Unspoken Security

Facts and Myths of Insider Threat Programs

June 10, 2024 AJ Nash and Virgil Capollari Season 1 Episode 16

In this episode of Unspoken Security, host AJ Nash welcomes Virgil Capollari, the founder of Adaptive Risk Strategies, to dive into the intricacies of insider threat programs. They discuss the often misunderstood aspects of these initiatives, emphasizing the importance of clear definitions and transparency to foster trust within organizations.

Virgil, leveraging his extensive experience in intelligence and risk management, highlights the fundamental elements required for an effective insider threat program. He stresses the necessity of executive buy-in and continuous training to maintain security awareness across all levels of an organization.

The conversation shifts to the delicate balance of maintaining confidentiality during investigations while being transparent about processes and objectives. Virgil advises against excessive secrecy which could alienate the workforce the program aims to protect. Instead, he advocates for a collaborative approach to strengthen the program's effectiveness and ensure organizational security.

Finally, as with all episodes of Unspoken Security, AJ presses Virgil to share something he has never talked about before; something unspoken. Virgil responds with a powerful lesson about the risk of - and potential harm that can be caused by - cutting and pasting.


Unspoken Security Ep 16: Facts and Myths of Insider Threat Programs

AJ Nash: [00:00:00] Hello, and welcome to another episode of Unspoken Security brought to you by ZeroFox, the only unified external cybersecurity platform. I'm your host, AJ Nash. For those who don't know me personally, or first-time listeners, I'm a traditional intelligence guy, spent nearly 20 years in the intelligence community, uh, both within the Air Force.

And then as a defense contractor, most of that time was spent at NSA. I've been in the private sector now for, I went and checked my own resumes. I can't remember now, closing on eight and a half years. Uh, primarily I build Intel programs or I help people build Intel programs, build effective intelligence driven security practices.

I'm passionate about intelligence and security, public speaking, mentoring, and teaching. I'm also deeply committed to servant leadership, which is why I completed my master's degree in organizational leadership at Gonzaga University. Go Zags. Uh, the goal of this podcast is to bring all of those elements together along with some incredible guests and, and have authentic unfiltered conversations, maybe even debates about a wide range of topics, [00:01:00] challenging for most of us in this industry.

This is not going to be a typical polished podcast. You might hear or see my dog. She's usually around here someplace. Uh, people may swear. Uh, I certainly do on a regular basis and we might argue or debate and that's all okay. Think of this podcast as the conversation you might overhear at a bar after a long day at one of the large cybersecurity conferences we all go to.

These are the conversations we usually have when nobody's listening. Now, today I'm joined by an old friend of mine going all the way back to the time we were together in the air force. It's Virgil Capollari. Now, Virg has decades of experience in intelligence, risk, and insider threat within the DoD, DIA, the financial sector, and also as the founder of a boutique consulting firm, Adaptive Risk Strategies.

Uh, Virg, anything else you want to tell people that I left out?

Virgil Capollari: Uh, no, that was a very warm welcome. I just want to highlight that. Uh, I think I'm forever a student of life, risk, and security.

AJ Nash: [00:02:00] All right. Well, it's a good strategy to have. I'm always learning something usually from smart people like you. Virgil is also the prettiest Albanian I'll probably ever have on show. Um, so if anybody wants to know more about that, feel free to reach out to him directly. He'll tell you all about his cute button nose and green eyes.

Those are direct quotes, uh, for those who aren't actually seeing the video and are listening to the audio.

Virgil Capollari: We're off to such a fine start.

AJ Nash: That's what you get for joking before we got on, before we started recording Virgil, I use everything, man. You got to know better than that. Uh, yes, this is gonna be a good time.

We've been together a long time. Virgil and I, like I said, grew up together in the Air Force. Um, I was, uh, not, uh, the model airman, uh, and neither was Virgil, if I'm gonna be honest, but, uh, we both grew up to be somewhat successful in life. So,

Virgil Capollari: Well, I was going to say, uh, you've picked up the skill of a bus driver because you threw me under a couple of times.

AJ Nash: Yeah, man, that license was hard to come by as it turns out, I have backup job in case this doesn't all work out. And I need something to do so I can drive the bus over just about anybody. Uh, all right, listen, [00:03:00] man. So today's episode, we should jump into this thing. Uh, today we're going to talk about the facts and myths of insider threat programs, because frankly, I mean, there was a lot of misconceptions about insider threat, about what you do, uh, you know, and what you've done for a long time now.

And I think there's an opportunity for people to better understand how most of us, you know, can see insider threat as a partner instead of an adversary, which I think is how a lot of people perceive insider threat programs, um, as you know, the spies that are watching us or that kind of a thing, right?

Which is, which is really not the point. Uh, I'm aware of that, of course, um, but I'd like to have that discussion, you know, with an expert and that's you, right? And so that you've been doing insider threat a long time now, uh, in the government space, long after we got done doing, uh, linguistics together in the Air Force.

So. You know, let's jump into this one, man. What do you see, first of all, like, set a baseline. What do you see as fundamentals for, you know, an effective insider threat program? What does that look like to you? Mm-Hmm.

Virgil Capollari: Uh, well, first and foremost, uh, anything you do has to have definition. People have to know [00:04:00] what it means has to be, uh, and how it's applied. Therefore, if the concept is poor in its construction, everything else around it is going to follow suit. So. Has to be clearly are, uh, clearly defined, articulated, and most importantly has to have buy-in from the top downward.

AJ Nash: Mm-Hmm.

Virgil Capollari: It's very difficult to try to build it the other way around. So after you have all those elements, you have to have a training program to once again, reinforce those concepts and keep training, training, training. Why? Because, uh, these are perishable skills and what becomes out of sight becomes out of mind.

Then you need the right kind of tool set, which means you need the right kind of expertise, knowledge, and you really need to be your own evangelist and your own program's evangelist. At the end of the day, you should be the chief crafter of your message. And what you do, uh, so, and then, [00:05:00] uh, after all that's said and done, you need the right kind of processes and procedures in place so that it reinforces the trust and gives everyone an equal footing.

Uh, what I do not recommend is keeping the program secretive and not communicating with anyone. Uh, you don't want to become the very threat to the program you're trying to enhance. So work to be a better friend. Uh, don't undermine what you're doing.

AJ Nash: So, that's a good point. So I, you're talking about being secretive, right? So I've worked, I, I don't work insider threat for anybody who doesn't know that, I'm sure anybody. I've worked with that insider threat. I'm an Intel guy, right? So I'm a big believer in partnerships, Intel. Everybody's a customer of Intel, in my opinion, insider threat, physical security, you know, the, the SOC, you know, take your pick, right?

Almost every HR, everybody can be. Um, but you talked about, uh, you know, transparency and trying to be open and trying to, to not be so secretive, but there's a balance there, right? I mean, obviously. [00:06:00] The nature of the work of insider threat, you know, you're, you're investigating folks. Those are closed investigations.

So how do you, how do you have that open kimono? So people know what you do and understand your processes and understand the structure and your goals and objectives and still keep that separation to keep the integrity of the actual work itself.

Virgil Capollari: I go back to definitions. A lot of times you hear a lot of, uh, uh, conflation of terms and terminologies. Uh, they conflate risk, security, and threat. All three are not the same thing. So I kind of like to discuss risk in and of itself. Life is risky. What we do on a day to day basis is generally risky. We don't think about driving on an interstate highway is something risky. It's just something we have to do to get from point A to B or C and D depending on what we're doing. Uh, the other point of it is that a threat and I kind of use the, uh, the government Department of Defense's general definition, uh, [00:07:00] an entity with a, uh, the means and capacity to want to exercise harm. Not every sure.

Not everybody in, uh, not everybody in your organization is waking up with the, uh, with the pre cons, uh, premeditated concept of trying to hurt the company, hurt the organization or hurt you. So let's kind of reserve certain words for when they really become applied. Uh, but once again, uh, it comes down to how you articulate that at its earliest stages, and if you're throwing the word threat around, uh, loosely, uh, in my personal opinion, you're really undermining the very nature of your program, which is to protect people.

AJ Nash: So do you think we shouldn't be calling it insider threat? I mean, do you have another term that you're using for this?

Virgil Capollari: I think insider risk may be, uh, maybe a better, uh, kind of initial point, or at least communicate risk as [00:08:00] the primary function piece of it. Some things that are risky can lead to threats, but not everything is a threat.

AJ Nash: Interesting. Yeah, that's a good point. I don't think I've heard it said that way before. In fact, I'm quite confident I haven't. And I think it's an interesting point. Like you said, I think insider threat as a term, and it's, listen, it's an industry term. I doubt that you and I having a conversation today is going to change that.

But I think you make a good point that it, it, it creates an adversarial start, right? Everybody's seen as a threat. That's a problem right from the start. And everybody's not a threat. As you said, it's, it seems like it's more about mitigating risks, whether those risks are, are malicious intent, whether they are accidental, you know, anywhere in between, you know, somebody who's a victim.

Um, it's, it's more about, as you said, you know, adversaries. Uh, who have intent and capability are threats, right? Um, but what you're talking about is risk. It's a combination of those factors along with weaknesses and vulnerabilities. Um, I think that's interesting. I'd be interested to see what that takes off.

I think talking about his insider [00:09:00] risk instead of insider threat. Um, so you also mentioned talking about, uh, you know, building that communication standards and processes and structure. Uh, you know, can you talk a little bit about. You know, we don't need to go too far into the weeds, but I, I am curious a bit about how that gets set up.

You know, in Intel we talk a lot about, you know, building processes obviously, and there's a lot of standards to how you write and how you, uh, do analysis and how you assess and how you, you know, communicate and how you report things. But for you, what does that look like when you talk about processes and standards like tactics, techniques and procedures for doing insider risk?

I'm gonna call it insider risk now. Uh, and just upset anybody who's a professional besides you in this industry, I guess. Um, and also like, how do you document and manage standards for, you know, ethics, objectivity, uh, you know, we have, we have structured analytics techniques and Intel side. Is there something like that, uh, you know, in the insider risk side of things?

Virgil Capollari: Well, I'd say so. Just very similar to Intel. And having come from a long career in intelligence and counterintelligence, uh, it [00:10:00] begins with the earliest communication to the stakeholders, to those, uh, individuals that you're looking to partnership and work with. Why? Because no insider threat program can act alone, so you kind of need to understand what the norm is or what the normative flavor or as I would always say in my, uh, intel life, if another security professional thinks something's a concern. It's probably worth listening to, to kind of see where that may go. So, uh, I don't have to understand every discipline's ins and outs. Uh, but I think, uh, I think any security professional would be wise to listen and, uh, use that kind of as the, uh, base point for building out. The other part of it too, is like, just like when you're building a house or building out any other program, I do a lot of volunteer work with veterans, veterans organizations.

And I'm always willing to listen to what the stakeholders and other people want and what they're able to do. Cause then [00:11:00] we can kind of leverage and build around it. I think too many, uh, I think that once again, very similar to the messaging. If you build it with too much of a narrow focus or not enough, uh, you're not really serving the very needs of the program to begin with and the organization.

AJ Nash: So, I mean, that sounds familiar to me, obviously, in the Intel side of things, we talk about stakeholders and requirements. Every episode seems like I'm hammering about intelligence requirements, you know, stakeholders engagement. Right? Uh, so this, this sounds familiar to me. How do you view for the insider risks program?

You know, risk program? How, who are you viewing as stakeholders? And how do you, how do you work to collect data from stakeholders? Requirements in, I don't know if they're called Intel requirements for you, if you have another term for it, but how do you, how do you look to collect those requirements to codify those requirements to make sure that there's a shared understanding between the identified stakeholders and your program on what, you know, what you do and don't do, right?

Where are the guardrails? I'm sure that ethics and objectivity piece comes back in there as well. How do you, how do you build [00:12:00] that relationship? How do you structure those things?

Virgil Capollari: When I'm talking to a client, when I'm interacting with other professionals, I try to get a better understanding of what they're doing, which begins with rapport, rapport, rapport. It was, it was true when we were working in our intelligence business, whether it was human intelligence or counter Intel. If I come to you right from the start.

And start preaching a bunch of rules to you and what you have to do. I'm probably going to turn you off. How about I try to get a better understanding of who you are and what you do. And, and I find that, uh, since, since this tends to be more of a support to a large organization, subordinating our egos is probably the first thing we need to do.

And work on the relationship because. One problem with building out procedures and rules is if you make it too narrow, you're going to shoot yourself in the foot because in my opinion, you're not going to catch those other things, nuances, [00:13:00] observations that people may see. And, uh, You know, uh, but if the, if you don't articulate the process as well enough, then you may not be capturing what needs to be take a look at what's existing in place.

Once again, just like the messaging build around it. That's my, that's my recommendation.

AJ Nash: I think that's really good. And you talked about, uh, you know, took a look at what's in place. Um, you know, making sure you're not too narrow scoped, you know, with the, with the tooling, you know, so you're talking a little bit about TTPs earlier with the tooling. I mean, again, we're not here to plug specific, you know, tools and, and.

You know, platforms, whatever. I mean, you're welcome to if you want to really care, but I'm curious about the tooling that goes into some of this stuff. When you talk about getting baselines and understanding, you know, is it behavioral analysis tooling? Uh, at first baseline, is it really? I mean, I'm sure you have to figure out at first, does this organization have any sort of insider, you know, risk program?

Um, but you know, how much, how important is it the visibility [00:14:00] into, you know, the, the baseline, right? That baseline behavior on normally it's endpoints, right? On, on, you know, Laptops and phones and that kind of thing. Um, but you know, is there a, how challenging is it to get the right tooling in place, especially if you're starting from scratch or to, to determine if you have the right tooling or need to make changes in some of those areas?

Virgil Capollari: If you're looking at it from purely an electronic, uh, viewpoint, which is where a majority of the programs, it's very difficult. There is a ton of, uh, Uh, alleged out of the box solutions that are going to resolve every one of your problems. And there's an endless amount of literature and salespeople promoting them.

I'm not saying that they're not helpful. I'm not saying that they don't deliver on some of the points, anything that seems to be too good to be true probably is. I kind of wind it back as we were talking about the education piece, the training, the awareness, you know, if I tell you AJ, I don't ever want you to think about a purple horse, [00:15:00] I've now put that in your head, let's,

AJ Nash: about now. Mm-Hmm?

Virgil Capollari: But let's talk about something much more because it's on base level conditioning and it's about working and making your human element, the first foundational layer, because if I said to you, uh, whenever you go to your favorite store in Minnesota, I don't know, Target, and, uh, whenever you leave your neighborhood, I want you to count how many, uh, white houses are on the right side of the road as you're leaving. Those white houses have been there the whole time. You just haven't thought about it. Maybe you probably had it more subconscious. That's essentially what we're going to do with the training piece. We're going to get you to kind of think about it without changing what you're really doing. Cause I don't need you to disrupt what you're supposed to be doing.

All I need for you to do is if you see something that's kind of strange to you, let us know. As far as the tooling goes, [00:16:00] program can survive without some sort of case management system or Yuba. You know, uh, user behavioral activity. So what I would say is, uh, think about it like a house. When you're having a home built, uh, you need a bunch of different people with skillsets working together.

So you need a plumber and you need an electrician. You don't need one to do the other's job, but you need them both working in tandem. So as you're building out the program, uh, your case management system should be built around the messaging and training piece. Because, uh, your focus, regardless of what you have is going to shape whether it's successful or not.

AJ Nash: So, so when you're talking about training so far, you're talking about training the workforce, you're talking about training. Uh, are you talking about training managers and just, you know, general workers? This is the, the see something, say something model. Essentially, we've all heard about, you know, counterterrorism and everything.

Of course. Um, so I'm, I'm curious about that and, and the training and the, the [00:17:00] awareness, I guess is probably the type of training you're talking about, but then let's also, I want to learn more about that, but then as a two part question here, so I can talk less and listen more after you've talked a bit about that.

I'm curious to know about the training of the team itself. I'm going to make the assumption here. The insider risk is, is not just one person in a closed room. Although I know that. Uh, but the training for the, for the insider team itself, you know, in terms of, uh, not just the tooling and some of the, you know, some of those things, but you said, you know, see something, say something.

Okay, great. So I'm the employee who saw something and said something. How do you train the team? You know, how are they going to react to that is, you know, to make sure they don't jump to conclusions to, to stay, you know, unbiased to, uh, I know you and I've talked a You know, prior to being on this today about actually biasing towards the accused for lack of a better word, you know, to stay really objective and not jump to the, ah, they must be guilty.

Let's put them away, which I know some people in this industry is certainly counterintel. There's lots of folks that are looking to break the next spy. And so, every [00:18:00] opportunity is a chance to be a hero, right? So how do you, how do you train the workforce to, to be diligent and aware without becoming paranoid or over the top?

And then how do you train the team to be objective and run through a process?

Virgil Capollari: That's an, that's an excellent question because

AJ Nash: Thanks. I worked hard on that one, man. Took me a while to think that one up and everything.

Virgil Capollari: I got to tell I got thank your dogs and every,

AJ Nash: Yeah. Yeah. Riley had a lot to do with this one.

Virgil Capollari: I would say that it has to begin kind of with the earliest side of it. Uh, I think he kind of, uh, it's incumbent upon a really effective program to kind of have a natural dose of skepticism if you're going to If you hear something and you're constantly reacting, in my opinion, your program's not proactive. In that case, you're just being reactive and there's not much difference between that and the eight o'clock news every night. That tells you it's the end of the world. Step back, [00:19:00] assess all the facts, make a decision. I spent many years as a counterintelligence special agent. I spent many years as a human intelligence agent.

I can tell you right now that throughout my career, the stuff that I thought was going to be really big wasn't, and the little things that I didn't think there was much to at first turned out to be far bigger than I thought. So, uh, it's a, it's important to kind of stop, pause, assess, re-engage, SPAR. If it's too good to be true, once again, we come back to it.

It probably is. However, you're not, you're not charged with any position other than being a fellow team member in a large organization, which means base level respect for your peers. And the people that you're alleging in programs you want to protect should be the driving force behind what you do. Now, you may come across elements that are, uh, up [00:20:00] to something, maybe more nefarious or malicious.

That's not for you to determine. In my opinion, what we do is we gather information. We bring in other stakeholders. We give them what we find. We, we may offer at times our assessment of the situation. After that, there are other professionals that handle it and may choose to. Uh, so that's where, uh, that's where I think, uh, the impetus really needs to come down to is. Understanding our inherent roles and our limitations. And I think, uh, kind of stepping back sometimes may do us far more good than not.

AJ Nash: Well, and that reminds me a bit of Intel, uh, you know, and Intel, we always talk about, listen, as an Intel professional, our jobs are to gather everything we can, all the data, all the, all the, uh, Indicators, all the facts, all the, all the everything, right? And apply analytics to, you know, standards and tradecraft apply, you know, techniques, um, and analytic techniques, [00:21:00] and then provide our, our assessment and our, you know, our best.

Understanding of the situation and maybe some recommendations, but after that, we get out of the way, right? We're not operators. We don't, we're not trigger pullers, um, you know, to, to use the old military terms, you know, we may provide. Recommended course of action, a whole bunch of them, but then you hand it off to the people who actually are going to go in and do the operation, whatever it might be, whether it's in the military side, whether it's now on the civilian side, it sounds like you're saying it's similar and insider threat in that you do all the research and you make the assessments and you make the recommendations.

To leadership, and then, as you said, there's other professionals that make the determination. Is this, is this a legal issue? Is this a, you know, whatever the next steps are, you know, insider risk programs, um, which sounds really interesting to me. I hadn't really thought of it that way, I suppose, but, um, it makes you another, in a sense, another independent party.

That's that's a counselor to leadership. I would say. Say in that you're you're knowledgeable, but you're not making the call. Right? Um, I, suppose that does create that humility. You're talking about then, you know, it's not about trying to get the [00:22:00] next person. It's just trying to get to the facts and get to the truth, um, which is tough.

Sometimes I'm sure you guys are dealing with not just what happened. You know, what did somebody do? When did they do it? How did they do it? But why did they do it? Um, you know, it was a big piece and, you know, was it malicious, you know, where they tricked into doing something versus whether they did it on their own?

Was it an accident? Um, you know, I mean, some things I'm sure stone cold cases, somebody stole a whole bunch of IP and sold it on the dark web and you watch the whole path or whatever, but I'm sure a lot of them are much more complicated than that. Um, go ahead.

Virgil Capollari: For many years, inside the defense industrial base, we had all sorts of counterintel investigations trying to, uh, figure out X, Y, and Z. One of the earliest, uh, one of the earliest kind of learning opportunities or engagements I had was When people reference countries or activities, I think we is, I think it's logical to have this preconceived notion of, of the caricature of the [00:23:00] individual from that country with that accent.

You stick around the business long enough, just because it's that country doesn't mean it's a member of that society. And I think that's where, where it kind of, uh, causes you to readjust. Uh, if I talk about a, uh, countries in Asia with over a billion people, just because those countries may be doing something doesn't mean that the individual working on their behalf comes from there. Same thing with terrorism. And I know that you and I were both around during 9/11, both in the service, but afterwards, how many people have they found were engaged with terrorist activities who have no absolute direct connection to the Middle East?

AJ Nash: Well, yeah, lot

Virgil Capollari: here. Same thing applies here. And, and once again, we have to be constantly concerned about our own awareness bias. Because if we're only seeing one thing and one thing all the time, [00:24:00] that's what we're focused on. It's time to step back. Just like being a member of any other organization, committees. It's the integrity of the program that supersedes our own personal opinions and desires. That's at least how I've tried to approach it over the years.

AJ Nash: Yeah, I love that point. You know, the, the bias, right. Um, and, and being able to step back from that. I mean, listen, if, if, if we said, you know, a terrorist act, uh, happened, right, I think a lot of people will immediately picture, uh, well, these days, uh, a Middle Eastern person, right. Uh, I think that's the bias. A lot of people have meanwhile, domestic terrorism is massive problem.

Uh, it's generally white guys. Um, not always, it can be anybody, frankly, but it is, uh, terrorism in, in Ireland, uh, been a problem going back a long time. Um, uh, I promise there weren't many Middle Easterners involved in that. I don't think there were any, um, terrorism is around the world. It's, it's not a geographic issue.

There certainly is a lot of, you know, uh, uh, religiously generated terrorism that [00:25:00] comes out of the Middle East right now. Um, you know, so it's not a non issue. I'm not going to pretend it isn't. Uh, a real thing, but I think you make a good point that, you know, people have a bias, right? And if you said, oh, this, this activity came from, from China or from India or whatever, uh, and there's that bias.

And then you realize, well, somebody could just be using their infrastructure or their architecture, or they could be a contractor or they could be placed there by another nation. You know, we talk about nation states a lot of time and you see that crossover, uh, you know, uh, people who are, who work for one government, but are inside the borders of another, uh, you know, we've, we've seen that, uh, you know, Russia, China, that kind of thing.

And then, you know, Iran, and then you've got the question of, are they partnering? And that's why that's happening. Or are they there because they're co opting somebody else's architecture so that they can then put blame on that country or have somebody chase that down. So obviously in Intel, we've gone through a lot of this, and this is why attribution is so difficult because you can't just say, well, it happened there.

So that's the people responsible. Not necessarily. Let's slow, slow our roll a little bit. And look and see,

Virgil Capollari: Humans are far more complex and you know, [00:26:00] both you and I have, uh, been in the Intel business for many years. Even prior to our venturing off in our private lives.

AJ Nash: just calling me old again. Every episode, somebody calls me old. I got It's okay.

Virgil Capollari: couldn't help myself. It was kind of a knee jerk reaction,

AJ Nash: right. That's

Virgil Capollari: but beyond that, but beyond that, humans are also more nuanced and complex.

And I think that we live in a day and age, and this will be maybe a point of maybe you want to bring up here in a little while, but I think it's really quick to want to slap a label on something or somebody. Humans just don't operate like that. It's, you know, uh, I kind of liken it to my upbringing and family from the Balkans. Many Balkan countries will blame Turkey for everything because of the Ottoman Empire. But if you try to rationally explain to somebody that, well, the Republic of Turkey is not the same thing as the Ottoman Empire, uh, it becomes a little more difficult and then, oh yeah, what have you done in the hundred years [00:27:00] since the Ottoman Empire's collapsed?

How can it still be Turkey's fault?

AJ Nash: At some point you got to move on from that. And listen, I, I was a, for those who don't know, I was a linguist in the Air Force, uh, serving in Croatian. Um, so I'm familiar with the Balkans. Obviously Cap's got background there as well, both as a linguist and, and, you know, as personal history, his family background, uh, we're not here to refight the Balkan wars, which I'm sure in another 50 or a hundred years, they'll take another swing at it themselves.

Cause it

Virgil Capollari: Oh, yeah.

AJ Nash: wants to, uh, but, but you make the right point, you know, in my opinion, at least in this, it could be other regions. I mean, I don't want to go too far down that path, but it's at some point you've got to move forward from whatever. And I'm not saying the past didn't happen.

I'm telling horrible things didn't happen. Pick a geography, pick a nationality, pick a culture, pick a race, whatever it is you can pick. Almost across the board. You can say that's that's there. But at some point, it's how do we move forward if we keep looking back at those things? And you talked about how people are complicated and those biases exist.

So actually, it brings up a question I wanted to ask. Um, [00:28:00] you know, the world is a complicated place. There's a lot of terrible things. There's always a lot of terrible things, by the way, going on in the world. For those who don't know, we all think this is a really violent, horrible time in history because it feels that way and it is to an extent, but it's actually the least violent time in human history. We don't see it that way or perceive it that way because we see everything now, you know, but in antiquity, we didn't, we only saw what was around us.

So there was violence and terrible things going on around the world. We just didn't know. But that said, it's still a dangerous, violent, you know, scary place to live. How does that impact when you're talking about insider risk, right? How, how does the geopolitical events going on around the world, how does that affect a workforce?

You know, is it something you're concerned about when it comes to insider threat and insider risk? Is it something you have to calculate and prepare for? And how do you, how do you, how do you work through that? And again, those are political minefields, right? If, if you say, Hey, this, this thing happened. And as a result, you know, we know we've got some folks who might have interests here because they have family there or whatever.

How do [00:29:00] you take that approach without worrying about crossing a line and being seen as targeting somebody or picking a side or political, you know, the, listen, Gaza and Israel. I mean, we can use that one as an example. It's, we can talk around it all day, but people are going to think it anyway. Um, you know, bad things going on there.

Yeah. If you have, you know, employees that, you know, have, uh, historical ties, family ties, religious ties, uh, you know, to the area, you know, does this become an issue you might have a concern for, but at the same time, you don't want to cross over, you don't make assumptions and you don't want to start targeting people, but you also can't ignore that world events impact people.

So it was a long way for me to ask what should have been a short question, which is how do you work through all of that complicated morass when it talks about geopolitical events. And, and is this something you think about in terms of workforce and possibly raising the risk or the, or the threats of, of insider activities?

Virgil Capollari: Short answers. Absolutely. Let's

AJ Nash: Okay. On to the next question. No, I'm just kidding. 

Virgil Capollari: let

AJ Nash: going.

Virgil Capollari: me kind of wind this back here we're as we're talking. Uh, I, uh, I do various, [00:30:00] uh, foreign travel security, uh, uh, presentations. I prepare people and they traveled to other parts of the world where there are ongoing conflicts, ongoing issues, struggles, uh, political dilemmas.

And, uh, when I look back to my, uh, counterintelligence life and I look back to my human intelligence life, this would have been one of the ripest times to kind of seek out individuals. Now I'm going to put in a plug for Dr. Eric Shaw, who talks about, uh, insider risk, but more importantly talks about the critical pathway, uh, to behavioral issues and, uh, stressors and various things that could affect someone during the course of their life and day, financial, divorce, uh, death in the family, other things, other distractions.

It's not that necessarily these people are bad people. It's just that sometimes life gets in the way. And they may not [00:31:00] be as alert to what they're doing. So just because we see an activity on the other side, we don't necessarily have the whole story. And this is where the, uh, former, you know, special agent me kind of comes out and says, it's incumbent upon us to try to learn as much as we can about what's going on.

What led to that? So as to determine whether this was malicious or not. Now, the end result is still the end result. And that will probably be dealt with by, uh, other stakeholders, other people, much higher on the food chain.

AJ Nash: Hmm.

Virgil Capollari: If we're not asking the why, then what we're really doing is we're just checking a block and behaving like a compliance. And, uh, this is kind of where I editorialize: if the insider threat or insider risk program is compliance driven, in my opinion, it's going to have a compliance reaction, and it's probably not going to be as effective and it's going to, [00:32:00] uh, likely hinder progress. I understand that, you know, there's varying degrees of it, depending on what industry you're in. Uh, the other thing too is I think, uh, and this is just kind of me editorializing. I think that anytime the government pushes a certain type of requirement, it almost inherently will, uh, create this checklist mentality. Therefore we've checked these blocks. We've done what you wanted. The idea is to think a little more openly about that and try to really deliver. If all you're doing is checking blocks, then what makes you special?

AJ Nash: Sure. But you gotta be able to balance those things, right? I mean, I don't disagree with you, by the way, if, if all you focus on is compliance, whether it's security, whether it's Intel, whether know, insider, yeah, if all you focus on is compliance and checking the right boxes, you're going to miss a whole lot of stuff, right?

I mean, compliance is really meant to be sort of a minimum standard, not the, not the perfect standard, but you have to be able to do both, right? Yeah. I mean, compliance compliance. You can't just [00:33:00] not do it. So, and sometimes cause you're underfunded and under, you know, underutilized and under, manned and womaned, uh, however you want about it.

Undermanned.

Virgil Capollari: Understaffed. There

AJ Nash: Understaffed. Thank you. That's the word I'm trying to find here to get off of that. Understaffed. Somebody will edit that out and fix me later. Um, so when you have all those challenges, you got to be able to do the compliant stuff first, because that's the stuff that keeps you in business.

But you're, what I'm hearing you say is you, you got to go beyond that into there's more of a human approach, right? People are complicated. As you said, and it's messy and, and your check boxes get you through, but they don't necessarily make you safe. And it's hard because you're talking about now getting into into much more complicated issues of really understanding the depths of people, which I assume means communicating with HR, for instance, you know, you talk about stressors, you know, if somebody's going through a divorce or a child custody case or financial stress, I know those are a few indicators, you know, of possible challenges.

You're going to have to work with HR on that, which of course is close hold things, but [00:34:00] it's a human approach. It's understanding the person and not to get them, right, but, uh, to understand, you know, who might be a likely target. I'm going to look at it from a positive standpoint of others, targeting our folks to try to turn them into insider threats when they're not intending to be one.

Um, helps to know what their vulnerabilities might be and, you know, what they may be up to, which might include, you know, what are they posting on social media? Do they seem like they're distressed? Are they, are they stressed? Are they angry? Are they, are they challenged?

Are they financially struggling? Uh, maybe they're having mental health challenges, whatever it might be, right? To try to prevent somebody from, um, being lured into making a bad decision. Um, but that takes a lot, right? So you got the compliance stuff. Do you, do you find programs have enough resources to do the must haves?

And the really should have is a need to have to be successful.

Virgil Capollari: The answer to that would be no. And I'm going to explain why kind of with it, because as I look at my career from a, from a, uh, intelligence collection side of the house with people in [00:35:00] trying to recruit, uh, identify possible sources, this would have been a ripe environment. It. As those stressors that you mentioned, because if you're distracted, if you're, if you're, if you're thinking about things outside of there, it's going to make my life a whole lot easier.

So when talking about the staffing standpoint, the reason why I kind of go back to my original point of being the evangelist is because you need to recruit your organization to be one giant layer, that human layer. You're going to have, you're going to go from having a handful of people in your program to a lot more.

Why? Because they're helping identify things you might not. So it's about winning them over. And if you're not winning over your organization, that may be more reflective too. Uh, in my life as a special agent, regards to the presentations, I gave counterintelligence awareness. It was incumbent upon [00:36:00] me to make sure that the message was delivering, which means it involves eating crow, stepping back and allowing, uh, and allowing people... The other side of the modern coin is there's a real lack of empathy in modern society. People need to, I think if we take a little more time to empathize with the people around us, regardless of what we may think of them up front, chances are, it's probably gonna have more beneficial results

AJ Nash: I'm glad you said that. I apologize. I'm gonna cut you off. Cause forget thoughts otherwise. Cause I'm ADD, but I'm glad you said that. Cause that's what I was going to jump in with is when you do training, you know, the, the counter awareness, you know, counterintel, we've talked about in the awareness, right?

See something, say something, all the trainings and you and I have had those, you know, I guys like you gave them to guys like me in the Intel community too. But is it just, and it sounds like it's not, so I'm setting up for an easy answer. It's not just the see something, say something and all those. You're saying, I think, I don't put words in your mouth.

We also [00:37:00] have to train the workforce empathy, right? To better understand our fellow person, right? To, to, to take that time because that affects the see something, say something approach. If I see something and I have no context. I may report that, and if I have some context, cause you know, I'm taking time to actually get to know people around me and actually care about the people I work with and for, or who might work for me, then maybe that context allows me to, uh, better understand it.

And either, either now I'm reporting something that has a little more substance to it and, and, you know, some reason, or maybe I'm able to go, Oh, you know what? No, they're just ranting because of this thing today, that this is probably not an issue. But does that also open you up to that question of, you know, do we want people making those judgment calls?

So do you include the human approach, the, the empathy you're talking about as part of your awareness trainings to people, whether it's as a consultant or for companies you've worked directly for, um, and how does that balance out?

Virgil Capollari: Absolutely. Anytime you lead with empathy, [00:38:00] it's not going to hurt because once again, you're building relationships. I can't stand the word connections. Well, I got these connections at work. It's too impersonal. These are humans. These are relationships. There's people we like and don't like and vice versa.

They probably don't like us, you know, and that's okay. However, what's not okay is, uh, to, to miss the signs. There's a lot of discussion these days about all these red flags, but if we're not seeing them and they're being flashed right in front of us, what good are they? What good are, what good is the program of any value if it's not connecting with the very people it's claiming to want to protect?

If you protect people, you protect, uh, IP, you protect product, you protect the organization. That's what it comes. It all begins with the human

AJ Nash: See, and I love that. I think two programs that I've often been talked or told, you know, remember, they may [00:39:00] seem like they're here to help you, but they really just work for the company, are HR, uh, you know, any place you go, you know, people will remind you as nice as the HR people are don't forget.

Ultimately they're, they work for the executives and their job is to protect the company from, from risk and harm. Right. And I love, by the way, most HR people I've ever worked with really good people, hard job, but ultimately it's a true story, right? They eventually are there to protect the company from risk.

They may really care about us and try hard, but push comes to shove. They're going to do what's best for the company. And I've always heard the same thing about insider that, you know, ultimately their job is to protect the company. And not, you know, we are part of the equation, but not necessarily the important part is the workforce.

But it sounds like you're really saying, I mean, of course you still have to protect the company, but it sounds like you're saying it really starts with the people. And I hear a lot more from you about protecting the people. From becoming the problem. And of course you'll find the malicious ones there. I mean, listen, they're going to show up either way.

They're going to be there, but it sounds like you're really much more focused on understanding people and protecting the people because that also does protect the company. It [00:40:00] can reduce the risk of somebody being put in a position to make a bad decision. They may not otherwise make an own. You can't do anything about the ones that are just straight up malicious.

You're going to find them. The cops are going to get a chance to talk to them and prosecute them or whatever happens. Right. But it's interesting and refreshing for me to hear you talk so much more about the people approach, get to know people, get to understand people, empathy, care about people. You know, we got a lot, I'm with you.

We got a lot less empathy in society and business now than at any time in my life. Um, it just seems like, you know, it's more people are, are out for themselves out for number one. Um, and as a result, don't pay enough attention to how to help other people, which is super depressing and frustrating to me.

Virgil Capollari: Year after year, year after year in January, there's a slew of different reports from industry talking about how insider threat has exponentially increased. And, uh, every, every incident has now cost X number of more dollars. So I'm sitting there thinking to myself, okay, after all these [00:41:00] years with all these programs out there, it keeps going up. Are we just missing what's in front of us? I know I probably am. And sometimes you need to pinch yourself and kind of step back. Uh, and I, and I, and I think that not enough people in the program space to do that. Second, if we're just chasing down a bunch of red flashing lights, like the little buzzer, like the mouse going after the cheese, what about when there's something bigger going on? Is this just another example of how alert fatigue has worn us down to where we're missing it? And are we really, are we really identifying the real threats and risks? Or are we concentrated on the low-hanging fruit? Essentially, the goal of the program is to, should be to not be a better victim.

I mean,

AJ Nash: Right. Well, and how do you convince people to care? You know, we just talked about companies will have, you know, people have lack of empathy and people are more focused on themselves, but at the same time, you're saying to [00:42:00] be successful, you're never gonna have enough tools and people. You need that layer of the workforce who is, you know, aware, let's see something, say something, but also, you know, provides that empathetic layer to understand people in context, but also.

But that also takes people caring about the company, which I think also is diminished quite a bit rightfully. So in my opinion, or at least justifiably so, because companies have proven they don't care as much about people as they used to. So, you know, how do you account for that? Or can you account for the idea of, Hey, here's a person who probably could be useful for us, but listen, they, they're just here to make money and they're looking for their next job and the next opportunity because the company just had another series of layoffs and most folks here realize the company doesn't love us.

So what do I care if Bob in accounting is stealing money? It's not my problem, right? I got my own things to do.

So, you know, I don't know if there's any way to attack that or approach that or it's an but I'm curious about how that plays out for you.

Virgil Capollari: I think, I think you kind of have to approach it from more of a, from more very simplistic adult approach, which is [00:43:00] I don't expect everyone to walk away with the same enthusiasm of a message. I gave counterintelligence briefings to a room full of people with very sensitive accesses to very sensitive programs.

I never once left there thinking, wow, everybody in there understood exactly what I said, and they're going to embrace it. And it's not that if you're able to connect with a few people along the way, that that becomes a force multiplier in and of itself. If you're, if, if, if the day consists of just sitting behind your computer.

And not talking to anyone and then the only time you're talking to them is when something bad's happening You kind of, you, you've created that awareness yourself. So I think it's incumbent to just get out. Uh, I do, like I said earlier, you know, I do a lot of veteran support. Very first question I ask a lot of veterans is how can, how can we better help serve instead of telling them what they need, once you ask them what they need, can, how [00:44:00] can our program better help what you're trying to do? 

AJ Nash: I love that. I think everybody probably realizes why, you know, I love you so much and why you're great to have on like humanist approach. How can I help servant, uh, you know, certain leadership? Obviously, I talked about the beginning. So, you know, you're, you're saying all these things, which I obviously believe in very deeply, but it's nice to hear that, you know, this is something you're, you're working on out in the world, out in the field and having a lot of success with clearly.

Um, so, uh, with all of this discussion, I mean, at some point, listen, if you're going to continue to have a program or build a program, uh, keep funding, gain funding, you know, et cetera, somebody has got to decide what, what does it look like? What does success look like? So who's accountable for success or, or failure?

If there's such a thing, I guess there is. And, and how do you, how do you measure that? Is it just a matter of, well, we haven't had an insider threats, uh, uh, attack. So we must be good because if that's the case, then people would just have terrible tooling and never, you know, if you don't find something, nothing bad happened.

Right? So it can't be that no, no bad things have happened, but also I'm sure you don't want it to be a bean [00:45:00] counting of the most, you know, insiders, uh, addressed and stopped because that is an overaggressive strategy and then forces people to go on the path of that's the metric to succeed. So now I'm going to attack every little detail and fight everybody.

So how do you, how do you determine the proper metrics for measuring a successful insider threat program and who's ultimately responsible for success and failure, uh, of that program?

Virgil Capollari: Shared responsibility. It's not just one factor. Metrics are part of it, and let's face it, metrics are a part of organizations. I think it comes with how the message is crafted. If one is only looking in terms of this is how many we've identified, that's only a partial picture. I think there also has to be other elements to it.

One of the things, uh, uh, I've tried to do and I recommend, I strongly recommend with clients is, uh, how much of the program involves training, because [00:46:00] in my, uh, in my opinion, even from my counterintelligence life, a majority of what I did was really training and awareness because that's what led to these other things.

And, uh, I kind of go back to the basic messaging of it. Uh, and then it's building the team around you. Supporting their inherent, you know, investigations programs, maybe their travel security, what they're doing, being able to deliver on those points. So I think that when, when, when just talking about metrics, I think you kind of, kind of break it down a little further, what is it where, what is it that we've really helped address? The message shouldn't be the same for every organization, because if we're going to say our company's unique, then we should have our own unique challenges. So I think it just involves kind of more baseline and then really it's understanding what each stakeholder views as success and you need to, my, my recommendation is you should tailor your message around that. [00:47:00]

AJ Nash: Okay. I mean, that makes sense. I think, you know, most organizations I've said this many times, uh, ultimately, you know, the C level, they only care about two things, which is, uh, you know, lower my risk or improve my profit margins. And to be honest, I've been modifying and saying at this point, they actually care about one thing, which is profit.

They'll lower my risk. It's just lower my risk towards my profit margin or towards my bottom line. Right. So how do you, do you make that happen here? How do you have metrics that are going to tie to these things? Now, risk reduction, I'm sure you work with a chief risk officer. I'm sure there's some risk ratings you can talk about and risk reduction is squishy.

I mean, there's math to it. I'm not an expert on that. I find it to be somewhat squishy because risk is a challenging thing. Uh, but I'd be interested in your thoughts on how this fits there. And then that cost savings approach, you know, Hey, we stopped this, uh, event from happening. Uh, and it would have been, or could have been, could have resulted in these kinds of damages.

Now preventative is always really hard. We have the same problem in Intel. If we prevent bad things from happening, how do we prove they would have happened with a reasonable amount of [00:48:00] And therefore, how do we extrapolate the costs and what we've saved you? Because prevention doesn't provide great metrics, but without it, then you don't have the metrics you need to, you know, justify funding the program.

So how do you tie insider risk, insider threat, depending on who wants to call it what, how do you tie these programs metrics to risk reduction in a justifiable documented mathematical type of a way? And how do you tie them to cost savings to show that? Hey, we're we're not a cost center. We save you more than we cost you.

And therefore you should continue to fund us and let us keep doing what we do. How do you make those things happen? Or

Virgil Capollari: That's a, that's a very good question. This is very difficult. I say it has to start off slow and has to start off with getting a better understanding of exactly the stakeholders you're working with and how they're measuring success, because at the end of the day, you're leveraging existing tools and functions within, within any organization to help kind of deliver that.

Therefore you're not requesting, uh, [00:49:00] another five add ons every year. You're making do with what you have. And let's face it, uh, even in the best of programs, you kind of have to do that. If you're not, sooner or later, someone's going to take a look at, okay, what are you doing exactly? And, uh, I think that, uh, I think that in the general messaging around it, you kind of help kind of condition that by not focusing specifically on that, but yes, you do still have to produce something and you can also tie in metrics to the amount of presentations, interactions, other organizations, how you've helped them streamline, because your insider threat program should really be organizationally focused.

AJ Nash: Now, does that mean you have connections to corporate training programs? For instance, um, I mean, you're talking about doing a lot of training and personnel training. Do you, do you find that insider organizations tied to training? Do they tie budgets together? [00:50:00] Sometimes, uh, does training offer any, any insights on how they value and create a metric that shows value for training, uh, which I also see are budgets that have a tough time sometimes, uh, beyond whatever's mandated, that is.

Virgil Capollari: So rather than kind of going to that kind of large organizational standpoint, see it as you connecting with a manager and then suggesting to the manager, what's, if you and your team have 15 or 20 minutes available on this day at this time, I'd be more than happy to provide something. Manager's involved, manager reaches out, so you kind of have the buy in at that level.

Now, at the same time, you're also working with the upper echelons to make sure that the message is coming across from top down, but you're also working across. Once again, by working with them, you're showing that you're trying to be a team player with them. And I say that that's how you kind of help conquer that.

And let's face it, word of mouth is far better than [00:51:00] any other thing. Because when someone says something to someone else, you know, uh, my parents passed away in the last year and a half, but I always, uh, you know, it's been tough, but I always, I would always laugh when my father would always know how much the house in the neighborhood up the road sold for. And I know that he was too grumpy to talk to any of the neighbors. So how did he know that somehow there was an intelligence network there that was alive and well, because the neighbors all knew it. It's the same thing with the program. Uh, good news and bad news travels fast. Average news doesn't.

AJ Nash: Yeah. I mean, it's a good point. You keep your, your ear to the ground, so to speak. And, and, uh, that awareness component, uh, you know, combined with the empathy we talked about and things will, will come to you. Um, but I think it's interesting. You're also talking about, you know, those, those building those, uh, relationships.

I like that you said, you know, relationships. I don't really like the word connections. I like relationships, you know, building those [00:52:00] relationships, uh, you know, really matters because that's where a lot of these things are going to come together and you're going to see them. It's also when you're talking about building these relationships, there's some perceived value, right?

We have the same things with Intel. Intel, ideally, if you do it really well, a lot of it is preventative, but then you run into the, why are we spending so much money on this? You know, bad things aren't happening. I, I use example all the time that if you run a bank and you don't get robbed for three or four years, nobody ever comes in and says, fire all the security guards, get rid of these cameras.

You clearly don't need these. We all accepted that there's a risk if you do that, but there isn't a metric that really tells you, well, what if I get rid of one camera or one security person? Or what if I got two of you? Where's the sweet spot? Where's the number, right? And some of that becomes a bit of a gut feel, I suppose.

Um, and I think it's the same thing you're talking about, about here, is building those relationships so that people say, I really like working with Virg. I like, I like, I like this program. I felt like the training we got was really valuable. I feel like our folks know what to look for now. I feel like I know what to look for and how to talk to people differently about some of these things.

And I believe that's going to pay off and that's going to prevent harm, you know, and I'm sure tied with an intel program as [00:53:00] well. We didn't really talk about that. We're out of time. So we'll do it another time. But how that connects back to intel and how the intel team is able to to feed in and say, these are adversaries you should look for.

These are, these are people that are targeting our company or our organization or, or people like them and having that as part of the awareness training, as you mentioned, right? So listen, I, I'm running out of time, so I gotta, gotta kind of wrap us up today. Um, you know, as you know, the name of the show is Unspoken Security and I get to ask every guest the same question and put them on the spot.

So you're, you're on the seat today.

Virgil Capollari: Oh,

AJ Nash: Yeah, with that in mind, uh, tell me something so far for you that has gone unspoken.

Virgil Capollari: Wow. A deep, dark secret,

AJ Nash: Don't confess to a murder. Like this is, you know, I don't have responsibilities, but yeah, you know, something that they haven't talked about with people. So I'm unspoken.

Virgil Capollari: Something unspoken. I rarely tell people that during one of my very first [00:54:00] investigations, I not only got the person's name wrong, but I got some other basic identifying information because I was too busy cutting and pasting. And fortunately enough, somebody in the DOJ was kind enough to call me and save me an enormous amount of embarrassment that told me no more cutting and pasting and trying to take the easy way out.

And it set me on a, uh, an overly meticulous, uh, pathway. I can't believe I've admitted this. I, it was beyond embarrassing.

AJ Nash: But it's, it's a, it's, I think it's a great, first of all, thanks for sharing it. And you'd be surprised how many people will share things and go, I can't believe I said that. Um, but, but thanks for that. I think, I think you make a really good point with this. First of all, it happened a long time ago.

Um. Uh, it didn't end up in harm, thankfully, because again, team game in this case, a colleague was able to reach out and [00:55:00] go, Hey, uh, you might want to check this. Um, I think there's great humility in saying, Hey, I'm not perfect. You know, things happen. Um, but it sounds like the lesson is the big piece, right?

You said it, I stopped taking shortcuts. I don't cut and paste anywhere. Now listen, all of us cut and paste stuff still sometimes, but the importance of the work. You know, whether it's Intel work, whether it's insider, uh, work, you know, some jobs and not to, not to put us ahead of anybody else. Everybody's job is important, but some jobs just affect more people differently.

And, and when you work in a job with such great impact, uh, you know, we did this in the military, right? You, you make a mistake and throw the wrong coordinates on a target and a bomb shows up, that's a rather significant problem. That is a more significant problem than accidentally overcharging somebody, uh, because you typed the wrong code into a system, right?

And that's not. Again, it's just how it works. And in your case, you're talking about, you know, bad information could have led to the wrong person. Uh, you know, it could have created all sorts of impactful things. So, you know, it's great to learn that. Go ahead, man.

Virgil Capollari: Well, I was so proud of that [00:56:00] report because I got it done. I was on top of the world. I was on cloud nine. I was borderline cocky and it was such a nice, uh, personal character readjustment.

AJ Nash: Yeah. Humility is always nice to pick up. Um, and, and we all struggle with it. I do as well. Um, but yeah, I think that's another key point you mentioned, right. It also could have, and I'm sure you've thought of this, I'm putting words in your mouth on this, but Intel, we talk about how difficult it is to do the work we do.

And same thing with you, you write these, you do this research, you write all this stuff, you make these assessments. And I think to me, our, one of our biggest challenges in our, one of our top jobs is to create trust, to get people to understand the processes and the, and the challenges and the difficulties and the time and effort that went into trust.

That what we've done has resulted in the best possible answer we could give. And it's amazing how quickly that can be eroded, right? Uh, this biological error being off. I remember reports were that there were minor [00:57:00] typos and then people would spend all their time questioning the typo. And you're like, this is a rather significant report with 600 sources. Perhaps we should look at the conclusions, the assessments and the recommendations, and maybe not the typo on page three that distracted you. But I think this is a key piece, right? That could have been a credibility issue. Uh, that thankfully somebody was nice enough to correct, but, um, you know, I think that's, I think it's great that you've, you know, you brought that one forward.

We've all done it, by the way. I can't count the number of

Virgil Capollari: Can I give one alibi,

AJ Nash: Yeah,

Virgil Capollari: One alibi to kind of, uh, on a previous topic, uh, we discussed, we are heading into what is otherwise going to be a, uh, a spirited presidential campaign season.

AJ Nash: to say the

Virgil Capollari: I am asking all security professionals, regardless of what your personal preference, political parties, whatever, pay attention, to see how this affects the, the workforce, because [00:58:00] unfortunately, people, a lot more people carry their political opinions on their sleeves, regardless of whether what they hold is true or not. And, uh, stay tuned. Uh, you may have a bumpy ride along the way.

AJ Nash: Yeah, I think that's a, that's an excellent point, you know, and, and, uh, and like I said, it doesn't matter what side you're on, right? That isn't the point of this. We're not picking positions, but you're right. We're at a very contentious time. Uh, and, uh, and people are very passionate about their positions, and some cases influenced by things that aren't true.

You know, I spent a lot of time talking about mis-, dis-, and malinformation, and that can affect either side or both sides as well. And if there's a 3rd side of this at this point, whatever that might be. So I think you're right. You know, I think it's, it's, we got to be aware of those things because people are getting amped up about all sorts of topics.

Some may be, you know, valid and true and some less so, um, but designed to, to create great, deep passion that is going to put people in positions of conflict, um, that [00:59:00] it's going to bleed over into some workspaces. It just does, you know, humans are humans, um, and may lead to, to physical security issues, maybe the cyber security issues, maybe the insider issues, all the, all these things we've talked about.

So I think that's a great point to bring home. And again, for those listening. Um, you'll hear it all the time from guys like Virg, myself and other Intel folks. It's not about politics. All right. This is we're Intel people. We're insider people. And the point here is the risks are real and you can't just not talk about them because you're afraid somebody's gonna be offended where you became too political.

This isn't political. It's all sides. There are risks. There are threats. We have to be aware of them, but as Virg pointed out, we've got to be able to do it, you know, with, with humanity, with, with empathy and try to tend to see the whole picture and the whole person. But I'm with you, man, the next several months at least are going to be a bumpy ride for, for a whole lot of us, I think.

Um, ahead, man, you get the last word, and then I'm going to close this out.

Virgil Capollari: No, I just wanted to say, AJ, it's been great. It's been a lifetime. We grew up together in this business. Uh, uh, [01:00:00] I'm happy to, uh, have taken part today. I love talking about this stuff. Uh, sometimes ad nauseam to the people around me, but I'd be remiss if I just didn't say to my fellow professionals out there, government, non-government, uh, please always feel free to reach out if we're not talking amongst each other.

And we're not being critical of ourselves. Uh, we're probably not learning.

AJ Nash: Yeah. Great. Great point. And contact information readily available for Virg. Uh, I definitely recommend reaching out. We've been friends so long that he had more hair and I had less. So that gives you an idea of how long it's been. Um, so anyway, with, with that, this has been a great conversation. I really appreciate you taking the time, you know, to hang out with me today, man.

Um, and for those who've been listening or watching, you know, if this is something you like, uh, please do take the time to leave feedback, like, subscribe, download all of those things, because that's what keeps us able to do. Uh, if you really dislike the show, please don't tell anybody, uh, ever. Um, but do tell me, I'd like to know I'm good with the [01:01:00] feedback.

Positive or negative want to make it better. It's not about me. As I say, every week, it's, you know, every time we do this, it's about the guests, it's about the audience and we're trying to provide value to folks. And if you're not getting value, I do want to hear about it. Uh, but you know, give me a chance, give us a chance to try and make it better before you go out and rant to the world.

Uh, so far we've been lucky enough not to have that. So please continue to, to listen and focus and let us know how we can do more. Um, so for that is the last, uh, I'm going to say today, this is the last of this episode of Unspoken Security. So until next time, uh, be safe out there.