Audio Only: https://podcasts.apple.com/us/podcast/torque/id1534085916?i=1000691103562
Torque is the force that keeps a system stable and in motion—just like cybersecurity, where constant pressure, precision, and adaptability are critical to staying ahead of threats. Curt Vincent knows this well, having transitioned from troubleshooting turbine engines in the Army to leading cybersecurity at the highest levels of Wall Street. A retired U.S. Army Lieutenant Colonel with tech-heavy deployments in Desert Storm and post-9/11 cyber warfare, Curt went on to build and lead Morgan Stanley’s 400-person Cyber Security Division, later holding executive roles at Bank of America and Goldman Sachs. Now a trusted advisor to C-suites and boards, Curt shares how the lessons of engineering, military strategy, and high-stakes cyber defense all come down to maintaining control under pressure.
TIMESTAMPS:
00:00 – Curt Vincent’s Journey to Cybersecurity
14:40 – Building Cybersecurity at Morgan Stanley
28:39 – Cultural Shifts in Cybersecurity Practices
29:24 – The Disconnect Between Cybersecurity and Business
32:13 – Accountability and Consequences in Cybersecurity
35:12 – Communication and Leadership in Cybersecurity
38:40 – Connecting with the Audience: The Role of Analogies
39:14 – Unique Experiences and Cultural Perspectives
SYMLINKS:
Curt Vincent’s Website – https://curtvincent.com
Curt Vincent’s speaker website where he shares insights on cybersecurity, leadership, and consulting.
KnowBe4 – https://www.knowbe4.com
A cybersecurity awareness training platform that specializes in phishing simulation and security education to help organizations mitigate human-related risks.
Proofpoint – https://www.proofpoint.com
A cybersecurity company providing threat intelligence, email security, and phishing prevention solutions to protect organizations from cyber threats.
Morgan Stanley Cybersecurity – https://www.morganstanley.com/
Morgan Stanley’s approach to cybersecurity includes best practices and risk management strategies for businesses and individuals.
Widener University – https://www.widener.edu
The university where Curt Vincent pursued his degree before re-entering the military and advancing in his cybersecurity career.
This episode has been automatically transcribed by AI; please excuse any typos or grammatical errors.
Chris Glanden: Welcome to Barcode. I’m your host, Chris Glanden. And today I have the pleasure of being joined by Curt Vincent, a cybersecurity maverick and entrepreneur who has dedicated his career to helping organizations minimize risk and derail attackers. A retired US Army Lieutenant Colonel with tech-heavy deployments, including Desert Storm and 9/11’s Global Network and Security Operations Center, Curt has also founded and led Morgan Stanley’s 400-person cybersecurity division for over 15 years. Today, he is a well-known senior consultant to C-suites and boards, spending his free time as a musician and also restoring vintage microphones. Curt, welcome to the show.
Curt Vincent: Hey, it’s an honor to be here, Chris. Thanks for having me.
Chris Glanden: Thank you, and first off, thank you for your service. If you don’t mind, I’d like to start there because you have a very interesting origin story which led you into the military. If you don’t mind, share that origin story with us.
Curt Vincent: Yes. Absolutely. I used to be ashamed of it; the older I get, the more I am proud of it. But I had an upbringing where I had a tenuous relationship with my father. And when I got to be about 16 years old, he felt I was being too rebellious. And so therefore he grabbed me by the scruff of the neck and on my 17th birthday, forced me to quit high school. And he walked me down to the recruiter and put me in and told the recruiter, “I don’t care what he does, but he’s all yours.” And that turned out to be the best thing that ever happened to me because I ended up going into the Army and I enjoyed an environment where, yeah, if you do something wrong they kick you in the butt and they tell you you’ve got to fix that, but if you do something right they also pat you on the back and tell you, go do that again. And so that’s what happened to me.
Curt Vincent: And I spent my first seven years in the Army, years that my father forced me to sign up for. But then as I was going through that three years, it was part of growing up, when everybody else is saying, it sucks. I started looking around and go, does it? And I suddenly realized, this is not a bad gig and I’m being treated really well. So I re-enlisted for another four years while I worked on a degree. At the time I was working on aeronautical engineering, because I was a helicopter mechanic. And one of the things that I want to be able to state that came out of that was the fact that I learned how to troubleshoot. And troubleshooting, when you’re troubleshooting a turbine engine, there are certain things, you just don’t go trying things randomly. You have a set of procedures and you do one thing at a time, see what the results are and you try something else. And you follow a troubleshooting guide. Well, why am I mentioning this? Because later when I got out of the Army for a little while and went to college engineering school, I also learned how to program. I had to learn because of the academic background, electrical engineering. And my coding technique also included troubleshooting that I used from being a mechanic. It was the same exact sort of procedure. Same sort of logic. And also when we were in the lab in college, the other students are trying to build the circuits and they’re not doing a great job because they don’t know, they didn’t have the experience. And there’s nothing wrong with that. It’s just that my circuits went together much faster than everybody else’s because in fact, I would troubleshoot them with that same sort of discipline. So anyway, from there though, I ended up, as I mentioned, I got out and went to college, went back in as an officer. And the very first thing that I fought to get into was this organization, the Army Computer Engineering Center. This is a long time ago. I like to say after I got off the Ark, let’s get that off the table.
Curt Vincent: I’m an old guy. But the thing is, is that the Army was trying to consolidate all the different operating systems and different platforms. So they built this group that, to be blunt, it was elite. There were only seven Army officers and you had to be interviewed by a three-star general. And I had the honor of being picked to be part of that organization. So why do I mention that? That was the beginning of my cybersecurity experience. And that was about 1985. And it was right after TCP/IP was designated for the internet, which was defined in 1983, released, and then everybody had to start moving from a different protocol to TCP/IP. And I got to be the guy. I’m the guy. I used to keep this quiet, but for this podcast, I’ll share it. I’m the guy at the Army Computer Engineering Center that helped debug TCP/IP for the Army’s applications. And we got a standard going, which, there’s a big difference between when you’ve got written standards and then practical. So we got that all sorted out. And the thing I wanted to say is back then it was all Unix machines, which was pre-Linux. And the big thing there is just the fact that there was no such thing as security people. The security people back then were the people that maintained the passwords and they issued the… If you had crypto links between two points, it didn’t matter if it was radio or if it was internet, et cetera. They managed, they were crypto custodians. But the main thing is that if you had a computer on what was the internet, as it was back then, it was all compartmentalized. And this was part of the ARPANET and the MILNET. For the computer that you were responsible for, which, as I had a handful of them, all Unix based, you were the cybersecurity guy. Now we didn’t call it that then, Chris, but you were responsible for the security of that device and there was no central type of authority, which didn’t come for a long, long time. Makes sense?
Chris Glanden: So you were really solely responsible for the security there.
Curt Vincent: Yeah, and so were my friends who worked around me. If they had machines, that’s an important point. If they had machines that were exposed to the ARPANET or the MILNET, the internet of the beginning, then you were responsible for doing the security yourself. And one of the things that we would just say culturally is, don’t screw up, because you don’t want to experience something negative because of a mistake. And so it was just cultural. You didn’t want to make a mistake.
Chris Glanden: So then after your military service, you pursued a degree from Widener University and then later transitioned into the corporate world. Okay.
Curt Vincent: Close, close, Chris. What I did was, I had, after the seven years as a helicopter mechanic, I got out, I went to Widener, went back in, also got a graduate degree, and continued my career, like 15, I made Lieutenant Colonel and got out, and then I went to Wall Street.
Chris Glanden: Yes. Okay. Yes, let’s hear about that experience. Okay.
Curt Vincent: Okay, I’ll make it brief. I’ll make it brief. But I was in the right place at the right time. I can’t say I did anything right. It’s just that I knew Unix, which is what old Sun machines ran on at the time. And so I knew Unix and I knew networking inside and out. So therefore, when it comes to adopting technology, it’s always Wall Street first. They’re willing to take the chance. They’re willing to put the money in. So I ended up going to Wall Street, and I ended up first at a startup that led me to Goldman Sachs, I did some stuff. But I ended up primarily at Morgan Stanley. And I had done some work at Morgan Stanley as a consultant, and the CIO said, look, I think this internet thing is going to be big. And we laugh at that now, but this is 1997. And so he said, “I really think you should build us an IT security group.” We didn’t call it cyber security. And let me just get the table really quick.
Curt Vincent: The term cyber security in its current state is only about seven years old. The term’s been around, but in terms of what it really means today, it’s only been around for like seven years. So back in like ’97, we called it security, the whole world did. We called it security and it was focused on geekdom. It was strictly the firewalls and the SOCKS proxies and things along those lines, as well as some of the cultural aspects. But this guy was smart enough to say, I think this internet thing is going to be big. Here’s seven people. Keep hiring until I tell you to stop. So I did. And the first thing I did was I built an engineering group. It was kind of there already, but I kind of formalized it. Then built an operations group. And then we built an online operations center, if you will, that is more like a SOC or a NOC today, to be able to respond, an incident response group.
Chris Glanden: Okay.
Curt Vincent: And then from there, we partnered with another group that was responsible for what we used to call, like, it’s the governance, the GRC stuff.
Chris Glanden: Okay, got it.
Curt Vincent: And governance, regulatory, compliance. That was actually a different group. It was another managing director and he had a small group of 25, and I had 400 to do all the geeky stuff. But we were best friends and we were partners and that is what we today call cyber security between the… people component, that is, you and I need to talk about that. That’s a mess. The people component, the regulatory component, GRC, Governance Regulatory Compliance, and then the geeky stuff, the technology, which, from my experience in watching this whole thing take off since 1985, everybody wants to focus on the technical. Yet, as you and I talked previously and we should discuss, one of the things I discovered from insurance companies is it’s not so much the technology.
Chris Glanden: Right, right.
Chris Glanden: Well, going back to this team that you had built up at Morgan Stanley, I’m curious because this was, what timeframe was this?
Curt Vincent: This was the dot com era. Most people were around long enough. From 1997 on, it’s still alive today.
Chris Glanden: This was the dot com era. Still. Yeah, so back then as you’re building this security function into the business, what was the overall perception or response from the other lines of business that you worked with there?
Curt Vincent: I am so glad you asked that question. First of all, we were told to build our own organization to be able to do the cybersecurity. And initially I was okay with that and we started to build it. We got some really, really, really smart guys. And the number one thing that we did was we understood patching was critical. So we started working with like the Microsoft guys and the Unix system administrators to be able to make sure that everything was patched up. And we took responsibility for making sure that we’re patched, but we didn’t do the patching. We were the oversight in that regard. And so we started to build a little bit of a resentment when we’re always on the hook to make sure Patch Tuesday comes out, how are we doing, what’s the plan, how long is it going to take, when’s it going to be patched? So we built that kind of a relationship. And our group continued to grow. We ended up with a lot of coders for doing cybersecurity coding, if you will, security type coding. This is also, laugh, but it’s also when certificates started to come out and you wanted to be able to have HTTPS. And so we had people that understood X.509 and such to be able to secure sites in place. And we hit about a hundred people in the organization and I was told to keep hiring. Yet I realized, I thought we made a huge mistake, and nobody had ever done this before. So the other guys on Wall Street were friends.
Curt Vincent: I was friends with all our competitors because we used to say a breach on one of us is a breach on all of us, and so therefore we worked together behind the scenes as one. This was before the ISAC had come out. And one of the things that I wanted to do was to be able to start putting people in the various groups and embed them. That’s a really, really important point. And if I can just take a second to be able to make a joke to make the point, it is that the way I see it is that any application, I don’t care if it’s hardware, software, or even just a human procedure, it’s got to be able to do something functional for the company. And then it needs to be debugged so you’ve got redundancy and you’ve got such sort of systems to make sure it’s very, very stable. And then the third thing is the security aspect. And that would be us. Now here’s the thing. The thing is, Chris, is that, as I like to joke, nobody created the Office of Stability, so that various groups would come up with software, hardware, whatever they had, and then they’d go, we’ve got to work on it and take it to the Office of Stability and say, here, make this stable. That’s absolutely absurd. No, that’s your job. You make it so that it’s functional and it’s stable. But yet they would bring us these applications or even procedures that were so far down the line that they didn’t have our input that retrofitting that caused a lot of problems. And we got known as the Just Say No people. You would get different groups that want to be able to rush a particular financial product and get it out on the web. But they would then bring it to us and say, here, we’ve got to get this thing out. You’ve got a week. It’s like, that’s impossible. We can’t, we can’t go back and retro. So we need to be able to embed people.
Curt Vincent: And it had more to do with the efficiency of being involved at the beginning, as well as the relationship that says we’re partners in all this. And it’s just that we would then, I saw our group not getting up to 400 people. I saw our group, in a vision when we hit 100 people, to actually be smaller and to be able to have people that are embedded into much more of an oversight and more of a, I hate to use the word, but more compliance oriented. To be able to keep the vision going and to be able to keep things flowing so that people aren’t bringing stuff to us and we’re going, you’ve got to stop, we have to take 15 steps backwards. No, this is not going to be done in two weeks. You’ll be lucky if it gets done in two months. And so the relations were not good. But when I brought, yeah, you’re still seeing it, yes. But I’m saying, not to be a genius here, but I saw this way back in like 2000 and said, we’re going in, we, cybersecurity, are going in the wrong direction. We shouldn’t be building these.
Chris Glanden: Yeah, and it’s unfortunate because you’re still seeing that. You’re still seeing that happen.
Curt Vincent: Third-party groups that remind me of some Soviet department that keeps an eye on folks. So that’s just something I think we’re doing wrong in cybersecurity today.
Chris Glanden: I agree, man. I definitely still see it and it’s something I think that is still a challenge for many organizations. You also talked about the challenge of translating cybersecurity for senior executives who may not understand tech lingo. I see this often as well as an advisor. I’m just curious, what insights have you gained into
Curt Vincent: Oh gosh.
Chris Glanden: sort of fixing the disconnect between CISOs and the C-suite, and how can leaders better communicate the business aspect of cyber risks and priorities?
Curt Vincent: Basically, I also do public speaking. And there’s two different groups that I speak to, and I have two different presentations that I do.
Curt Vincent: And the one is called Demystifying Cybersecurity. And what that one’s about, it’s for senior leaders, primarily, C staff and boards that cannot understand their cybersecurity people that they’ve hired. And this is because of the fact, as I mentioned earlier, usually your top person who’s running the cybersecurity group is the smartest guy or gal in the room. They’re your smartest person, it came to be like Klingons, you kill your boss and you get promoted, right? So you’re able to demonstrate that you’re the smartest cybersecurity person in the room. And you’re then trusted with the cybersecurity group. And one of the things that I’ve noticed is that when some sort of breach happens, usually the smartest guy in the room knocks the other guy out of, the one who discovered the issue, knocks the guy out of the chair, sits down and tries to fix it because he or she is the smartest guy in the room. That’s a problem. I am not a sports fan, but I will use a sports analogy, and that is when you become the best quarterback, that’s great. You’re the guy on the ground making things happen, but when you get to a certain age you become a coach. And when you’re a coach, you’re no longer handing off the ball. You’re making a lot of the calls. You’re making a lot of decisions as the coach, but you’re not doing the work. So since senior cyber security people are so smart and they only think in those lines, they cannot talk to the C staff. And as many of us have said, and it upsets people, you’ve got the title of Chief Information Security Officer. So you’ve got the title of the C, but the way I like to put it is, it’s like Thanksgiving and you’re at the children’s table. You’re not at the big table because you’re not able to articulate what’s really going on, translate, give analogies, calm down a little bit and stop doing two things that we all do. And I’ve done it. I had to change to be able to adapt.
Curt Vincent: And that is stop with the FUD, the fear, uncertainty and doubt. And then also, getting back to my other point, always going into the CFO and saying, we need more money because we need to buy more software, we need more hardware and I need more people. A lot of CFOs and CEOs that I talk to are really getting frustrated with the size of the cybersecurity budget. And my own personal belief is that we, cybersecurity in general, are not doing a good job of managing those budgets, let alone being able to discuss things with the seniors. Now you take that even farther, at Morgan Stanley we had 70,000 people. So we were of course responsible for different programs for education and all. And if we were to get in front of a thousand people and be geeks, they’re going to just glaze over these days, just go right to the smartphone and tune you out. So the big thing is, I think as a senior cybersecurity person, is having the ability to come up with analogies and things that can help folks understand what’s going on. Can I give you a quick example? Okay, good. One of the things I like to do when having a discussion on cybersecurity with people that don’t get it, but don’t want to spend any money on it, I say, everyone take a deep breath.
Chris Glanden: Yeah, go for it.
Curt Vincent: Okay, now let it out. Did you smell any smoke? No. All right, that’s good. Then that means we don’t need fire insurance. We don’t need smoke detectors. We don’t need fire suppression systems. And we don’t need to waste time on fire drills. Why do we need all that? There’s no fire. Well, it’s the same thing when I go talk to a CEO and say, hey, how’s your cybersecurity program? Great, we haven’t had a breach. It’s the same thing. They don’t smell smoke. So therefore they’re not willing to put the funding in, and they’ve also kind of got blinders on, because we all know it’s not a question of whether you’re going to have some sort of cybersecurity event. It’s a question of when.
Curt Vincent: And that’s not the time to find out. As I like to joke, if you want to learn about Bitcoin, doing it in the middle of a ransomware attack is not the time to learn.
Chris Glanden: No. Well, I think that’s a good segue into what I want to discuss next, which is cyber insurance. I know this is an area that you focus on as well. So 85 to 90% of cybersecurity claims involve the human element. And you mentioned that. So I want to speak to you about that for a moment. What does that actually mean? And then also, how do you believe organizations can focus on this particular vulnerability and address it more effectively?
Curt Vincent: Absolutely. Okay, I want to take a step back and explain my thinking with all this. And this is from a career in the military of doing both cybersecurity and supporting intelligence organizations, where we use the technology to support the intel guys. I learned a whole lot more about how they think and what they look at. And they just want results. They just want truth, if you will. And so one of the things that I like to say is that if you want to be able to understand where the attacks are, then you really probably need to look at insurance claim data. And it’s the claim data, because what is that? It means you’ve got a cybersecurity insurance policy and you’ve had some sort of event. And now you want your insurance company to be able to help pay you to fix it. That’s what they’re there for. So this is why, when I learned that the actual numbers are 82% of all cyber security claims are because somebody did something they shouldn’t. We’re not judging whether they’re good or bad people. Just they did something they shouldn’t. As I like to say, they clicked on something they shouldn’t. And then another 8% of claims are… I’ll explain why I’m pushing that really hard.
Curt Vincent: Claims are like either people that join the organization to steal something on purpose, and usually that’s part of organized crime and we’ll say nation states, or the other thing are disgruntled employees. I’ve seen it where you fire somebody and they tear up your organization on the way out the door. So what’s the point? The point is, 82 plus 8% is 90%; 90% of the threat are your own people. Big, big eye-opener for me. And I started to ask other cybersecurity, which means only 10% then, the remaining 10%. The claim data are such things as breaches with data loss and such, or ransomware, but it’s only 10%. So here you’ve got these massive budgets that are focused on the 10% and you’re leaving the barn door wide open in terms of the people. So you asked me what companies should do. Well, first and foremost, the Chief Information Security Officer needs to get his or her head out of the geekdom and realize the problem is the people, and to be able to start focusing as a leader to say, I need to protect my company. And with this insurance data, I need to be able to start educating the unwashed masses, if you will, to be able to help them understand better. And the very first thing that I always recommend, the very, very, very first thing, is to be able to put some sort of email or, what do you call it, phishing attack type of company, a Proofpoint or KnowBe4, and be able to put those in place, because the first thing that happens is, and I’ve seen it over and over, this is industry standard, it’s not me, but this is a KnowBe4 statistic, which is published so I can use this. What you first do is that you come in, a company says, especially the CEO, we’ve got no problems in this company, we’re a great company, but we’re going to humor you. So we do what’s called a baseline.
Curt Vincent: And that means an email is sent out to everyone, or different forms of it are sent out to everyone, and you see who bites. And that just gives you a baseline of what your company looks like. And invariably, the statistics are staggering. The statistics are actually 27% of your company will click on something they shouldn’t in this baseline test, which is approximately one third. So one in three people are clicking on something they shouldn’t. So you go to the C staff and you go, hey, by the way, look at this. You said you were in good shape. One in three people can take you out given the right situation. And I’m just going to digress really quickly here because there’s something I’ve seen that I don’t like, is that many times when companies, Proofpoint, KnowBe4, these types, those are the two biggies, when they come in, they will ask if the C staff want to be exempt from the baseline test. And I always, if I’m being brought in to consult, I say absolutely not. Because if you, usually if you think about it, the C staff has got the most, the most access to different assets within the company. And number two, if you’ve got someone with that much power and you don’t know that he or she is clicking on something they shouldn’t, that’s a problem. And that’s really bad leadership if you don’t want to be able to come out in front and be able to state that.
Chris Glanden: You really should test the C-suite harder.
Curt Vincent: Yes, in fact, it was a company that they brought me into. This is a total of four years ago. They brought me in to a big $750 million a year government contractor in Silicon Valley. They had just gotten a ransomware breach, very expensive. Just think of a big number and it was twice as big. And they did not have a cybersecurity program, based on what I was telling you earlier of we don’t smell smoke. They just had their CIO, who was responsible for that. And he’s a good guy, smart guy, works his tail off, but he wasn’t a cybersecurity guy.
Curt Vincent: So he had no idea what he should be doing to be able to build a program. And so we brought in KnowBe4 first. And KnowBe4 asked me that question. I went to the COO and I said, look, you’re being asked, I’m just following the procedure, but I really strongly recommend that you do test the C staff. And he says, absolutely. He says, given our situation, absolutely. And what came out of that is the CEO got hit. So we were going to keep that quiet. But then at the next town hall, and this is 3,000 people, the next town hall, and I was invited to all of them, we’re doing the town hall, we’re giving the updates and such, and then the president gets up and he says, Curt would never tell you this, but I’m going to tell you, I got hit on that baseline. If I can get hit and I’m willing to admit it, then you will all embrace the fact that this is something we need to really learn how to control. So I applaud that person off the charts. That’s the first step, is just to be able to admit you have a problem. And the baseline, yeah, if you’ve got one in three, you can then say, okay, now can we start talking? Because no, you can’t smell smoke, but you can see you’ve got oily rags in the corner waiting for a cigarette to be flicked into them.
Chris Glanden: Yeah, yeah. Yeah. Well, for the ones that don’t admit it, or for the ones that just don’t care, how do you get that message across? Like, what other actions can you take that would resonate with someone at that level?
Curt Vincent: Gotcha. Here’s something I’m going to say, and I’m going to keep my foot implanted on this one. Yeah.
Chris Glanden: And it could go back to repercussions too. So I wanted to add that in, is that it could go back to repercussions. And I’ve heard a scale from nothing to termination with different organizations. I’m sure it could work at different capacities, but just curious to get your take on that. What actually works, and then, what is the point where it goes too far?
Curt Vincent: Yes, because I was going to say what I put my foot down on is, is that I’ve learned to stop being Don Quixote and trying to be screaming about windmills that are dragons, okay? And if they don’t, if the senior leaders don’t see it or the senior leaders don’t care for whatever reason, then I disengage as a consultant. Because I’ve never worked in an organization as a W-2 that had that situation. I’ve had a number, number of consulting gigs where, the reason is, and I’ve got to tell you the reason.
Chris Glanden: Got it.
Curt Vincent: I have watched companies, this really turns my stomach, what I’m about to tell you. I have watched companies that have hired young people right out of college with a brand spanking new cybersecurity degree, which by the way, I’ve taught as an adjunct professor and some of what they’re teaching, I just smacked my bar and said, this is not going to be really useful in the real world. But they hire these people and they say, okay, now you’re our CISO. And they do this because once they have an event and the board turns and says, how could you let that happen? Who do we need to fire? They fire this young person that they brought in. They’re strictly a scapegoat. And that to me is just awful. They’re doing it for all the wrong reasons. So to answer your question, what I do is I usually go in behind closed doors with the senior leadership and I say, look, are you people serious about this or not? Do you have my back? Do I have the power? And one of the ways I test it, by the way, this is something I developed pretty recently, is I do this after we do the baseline and we’ve got statistics that says, yes, you have a problem. I say, okay, you need to put something in place that you’re not going to like. We need to pick a number.
Curt Vincent: And that number is, if people miss, let’s just say three times they get hit on a phishing exercise, and they get hit three times in a year, you need to either terminate them or get them off of the network. And either they get it or they don’t. There are a lot, I’m seeing it more and more and more now. I’ve got a lot of companies in my head, I’m not allowed to use the names, but big, big, especially financial companies that are saying, we don’t care if you’re the janitor ordering paper towels, or you’re the CEO. If you have three failed phishing exercises in a year, you’re out. We just cannot take the risk. They recognize it. Now, why am I mentioning that? That has to come from the top. Any sort of cultural shift that you have will not, I’ve learned in life, just in life, even if you have a grassroots approach or trying to do something different, it’ll hardly ever bubble up. A cultural shift has to happen from the top down. So that’s why I say go into the room with the C staff and say, “Do I have your authority? Do I have your backing? Are we all with one voice going forward with this program?” Because the big thing is, is that the phishing exercises with a Proofpoint or any of the like, KnowBe4, that’s only a starting point. And that’s why I say I just use that as a, you’ve got a problem, let’s go talk about the other stuff. And one more example that is really a problem are the number of people that want to use their cell phones for business. And it’s real obvious when I tell you in just a couple seconds, especially with some of the guys that are on the business side of like Morgan Stanley and on the banking side, they’re doing stuff with their cell phones and then they leave the company, whether they get fired or they leave for another opportunity or retire, and they take their phones with them. Now there’s an investigation. You don’t have access to a lot of the threat.
Whereas if it’s email, I’m an employee, I work for you Chris, I’m an employee, I decide I’m going to take an opportunity somewhere else, when I leave my email is still with you. You still have an audit trail, you still have the proof that you need to be able to survive some sort of, we’ll say, federal investigation. But the point is, that if you don’t have it as a cultural activity saying no, keep the deals in email or whatever, then you’re not shifting the culture, and that’s why you need the leaders.

Chris Glanden: Yeah. If you don’t see that cultural shift happening, is it possible to become over aggressive in that effort? Or do you feel like the ones that aren’t connecting with that new culture require more aggressive phishing tests and things like that?

Curt Vincent: Yes, good question. And I will tell you that when you think about what I said earlier about the top cybersecurity people, super smart guys and gals who can’t communicate, and then they become aggressive, and then the staff can’t handle it anymore. And some people that are even responsible for briefing the boards, I’ve even seen boards fire CISOs because they’re like, you’re pushing too far and we don’t know what the hell you’re talking about.

Chris Glanden: Interesting.

Curt Vincent: I’m only trying to say that what I’ve learned at an advanced age is that it’s not about the technology, it’s about the people and it’s about leadership. And so you have to be able to start demonstrating that you’re no longer the quarterback, you’re the coach. And number two, I’m going to use analogies to be able to talk to senior people and the people within the firm that don’t know what you’re talking about. You may be able to come up with things and you have to make them feel good about that. I always start off my pitches with a guy who changed my life. He lived back in the 1930s. Will Rogers, an American philosopher, and he had a quote that I learned as a mechanic.
Back in Germany, we had a poster in the operations, and it was a poster of him, and it says, everybody’s ignorant, just on different subjects. And I get a shiver even now thinking about how profound that is, because it means if there’s something that I don’t know, I shouldn’t feel stupid. And there were plenty of people in Morgan Stanley working deals and derivatives and all this kind of stuff that go way over my head. I don’t understand, but I don’t need to feel stupid. But by the same token, if I know something and you don’t, I shouldn’t be arrogant.

Chris Glanden: Right.

Curt Vincent: And so I start off with that quote to be able to do a level set to say, look, this is my area of expertise. I’m not talking down to you. I am excited about it because I see it. I still see, I don’t think this field is fully developed yet. I really don’t, and that’s a topic for later maybe. But basically, I want everyone to understand I’m passionate. I want you to understand why, and I want you to understand what’s going to happen. And I’m not Chicken Little if I’ve got insurance statistics, that if we don’t do something different. So the main thing is that you have to understand how aggressive you should be in terms of watching the response, number one. And then number two, you’re the one that’s got to change. Otherwise, you’re going to be gone.

Chris Glanden: Yeah, yeah, and you want to implement that before it’s too late, which is far too common.

Curt Vincent: It’s too common, and the easiest thing I’ve found is produce lots of analogies. Analogies help people understand something that’s going on. Like we’ll say, there’s some sort of, let’s just talk just ever so briefly, just about what happened with CrowdStrike and where there was a huge outage. To be able to make a simple analogy of what happened.
To be able to keep everyone calm in the overall situation, as opposed to overreacting, which a lot of people did.

Chris Glanden: Mm. Yeah. And I mean, there was a very small percentage of people that weren’t impacted by that in some way, whether you were at the airport or whether you were working from home. I think that resonates, too. When you’re directly affected by a catastrophe like that, you can see how that could impact you.

Curt Vincent: Yes. Yes. Yes. Yeah, and that’s why I say we’re coming up with analogies to help people understand. You’re speaking to them not as children, but as partners, but with a different language because they don’t speak cybersecurity. So you have to be able to translate for them.

Chris Glanden: All right. So I love your perspective on things. For those listening to this, where can I direct folks to find and connect with you online?

Curt Vincent: The easiest way is to just use my email which is curtcurt.com. That’s the easiest way to find me.

Chris Glanden: Okay, and that’s your website, curtvincent.com.

Curt Vincent: Yeah, that’s actually my speaker’s website. And I maintain my consulting practice kind of behind the scenes. My website would not attract anyone for the consulting. It’s all word of mouth.

Chris Glanden: Okay. Got it. Got it. So last time you and I spoke, you mentioned you’re back in the PA area, as am I, but you’ve done some traveling in your day. So, you know, I’m just curious. What was the most unique bar or bar-type venue that you’ve ever been to?

Curt Vincent: Yes. Yes. The most bizarre one was a sex club in Germany. And here I am, not naive. I’m not a prude. But yet, I was blown away. It was a bar, and it was a high end, a very classy, classy place. And of course it’s all in German, but you can read between the lines. And it was a high class place and a group of us had gone. It was a reward, if you will. And so it was a group of us that went out, and it was men and women.
So I was sitting there just completely, you know, red-faced, if you will. As I said, I’m no prude, but when I’m sitting next to a woman colleague, it’s like, I just want to slink down in my seat with my beer. But that’s Germany. Yeah. The only point being is that Europe has a totally different approach. And once again, that’s cultural. They have a different approach to things like that than we do. So.

Chris Glanden: Yeah, you see an entirely different side of them. Yeah, yeah, yeah. When you talk about aggression, you’re walking into a place like that. That could be aggressive, especially when you’re sitting next to a colleague.

Curt Vincent: Colleague. It was a colleague. Yeah.

Chris Glanden: All right, I just heard last call here. Do you have time for one more? Okay, if you decided to open a cybersecurity-themed bar, what would the name be and what would your signature drink be called?

Curt Vincent: Sure. It would be the bar Stuxnet. And just to see if anybody would ask, what’s that mean? Let me tell you the story. With a drink with an umbrella in it called Silk Road. Yeah. Absolutely. Smooth as silk.

Chris Glanden: Love that, man, and that drink goes down smooth. Well, Curt, thanks again for stopping by, man. I really appreciate you telling your story and sharing your expertise with us.

Curt Vincent: Just like good malware. Chris, it was a pleasure, and yet this is a wonderful, wonderful podcast. Thanks for having me. All right.

Chris Glanden: Thanks. Take care.