how capitals are picked anyway.

[00:44:30] And, uh, okay, great. And the third piece was... Who decided on the why of making it a capital? Oh, then it just fell apart. Like it gave answers that were vague and semi true at best. Meanwhile, I went to Wikipedia and got the real answers with actual names and dates and all this stuff. I was like, I think ChatGPT is not quite there yet.

[00:44:46] Um, and as I said to the guy who was giving his presentation, because he said, you know, he's talking about intelligence and the meaning of intelligence. He said, you know, this machine, it's, it's read everything that's ever been written. So it's, it's intelligent. And I said, no, it's read everything that's been written.

[00:44:57] It doesn't understand any of it. And so that doesn't make it intelligent. It's ingested all of the words. It doesn't mean it understands any of it. You don't have a sentient platform yet. God, I hope we don't because that's gonna be the end of all of us. But, uh, it isn't sentient. It doesn't understand it.

[00:45:10] It's a really, really impressive parrot in his machine was at least. And that's a long way from being a human being. It can't be held accountable. Uh, it doesn't have a reason. It doesn't have gut instincts, which do come in handy sometimes. They're actually valuable and important still. Uh, it's short on a lot of context.

[00:45:27] You know, the technology is better and a lot better. It does some things very, very well. Like you can do some summarization very quickly. You want a recipe? It's got all the recipes in the world. Like, frankly, if you want a recipe for anything ever, I think you ask ChatGPT. Now you don't, if you say the best of, I don't know which recipe you'll get, but it has things like that knock down.

[00:45:47] It can do math equations. It can do some things really, really well. I guess I can write code. I don't know how to write code. So it's already smarter than me. Uh, but I

[00:45:55] Neal Bridges: a lot of the.

[00:45:56] AJ Nash: do. Go ahead.

[00:45:57] Neal Bridges: I was, I was, I was at a, I was at a conference a couple weeks ago, maybe a month ago or something like that, and they were talking about the hypotheticals or the, the hypothesis driven stuff that ChatGPT and other large language models that AI is doing. And, and full disclosure, I'm not an AI large language model expert.

[00:46:13] I'm, I'm only, it's very, very, I would call myself like on a, on a one to ten, I'm probably like a three maturity when it comes to this stuff, right? Because there's a, there's a lot of math there and I'm kind of a dumb kid

[00:46:22] AJ Nash: Yeah, but you're in the vendor space now, you have to pretend to be an expert, Neal, that's how it works. I don't know anything about any of this, and look at me, I got my own show talking about it now. But, no, it's, we're vendors, we have to pretend we understand, but I'm with you. I, the guy I was talking to had a PhD from Stanford, and I was like, I can't believe I'm gonna challenge the PhD from Stanford in a room full of people, I feel stupid.

[00:46:38] But, uh, it turned out the CISOs agreed with my point, which was helpful. So go ahead, man.

[00:46:42] Neal Bridges: yeah, but, but I mean, I think that that's the point though, is that they're talking about, they're talking about the, the hypothesis driven, um, stuff that, that these large language models have to do. And they're saying that I think that the crux of it really boils down to cyber security has a huge critical thinking component that they haven't baked into a lot of the large language models or the hypothetical, the hypothesis driven engines that a lot of these, these AI chat engines have.

[00:47:07] Um, it's great at filling in things like, Oh, you have to make, you know, fettuccine alfredo. Well, I generally know that these types of ingredients are included in fettuccine alfredo. Oh, you want to add this other component to it? I can hypothetical say, well, to do that, you kind of have to do these things together.

[00:47:21] But we've seen that hypothesis fail. There's been a case where somebody tried to get ChatGPT to write a court argument, citing court cases that have never existed and then they tried to present that to a judge and it didn't and it fell through and so I think that that's that's the current limitation that I see that while AI could probably help us with a lot of day to day tasks, a lot of the remedial type of stuff, um, I don't see us ever really having to worry about some of the critical thinking aspects of ChatGPT and I tell people all the time, like, listen, if you're worried about ChatGPT taking your job, maybe you need to upskill yourself just a little

[00:47:57] AJ Nash: yeah, that's a good point. Your job might be too easy to replace if you're really replaceable by this, you know, and some people probably will be, uh, I had also said, you know, there was a discussion about, well, can we get rid of like tier one and tier two? That's, you know, a lot of people talk about that, which is interesting.

[00:48:09] I've heard Intel too. Let's get rid of those low level Intel folks. We just do, you know, automated daily briefings, that kind of thing. And so, well, that's also while I could give you a hundred reasons why I worry about that from an Intel standpoint, even putting that aside a bit, if you get rid of all your tier one and tier two in any career field, and you say, okay, all we need is experts.

[00:48:25] Now, where are you going to get the next set of experts from? Where are you going to grow them from? Like eventually I'm not working until I'm 80. Cause I'm the only Intel expert left in the house. I'm going to leave. And if the machines did it all the way through. Are you assuming the machines will get smarter and become the next experts down the road?

[00:48:40] Because if we can't get to that point, then you have nobody. So, you know, it's, I think that's a, something people may not, it's short sighted. And unfortunately in a world right now with economic, you know, pressures, people always want to do more with less and save money, etc. This feels like the next stage of outsourcing almost.

[00:48:56] Um, but there's no way to... get the next group of people as a result. So I, I worry about it. All right. So listen, that's our three questions. I don't know if anybody kept counting at home. It felt like more than three of it. I promise it was just three primary questions. So, you know, we're, we're coming up to the end here.

[00:49:10] So you're the first person to be the first victim in this case, but every episode, we're going to have a closing question. Um, so yeah, you're the first victim, man. Good luck. So the closer is basically like, listen, the name of the show is Unspoken Security. So, you know, with that in mind, tell me something you never told anybody before

[00:49:29] Neal Bridges: oh geez. Um, cybersecurity related, I take it as

[00:49:35] AJ Nash: doesn't have to be. I mean, I I'm thinking most will be, if somebody eventually is going to confess about infidelities or murders or something, and I'll, I'll certainly keep it in the show if they let me, but, um, you know, if there's such a thing as ratings week for podcast, I'll save it for that one. But I mean, it can be security related, you know, it could be, you know, career related, uh, you know, whatever, whatever it is, man, something that you haven't told anybody before there's something unspoken.

[00:49:58] Neal Bridges: Um, I'll, I'll, I will, uh, I will elaborate on something that I've kept very high level. Um, because I don't think that like, I, I, there's people hear me say it at a high level and I think that they're kind of like, yeah, I think that, yeah, yeah, yeah, gloss over. Yeah, yeah, Neal, Neal didn't go to college. Um, I, I don't think people realize just how dumb I was in school.

[00:50:22] AJ Nash: Okay. I should, maybe I shouldn't laugh at that. Maybe I'm an asshole. We're gonna have to cut that out later. Now that's a good thing. We're friends. Cause my initial response is to laugh. Like what a jerk, right? You probably, this is a serious moment. You've quieted the crowd. You've whispered your truth and I'm like, ha ha ha.

[00:50:37] What a

[00:50:37] Neal Bridges: That's

[00:50:38] AJ Nash: So anyway.

[00:50:39] Neal Bridges: Nelson the guy from Simpsons? HA

[00:50:41] AJ Nash: Exactly. So sorry, you weren't, you weren't a good student. All right. I got you. I'm following along

[00:50:46] Neal Bridges: let's, let's, let's, let's clarify like how not good of a student I was. Um, my, my high school class is a class of, of 350.

[00:50:54] Um, and I was number 340 out of 350, uh, from a, from a class perspective. Um,

[00:51:02] AJ Nash: good number. Usually. Yeah, I got you. But somebody was saying somebody was 341 through 350. Like, you're not alone. All right. I got you.

[00:51:09] Neal Bridges: I failed. I failed my very so. So I've been doing, um, I've been doing computer work for a number of years. I've got there's articles written about me about, you know, web pages being, you know, from the first web pages being written.

[00:51:20] I was doing work for NC State, um, you know, for the food science division, writing some of the first web pages. Uh, I was building computers from scratch. Uh, knowing all of that and some of the first jobs that I had coming out of high school were, were sysadmin jobs and tech jobs. I failed my first A+ and Network+, I've never told anybody

[00:51:38] AJ Nash: Wow. Okay.

[00:51:39] Neal Bridges: Um, and, and, and it really, it really kind of like, like it gave me a lot of doubt as to whether I was going to be a contributing member to the society for the longest time of my early years was, um, yeah, I, I did, I did not expect to be smart enough to be in cyber,

[00:52:00] AJ Nash: So how did you, like, did you get it? It was a root cause analysis. How did you overcome this? I mean, you're clearly listen, you're very, very smart. Obviously, and you've clearly done very well. So, you know, it's, it's, I think, by the way, thank you. It's kudos, like what a revelation is you're the first person on spot with a question and you gave a really hard hitting answer, which I hope will help a lot of people.

[00:52:19] Cause listen, this industry is full of imposter syndrome and it's full of challenges like that. I, I, you and I've talked about this off, you know, off air before, you know, this is a huge issue. So. All right. You're obviously very, very bright and you've done very well, but what, was there a moment, was there a person that helped you through it?

[00:52:34] Like, how did you get from, Hey, I feel like I'm too dumb to be this, to clearly proving you're just the opposite of that.

[00:52:40] Neal Bridges: it took, it took an ungodly number of years. Like when, when I failed, so I, I failed A+, Network+, um, I failed some of my first Microsoft certifications, um, before I ever got into the Air Force. Um, and, and I did not handle it very well. I, I fell into a deep depression. I was very, very recluse. I, um, I did not talk to friends or family.

[00:53:04] I, I had nobody. I, I was going through, I was going through some terrible times at the time. This is obviously post 9/11. The, this was the, this was the dot-com bubble and I had no degree and no certs. Nobody would hire me because they could get people with a master's degree for half the price that they, you know, were.

[00:53:21] You know, at the time, um, it was, it was a dark time for me, um, where I struggled mentally a lot. You know, I, I just, I mean, you know, I'd just gotten a divorce. Um, my, my ex wife had taken my daughter. I'd lost my house to foreclosure. I had to go beg my ex wife to go live with her because I had no place to live.

[00:53:44] Like there was a lot that was just generally going wrong in my life around that time. And, um, honestly, the military gave me a new foundation and a new set of confidence. And I was 24 when I went in. I was a, I was a late entry into the Air Force. I was 20. I'd celebrated my 24th birthday in basic training.

[00:54:06] AJ Nash: in basic

[00:54:07] Neal Bridges: yeah. Yeah. So you, so, you know, you, you, so I don't know if you did it either. I didn't tell a soul

[00:54:13] AJ Nash: Oh no, I, I mistakenly told people. No, no, I wasn't that smart. I had extra two years must have made a world of difference because now I, I told people there's some good stories. But, uh, for those thinking about going in the military, uh, if you're going to have your basic training birthday for any reason, uh, don't tell anybody.

[00:54:29] Neal Bridges: Don't tell anybody. That was, yeah. I, I, I celebrated my 24th birthday under the sheets of my bunk in, in, in basic training and I didn't tell a soul.

[00:54:39] AJ Nash: that were what I did. I celebrated my 22nd birthday by being down in charge of quarters with a fellow airman knows the nose of me. Uh, attempting poorly in front of others to sing happy birthday to me

[00:54:51] Neal Bridges: Oh god.

[00:54:52] AJ Nash: bearing or be rolled back. So, um, and then I had my bed short sheeted by, by my flight.

[00:54:57] So, yeah, it was good times. I also had a, a, a letter from home from a friend of mine. I don't know if I can edit it out. But a female friend of mine, who's still a friend of mine, but she, uh, she sent me a card. I had actually called her on my birthday. Um, cause I was downstairs, I was doing background investigation.

[00:55:13] So I got to call home or whatever. And I called her, I didn't tell her it was, I didn't remind her. I just wanted to have a conversation and she felt so guilty after the conversation that she had forgotten. It was my birthday that she sent a card. I have no idea how she got the right address to get it all the way to the right unit and everything.

[00:55:27] And I opened it up in the latrine. And it was like a glitter bomb

[00:55:33] Neal Bridges: Oh no. Oh no.

[00:55:35] AJ Nash: was just trying to be friendly. It was glitter everywhere. And for those who don't know, never been in the service, a good little story for you. The latrines have these tiny little tiles, millions of them with all this grout and everything has to be spick and span, perfectly spotless.

[00:55:48] And somebody is responsible for that. It was not me. And so I've now made that person's life impossible. Because I have an endless supply of glitter in every little crevice and crack. So I was very, very popular for that moment.

[00:56:00] Neal Bridges: And, and, and, and, and you were just thinking at any minute that there's going to be a drill sergeant who's going to come in and see a massive amount of glitter or even a speck of a glitter in the ground in between the tiles and all hell is about to

[00:56:13] AJ Nash: Oh, Oh God, I'm surprised I didn't get, I thought it was gonna be murdered. I had, I had visions of like Full Metal Jacket. I, things were going to be very, very bad for me in a moment here. Uh, it, thankfully it was not, but, uh, yeah, don't have

[00:56:26] Neal Bridges: Yeah,

[00:56:26] AJ Nash: in basic training. So, but that's interesting. So the military helped get you on track with

[00:56:30] Neal Bridges: yeah, yeah, the military gave me an unbelievable set, a set of confidence that I didn't know was possible and, and I found a, I found a good amount of camaraderie. I found a good amount of purpose and I found a good amount of mission in being in the military. And, and it was almost like, as obviously basic training is, but basic training is, but once you get to tech school and you get to live a little bit more of a normal life in tech school, and you get to go to a pseudo college type of experience where you have dorms and you have classes and you have a, a real cafeteria and you've got leeway to go out on the weekends and you realize.

[00:57:07] Like there's actual a support system and you've got training buddies and everybody's there to help you succeed. And, um, you know, everybody wants you to be the best version of yourself that, that you can have despite, you know, what's, whatever's been going on in your life. Yeah. Like if that's, that's, that for me was when, when things started to kind of turn up for me and I found my true self.

[00:57:25] AJ Nash: That's, that's an awesome story, man. Thanks for sharing it with me. I, I can relate. Uh, you know, if it makes you. I don't say it makes you feel better. It's just, it's a, it's a different story. Well, you're, you're, you're doing great. I mean, you've, you've overcome that feeling, right. And, and proven yourself and yeah, the Air Force can be good for the Air Force did a lot for me as well.

[00:57:42] I, uh, I didn't graduate high school, so you might've been 340 out of 50, but I got thrown out of high school. Uh, my senior year in April and we graduate here in Minnesota in June. So, uh, yeah, I was about, I don't know, four or six weeks before graduation. And, and to be clear, this isn't unspoken. I've said this at least before, but, um, I, uh, I hadn't really been going.

[00:58:01] Uh, and so they just sort of relieved me of that responsibility. Uh, so I was, I was no longer invited to attend, uh, is how it worked out for me. So, um. Uh, yeah, so I mean, it's, you know, and eventually I found my way to the military as well and, and the Air Force, you know, cause the only branch of service that I care about.

[00:58:19] Um, no, it's just kidding. Uh, love all the branches of service. Please don't throw tomatoes.

[00:58:23] Neal Bridges: That's right. Love all the branches of the service,

[00:58:26] AJ Nash: they're not all equal, but we're all very important and useful. It's a, it's a good system. Some are not equal as others, but we're all good. Um, but no, the Air Force saved me in a lot of ways too, man. So I think that's a good story.

[00:58:40] Good little recruiting pitch for anybody who's not sure where they are in their early to mid 20s and want to, you know, uh, maybe a different sense of a way forward. Um, all right, cool. Listen, we're, we're out of time. And then some, frankly, I'm sure they'll edit some of this down, but I really want to thank you, Neal, uh, for coming on being the inaugural guest on Unspoken Security.

[00:58:57] Uh, this couldn't have gone any better. I'm super happy about it. Uh, thanks again, man. I'll look forward to talking to you, you know, both on your stream and here and just, you know, catching up in conversations. Uh, for those who don't know Neal Bridges, I highly recommend looking him up on LinkedIn, um, you know, and talking to him about what they're doing at Query AI, see if you can get on his show.

[00:59:15] His show's awesome. If you have, if you don't know about his stream, you should certainly find out cause it's fantastic. Um, you know, Neal didn't even bother to mention his cancer that I've mentioned several times, but Neal's currently kicking cancer's ass while we're having this conversation, which is pretty.

[00:59:27] Pretty freaking awesome. And he's also working his way towards the senior tour of the PGA. So, I mean, this guy, he's doing amazing things all the time. I couldn't thank you enough for being on man. Um, you know, I'll, I'll, I'll have you on again as soon as I get through a few other folks, I'm sure. Um, but thanks for being here.

[00:59:43] And, and for those of you listening and watching, you know, the first episode of Unspoken Security, thanks for taking your time to be here. Uh, I look forward to chatting with y'all here again in a couple more weeks, and we're going to keep this rolling forward. So for Unspoken Security and for ZeroFox, my name is AJ Nash.

[00:59:58] Thanks again, and have a good day.