57: Shred with George Gerchow

For those unfamiliar with the snowboarding slang term Shred, it means “to ride with exceptional speed, ability, or enthusiasm, especially in difficult terrain and conditions”. Sumo Logic’s CSO, George Gerchow, applies this methodology whether it’s by way of Board, or by Way of Life.

George has been carving up IT and Systems Management territory for over 20 years. His background has allowed him to gain unmatched expertise in the areas of security, compliance, and cloud computing. His thoughtful insights make him a highly regarded speaker and panelist on topics such as DevSecOps, cloud secure architecture design, virtualization, compliance, Bug Bounties, and operational security and compliance. George has been on the bleeding edge of public cloud security and privacy since being a co-founder of the VMware Center for Policy & Compliance. Mr. Gerchow is an active Board Member for several technology start-ups and the co-author of the CIS Quick Start Cloud Infrastructure Benchmark v1 and the MISTI Fundamentals in Cloud Security. He is also a Faculty Member for IANS and the Cloud Academy.

He traverses into BarCode and we catch up on Supply Chain security, SMB best practices, the Center of Data, ZTA, Zero Day Vulnerabilities, Bug Bounties, his self-described “biggest bonehead move ever” and owning it, the MMA-INFOSEC connection and much, much more. George also opens up about the meaning of his newly founded X Foundation, a nonprofit organization that spawned from a personal, heartbreaking story which is critical for everyone to hear.

SYMLINKS
LinkedIn
Twitter
Sumo Logic
RSA Conference
Blackhat
AWS re:Inforce
The X Foundation
Breckenridge Ski Resort – CO
Vail, CO
Brass Tap – XFOUNDATION LAUNCH Event | Colorado Springs, CO
Moose Jaw Bar | Frisco, CO
Ollie’s Pub | Frisco, CO

DRINK INSTRUCTION
BLUE STEEL
Blue Gatorade
Vodka
Ice
Fill a glass full of ice. Pour in Vodka and blue Gatorade. Mix, and enjoy.


This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors.

Chris: As Sumo Logic’s chief security officer, George Gerchow brings over 20 years of information technology and systems management expertise to the application of IT processes and disciplines, with a background that spans security, compliance, and cloud computing disciplines. George has gained many years of practical experience in building agile security compliance teams and modern-day SOCs in rapid development organizations.

Chris: He’s been on the bleeding edge of public cloud security and privacy since being a co-founder of the VMware center for privacy and compliance. He serves as an active board member for several startups and as the coauthor of the CIS QuickStart infrastructure benchmark version one, and the MISTI fundamentals in cloud security.

Chris: George is also a faculty member for IANS and the Cloud Academy. George, it’s an honor, man. Thanks for stopping by!

George: Hey, Chris. It’s my pleasure. And I’m blushing over here, man. And for some reason, it’s like when you hear about yourself in that way. No, no, no, no, no. But anyway, thank you so much, man. Appreciate it.

Chris: Definitely, man. It’s quite an impressive lineup you have in terms of, you know, what you accomplished and what you continue to accomplish in this industry. Although for the people that are listening that may know about you but haven’t had the privilege of getting to know you on a personal level yet, would you mind just taking a moment and talking about your journey and what led you into security?

George: Yeah. And I love that, by the way, because I always hope that maybe someone can learn something from it because there’s just no direct path. There was no way, if you would’ve asked me 20 plus years ago, that I’d end up being a CISO or a CSO.

George: I would have never seen that coming. I just started off with a little bit of a development background, with things like COBOL, Turbo Pascal... showing my age here, obviously. I was in finance, and this was back before there was actually formal IT, and there was really no security back then.

George: It was more of a risk management type department. Dude, I was supporting apps all the time and then it became interconnectivity and then it was networking. And, you know, I like to talk about big breaks that I got. So one of them was, I was doing contract work, hooking up all the Jesuit universities, like Regis, Boston College, and just putting them together.

George: And some dude who was a teacher at Regis approached me one day and said, Hey, how would you like to be a network engineer or interview to be a network engineer with my company? That company turned out to be Northrop Grumman. And so Chris, I was standing up networks like all through the Navy and through the Air Force, through the DOD. Worked with a great crew of guys, it was like eight of us.

George: We were just savages. We would just fly into these different bases. Stand up these AD networks. We were switching over to AD and Cisco networks, replacing older hub type technology.

Chris: Gotcha. So it was a natural progression for you then to get into security and you haven’t looked back yet.

Chris: So I’m curious being in the industry for so long, what keeps you going? What is it about the security side that you love the most.

George: That’s a really important question you just hit on, which is what keeps you going and that changes at different times in your career. So one of the things we didn’t talk about is I’m actually lucky enough to serve and support a larger group now.

George: So it’s, it’s called RISC, so it’s risk in Real estate, IT, Security and Compliance. And so my role has expanded kind of going back to where we started with it. I believe those two functions should be together and I don’t think they should roll up to a CIO. And so that’s part of my charter now, which is like, how can I effectively bring together these three different lines of business to be able to drive growth and serve and support our organization or our customers, but what really keeps me going more than anything right now, Chris is just giving back in any way I can, whether it’s mentoring people within my team, within my company or outside of the.

George: Any piece of advice that I can give someone that can hopefully progress their career or progress their life in some way or another is what’s important to me.

Chris: Yeah, that’s so great, man. And it’s so needed in our industry because it’s far too common that we all become mentally siloed at times.

Chris: And we just get distracted from giving back to the industry. So one thing that keeps me going is just the constant evolution of our industry. And it’s more so the constant evolution of the world, right? So for instance, we’re in a global pandemic, and for the last two years during the pandemic, and even now as we continue to phase out of it, supply chain attacks have increased due to just the increased interconnectivity within organizations and continue to be a major concern.

Chris: From your perspective, what do you feel like needs to happen in order to minimize the supply chain attacks from. Yeah,

George: That’s a great question. And that’s top of mind and should be top of mind for everyone. You know, and it’s something that I’ve actually been talking about since before the pandemic, but it’s gotten worse and here’s why I think it’s gotten worse.

George: Whenever you have times of high anxiety, high stress, it just seems like it’s the perfect mix for bad actors or bad people to do what they do. And now that we’re mostly working remote, people are dragging to cloud. We’re moving away from this perimeter security notion of hard shell, soft center. It’s just the perfect opportunity.

George: And plus, Chris, like you and I talked about before: zero accountability. Really, like, all we really do is have these questionnaires that we’ve been doing for years that are a CYA for compliance until things become real, and so bad actors know that. And it’s going to take, I think, deep conversations, better understanding of how people operate, a lot of transparency and then some, some technical pieces to truly evaluate your supply chain fend.

George: It’s not going to go away anytime.

Chris: Yeah, absolutely. So you mentioned zero perimeter. So we’re looking at ZTA, right? Or, or zero trust architecture.

George: Absolutely. And that, by the way, is a never ending journey. So a few things. I’m going to go off on a tangent here, so feel free to interrupt me. Vendors come back to me all the time with “we sell zero trust,” and it’s like, no.

George: There is no one stop shop, right. That kind of marketecture drives me nuts. And I’m going back to RSA this year, by the way. So I know I’m going to see it there. It is truly a concept. And like you said, it’s a framework where you hit it with bits and pieces and especially as much as technology changes.

George: As we move forward as we evolve, but it’s a never ending journey. And so you have to just be careful about where you invest, how you start, how you progress and then making it seamless to your organization. Because one of the great things about security these days, Chris, and this is why I love talking to people like you is again, transparency.

George: When I came up in security, you ran from security people, cause they always said no. Or they were just hardcore about it. Now we have to learn how to get ourselves out of the way so much that people don’t know that we’re doing it. And to me, that’s one of the big concepts of zero trust is implementing this perimeter less security without people knowing that you’re doing it.

Chris: Definitely run ZTA in stealth mode. Right. And again with supply chain, implement transparent ZTA both internally and externally to help you provide protection on both sides.

George: Yeah, absolutely. You know, and it really, I think it starts with, like before we talked about infrastructure and supporting infrastructure and infrastructure, infrastructure security, now we have to really lean more into data and apps, you know?

George: So one of the things that I love to say, you know, cause I did security at VMware, you know, before we’re coming to. Was back then, of course, everything was about data centers, and now, well, data centers are going away because you’re moving to cloud service providers. So I like to flip that to “center of data” because you really just need to focus on where that data is.

George: Who’s accessing that data, and making sure that collaboration with control is taking place. And so if you can have that kind of maniacal focus, it’ll help out tremendously while you’re establishing zero trust, to really look at your supply chain end to end.

Chris: That’s a great perspective. Focused on securing data itself and then apply your access control and your other ZTA controls.

George: Yeah, absolutely. I mean, we’re, we’re pretty much doing everything we always wanted to do, which was like defense in depth. That doesn’t go away, as well as starting to make sure that that access control is correct. Cause we’re, we’re in this age now of, “Hey, let’s share everything. You know, the G Docs is cool and Office 365, look, I can work on these docs and share them out so quickly”.

George: So I believe that to really start with zero trust, and then when you’re evaluating your supply chain, just starting with simple things like IAM, SSO, MFA. Those things are a must today. And if you start in that area first and then have visibility through things like logging, you’re setting a foundation.

George: Cause I think that’s a hard part, Chris, is people don’t know where to start. I mean, they just really don’t, and that’s why supply chain gets them.

Chris: Right. One aspect I often like to hit on is smaller organizations in this particular instance with Supply chains and it’s, it’s really a challenge for them because a lot of times they don’t have the resources to look at ZTA or have the knowledge of bringing someone in to really get their environment stood up with that type of framework.

Chris: So what are some of the, the quick hits that, that you can suggest for SMBs? Possibly, even if it’s as high level as, proper vetting of who you’re working with.

George: So, first off, I love that focus because like everyone just always talks about the enterprise and the enterprise and SMB is like, that’s our bread and butter, you know?

George: And I mean, it’s kind of like the backbone of our industry in our society in general, because that’s where most people are. And, and for me, like one of the first things that I always tell people: Move to the cloud as fast as you possibly can, because if you’re in a smaller organization trying to support infrastructure, which is not your core competency.

George: And then on top of it, trying to support the applications and the data that serve and support your internal and external. That’s a lot. So take it off your plate, man. Like move out to AWS, to a GCP or to an Azure and get that shared responsibility model in place. Now that comes with other challenges.

George: I’m not denying that, but if you at least have the knowledge and do your part while they’re doing their part, it puts you ahead instead of managing infrastructure.

Chris: And then you also achieve those native controls within the cloud platforms as well. And gain support that you may be lacking in-house on the SMB side.

George: Yeah, absolutely. And that way you can, I mean, you don’t have to have the staffing to be able to scale. Let’s just talk about, you know, for example, cause we talked about it a little bit before, you know, when we’re talking about G Docs and Office 365. Back in the day, we would support Exchange infrastructure, have to patch it, manage it all the time, operating system level upgrades and all this other stuff that we had to do.

George: Just to provide an email back to our customers or to be able to communicate with folks. Now, if I just move out to a platform that has it all built in, then I can focus on SSO, MFA, RBAC and all the things that really matter to have that collaboration with control and I’ve eliminated that infrastructure piece.

George: It doesn’t mean that I don’t need to monitor it. And again, with supply chain, I got to make sure that whoever I’m doing business with is actually doing the things that they say they’re doing on the behalf of the shared responsibility model. And so I think it’s a great place to start. You know, one of the things I was going to mention is like something I actively look for.

George: If I’m an SMB and I’m sitting in their shoes, I’m doing business with running a bug bounty. Bug bounties were a bad word and they still are in our industry for a lot of people. Like, “Why would you pay someone to hack your environment?” Because I want people to break stuff. Like, traditional pen testing just doesn’t do it.

George: You know, it’s a methodology usually to reach a compliance goal around things like PCI or SOC 2 or FedRAMP or whatever it is, but a true bug bounty encompasses social engineering and true hardcore thinking on how to make an organization better. And I’d rather have them do it than have a bad actor do it.

Chris: And it also brings a forced mindset to think outside of the box. So, yeah, I’m a big advocate for bug bounty programs.

George: Yeah. And the other thing that it does too, is it, it catches the attention of developers, right. Because, you know, before, when I mentioned like how great cloud is. One of the scary things about it is as you make the move to the cloud, developers are really the ones that are pushing those workloads, right?

George: I mean, you have an SRE team, site reliability engineers who are hands-on all the time. And, and you know that there’s always some friction between security and development. It just naturally exists. And it’s important to build those bridges. And so what a bug bounty can do is start showing, Hey, here’s where deficiencies are in the code.

George: And we can start getting some KPIs around how you guys can start improving that process or how we can improve it together in the beginning, baking security in from day one. And it’s such an important thing, because then their eyes start opening, like, wow, we had to pay that much out. I never want that again.

George: I never want to see my name associated with that story. It is a very important thing that I’d look out for if I was an SMB, as I partner with people, as I increase or make changes to my supplier.

Chris: Yeah. Yeah. It’s a great perspective. And I really do appreciate that advice because often SMBs are overlooked, and we just need to make sure that they’re secure as well.

Chris: So I’m going to stay on interstate zero here, but I’m going to switch lanes real quick. And let’s talk about zero days, which also aren’t going away in your opinion. What’s the best way to stay ready for a zero day. And how can we get in front of zero days to help minimize the impact? And George, I know one way is going to be bug bounties cause we just spoke about it.

George: No dude, you’re headed completely in the right direction. I mean, it’s just shifting to that. So, so first off, let me just say that being in security as long as we have, it’s like selling insurance, right? I mean, that’s really what it feels like a lot of days, where you’re talking about what-if scenarios, like what would happen, and we need to get out of that mindset.

George: And it all starts with support at a board level and a C level. They shouldn’t be about what if, because it’s a matter of when, which takes me to the best thing you can do to prepare is become susceptible to it. I can tell you now, and, and again, I’m super transparent about where. We’ve always done a really good job.

George: I feel like, but when Log4J hit, there were some learnings my brother there that we needed! We had acquired companies and we weren’t one platform anymore just sitting in AWS. And so when that hit and because we do leverage open source so much. Did we learn so much on the job as usual, and I’m grateful for it because we thought we had a great IR plan and, you know, we thought our comms were down cold and boy did we learn.

George: And so what it did for us was, I mean, just talking about Log4J, we had a narrow focus. So we looked at four things. The first one was our service, a hundred percent in the cloud. Where is it running? Nowhere check, but let’s continue to update our assemblies, which is not easy. Those configurations and rotate them as new cause you saw this.

George: I mean, there were new versions coming out every day. So that was the first thing we did. Second thing was our collector. Our collector did leverage log4J but it was for internal audit. Meaning Chris made a change. So the type of data being collected that was being audited. So we felt really good about that.

George: And remote execution couldn’t hit our collectors at that point. The third one goes back to supply chain. Like we only had an 18% response rate from our trusted vendors after like a month, you know, and a big shout out to people like PagerDuty who responded right away and were transparent right away.

George: But that was tough. And then the last one was our open source library sitting in Artifactory and other places too, that we had to make sure we rotated there. So by having that kind of focus was really good for us. Now, let’s talk about where we were. Comms dude, awful. Internal, external. My team did way too much.

George: We were handling, like, with legal, like all of the comms across the company and trying to keep people informed. And we had a lot of panic going on and Slack was blowing up. And so, shifting gears, what happened to us was, by the time the Okta (and again, I’m going to do this in air quotes) “breach” came around, because it truly wasn’t really a breach, but it goes back to supply chain, we crushed it.

George: Like our comms were so good or everyone did their part ownership within the organization, which is huge. And I know you’ve seen this too. You’ve got to have cross-functional ownership. Development, you know, from HR, from marketing and legal, that has to happen. And so I think the best thing people can do is truly simulate a zero day, like really do it.

George: Or you’ve got to just learn it on the job with one that hits you, because it’s just hard to scale that out, dude.

Chris: Yeah. Yeah. Agreed. With those comm issues that you mentioned. I’m curious to know what adjustments were made to help prevent that from potentially happening again in the future.

George: So I go back to that ownership, but I’ll give examples, like real life examples of what happened.

George: So when Log4J was going on, customers started reaching out to our sales folks and saying, what are you guys doing? All we did preliminarily was drop in Slack, in an announcements channel: Hey, we realize that it’s going on. We’ll have some answers for you soon. Well, that’s just really not good enough.

George: Not impactful. So then we started having, like, people drop in there saying we’re not moving fast enough, blah, blah, blah. We’re trying to work on the problem. And then, you know, all this noise is going on and it’s demotivating, really demoralizing a lot of, like, my SOC and NOC team members. We call it a GOC, by the way, a global operation center.

George: So I had to jump into that Slack channel and say, Hey, stop it, knock it off. Know you’re not helping, but it was a learning moment. So our CRO who’s a total bad-ass, Lynn, just immediately, like, was like, “Let’s schedule a go-to-market call tomorrow morning, eight o’clock in the morning. Everyone gets in. George, here’s the slide deck that we started preparing for you, jump in”.

George: And so we did this presentation to the whole go-to-market team, and it settled everything down. Then we did the exact same thing externally, and that helped a ton, Chris, because we were just giving people the play-by-play live of what was going on, what we’re working on, what we’re doing, and it stopped the noise.

George: So by the time Okta came around, we had it down. Yeah. Yeah. And repeated the same pattern over and over again. So comms is usually where things break down. Then there really is.

Chris: No, I agree. A hundred percent.

George: But can I flip that just for a second to talk about the Okta piece? So one of the things, and this is something every security practitioner needs to hear.

George: So my man David, over at Okta, their CSO, he got crucified because he was trying to give time updates in his blog. Were there some mistakes made about, you know, the communication? Yes. But we gotta be empathetic to that because you can’t have it both ways. You can’t say, Hey, gimme, gimme, gimme, gimme information, and then, if some of that information is wrong later on through the, you know, chain of custody, post-mortem, you can’t crucify someone for that.

George: So either you get it, or you don’t. And, and I really felt for that guy, you know, so I was lucky enough to talk to him the Friday after. And he walked me through the whole series of events and that’s the one thing he said.

George: He goes, I am so afraid that we’re going to go back to this tight-lipped mentality across our industry, because when we try to be transparent, people judge if you make a mistake in real time.

Chris: Yeah, you can’t hold it against them. What would you prefer? Would you prefer the transparency?

George: Absolutely.

George: Absolutely. I mean, this is, this is a motto that we live off of at Sumo: transparency is everything, because what it does is it makes security more approachable. You know, like, if people make mistakes, an inadvertent data share, like, self-reporting is so important, but they’re not going to do it if they’re going to get in trouble.

George: So. Transparency in our industry is just so needed, but we can’t like judge people for making mistakes. It’s just going to happen. I’ll make them all the time. I mean, I’ve had some beauties in my career, brother.

Chris: You and me, both man. And the need for transparency is so needed. We, as security professionals should do more to support and encourage.

George: Yeah. Yeah. And it all starts with vulnerability, right? Like if you’re vulnerable, so I’m going to give you my biggest bonehead move ever. So when I first started at Sumo, I sent out a security patch update to about 200, 225 customers.

George: And then being the knucklehead I am, instead of putting them in the BCC, I put them all in the CC.

Chris: I think we’ve all been there, but yes; I know where this is going.

George: Oh yeah. So somebody took a screenshot and tweeted it with SwiftOnSecurity, you know, like, “Look at this idiot. That’s VP of security, like, exposed everyone’s emails,” and blah, blah, blah.

George: And so, you know, what I did was I owned it. Then I went and said, yeah, I did that. And, and I did like this internal lunch and learn at the company, talked about what I did, but then I also talked about like how it takes a lot of information to string things together to truly, you know, perform an attack and why you shouldn’t do it.

George: But if you ever do this, just step forward with it. And showing that vulnerability, Chris, I think was really important to set the tone within the company of, if I make a mistake, I can come forward with it. And that’s really what.

Chris: Dude. I’m so glad that you said that and you know, that’s a prime example of transparency that you just provided.

Chris: I mean, you’re an inspiration to many and to talk about a situation where you straight up owned it, I think will help others realize it’s okay to.

George: No, totally. This too, like as an industry as well. If, if I call you up and I say, Hey, Chris, man, I’m seeing this, I think it’s a zero day or I’m dealing with a supply chain problem.

George: If I have that safe space to talk to another professional, like you and, and, and be open and honest about it, and then you are as well, that just helps us prepare for what the bad actors are doing before in the past. We kept those skeletons in the closet and then legal would kind of prevent us from talking about a lot of it.

George: I’m sorry, I’m talking about it because the more that people can learn from the mistakes we’re making or attacks that we’re getting the better off we’re going to be as an industry.

Chris: Great. So I want to hit on this killer product, Sumo logic. And for those that aren’t familiar with Sumo logic, would you mind explaining where you guys fit into the security stack?

Chris: Because it’s a unique space you’re in.

George: Yeah, it really is. And thank you for saying that. I mean, you know, so the product has been around for 12 years or so, and like I mentioned before, and this is really important: it’s a multitenant, cloud-native product. Why does that matter so much? Scale. Data is not going anywhere. It’s just increasing. And I understand that a lot of times in security, we’ve done security by budget. Like, I can’t consume that data source because of the costs. And we’re revolutionizing that as well, too. But to narrow it down the scope where a two clouds. And so we do a lot of data analytics based off of multiple sources because it takes a fabric to be able to secure your environment.

George: We have a SOAR product that’s embedded into that as well, too, that we help people with compliance and audit at scale. Easy to set up, easy to use, but the biggest thing is the at-scale piece. Like it just, the platform makes such a difference and turning that back to something like log4J the reason why we were able to take care of things quicker than most, even though we had those comms issues is because it’s a standardized environment.

George: You know, it is true cloud. So I know what version of Ubuntu is running across, you know, our 25,000 different instances worldwide out there. And so that really matters when you combine architecture and then the feature functionality that our platform provides to secure modern day applications.

Chris: Awesome, man.

Chris: So where can we find Sumo Logic online? And are you guys going to be hitting up any conferences?

George: Yeah. So dub dub@sumologic.com and you could run Sumo free. All you need is credentials to get in there and sort of demonstrating the value. But I love what you just brought up, which is “where can you find Sumo”.

George: Well, so for years, my brother, for years, I used to complain about going to RSA. I can’t wait to go back. I can’t wait to go back. And so we’ll be there full strength in San Francisco at Moscone. And in fact, come check out the panel that I’m doing. It’s going to be at the St. Regis. There’s a small African museum inside of there.

George: It’s going to be a swanky event with drinks and appetizers. We will definitely be at Black Hat as well, too. We’ll also be at re:Inforce. And then you can catch me, like, on IANS as well, too, because I do a lot of stuff for them, but I want to get back in person then, I really just do, and I, I get it for those of you that don’t, but I need that.

Chris: I know, I’m with you. I’m with you. Unfortunately I won’t be at RSA, but I will be at Black Hat. So let’s definitely link up there.

Chris: I don’t know if you know Jeremiah Grossman, he runs a, a, an MMA clinic at Black Hat and I hear you’re an MMA fan as well.

George: A huge, huge, huge fan. And one of my favorite moments in security was I was in Hong Kong doing a keynote at a conference called RISE. And who did I look out and see? Miesha Tate!

George: She was VP of operations for ONE championship. So I got to hang out with her for like a whole day and just got the skinny on so many fighters from her perspective, but yeah, a huge MMA fan and John.

Chris: That is so cool, man. I’ve had a, I’ve had multiple guests on this podcast. Jeremy Miller was recently on, Jeremiah Grossman obviously, Tyler Bohlmann, Jeremiah Batac, and there’s so many different parallels between our industry.

Chris: It’s endless.

George: It’s just endless, right? Constantly ready. How the attacks shift all the time. Just watching the sport evolve from Royce Gracie all the way to Khabib has just been insane. And I kind of stopped at Khabib because I still think he’s the best in the world, but a shout out to my favorite fighter, Rose Namajunas.

George: She’s just amazing. And I love her.

Chris: Oh yeah! Combat sports in general, I love it, man. I love the mentality, the discipline strategy. And you know, for me, not even being a practitioner, you know, a lot of those core values, I apply as well.

George: Agreed. You know, and you said it so well, and it’s also the evolution.

George: Like my favorite fighter of all time was GSP because I never saw one person evolve more than that. And plus he’s a class act just like you.

Chris: Well, thanks brother. I’m no GSP, but I’ll take it. GSP is up there on my list, man. I have to go with Anderson Silva and I know he’s getting older, but Hey, with passion to stay relevant and stay active, it’s difficult to walk away.

George: Just like us!

Chris: Exactly!

Chris: So, George man, I did not, I know we’re running up on time and I didn’t I didn’t mention this yet, but as I was looking at your LinkedIn recently, I also noticed that you serve as a CEO for a nonprofit organization called the X foundation. And if you don’t mind, I’d like you to share with us a little bit more about that, the support that you’ll be providing through it, and then also how we all can support you in the process.

George: Oh man, Chris, thank you so much. Like, I can’t tell you how much I appreciate this. And, I could get a little emotional here, so I apologize. You know, like I always mentioned, like helping people and giving back. If someone were to define me and if I was to define myself more importantly, it would have been as a family man.

George: You know, I raised two kids on my own and I just put everything into them…two amazing children. And unfortunately on March 12th, 2021, I had just come home. I was actually up in the mountains. I’d been snowboarding. Came home, saw my son Xavier, which is his name. And, you know, got a chance to eat dinner with him and stuff.

George: It was a day like any other. He had been lifting a ton of weights, playing basketball, getting ready to come out of school, you know, he’s 17. So a couple of months before graduation. Went to bed, like any other night. Gave him a hug, told him I loved him. Went downstairs, had a few Snapchats throughout the night.

George: The next day, worst day of my life. Come to find out, he had a buddy over that night, which no fault to this kid. You know, Xavier was a little bit sore. And so the kid was like, “Hey, I got a Percocet on me. You want to split it?” And so X took half and it killed him on the spot. It turned out to be 99% fentanyl, 1% cocaine.

George: So it was a fake street script. That’s a major issue. I mean, Chris, I didn’t even know what fentanyl was, you know, as I was talking to the coroner detective. He was such a good human, just an amazing musician, played five different instruments. He was a basketball player, with a deep love and passion for the Nuggets and for family.

George: Crushed our lives, you know, like just crushed us. We are still going through the grieving process. It’s been a little bit more than a year, but I can’t take things like this sitting down. Again, getting back to helping people, the X Foundation is really based off of a few things. So the first one is raising awareness around the opioid crisis and specifically fentanyl, but there’s other things coming right behind fentanyl.

George: It’s 100 times more powerful than morphine. It’s being put into fake pills all the time, even Advils, so we want to raise awareness of that. But while doing that, we’re also putting uniforms on kids that want to play basketball, football, whatever else it may be. Cause he was an athlete, but he was also a musician.

George: So we’re providing instruments and stuff for kids as well, too, within the community, all for the opportunity, just to be able to speak more about the opioid crisis. So it officially launched today. We are having our first event on May 21st at a place called Brass Tap. One of my favorite bars, good friends there. We are going to have an astronauts come in and do some guest speaking, and we’re just going to raise awareness and kickoff the foundation and take some donations. And really just start driving those three things: Putting uniforms on kids, musical instruments for the underprivileged, and raising awareness around opioids and fentanyl.

Chris: George, thank you for sharing that. And first off, I’m so sorry for your loss, man. I can’t imagine the pain that you’ve been through throughout this process, but what you’re doing moving forward is amazing. You know, this push to bring awareness to a war that a lot of us here aren’t familiar with or don’t even know exists.

Chris: What is the website that I can point listeners to, to read more about this foundation, to understand more about the war on opioids and, and also about the event as well?

George: Cool. So for those of you that are, want to help, the website is xfoundationx.org.

Chris: And tell us again, the details of the Brass Tap event.

George: So it’s May 21st from 2-5PM. And I mean, it’s dude, it’s going to be awesome. We’re going to auction off some things. I actually almost even hate saying awesome because it’s such a horrible thing that happened, but if we can save just one life or make one person aware of street scripts and the cause and effect that they have, we’re doing the right thing.

George: The event at Brass Tap is going to be a great, great launch because to your point, I just had no idea what fentanyl was, although here’s a couple of things I do want to say around it. One, immediately when someone sees fentanyl, they call it an overdose.

George: Well, how is it an overdose if you don’t even know what you’re getting? It’d be like putting arsenic in coffee and giving it to someone so people don’t know what’s coming. And so people kind of get written off as drug addicts and that’s wrong. The other thing, too, is let’s face it. A lot of people are still going to do this.

George: And so arming them with testing kits with Narcan, which helps revive people after fentanyl’s happened is important too, because not everyone is going to just not do it. So this education and awareness is just so important.

Chris: George. Thanks so much, man. I urge my listeners at a minimum to visit the site and educate yourself.

George: I can’t tell you how much I appreciate that. It’s a nonprofit corporation that filed for 501(c)(3), which means tax exemption as well too. So any support we can get is appreciated, but more importantly, go to the website to learn. I just don’t want this to ever happen to anyone else and for people to go through what my family is going through.

Chris: For sure. For sure. Now geographically, you’re based in the Denver area. Is that right?

George: Yeah, so a little bit outside of Denver, in a small town called Frisco, Colorado.

Chris: Awesome. So after a long day of security, and I know you, George man, you are, you work nonstop and these long days often go without much sleep for you.

Chris: So in those small windows of time, or if I were to come out to Denver and catch up with you and hang out, what are some good bars in or around Frisco, Colorado?

George: So the classic bar in Frisco, Colorado, for those of you that come here and go skiing and snowboarding, Frisco is like 10 minutes away from Breckenridge, Vail.

George: It’s in the middle of a bunch of resorts, sleepy town, but there’s a bar called the Moose Jaw. You walk in and your feet start sticking to the ground. They serve great local beer. It’s just an amazing, incredible place. Well-priced and locals mainly go there, but if you come, please visit because it’s fantastic.

George: There’s several other places around here too. Ollie’s and others, but just remember the Moose Jaw, like that’s the place to go. Like if you showed up Chris, we’d be rolling into the Moose Jaw.

Chris: Alright. Well I’m in. It definitely sounds legit. If your feet are sticking to the floor, that’s serious!

George: Dude they even got a sign up. It’s so funny. It says “We don’t call 911”, and it’s got a real gun hanging from the ceiling!

Chris: Love it, man. That’s awesome. So George, I just heard last call here. Do you have time for one more?

George: Absolutely.

Chris: If you opened a cybersecurity theme bar, what would the name be and what would your signature drink be called?

George: So, I would call it Risky Business, and the signature drink would be Risky Sour.

Chris: Risky Sour! Ok, I love it, man. You got the whole risk theme going on.

George: I do, because look, these are two things that I absolutely love and I enjoy. Going to a nice dark bar at the end of the day, chilling, relaxing with friends, family, whatever. I also enjoy that drink too. But at the same time, it also takes me back to security. Our business is based off of measuring risk. That’s it.

Chris: No doubt, George. I want to thank you again, man. Just for hanging out with me at the bar today, sharing your insights, sharing your story with all of us. Really appreciate it.

George: Anytime man, anytime. And I look forward to not only seeing you, Chris, but everyone else in person here soon. And just be safe, take care and be good humans.

Chris: Thanks brother. Take care, man.
