Unspoken Security

Let's Get Serious about Intelligence Requirements!

AJ Nash and Brian Mohr Season 1 Episode 8

In this episode of Unspoken Security, AJ Nash is joined by Brian Mohr, the founder and CEO of Reqfast, a technology startup dedicated to helping security teams document and prioritize their needs to better focus on work instead of workflow. 

Brian and AJ define what is meant when we talk about intelligence requirements, why they are important, how to document requirements and use them to measure the value of intelligence (that all-important metric needed to justify investing in intelligence), and share their personal observations on the progress made when it comes to understanding and accepting the need for intelligence requirements to justify spending and drive successful security practices.

Finally, as always, the show wraps up with our guest revealing something that had, to this point, gone "unspoken." In Brian's case, his secret has to do with the novel way he has been keeping track of his passwords which is both simple and feels a bit James Bond-ish.


Unspoken Security Ep 8: Let's Get Serious about Intelligence Requirements!

brian_mohr: [00:00:00] Intel goes both ways. It's, it's external and it's internal. Right. And a lot of people forget that, like you can run, you can look at your own organization and say like, if this were to happen, what's the likelihood. So you have disaster recovery doing Intel that you need to collaborate with. So if you say this happens, you know, let's play this out.

Tabletop exercises, a great way to start developing Intel requirements for what would happen if. I don't know. Do we even have a response to that? Do we even know? Do we even have a corporate policy on whether or not we're going to pay a ransomware, you know, threat? So like, these are questions.

[00:01:00]  

aj_nash: Hello, and welcome to another episode of Unspoken Security, brought to you by ZeroFox, the only unified external cybersecurity platform. I'm your host, AJ Nash. For those who don't know me personally or are first-time listeners, I'm a traditional intelligence guy who spent nearly 20 years in the intelligence community, both within the United States Air Force and then as a defense contractor.

Most of that time was spent at NSA. I've been in the private sector for about eight years now, primarily building or helping other people build effective intelligence driven security practices. I'm passionate about intelligence, security, public speaking, mentoring, and teaching. I'm also deeply committed to servant leadership, which is why I completed my master's degree in organizational leadership at Gonzaga University.

Go Zags! Now, the goal of this podcast is to bring all of these [00:02:00] elements together with some incredible guests and have authentic unfiltered conversations, even debates about a wide range of challenging topics. This is not going to be your typical polished podcast. You might hear or see my dog. She's around here someplace today.

Uh, people may swear, uh, we may argue or debate and that's, that's all okay. Like think of this podcast as the conversation you might overhear at a bar after a long day at one of the larger cybersecurity conferences. These are the conversations we usually just have when nobody's listening. So today, my guest is Brian Mohr.

Brian's the CEO of cybersecurity company Reqfast, a good friend of mine. Uh, he's, before his life as a tech company founder, which is the brave life I can't even imagine, frankly. Uh, Brian served over 15 years in the United States Marine Corps. Uh, so couldn't get into the Air Force, I'm guessing. And, uh, he's had, he had a couple stops along the way in the private sector, uh, you know, where he's been focused on threat intelligence.

So, you know, Brian, that's a really quick, you know, brief of your history. So is there anything else, anything I left out? Anything you want to add as far as, you know, who you are and where you come [00:03:00] from?

brian_mohr: Uh, the only thing I would add is when I left active duty, I was thinking of going into the reserves and I actually went to the Air Force and they told me that I had too much of a military mindset and so they wouldn't accept me. Just

aj_nash: I, I, I am not surprised or offended by that actually. Uh, that's, uh, it sounds about right. You know, the military, listen, all the branches are useful. They're all valuable. They're all important. Uh, we all have jobs to serve, you know, for anybody who's not military listening. We all poke fun at each other.

Obviously I have nothing but love and respect for the Corps. They do all the things that I neither want to nor could ever do. So, um, you know, but yeah, yeah, I can see how you might not have been the greatest cultural fit after 15 years in the Corps, although I don't know, you're a pretty laid-back guy.

brian_mohr: Well, yeah, I've been in recovery for what, eight now, nine years? Doing

aj_nash: Well, well, it seems to be going all right for you. So listen, today's episode, the title is Let's Get Serious About Intelligence Requirements. Now, listen, I'm a career Intel guy. So are you, uh, you know, and I spent a lot of time now and I have for all these years I've been in the private sector. I spent a lot of time talking about the importance of [00:04:00] intelligence requirements and how they're a foundation for any successful Intel program.

So to be truthful, I'm really, really excited to hear someone else get on the soapbox with me for a change. Uh, so let's get into it, right? When we talk about intelligence requirements, what are we really talking about? What's an intelligence requirement?

brian_mohr: Well, it's the start of the cycle, right? And I will say this in almost every conference I've spoken at and every class, that if you are, if you have an intelligence program that's not based on requirements, then you are wasting your time and your stakeholder's time tonight. So is it, is your reason for existence?

Um, intelligence is two things. It's decision support, and it's a customer service, right? Your customer, your stakeholder needs to make a decision and they need information to make that decision with confidence, right? Your job as the intelligence person is to provide that information. And your measure of success comes with whether or not they were able to make that decision with confidence.

And the more confidence, the better, right? The [00:05:00] only way you can show that is if you actually write those requirements down and then go off and do the work against that. Um, anybody who's in the customer service business understands this process. So it's a little curious to me that even now, after all these years, you and I are still having this conversation about the importance of intelligence requirements.

Well, you've never gone to any other customer service industry and said, well, why do you want to know what your customer cares about? And so here we are. So yeah,

aj_nash: that's, it's a, you know, it's a good point, right? So to me, I gotta be honest, I always thought it was obvious and maybe that's, that was my ignorance going into the private sector, right? You know, you grow up in Intel space and you go, well, yeah, you get your Intel requirements first and you go out and get things.

I'm still surprised it's hard for folks to gather sometimes because I don't know any other business that doesn't have this. They just don't call it that. Maybe, you know, you're building software, there's these giant documents that people go through a software requirements. What do customers need? And, you know, huge Excel spreadsheets and all these other things, right?

I think in most anything you do, hell, if you're, if you're launching a business, right, if you're an entrepreneur, what's the market need? [00:06:00] Like people talk about the need first before you go do something, is there a need and then document that and say, okay, well, how do we go meet those needs? Yeah. It seems like it's

it's understood in most industries, but intelligence, I guess, is this magical mystery world for a lot of folks. So when you talk about Intel requirements, it seems to get lost. And I often just hear, well, just your jobs to tell me what I need to know, which is, you know, really

brian_mohr: you're the Intel person. You tell me what's important. Like, that's not how this works.

So 

aj_nash: Imagine if that was true for anything else. Well, what do you need in a, in a sales support to, I don't know, you tell me what I need. Well, no, I need to understand what, how your process works. What's the sales process and what do you do and what do you need? What are you struggling with?

Right. You know, I will say before we move, uh, you know, we have a few questions today before we move to another one. You mentioned briefly, uh, you know, I said, what's the Intel requirement? It's the start of the process. So for those who don't know the Intel cycle, right? Um, we should probably at least quickly reference it for people.

I know you and I know it. We talk about all the time, but the Intel cycle, you know, the six steps of the cycle, there's planning and planning and development first, you know, where you get into talking about Intel requirements and stakeholders, right? Who, who are you serving and what [00:07:00] are their needs? And then from there you can get into collection and discuss, you know, what do we need to gather, etcetera.

And then the cycle continues to go on for anybody wants to Google intelligence cycle. It's easy to see all these graphics, but I think it's important people to know that first step, that planning and direction piece is where you talk about intelligence requirements. What do we need? Which starts with stakeholders, which who are we serving, right?

They have to tell us our requirements. Now, a lot of times I'm going to ask you this, but I know from my experience, this is what I've worked with a lot of times. A lot of customers don't know this, as we mentioned. So oftentimes, if I've got a customer, no customer, few customers, I will say, are unique, right?

A banking customer, they have their own things, but banks are banks to, you know, health care, you know, different industries. So a lot of times we are able to come in and say, well, here's what a lot of folks in this industry need. So we at least have a baseline. And if they can customize you, do you do the same thing?

I assume when you start talking about Intel requirements be able to come in and say, here's some places to start. Mm hmm. Mm

brian_mohr: Well, we also, I, I focus now on, if you just say, what are your requirements? You usually get a blank look, right? And so I say, [00:08:00] okay, who's your, who's your primary stakeholder? And that's like the CISO is usually the number one. And it's like, okay, what are the decisions they're trying to make, you know, and then what actions are they trying to take?

And then that's how you kind of backwards your way into Intel requirements. So like, if they need to make take this action, or they're trying to choose between courses of action, you know, what is the information they need in order to do that? So you kind of get away from the list mentality and kind of focus on the customers actions of what they're trying to do.

And the military was easy, right? For at least on the Marine Corps side is that, okay, the colonel wants to be on that hill in three days. We're in the kind of backwards plan from that. What are all the things that we need do to get on top of that hill? Or from the defender's standpoint, like how likely is that guy going to try to get up our hill?

And what do we need to know? Um, starting from the weather and you work your way out. So there's really no difference. It's just, you're asking different questions and there's different things. And when people say actionable intelligence, it's easy to understand on the military side, because usually something explodes.

That's, you know, actually on the cyber side, it's like, here's a list of [00:09:00] IPs, go, you know, um, a little bit different, but I find that if you start tying it to dollar amounts of like the budget, you know, is a big one and CISO needs to decide where to put her budget, you know, allocate dollars. There's some decisions there that you might want to be part of as an Intel person.

And I would rather be part of guiding that conversation than being the target of the budget cut. So, um, I tend to focus on the action and work backwards, but yes, you're absolutely right. It always, you have to start somewhere. And usually you can say, okay, this is a list of things we normally provide. What appeals to you on here?

And then that will start the conversation. You shouldn't go in there with nothing and just say, what do you want? Cause we all know how that works. Making thumbs. Okay.

aj_nash: right. Hey, I'm just going to mention to you when you're hitting your hands either on the table or the, the chair, it's pick, it's picking up and you can wave around all you want, but you're banging on it. It's picking up on the mic. So no, no worries. Like we'll cut that. I've just said this out too, but yeah, I wave my arms a lot, but if, if you're hitting the table, it is picking

brian_mohr: Yeah. Okay.

aj_nash: right. So I'm going to jump back in. Where you just left off. So no worries there, though. I mean, that's that's all really important. Right? So listen, you talked about a couple things. I really want to dig into a couple important pieces. The first one that you mentioned that hit me was documentation, which we started talking about.

Right? And then the other one you talked about was that need for showing. That the delivered intelligence, you know, actually met those needs. And so what I hear when you talk about mapping intelligence to [00:10:00] needs, you know, and decision making is what I'm hearing is value, frankly, which we hear all the time from customers, right?

You know, it's, it's anybody who ever says, well, you know, they didn't renew because we cost too much. Uh, no offense to anybody in sales out there, but I've always said that's bullshit. Um, you know, it's not that you cost too much that you didn't deliver value. Nothing costs too much. If it's. Delivers more value than it costs, right?

So I find, and you mentioned the CISO, who's often the buyer on this, I find that's the biggest challenge with Intel a lot of times is the two pieces you mentioned, documenting intelligence, but then also how do you tie Intel to deliverables? And what was the action taken? And how do you measure a value that goes with that?

So, you know, Digging into those further. How do you document Intel requirements? Like how do you personally do it? How does your org do it? How does your company do it? And and how? How can we use those? How can we use that documentation to measure the value of intelligence? Because people are paying a lot of money for this, and that's our big challenge.

I think we talk about budgets. You don't wanna get cut. It's expensive, and I find it really challenging. To help people understand value, right. To put a metric on it and say, this is, you spent this, but you got this at [00:11:00] save this, whatever it might be. So, you know, how are we, how are you guys documenting Intel requirements and how you using that to measure value is, is where I'm trying to get to here.

brian_mohr: Yeah. And most of the industry, I would say 99 percent of it. Um, requirements are tracked via the super spreadsheet, right? You have lists and lists and other lists of stakeholders and list of requirements and list of reports that you've sent out and you try to match them up. That's all great. But that's usually where it falls down when you try to offer, you know, operationalize that.

aj_nash: And assuming they have Intel requirements. Like

brian_mohr: well, right. You

aj_nash: that's not including the ones where you walk in and they have no requirements,

brian_mohr: Yeah. And then even, and even if they have requirements, they're usually just lists of keywords, right? They're not tied to anything like, oh, here's my list of, you know, dark web of, you know, APT 34. Cause that's how those guys refer to themselves in the back.

aj_nash: right in the dark often talk about themselves

brian_mohr: like, Hey, number 28.

How are you, sir? Hey, Fuzzy Panda, what's going down? Um, yeah, they're not handles. Right. So, so it's like this weird list of keywords that aren't tied to anything. So when I work with [00:12:00] customers and, you know, our platform, we, we have, yes, the statement of what's the requirement of, you know, talk about, you know, threat actors, discussing intent of targeting, whatever, but there's a, there's an end point to that.

There's a why what decision are supporting? What's the stakeholder? What are they trying to do? In fact, I encourage our stakeholder profiles to say, like, what's important to them? What are the decisions that they have to make? What are the actions that they're trying to take? So when the analyst goes to say, okay, if this is the requirement, this is the stakeholder.

Work. This is what they're trying to do. That is going to color their, you know, their viewpoint and flavor what they actually report to that stakeholder. Now, instead of just writing these, you know, Microsoft says it's bad, and we agree, um, it's this is bad because this could impact these operations. And, you know, the stakeholder has now a point of reference.

And so you always want to like, anchor what you're writing to relevance. And that starts with the requirement. It's the what is it you want to know? What is it you're trying to do? And how do you tell us if this is successful or [00:13:00] not? And that's where you start getting into the value. Um, the more you can tie dollars spent in intelligence to the dollars made in revenue, you know, you're doing a lot better.

Most people don't do that because they forget they're part of the business. You start with value by understanding how you fit in with the business. And so,

aj_nash: Yeah, I mean, that's, that's, you know, it's a really good point, right? And that's, to me, that's been the big challenge. You know, I've been, I've been private sector eight years or whatever now. And, you know, when I came out from the intelligence space, like I said, I thought Intel requirements would be simple and obvious and it wasn't, um, which on the one hand made my job really easy.

People thought I was brilliant. Oh, this is a great idea. It's a great concept. I'm like, well, this is pretty basic, yeah. Okay.

brian_mohr: I am special, right?

aj_nash: invent this. I don't want, I don't want, I don't want someday for somebody to wake up and go, holy shit, he's a fraud.

He's been telling us all these, we have a patent on the back and this is all just available. So, you know, I always talk about JP 2-0 and, you know, the ICDs and all this kind of stuff. Uh, so that people know this documentation [00:14:00] exists. Um, but, you know, getting out there and say, okay, here's Intel requirements, but then getting that value piece, you know, I learned.

It didn't take long to figure out how budget works in the private sector on how metrics driven almost every company is, uh, which a lot of cases I get, and it makes sense really does, but it tends to be really, really challenging for Intel is my experience has been, you know, and I've often told people.

You can't think about us the way you think of your, your SIEM or your firewall or something like that, right? It's, we don't develop those kinds of metrics. I tell people to think of Intel a lot of times more like physical security or say health insurance. You know, if you run a bank and you haven't been robbed in five years, I doubt you're going to fire all your security guards and shut off all your cameras because clearly you're just wasting money.

Nothing bad has happened, but there's an ROI there in deterrence. It's understood that if you're a bank and you have money, people will want to rob you. And if it's known that you don't protect yourself, you'll be robbed. Um, you know, I haven't had, knock on wood, I haven't had, you know, a heart attack. I haven't had a stroke.

Um, I have health insurance costs money. I [00:15:00] don't just cancel it. Well, I'm clearly not getting value out of this health insurance because someday something bad is probably sadly going to happen. That's how the world works, know, so, but, but that's not good for metrics, right? Figuring out where, where the value fits in.

So you talked about, you know, impacting decisions, um, you know, and finding out how to How to tie that back. And I've seen, I don't know about you, I'll ask you here in a second. I've seen some progress in that space and being able to say, well, what did you do with the Intel? Well, we took this Intel and we changed this policy, we changed this procedure, etc.

But I still, are you having more success than I'm seeing in the next step of that? Being able to say, hey, we did this and it changed an action, it changed the decision is great. But what did that decision save us? Would we have been attacked otherwise? How much would it have cost? Etc. If you're doing proactively, which ideally with Intel could do more of, that's the goal.

How does that, and I hate to put you on the spot, it may be a hard question, are you seeing the way that turns into value or is it just a matter of being able to say, Hey, listen, you said these are your requirements. We delivered X number of Intel against those requirements. That's your value prop and that's good enough metrics [00:16:00] to show that what we're buying aligns with what our needs are, not necessarily the outcomes.

brian_mohr: No, cause those, I would call those the, uh, the efficiency metrics. Not helping you get into the efficacy metrics. Like, does this actually matter? One thing that Intel teams almost across the board are failing to do is actually collaborate with other teams. Um, and first and foremost, you need to collaborate with the risk side of the house.

I have seen it where some Intel teams have actually been pulled out of the SOC and put into the risk side of the house, which I think is a great idea. Um, or at least build that relationship because the language that the risk organization is speaking to leadership, leadership understands that because it's usually wrapped around dollars. Understand, as an Intel team, you need to understand how risk is communicated to leadership.

And then you need to communicate and work and collaborate with risk in that same language. You need to change from IOCs to, you know, potential loss. There's a definite vernacular and there's an understanding of [00:17:00] what is impacted here. So, uh, when I look at like, uh, alerts in the SOC of like, Oh, this system is getting attacked.

Well, what system is it? And then how does that system, what applications are sitting on that? And if those applications go down, I'm sure there's a business continuity or disaster recovery team that has assigned a dollar amount to those systems and understands exactly what happens when those systems are down for 30 seconds or three days.

You know, there are dollars available that you can assign to what those alerts are saying: hey, we stopped this attack, we stopped this system from going down. Yes, there's a dollar amount there. And Intel always struggles with that. You know, if nothing happens, how do you show value? You know, but if something happens, how do you prove that it wasn't my fault?

You know, um, and it's no different. Yeah. And it's no different than the Intel community, right? Like there's always somebody, you know, there are beans to be counted. And we talked about this earlier is requirements or like, how are you satisfying those requirements? But then it goes beyond that. Not just the [00:18:00] requirement, but like, what's behind that?

Everybody asks, you know, a few years ago, it was all about context around IOCs. It's like, no, no, no, no. It's the context around the risk. Then you work your way. Eventually you'll find the systems and the IOCs are damaging that. But really you need to start with the dollar amounts for the business. And that's how you show value.

You'll never show it from just data logs in the SOC. You have to work with other teams and come back in.

aj_nash: That's a really good point. It's also really, really difficult. I think most people know that, right? You have to know you need to do

brian_mohr: yeah, it's all relationship building. And then, then you start uncovering other people's dirty laundry. Like, what do you mean we don't have a risk register? Oh, it's on our roadmap. It's like, oh,

aj_nash: Yeah. Yeah. Risk registry is a good one. You know, it's funny. I talk a lot about, uh, configuration management database, um, and crown jewels assessments. And again, those are things that really align. Intel needs these things, frankly, we need, we need to exist and we need to know where they are. Because if I come in and say, hey, there's a really dangerous threat, you know, valid actor, they're talking about us, they have the capabilities.

And then the question is, what does it mean to us? My. All right. Do we have the software? I don't, [00:19:00] I don't we have it in our systems. Well, that's a problem. I can't tell you what it means to us, but we have it, but I don't know where it is. I don't know. Is it just in an air-gapped lab somewhere where you say the risk is really low or is it tied to our crown jewels?

Well, we don't have a crown jewels assessment. Uh oh. Well, that's,

brian_mohr: How am I ever going to provide you value? Like, how am I going to tell you what matters if you haven't even established what matters? And that's, those are difficult conversations to have. And oftentimes, the team that's, you know, five levels down from the CISO, shut in the SOC somewhere, isn't going to be able to have that conversation.

So that's, that's tough. And that's one of the reasons why Intel has been relegated to IOC management. Um, and sadly that's, you know, we have a whole bunch of people that are underutilized, especially when you're bringing people in from the intelligence community that have all this experience, but they also have experience with infrastructure that's been in place for, you know, about 60 decades or six decades or so, 60 years.

You to come into the private sector and they're like, we don't have a list of requirements. We don't have a risk register. I can't tell you what the crown jewels are. We, you know, we're just now [00:20:00] standing up asset management and they're expected to demonstrate value. It's like, Whoa, okay.

aj_nash: It's really hard. One. You also mentioned they're often buried low and obviously this is self for me because this is one of my topics for last few years. But I wrote an article called Rise of the scene. I'll Rise of the Chief Intelligence Officer a ago and it goes around circles and I still have a big believer in that part of our challenges.

We bury Intel so deeply, you know, we gotta have an Intel team, but they're not gonna bury it in the SOC under some defensive operations, senior director or director or manager or whatever. And that's so many layers removed from where you need to be that you can't have the influence you can have. You know, one of the things I had at least in my experience in the Intel community going back, you know, in the military or private sector as a contractor was we weren't far away from the decision makers, you know, I wasn't buried six layers deep, you know, we wrote Intel that went to the four star or the two star or the SecDef or the White House or wherever.

So. We were considered their counselors. That was the point of having Intel, you know, and that's what I wrote with this rise of the CNO piece was that, you know, Intel, there should be a chief intelligence officer along with the chief legal officer. They should be [00:21:00] the counseling areas basically for the CEO, which also would change a lot of this.

It would provide direct access to talk about what corporate level requirements are, not just security, but across the board and better direct resources. Um, to talk about what's really needed and get away from this, you know, just IOC management buried deep in the SOC because that's what the SOC manager, SOC director, whoever needs, right?

It doesn't really get into the bigger picture piece, so you're not getting the value. I talk a lot about this stuff. Intel costs money, but you can get more value to elevate it. So that's back in

brian_mohr: That's one thing I, you know, one, one message I, you know, blare from my soapbox is that everybody already is doing Intel, they're already making decisions at every level from down in the SOC all the way to the board. They're making decisions. They need information to make those decisions. They go and get it.

And then they realize like, I need more information on this is good enough and move on. Everybody's completing that cycle, but they're not doing it the same way. Right. So they, like your Intel organization and that chief Intel officer, which would be fabulous, uh, would kind of coordinate that now [00:22:00] understand that there already is an organization and most of these, you know.

Huge companies, they have business intelligence and what have, what has BI been doing for decades and decades, they've been taking large amounts of disparate data, running some sexy queries against it, and then, you know, you know, suggesting courses of action for the business to take, you know, whether it's from building a data center in this country or where to put a product in the aisle, it's being done in your organization.

Why are you reinventing the wheel for your CTI? Like, why wouldn't you put CTI very closely together with them and say, okay, if we want to do this. What are the cyber security concerns around that? Um, it's a missed opportunity and it's just, I don't know if it's a paradigm shift, but like, well, Intel is Intel, right?

It doesn't matter what you could risk. Intelligence fraud, physical security doesn't matter. It's all

aj_nash: why I think they all be together. I agree with that. That's that. I think the intelligence officer, all those should be under the chief intelligence officer, business risk, you know, uh, you know, uh, strategic Intel, tactical Intel, operational Intel, um, you know, all these bits and pieces [00:23:00] physical, uh, should be tied in there as well.

I mean, physical would be more of a customer, but all of these are tied together, right. As, as one unified piece.

brian_mohr: even if it's nestled under the CIO, like the CIO's chief of staff, you know, it wouldn't just, because what is it? The chief of information? Oh, that's what we're talking about. We're talking managing and creating a system of record and historical database and,

aj_nash: Yeah. I mean, I can live with that, but don't screw this up for me, man. Chief Intelligence Officer needs 

brian_mohr: no, no, I'm Well,

aj_nash: this. Don't screw it up. Let's swing for the, for the fence. But no, you're right. Even upgraded to to, to being under the CIO, you know, I've seen one CSOs, but the CSOs often under legal and it just, you know, you start burying them down.

But every time I find an org that says they have an Intel team, you find it's like one person wearing seven hats that's buried in the SOC and you know, they're, they're a manager level or not even, you know, like, well, you're, you're checking the box of Intel because somebody said you had an Intel team, but you're not doing.

You're not doing Intel. You're not doing this person any justice. You're not investing significantly enough to have the impact you really have from this. And then you're expecting things you're not going to get. And often that's the same company that's going from vendor to vendor to vendor to every [00:24:00] year they blame the vendor and they move to another one and nothing really changes.

And then they say, well, these vendors are the same. None of them can produce what we need. And the challenge is you didn't have Intel requirements. You didn't put your work in the right spot. You didn't man it up, uh, or woman it up. You don't think you pick, I'm not trying to be gender specific here, but you didn't put the people in place that were needed.

And, and. Sadly, like you can't have that hard conversation with the customer a lot of times for a prospect because it sounds insulting and I don't mean to. It's just they didn't know, right? They didn't have somebody come in and say, this is the way it's done. This is this is your plan. This is the best way to do it.

And by the way, it's gonna cost a lot of money, which gets back into Intel requirements, get back into the value of the whole discussion we've been having, right? And if you're lucky enough to find somebody who gets it, you know, you get a CISO who understands or someone the CISO trusts who understands or a C-level or whatever, and you start building this right and you pitch this whole program and they buy into it and they go.

Then that person leaves, you know, that

brian_mohr: well, yeah,

aj_nash: another job.

brian_mohr: because they're

aj_nash: the next comes in, sell it all over again. And they may or may not get it, or they may not believe in it, or the budget might just change. And, and everything just seems to revert a lot of times. So [00:25:00] it's hard to get somebody who buys in, believes in this, is committed to it, and then also stays put because people move around from company to company, um, 

brian_mohr: I do see a change. I see more CISOs. That are, you know, leaning towards getting MBAs versus CISPs, and I think that is an opportunity for. Security companies that are going to try to survive, you know, the next few years as budgets decrease and consolidation happens, it's, how do we start speaking to that CCO and supporting them as part of the business?

We talked about budget planning. There's a great opportunity there because that's Intel, right? You're making a decision. You need information. Where do I put the dollars, you he or she will need to. Have a process in place. And so if you are an Intel company, that's just pushing out, Oh, fuzzy bears at it again, you know, like what decision are you supporting?

How are you helping anybody accomplish the, like, what does fuzzy bear at it again,

aj_nash: What does that mean to me? Yeah,

brian_mohr: unless you're articulating that you're just noise,

aj_nash: That's [00:26:00] right. You're, you're telling the people, the news. You know, I say all the time with Intel, it's tell me what it is, tell me why it matters, tell me what I can do about it. If you're just telling me what it is, you're just the news, which is fine. News is important, but I don't have time to read all the news.

I certainly don't if I'm an executive trying to keep the company safe. Tell me what it is, tell me why it matters, and really why it matters to me. Like, that's really want to know, not just why it matters globally. Maybe sometimes there are reasons to know things that are not actionable. Some things are just informational because they lead to it.

But tell me what it is, tell me why it matters to me, and tell me what I can do about it. And if the answer is I can't do anything about it, that doesn't mean don't tell me. That's still important to say, Hey, this is it. This is why it matters right now. You can't do anything about it,

brian_mohr: Well, there's the, there's the what, there's the so what, and then there's the now what. Most the industry is shoved into what, and very much, Kamali, you get around to the so what. But the problem is it's your internal team that tells you the now what. You know, a third party can't tell me how I'm supposed to action information to mitigate risk because threats are ubiquitous, risk is personal, right?

So your intel team should be the now what. Like this is what we're doing. Because of the, so what, right. Um, 

aj_nash: [00:27:00] And then you've got to be able to keep all of this. Document it, right? you got to have sort of living

brian_mohr: Write that 

aj_nash: that's going that's going to last longer than the people, because as you said, the people move on. So you have to have a database that shows here's our requirements. Here's what this means to us.

It's, you know, it's modular. It can change over time. Here's what we put into it. And maybe some documentation also says, here's why it matters. Here's, here was the thought process that led us down the path to buy this database or build this data, whatever it is, right? So that when you do have a leadership change, You have a better chance of selling the new person they didn't come in already believing in what you had on the idea.

This is, this is all the work that went into getting us here, sir or ma'am. So this is why we would like to continue on this path. This is where our value is. And if you don't have that, which spreadsheets are not the same thing. Um, and disparate documents all over the place don't work. Or if you, again, you have it on one person's shoulders and there's some very junior person that C level may not listen to them.

Um, so it has to be elevated a high enough level that has, you know, some, some, uh, gravitas behind it. If you don't have that at all, just evaporates anyway. So, you know, I, I, [00:28:00] I feel like that's what Reqfast, what your company, I feel like that's the gap your company has been trying to fill, right. Is, is not only help people understand all this and build all this, but also have an enduring database, uh, and, and be able to do all this, you know, and, and I've worked with you a bit in the past, obviously, even before you were Reqfast, you had a different name previously.

Um, and so we go back a long way, but you know, it's, it's frustrating that it hasn't caught up more, obviously. Um, so, you know, it seems to me that they're just, there aren't enough companies that are willing to invest, you know, very heavily in this. There's just, there's a lot of small teams or one offs. I mean, I'm surprised how many Fortune 100s I talked to and you find out their Intel team is not a team.

You know, one or two people and it's their secondary job behind a bunch of other things. And then we see these massive breaches happen and you realize, you know, the, the casinos were breached not long ago. And I know one of them came out and said, we were just completely caught off guard. know, didn't know anything.

And, and I was kind of rude on LinkedIn about it and said, you know, if you were caught off guard, it was on purpose, you know, casinos print I mean, they're, I don't know how much [00:29:00] money them it's billions and billions of dollars. I'm sure every vendor in the space has gone and talked to the casinos.

It's not like we We all know, you know, we would skip over all those guys. I mean, we talked to anybody who's got money, right? So banks, casinos are right at the top of the list, but they didn't have Intel teams, it sounds like, uh, and not to pick on those guys, by the way, I don't want to do that and get myself trouble, but you know,

brian_mohr: I think it's a, it's a, they're willfully not investing in process. You know, so they're, they're investing in people sort of, they're definitely investing in technology, but they're failing to invest in process. And probably like everybody's quick to automate, but if you don't have a manual process to automate, what are you doing?

You're just adding more confusion to your tech One thing I like to see is when IR teams, incident response teams, you know, have playbooks that they actually update regularly and a playbook is a great opportunity to start building on, like saying we do this because of this, this happened before.

This was the result. And that is why this is now an item in the playbook. So like, if you have a playbook, great, but you also have a huge opportunity to build on that and put the historical [00:30:00] reference and the documentation behind that. Companies have to be willing to enforce documentation. They have to be willing to enforce that investigated discipline of, you know, you did something now check the box and fill out Um, you can see it in there, the tickets in the SOC. Like if they're not telling their analysts to be, you know, verbose and why they did what they did to close out a ticket, then yeah, they're going to get breached. I mean, cause if you're not putting the time and effort and that comes from leadership, that's part of like, that should be part of the job.

Like you and I both know. On the human side of the house, for sure, that if you did anything for, like, you talked to a human for an hour, that's three hours of paperwork that you had to do on the back Same on the technical side. There's always, you were, there was a whole bunch of CYA paperwork that you had to fill out because that was your job. We don't require that in the cybersecurity industry. It's the only industry that I know of that, as part of a business, gets away without having to count their widgets and show where them are. Um, really.

aj_nash: is, which is really challenging because you're talking about an industry where there's never enough time, [00:31:00] right? We all talk there's, you know, this is endless, right? Adversaries are growing every day. They're bigger. They're stronger. They're more voluminous. Now we've got AI coming in. So everything's faster and more dangerous.

Listen, I don't have to do documentation. It's probably the first thing I'm going to, I'm going to skip on and save my time on. Oh, this is done. Check the box, you know, market complete. Oh, there's more. There's a field where I can add details. No time for details. Let's move on to the next thing. And then you have nobody can go back later and even say, well, what did we do?

Why did we do it? How did we do it? Oh, I don't know. That's all been lost. That's in the ether because I'm onto the 68 other things because I've only got 10,000 alerts to go through today. And I've got, you know, eight hours to do it in. So 

brian_mohr: of the matter is you're, you're not going to get through that 10, 000 lists. So at least do the, the a hundred that you do that day and do them well. Um, cause that will be more valuable to your organization in the long run. And especially as you're bringing AI in on the defender side, you got to train it on something.

If you're training on open ticket, close ticket with no details behind that. You're going to get what pay for. Right.

aj_nash: Yeah. You're not getting any better. [00:32:00] And I know I've spent a ton of time and effort and I continue to, and I like to, by the way, but I spent a lot of time and effort, you know, trying to help people understand the whole thing, the Intel cycle, how Intel feeds in proactive security, all this from a more approach, but it's really hard, I find it to be just insanely difficult, uh, to get the right people to understand the value, uh, and, and understand.

The time and the effort this is going to take to do, you know, why you need to invest money at the value of process and documentation and standardization for building a sustainable intelligence program. And, and listen, the payoff is the only proactive solution to security is Intel. I know I say this and it seems like every episode now, but true.

There is nothing else proactive. By definition, everything else is reactive. Intel also helps the reactive. If bad things have happened, we can hopefully, you know, shorten your, you know, your time, you know, what does it mean? Time to discovery? Meantime, you know, remediation, those kind of things. But Intel is the only thing that can stop you from being compromised.

If I know a bad guy is doing things to a company like you, uh, you're, you know, and, and we know, Go with the dark web, whatever they've [00:33:00] chatted that you're on their target list. We know what they do and how they do it. And we know that you actually are vulnerable in these spaces. And as a result of that knowledge, we can help you make those changes.

And you, you get ahead of the curve and the adversary shows up and can't do the thing they've been doing to everybody else. You can only do that through Intel, but it takes a lot of time. It takes a lot of effort. It takes money. It takes patience. It takes, uh, investment, which may not have immediate return.

I often tell people you're gonna do a lot this year. But by the end of the year, you're probably gonna have at least one, if not several non breaches that you're gonna be able to report and say, well, this is, this is why we do these things. You know, uh, customers who weren't hit by WannaCry years ago, I had customers and when WannaCry went live and cost everybody so much, we had 40 some odd customers where I was working at the time and nobody was hit by WannaCry.

Because we wrote an Intel report two months previously, the team did, I didn't write it, uh, that told people about Bluekeep. And our customers read it and took action. So WannaCry shows up costs billions of billions of dollars and our customers aren't impacted. That's what Intel will do for you. But next year, how do you sell that on the budget?

Right. So, you know,

brian_mohr: Intel goes both ways. It's, it's external and it's internal. Right. And a lot of people forget that, like you can run, you can [00:34:00] look at your own organization and say like, if this were to happen, what's the likelihood. So you have disaster recovery doing Intel that you need to collaborate with. So if you say this happens, you know, let's play this out.

Tabletop exercises, a great way to start developing Intel requirements for what would happen if. I don't know. Do we even have a response to that? Do we even know? Do we even have a corporate policy on whether or not we're going to pay a ransomware, you know, threat? So like, these are questions.

Those are Intel requirements, or that's the start of it, you know? So yeah, it's. There is an investment there and it doesn't, it's not flashy. It's not exciting. And I always joke, you know, people, Hey, how's Reqfast doing? I said, well, I sell process accountability and transparency to the cybersecurity industry.

So it's just flying off shelves. Right. Um, but I do it because I believe in it. Right. Maybe, you

aj_nash: maybe regulators can help with some of this. I do find finance is the best at this. I think I think part of that's because I say it all the time. It's a cultural thing that you mentioned internalizing, right? Listen, if you work at banks were in finance, that's that's a culture forever.

Banks have been robbed since they were banks. People understand [00:35:00] robbery and understand banks and crime. So They always have a bit more of a security mentality. I think, you know, I, I pick on healthcare a little bit, not intentionally, but just culturally healthcare is different. Healthcare is about helping.

It's about openness. It's not nobody ever grew up in hospitals worrying that somebody might steal their patients. It's

brian_mohr: And doctors hate putting in passwords and they just want things to work

aj_nash: Oh, they want. Yeah. And they need efficiency. Like, it's not just a want. I get it. Sometimes it's life and death. They don't have time. They let's just go right.

Okay. And they do incredibly meaningful, you know, work, but as a result, the cultures are different. The security culture in health care lags behind. Right. And I think that's, you know, that's a challenge that we run into that, you know, you were sort of hitting on there a bit. So with all of a sudden, and it's frustrating, and we've talked about some of the negatives, but also some of the opportunities here.

Listen, you're in the market. You guys have been in business now this past five years, I think, right? That Reqfast been, Reqfast been out there. So, you know, what are you seeing in the market as far as acceptance for the need of Intel requirements? Are we getting better at this? Is there a level of maturity needed before people, you know, catch on with this thing?

Are there certain [00:36:00] roles that are more receptive than others? You know, what, what are your thoughts across the board in this area? What are you seeing out there? Mm-Hmm.

brian_mohr: Yeah. So I definitely see, I'm seeing more conversations about it and I'm having, you know, more requests for, you know, consult, you know, consultation to come in and like help them build a program. Um, so the conversations are there and people actually now are acknowledging there's a need. Uh, there's still a lot of.

There's still a lot of work to be done and how do you actually take a requirement and put that into action and then show value behind it. But at least the language is there. I think, um, the marketing that we've done for the last 10 years finally has shown people that a lot of it is just marketing and there needs to be something behind that.

A

aj_nash: Mm-Hmm.

brian_mohr: of the business has said that we were really good about being all hat and no cattle. And I think the time to bring the cattle is here. Um, I see, especially with. Cyber insurance and things like in, you know, breach dollars. I think the money is finally there to push this market, you know, this industry [00:37:00] forward to be a value, um, but that's on us, right?

And so example of cyber insurance, uh, the underwriter has a list of things that they're going to look at to determine whether or not we're going to give you an insurance policy. That list is exactly what the CSO probably cares about on a daily basis and the likelihood of an insurance payout. It's pretty important to the board if they're hinging their entire cyber security policy on cyber insurance, right?

So I see dollars as driving this Conversation forward because like okay, we know we need Intel, but how do we make this useful? It's like a wall cables three requirements But what is a requirement? Well, it's what you need to know to make a decision. Where are you going to write that down? Um, so I see, I see improvements in the process, but it's still, there's still a huge disconnect between what is happening in the SOC and what's happening in the business and how do we bridge that gap and I think.

I think we're not doing ourselves any favor by utilizing a lot of cybersecurity jargon. I think we need to start speaking more in terms of the business and we'll see some improvement. I also see, [00:38:00] you know, breaches are happening every day. Nothing's stopping them no matter how much you invest in technology.

So I see a lot of the consolidation. I'll see a lot of companies going out of business. Um, on the cybersecurity side is you're, you're seeing layoffs on a daily basis. Um, I think the industry, just like any other industry has to figure out how to show value. And no matter how much we posture and show, Oh, we'll stop all your breaches.

Like you're not going to do that from a third party, unless you get involved and train your users inside of the company and out like. So I don't know, I, I see a lot of the same and that's sad, but I do at least people are having the conversations now. I'm getting a lot more requests for coming in and talking about the Intel cycle.

How do you actually apply that? that's good for me. Um, will it be fast enough? I don't know. And then AI is definitely. Um, I'm going to change things quickly for better and worse. 

aj_nash: yeah, well, yeah, I, AI is, yeah, it's a whole nother episode of

brian_mohr: yeah,

aj_nash: Security for later, I'm 

brian_mohr: inviting because I'd like to soapbox about that as well.

aj_nash: yeah, I don't, [00:39:00] like I said, better or worse, you know, it's gonna do a bit of both, I think, and,

brian_mohr: yeah, absolutely.

aj_nash: that for now, but I think, you know, you point out. That it is good that you're seeing more prospects, more customers.

I want to talk about this, that know what the terms intelligence requirements mean, that know what the intelligence cycle is right. And I'll, I'll take my very, very tiny fractional credit for that. Cause I went out there screaming about it for years and on stages and talking about it, me and several, several other people, of course.

Out there saying these things. So it's nice to hear somebody who's out here every day, say I've seen a tangible change that tells me there's, there's some market change there and I've seen some of the same, but it's, you know, just my little sliver of the world that more people understand these concepts and at least talk about them.

That's a, you know, it's a really good start, right? I don't know we're keeping up or not, but you know, you've been doing this for a while. And this is all to my knowledge, this is all Reqfast does, right? You're not, you're not doing this and 28 other things, right? So have a lot of vendors in the space who are.

Intel requirement adjacent, let's say, you know, they're, they're Intel providers, uh, whether it's [00:40:00] technical data, whether it's a strategic Intel operational, something in the middle. Um, and so they would benefit from knowing the company's Intel requirements, be able to push Intel to meet those requirements, but they may or may not be developing those requirements.

They may not have access to them, or they may not have a system. Which might be the most important thing or a platform that can tie them. Right. So if a vendor is delivering Intel, if I'm a vendor delivering Intel to somebody, I might even know the requirements. Maybe they're mature. We've had this discussion.

I know they care about maybe not all, but I know they care about APT one, let's say. So I know I'm sending them Intel on APT one, and that's great, but I don't. If I send them other Intel that I think is interesting, I don't know if it actually meets a requirement, I don't know how to tag it, I don't know how to get it into a system where they can quickly match it to their requirements, so they've got all the metrics and the data that goes with that, you know, and are vendors building more of this into their technologies?

Are they partnering with you to do this? Are you a side piece to this? Like, how are they partnering with you to do this? How are all these going to be put together? You mentioned all these different orgs you got to be able to work with. You got to work with risk and you got to work with, um, you know, a policy and you got to work with whoever's doing the, the crown jewels assessment and who's got [00:41:00] the CMDB and all these other organizations, patch prioritization, the SOC, it just goes on and on.

Right. But there's gotta be a place where all this gets stitched together. All these requirements, the business intelligence requirements, all these things get stitched together. And I don't know any vendor that's above all of those things, right. That has that in their platform. Is that where Reqfast fits in?

Is that where you fit in? Or is that still a gap we're trying to get

brian_mohr: where we try to fit in because every like we want to sit kind of above all that. So it's not just CTI like. We track risk requirements or fraud requirements or physical security. Intel is Intel. Like it does not matter to me when we first designed this, we first started, uh, we sort of had a large financial CTI team in mind to market too.

But our, one of our very first customers was a vendor. Um, Because why they had a bunch of disparate customers who all had different needs and they were sending stuff out and how are they tracking and they needed some way to provide a feedback mechanism to say this customer is happy with this. This customer is happy with that.

Um, at the same time, they had providers because they were kind of a. for a lot of information. So they needed to have a way to like, [00:42:00] Hey vendor, other vendor, we needed this from you, you didn't provide it in a timely manner so that they needed some way to get metrics and feedback there as well. So we were kind of surprised when a, you know, provider was our first customer, but it really made sense.

And so we're. You know, we're customer industry agnostic where whether you're the Intel team, that's a company providing information or your internal team, it really doesn't matter to us because once again, Intel is Intel if you're risk intelligence, fraud intelligence. And so, uh, that's kind of where we fit in is we, we manage the requirements.

Are we delivering against those requirements, customer service? And then what are the metrics around that? How do you show dollar amount? And can you present that to leadership in a meaningful way? Uh, nobody else really does that. Um, most. Providers that we work with out there, they'll have a mechanism to record a list of requirements to stakeholder, but there's really no operational.

Um, you know, it's not really tied into what they're doing in JIRA. It's not really like, so where's your tie to your operations? Where's your case management? And we start providing that, uh, that's, well, it's not [00:43:00] entirely true. I have seen some progress finally, uh, some of the, uh, Intel platforms out there started adopting this, and this is great.

Uh, I, yes, it's a competition sort of, but I'm happy that they're doing it. Cause they should have been doing it 10 years ago. Um, glad to see that they have finally seen the writing on the wall that we should probably track what our customers want to know. And if we're delivering against that, that to me.

I have no idea why, as an industry, we're all not doing this from day one. Your sales engineers certainly are writing down success criteria. How come you're not passing that on to your providers and analyst team, right? They actually wrote down, that is a customer requirement. Like, why is that sitting in Salesforce and not in your day to day, you know, corporate for your analyst?

There's there's your, here's your free tip for the day.

aj_nash: Right. Well, it's a good point. The customers only know two things like CISOs at least it's, and, and C levels it's, you know, either, either lower my risk or improve my bottom line, right. either lowering costs or, or, you know, raising revenue somehow. Right. [00:44:00] And so. Intel fits into that, right?

We should be able to help people lower risk, but that requires a lot of things you're talking about and people either aren't documented or they're not going that step further. And, you know, I'm with you that I think platforms, listen, I used to work for a threat Intel platform. I've been in the space a while.

Obviously I've been advocating for platforms to have. Intel requirements for years in their, in their technologies. Um, you know, as an Intel guy, when I write Intel, it's nice to be able to tag it back to the Intel requirement and the customer knows where it goes and it gives us our metrics, etcetera. So I'm, I'm with you that I'm happy to see more vendors going in that space, even if it does create some competition for you, it sounds like you're more holistic anyway, um, and go beyond just the Intel requirements to the whole corporate requirements piece.

And I assume I don't wanna put you on the spot, but I assume you plug into a lot of other, uh, enterprise databases as well, or are probably working on that. At least pull in know, all the different things that are out there, the risk registries in the tent and the ticketing systems and the, you know, all the things that go in there, right?

brian_mohr: right. Working on it. So, yeah.

aj_nash: Yeah, well, that's a big process, right? And you need

brian_mohr: Well, yeah, everybody's different. That's the problem. It's not like I can make a one [00:45:00] size fits all platform. So there's a lot of bespoke work and that's part of the struggle. Um. But the fundamental problems are all the same. Um, it's just the technology is changing. And so we believe in sticking to the process, the overall process, and then we'll just find individual ways to like, it's hard to scale that way.

Um, but that's so be it.

aj_nash: absolutely. Well, listen, I, I should have mentioned this at the beginning of the show for anybody who's been listening this whole time. Uh, if you want to know more about REQFAST, uh, it's actually spelled R E Q F A S T. Um, uh, Brian's a great guy, as I said, you know, he's, he's a Marine, so he's not as, you know, great as some of us, but he's still a great guy anyway.

Um, and, and listen, their technology is really cool, and what they do is really cool, and there's a big need out there, so, you know, if, if you're looking for more. On, on his company, on him, on what they do, you know, Reqfast, reqfast.com, or is it io? Which one is it, man?

brian_mohr: Dot com.

aj_nash: com. Okay. Reqfast. com is

brian_mohr: find me on LinkedIn.

aj_nash: Yeah. And or find them on LinkedIn, right? So I could keep talking about Intel requirements all day, especially when I talk to somebody who sees it the way I do. That's great, but I [00:46:00] don't, I don't get to do that. Uh, so like I said, if people are looking for more, I hope they reach out to you or, you know, reach out to me.

You can find me on LinkedIn. Um, you know, I'd be happy to talk about Intel requirements, um, and you know, how to build Intel programs, the Intel cycle, how to search for the requirements and stakeholders, all these things and, and how to help people get more value. Um, which starts again, you've got to know what your needs are.

You got to tie Intel to a tire, spend to it, tie the results to what you got. Uh, so you're able to say this is the value. Um, so I think, I think, I think you nailed it. I think we're on the same page on this one, you know, which I appreciate you taking the time to come in and explain it to folks and hopefully more we'll reach out to you.

Um, I gotta get to the point of wrapping up here, unfortunately, but with that said, so the closer question. For everybody on the show, you know, the name of the show is unspoken security. So, you know, with that in mind, I always close with the same question, which is tell me something you've never told anyone, something that to this point has gone unspoken.

What do you got, Brian?

brian_mohr: Um, the one that came to mind was I, especially during the Marine Corps years, I always carried around a copy of The Catcher in the Rye, and that was because it was my one [00:47:00] time password cipher. Um, I didn't write anything in it. But if I had, you know, a password hint, they would say, you know, 88 and 10, meaning I would go to page 88 and count the first 10 letters, you know, the starting of each line and that would be my password.

And then of course I knew what my little, uh, if I need the special character in the number, I would always use the same one, which isn't great, but at least I would put those little two at the end of it. And so my password hint was always just a page number and. A length of the password, but nobody knew that that's what I was using as the base of my, so, you know, another book that I happen to have is, you know, 1984.

Don't use that anymore. Um, you know, so if the password was like Bank of America, I would say 2 77 15, and that way I would know, I would have to count down the first, I'd go to that page and count down the first 15 letters. And so that was how I tracked my passwords.

aj_nash: What a, what a really interesting concept. So I listen, I've, I mean, I'm familiar with ciphers and codes a little bit, of course. And I think most everybody, frankly, is whether you're an Intel and you're familiar really directly, [00:48:00] or you've watched movies, whatever. But this is a really interesting idea. So, so you carried around Catcher in the Rye, which of course, if you ever lost one, you can go get another copy.

Like it's relevant,

brian_mohr: as I knew what that edition was.

aj_nash: well, that's a good point. You better have the right edition because it changes, you know, the spacing and everything changes with it. Right. But, um, but being able to find that book, you know, should you lose it as good. So, so you would just, like you said, like you, you'd say, okay, you know, page, whatever, and then a number and that's how many now I, I assume you picked a page where the first word started at a certain place, like you were in the middle of a paragraph or whatever,

brian_mohr: Yeah, I would always start on the upper left hand corner and it'd be the first letter of each line going down, but then you'd get a mixture of capitals and lowers and it wouldn't create a word, so it wasn't creating in something that, you know, it would be in a rainbow

aj_nash: Wouldn't work now that with alphanumerics and special characters.

brian_mohr: Only if you, well, that's what I'm saying is I always knew what my, I would put like, uh, you know, asterisk seven or asterisk and percent. I just knew that that would be what I would put at the end

aj_nash: was

brian_mohr: So I would do the 10 letters and then I would put my special characters at the end.

aj_nash: Got it. Got

brian_mohr: Granted, reusing those isn't great, but [00:49:00] once again, if nobody knows what your base is, then.

aj_nash: Yeah. Now do you still, obviously I want to switch book, but do you still do things this way? Or 

brian_mohr: No, I have a password because, and also I'm getting older. I forget where I put stuff, so I can't carry a book around with me anymore. So. Uh,

aj_nash: Like did somebody else teach it to you? Was it just a random thing?

brian_mohr: it was a random thing. Um, I kind of, I came like going through Intel training, learning about one time ciphers being, you know, long as each person had that one time pads being the most secure and they're still considered one of the most secure ways to do it. Um, I thought, well, what could I use if I'm, where's my one time pad?

And I just happened to have a book on me. And so I'll start doing that.

aj_nash: Sorry about that. That one's mine. No, it's not your dog. It's mine. Riley apparently

brian_mohr: defense.

aj_nash: Yeah, Riley apparently is very excited about the concept of, of doing these one time passwords. Uh, yeah, she's sorry about that. She's very excited about one time passwords. Hey Riley, knock it off. Don't make me pause. Don't make me pause. Not your pause, my pause. So, somebody must be at the door invading or it's more likely Amazon delivery. But um, Very interesting, man. It's a really cool concept. I haven't heard of before. For anybody out there who's trying to figure out a way to handle passwords, I guess you could, you could do that. And I guess at that point, like, listen, I use a password manager too, but you could easily just have a notebook that said, you know, Citibank 2 12 9 or whatever, right?

I mean, you could do all those things. You could write them down if you want. Somebody has to cipher first, which is whatever book. But I, for [00:50:00] what it's worth, I wouldn't recommend that folks, because if somebody figures out what your favorite book is, you're probably in trouble. Um,

brian_mohr: So yeah, don't advertise it.

aj_nash: have to go through somebody's whole library. I know people own thousands of books. It'd be impossible. So, um, really cool, man. I appreciate you sharing that. I, I suspect somebody out there is going to decide to start using this actually, uh, with whatever their book is. I think it's a really cool idea.

I've never heard of it before. Uh, you know, one time ciphers, as you said, are really safe. So it's really, you know, it's a neat concept anyway.

brian_mohr: It's also analog solution in a digital world. Like there's, you can't get a book hacked. So as long as they don't know what that book is tracking the personal life. So

aj_nash: analog solutions, as you said. So, you know, all right. Listen, we got to wrap it up here. We're, we're out of time. Uh, I want to thank you, Brian, uh, from, for coming on today. Thank you for taking the time to talk about Intel requirements.

Helping them understand, you know, the value and the importance here. I think you, you brought up some points that I haven't had people talk about too much before. Myself included, frankly. So I think it's really interesting. I think Reqfast is really interesting. I hope people, you know, come and check you out.

Any last thoughts, uh, before, [00:51:00] before we wrap up today? Is there anything we missed? Anything you want people to remember going out the door besides Reqfast.com, Reqfast.com, Reqfast.com? But anything else, uh, you know, for you, man?

brian_mohr: Oh man, I think you pretty much covered it, but just remember intelligence is decision support and a customer service. And as long as you understand those two things, I think you'll do better.

aj_nash: Yeah, man. I, I second that emotion. All right. So again, thanks for the time. Really appreciate you coming on the show. Uh, for those who are listening or watching, you know, if you like Unspoken Security, please do take the time to subscribe to, you know, to like and, and thumbs up or whatever, whatever all the ratings are.

Right. And, and, you know, let us know, uh, feel free to contact me directly. If you've got feedback, you can find me on LinkedIn or you can find me through emails. Um, and, and let me know how the show is. The show isn't about me, right? The show is about, okay, you the listener, the show's about, you know, Brian and guests like Brian coming on and being able to share things.

So, but I need to make sure it keeps going. So please subscribe, you know, give the, give the feedback, you know, talk to us if you had an episode in mind, you got something you want us to cover, like, let me know. [00:52:00] And we'll see if we can get that in there too. Uh, but until next time, thanks again, uh, for listening and watching Unspoken Security.

Uh, look forward to talking to you all in the future.