Navigating NIST CSF 2.0: Guide to Frameworks and Governance

View Show Notes and Transcript

In this episode, we sat down with Lukasz Gogolkiewicz, an Australia-based Cybersecurity Leader and former pentester, to explore his journey from offensive security into cybersecurity leadership. Lukasz, also a speaker coach at BlackHat USA, brings valuable insights into what it takes to shift from being technical to managing compliance, governance, and broader security programs in industries like retail and advertising.Throughout the conversation, we dive into the specific challenges of transitioning from a purely cloud-based tech company to a bricks-and-mortar retail operation, highlighting how the threat models differ dramatically between these environments. Lukasz shares his unique perspective on cybersecurity frameworks like NIST CSF 2.0, essential for building resilient programs, and offers practical advice for selecting the right framework based on your organization's needs.

Questions asked:
00:00 Introduction
03:00 A bit about Lukasz
04:32 Security Challenges for Tech First advertising company
05:16 Security Challenges for Retail Industry
06:00 Difference between the two industries
07:01 Best way to build Cybersecurity Program
09:44 NIST CSF 2.0
13:02 Why go with a framework?
16:26 Which framework to start with for your cybersecurity program?
18:33 Technical CISO vs Non Technical CISO
25:37 The Fun Section

Lukasz Gogolkiewicz: [00:00:00] In my mind tends to just allow you to measure yourself against something saying it's almost like a checklist. When you go on an airplane, I'm sure the pilots flown many times before. And they probably think I don't need this checklist every single time. But because there's always something that you might miss and something you need to consider as well.

Past Lucas being a pentester and a red teamer, if he could see me now, would kick my butt sort of thing because, I'm looking at PCI compliance and, intricacies of the detail and, as a pentester, you say, Oh, you're PCI compliant. Cool. I still bypassed everything and got, whatever you got.

So I think, yeah, if you're really big, then probably. less technical. But if you're still pretty close to, the coalface and your team is quite small or the organization is quite small, I think being from that technical background tends to help a lot.

Ashish Rajan: If you are looking to speak at an event, which is like a black hat conference, and you perhaps are a CISO yourself or trying to become a CISO in an organization, which is probably has never done security before. or in an organization which is retail, advertising, [00:01:00] and perhaps what are some of the challenges if you are a technical CISO, which I started off as a technical CISO. And now we've moved on to knowing about frameworks and governance and why is that even important. In this particular conversation, I had Lukasz , who is a CISO based out of Melbourne, Australia.

He is also a speaker coach at BlackHat Conference in the USA. He helps a lot of first time speakers and experienced speakers have their story told really well at BlackHat, but also on his day job, when he's not helping out a lot of BlackHat speakers have that best time on the stage. He's also a technical CISO like myself, who's solving challenges in the retail industry.

He's come from an advertising space. Before that, he used to be in the offensive security space. Being a pentester, coming into the world of being a leader. We spoke about what are some of the changes he noticed between security challenges in the retail industry to the advertising industry that he came from before.

We also spoke about is there advantages to be a technical CISO or it has become harder if you are not from that GRC background when you start becoming a CISO for the first time. We also spoke about our shared love for having more people become [00:02:00] CISOs. What's the right way to approach this? What can you expect as a CISO?

What are the good frameworks to start with? Talking about frameworks, we also spoke about NIST CSF 2. 0 as well, which only came out in 2024 and was a great walkthrough of how he implemented that into his organization and what you could look into if you are starting off as a CISO. in a new organization and trying to build that program, what you could be looking at as well.

If you're someone who's trying to become a CISO or looking into implementing a cybersecurity program for the first time and it's their first role as a CISO, this is definitely a conversation for them that they should be listening into and watching. If you are someone who's looking to speak at a conference as well, and wants to hone that in, this would definitely help you from a public speaking perspective.

Overall, I think it'd be a great episode. As always, if you're here for a second or third time, and if you're watching this on YouTube, definitely give us a follow, subscribe, or share this with other people who may enjoy this episode as well. But if you are listening to this on iTunes and Spotify, definitely give us a review and rating.

It definitely helps more people find out about us as well.

Hello, welcome to another episode of Cloud Security Podcast. Today, we are at BlackHat USA 2024. And of course, Lukasz, welcome to the show, man.

Lukasz Gogolkiewicz: Thank you very much for having [00:03:00] me.

Ashish Rajan: We've been talking offline for a long time and we've known each other for a while.

Could you share a bit about yourself to the audience who may not know who you are?

Lukasz Gogolkiewicz: I'm Lukasz Gogolkiewicz. I just go by Lukasz because my surname is not too easy to pronounce for most people. So for me, I kicked off my career in a more offensive security space. I initially started off as a bit of a sysadmin network engineer.

Then moved into the offensive security, so pentesting, red teaming, social engineering. And then I was found myself at a bit of a crossroads of, I remember you and I were talking about this way back when I'm like, do I go down the security leadership CISO kind of pathway or do I continue on down this consultancy route and maybe start up my own consultancy?

I eventually just said, okay, let's get on the CISO route. Yep. Had a chat to a bunch of CISOs and said, Hey, what's it like?

Yeah.

And they gave me their feedback, positive, negative, everything between. Like a full assessment. Thankfully, no one was crying at the time. So that's pretty good. But so from there, I had a chat with one of my ex bosses now, and he said, Hey, if you really want to do this thing, I can help you get into the role.

I'm looking for [00:04:00] a head of corporate security, but I can train you up to be a CISO at one point. Yeah. And then you can get a lay of the land, get a full understanding. And eventually you'll be in a position either you can backfill my role, because I've moved on, or you can find your own opportunity.

And that's what I've done.

Ashish Rajan: All right, and at the moment, as CISO obviously there's different industry that you've worked across, you've had the starting off as an offensive person moving to an advertising company, tech company, and then now in the retail industry space as well, what are the challenges on the security side in a advertising kind of company, which is tech first?

Lukasz Gogolkiewicz: Yeah. So in a tech first company or a tech company or any kind of ad company, the challenges are essentially your entire profile is online. So in the cloud, right? So everything is cloud first or digital native or cloud native, whatever terminology you want to use these days. So everything's centered around the cloud and you're more kind of traditional corporate assets tend to be just. tools and pathways or roads and bridges used to get to the cloud eventually. So for me coming initially from [00:05:00] that, we want to call old school, a background where I was a network admin or network engineer and moved into pentesting. I was predominantly pentesting, traditional networks and the data center and stuff.

Yeah, making that transition was super, super interesting, just because everything's in a cloud. Yeah. Yeah.

Ashish Rajan: So as now that moving from a tech advertising company onto the retail side, what's been the difference there in terms of how the challenges are?

Lukasz Gogolkiewicz: Yeah. Moving from your entire stack being entirely online and in the cloud or utilizing a multiple SaaS providers and services, essentially moving through to bricks and mortar.

So you talk to any person working in retail, they'll say, yeah, we have stores, actual stores. Yeah. Like you go in, you go pick up something and pay for it at the checkout or point of sale. Yeah. So that also presents a very unique threat model, because all of a sudden you have to genuinely think about physical security as something that, you have to incorporate into your cyber security [00:06:00] program.

Ashish Rajan: Are there challenges from a consumer side a bit more obvious or highlighted a bit more compared to an advertising company?

Lukasz Gogolkiewicz: I remember one of my first jobs when I was in high school was working for a retailer. Oh, and in Australia, it's big W. Yep, yep. It's like a big, Walmart type of.

I didn't care about cyber security or anything. I just wanted to get my, whatever it was, an hour and then get my paycheck and go home sort of stuff. And hang out with my friends on the weekend. So that was never on the forefront of my mind. And that's what I've taken into that role as well.

Saying we hire, 15, 16, 17 year old, people who are high school, cybersecurity is not in the forefront of their mind. They know what they need to do in terms of some regulations that there are in place and stuff. And things like from loss prevention perspective or PCI perspective, there's all sorts of training material.

They have to pass in terms of assessment. There's that, but other than that, they're not really worried about phishing emails or scams or smishing or vishing or anything else. They're worried about their high [00:07:00] school grades or whatever.

Ashish Rajan: Yeah. And the threat actors, are they dramatically different between advertising industry? So as a CISO obviously a lot of you're trying to make programs that are, based on threats, potential compliance and other things as well. You've obviously moved into a role and you've now come from an offensive security background for people who are building a cyber security program today. And I think you've gone through this journey recently yourself.

Are there frameworks that you were tapping into that were helpful to start building that? Obviously, one framework may not be applicable to everything. So I'm sure you have your own take on this as well. What was your approach to building a cyber security program? And the reason I ask this is because a lot of the people who are listening to the conversation we have in terms of our practitioners probably want to be CISO one day as well.

And a lot of people want to know what happens in the first 90 days, or am I just basically because a lot of people may not even land in a place where there is an established program. So they might have to build one from scratch or have other duties around it. How would you describe the best way to approach a cybersecurity program?

Lukasz Gogolkiewicz: There's a saying I like where [00:08:00] frameworks are like armpits. We all have them. Everyone has them. They all stink. You just pick and choose components of each single framework that. are applicable to your specific area, right? So if land on NIST CSF 2. 0, which kind of, really came in this year.

And I was actually quite fortunate because it was really good timing because when I took my new role, the Verizon Data Breach Report came out. Oh, and as NIST CSF V2 was shortly before that. So it was perfect timing for me to say Let's just align everything. I'm new here. Let's align everything to these things.

And being in a very specific vertical, there's a lot of data, fortunately, especially in the Verizon breach report or any other report like CrowdStrike have them, S1 have them as well, right? You read all those things and there's very specific vertical around retail. Oh, okay. You can easily start zeroing in saying, Hey, what's applicable to me.

And it's primarily things like e commerce. Attacks like with Magecart and Thread Actor Group sort of thing. Where they'll plant themselves an e commerce website and try to siphon credit card data, pretty much.

Ashish Rajan: Oh, so it would be like a , almost like [00:09:00] a copycat.

Yeah.

Yeah. Okay. Oh, because and for context for people, we spoke about retail being a lot of physical stores, but they have online stores as well.

And that's where the e commerce side that you're referring to.

Lukasz Gogolkiewicz: Yeah. Within retail, depending on the business, Yeah. you might have one e commerce platform and that's it. Okay. And, think of something like Kmart. com or, target. com, right? They'll have primarily one e commerce website, but when you go a level above and you have a group that owns a whole bunch of companies that might have multiple or dozens, maybe even more.

So there's an e commerce footprint you have to worry about. There's a physical store footprint you have to worry about. And in certain circumstances you might have some kind of wholesale or B2B type of footprint as well to be concerned about.

Ashish Rajan: Was there something about the NIST CSF 2. 0 that stood out because compared to the previous version, were there things that stood out for you in the 2. 0 that made more sense? Oh, okay, that because I guess a lot of people have done the 1. 0 version, they may already have a bias from it. And fortunately, you were not you didn't have that bias in the beginning. So you could [00:10:00] come with a clean slate. What was it that stood out for you? And was it easy to go down that path of implementing it? Or at least using that as a measurement?

Lukasz Gogolkiewicz: Yeah, the first thing that stood out for me, because it was relatively new, there wasn't really a lot of information out there. Yeah. So unless you went to a, like a specific big four or, consultancy that does this day in, day out, and for years has probably been training their staff of, hey NIST CSF 2.0 is coming out.

And some of this stuff would probably included in that conversation of how to frame it going in. As like doing it in magic time of researching what the new CSF framework looks like, it's really difficult to do that amongst everything else you have to do across the board, right? So for me, the thing that stood out to me was the lack of information, which is great, fantastic.

You jump online and there's a few people that did. Some short presentations. It was primarily, Hey, here's what's changing. And by the way, you can get our services if you like. Oh, okay. Fair. Okay. Yeah. Rather than the actual value part of how do I implement this? Yeah. A hundred percent.

So there's LinkedIn learning is actually pretty good space for a lot of these. Hey, [00:11:00] I need to implement PCI. I need to implement this or that. Then they're really good resources for saying, okay how do I not look like an idiot when I'm entering conversation? Or what do I need to know is that I know the last one.

What's the new one? I said, that was a component. Which heavily stood out for me, but also they took a lot of the, what was typically like, that was that chef that does the salt thing. Oh yeah. Governance was scattered all over all around the categories that kind of pulled that out and put that into its own data category around governance.

Ashish Rajan: So it's not just identify.

Lukasz Gogolkiewicz: Identify, detect, protect, respond, recover.

Ashish Rajan: It sounds like people should just get a tattoo of it. So I was going to give you the tattoo of NIST CSF. But so what is different about Govern then?

Lukasz Gogolkiewicz: It's just a lot of governance control. So the thing that stood out to me, and it was like really difficult to articulate and also A, to my stakeholders, but also difficult to measure.

It was a few areas and it was like, is essentially cybersecurity taken seriously in your organization? And that's, as someone new coming into the organization, it's really difficult to rapidly wrap your arms [00:12:00] around it saying, Oh yeah, it is, everyone's saying the right things. So a tactic that I employed was I did almost like spot quizzes with people.

Oh, as I met them saying, Oh, this is Lukasz. He's just joined sort of stuff. I was, almost quizzing them at the same time. And it was just like banking that in my little scratch pad in the back of my mind and saying, Oh, Hey, do you know where our cybersecurity policy is? I'm trying to look for it.

Or do you know where this is? Or do you know what? Hey, if you. Clicked on a phishing email. Do you know what to do? So those kinds of things of is the education awareness there is the governance there around where do people know where everything is? Yeah. I, started to build that little mental model, but I think for someone that's been there a lot longer, probably going from the old NIST CSF to the new one, then I think that's going to be a lot easier to make that transition.

A), the data's there. Yeah. Done. It's a lot of work to do it yourself. Yeah. The data's there. It can make that transition quite easy because you're more instilled. You can actually answer those questions a little bit easier as well. And then on the flip side, because you're more instilled, you're more likely to just breeze past certain things like, oh, it's not that bad.

And coming with fresh [00:13:00] eyes obviously has its, perks as well.

Ashish Rajan: Because a lot of people who probably are aspiring CISOs would not even understand the value of a framework for why does it matter? Why can't I just look at all the exciting threats that are coming out on the internet, and I look out for the fact that I'm mitigating those threats or not.

What's the importance of a framework in the context of an organization?

Lukasz Gogolkiewicz: You can do that. You can definitely very much do whatever you want, right? And I'll bet the framework, in my mind, tends to just allow you to measure yourself against something saying it's almost like a checklist. When you go on an airplane, I'm sure the pilots flown many times before, and they're probably thinking, why do I need this checklist every single time?

But because there's always something that you might miss and something you need to consider as well. Same with the framework and whether that's NIST CSF or CIS or any of the other ones floating around, there's many. Absolutely. For me, NIST CSF was the one that kind of. Zeroed in on them.

Yeah. And the reasoning for that was, and actually it was a really good tip provided to me by someone I know quite well. He said that, [00:14:00] Hey, when you're going to that role and you're trying to choose a framework, have a look at the board of directors because ultimately you're going to be reporting on your program to the board and do some OSINT and find out what other boards they sit on because typically board members will sit on multiple and reach out to their CISOs.

And say, Hey, what framework do you report on to the board and you might find that they all report on NIST, fantastic. So then you only have to explain it once or they already know whether, if they all report on CIS, but you're going NIST, you might find yourself trying to explain some of the concepts and lose time in that board meeting.

Ashish Rajan: In the context of applying this across the board from a NIST CSF perspective or CIS. Not everything would be applicable for sure, and you may have to pick and choose, but from a regional context, like Australian context or New Zealand context, people may look at that, but that's an American framework. We're definitely different.

I'm sure many, and that's just not Australia, New Zealand, but I'm sure on a broader landscape, why the NIST CSF or CIS? Why are there no local Australian frameworks?

Lukasz Gogolkiewicz: No there's really good ones [00:15:00] around like the ACSC and ASD is like essential eight. Yeah. And when you have to pick eight versus, I can't remember how many there are off the top of my head with NIST, but there's a lot more than eight.

You think, Oh yeah, we'll just do eight. That's a lot easier. And it's a great framework and it's been renowned across the world as something really good to aspire to. But for us specifically, it doesn't really tailor for our business or a lot of businesses. It's really good if you want to stop ransomware, stop spread of malware and whatnot.

Fantastic. But it doesn't incorporate some of those wider things like security awareness, governance controls, those types of things, which typically make for more robust kind of framework. I think the best approach or, quite, it's a lot of work, but you can definitely adopt a multi framework approach. approach to your cybersecurity program.

Ashish Rajan: Oh, Pick the one that you like the most.

Lukasz Gogolkiewicz: Yep. I can't remember off the top of my head and I'll have to look it up, but there's a really good terms of like overlap for NIST CSF and then CIS and Essential 8 and ISO. And Yeah, it goes.

Ashish Rajan: So someone that's you done that mapping [00:16:00] already.

Lukasz Gogolkiewicz: Someone's done the mapping and the gaps that each one because there's gaps between CIS and NIST because the organizing bodies that you know, that's more relevant for us and not so much for the others. There's a real understanding of what those gaps look like. So you can actually pick and choose and you can tailor it to your business because.

You can't just make one framework for all cyber, for everyone all around the world, because, you might operate critical infrastructure, you might be in finance, you might be, a university, or you might be retail, or you might be a tech company.

Ashish Rajan: If I were to think about levels in terms of, I'm a CISO, I've walked into an organization, I may not have the best knowledge on NIST CSF, or I may not be the most technical person out there.

I don't have an offensive security background to come from pentesting to have an attacker mindset. I come from a compliance background or whatever the use case may be. I feel like if you were to think about different levels, level 0 could be a essential 8 to start off with. And then you build up on, okay, now that I've done that, I can build up on, should I pick CIS or should I pick NIST?

I don't know if you have some thoughts on what's a good level to start with if you don't have anything to go with.

Lukasz Gogolkiewicz: Oh if you honestly have nothing to go with, the best [00:17:00] one is whatever you is in arm's reach or whatever is within the expertise of the team. So you might have a vague understanding of CSF or vague understanding of CIS.

That's the good one to pick and choose. For me personally, I found a lack of open source resources available for the CSF framework specially 2.0 to measure it. There's a lot more info out there and the Center of Information Security, CIS, do release like a tool you can use and it's fantastic and you can use that to measure yourself against the framework, and it gives you pretty graphs, another thing you can use for your reports and say, here's where we're tracking. So to answer your question more specifically, it's just genuinely the one that you have available to you. If your organization can't spell security, then, obviously you're starting from a very low maturity.

So that's the assessment you do saying, what do we need to focus on for first, read something like those D B I R reports, and then understand your threat landscape and say for me, I'll come from a very specific mindset of a pen tester and a red teamer. So I'll come from [00:18:00] like a threat driven approach to cybersecurity saying who's likely to target us, how are they likely to target us, and how are controls commensurate with what they're likely to target us with.

So if you have a threat actor that. primarily focus on e commerce. Then obviously you want to tune your security controls towards things more around web application security. So do you have dependency management? Do you have pentesting? Do you have EDR on the underlying platforms themselves? Or has that been all outsourced?

Do you have a WAF? You can roll off so many acronyms.

Ashish Rajan: Me personally as a technical CISO, I see you as a technical CISO as well. Is there an ease or probably In the way we are moving with technology these days, whether you want to throw AI at it or anything else at it, do you feel that divide that we have in the community for, hey, technical CISO is better than a non technical CISO and all of that?

Do you find that you had an advantage being a technical CISO coming into a role either in your advertising industry or the retail industry? Like being a technical person, does that help or is it a [00:19:00] disadvantage?

Lukasz Gogolkiewicz: I think it really depends on the industry. So there are certain industries, like you think of someone, Like the CISO of a massive company I'm sure they're not really digging these days into code or reverse engineering or anything like that. That may have come from that background. But I think when you're operating in such a huge company and a huge kind of area, you tend to be more leaning towards more like a business driven type of CISO, right?

You understand the business, you understand the landscape. You understand things like compliance requirements, regulatory compliance, and legal kind of frameworks you have to adhere to. And then you tailor, you probably have CISOs that report to you, might be like a global group CISO. And then you might have, CISOs that report through to you that might be a little bit more technically minded or technically aligned.

So I think, yeah, if you're really big. then probably less technical. But if you're still pretty close to, the coalface and your team is quite small or the organization is quite small, I think being from that technical background tends to help a lot because you can, it can be that little, [00:20:00] blow off valve for your team sort of thing, right? they're starting to burn out because they're on a lot of things or there's a lot of incidents. You can take that burden off them for a little while. Yeah. And then, once they. get an opportunity to rest, you can say, okay, cool, tag your back it I'm going to go back to my spreadsheets.

Ashish Rajan: Yeah, being a technical CISO in the scale of the organization, definitely relatable. But the also other thing I found is the depends on the companies for example, , probably a startup they will care about technology, but they would not care about the fact that I need to be SOC compliant or ISO compliant or whatever, then it doesn't make a difference.

At that point in time, because I want to survive as an organization. They get to a point where, Oh, I need to have compliance because I'm doing B2B sales, whether it's a virtual CISO or CISO head of security, whatever the role may be, I find that at least at that stage, it's great to have a non technical CISO, but a technical CISO would still do a good job.

In my personal experience, I found that even those organizations are starting to expect people to be technical and I think I personally lean more on the technical side just because the bias that I've come from. Do you find that people who are watching [00:21:00] or listening to this if they're from a technical background? Is there a shot where because they've never done GRC? And it's a very specialized skill set.

So that's why I use that example specifically, that there's a reason why they exist and they're doing an awesome job. Is that easy to pick up on that part?

Lukasz Gogolkiewicz: Past Lukasz being a pentester and a red teamer, if he could see me now, it would kick my butt sort of thing because, I'm looking at PCI compliance and the intricacies of the detail and ISO 27001 and NIST and CI, all these kinds of frameworks and compliance requirements and whatnot.

And naturally as a pentester, you don't lean into those things because as a pen tester you say, oh, you're PCI compliant. Cool. I still bypassed everything. Yep. And Got you. Whatever you got, I warned you . Yeah, that's right. Yeah. So you tend not to put a lot of onus on those kind of frameworks, but I think they genuinely do provide a really good Yes.

Sense of guidance. Yeah. And a really good North Star to go to and also provide that ability to use that. As a bit of a stick with some of your stakeholders saying, we have to [00:22:00] do these things. So for me, coming into the role or, I was fortunate that is, I picked up things as I went along over the past few years.

And that's what was one of the things that was building me up to, to eventually get into the role that I have now or any kind of head of security or CISO or CSO type of role. Yeah. As you build up those types of, I would almost call like a catalogue in the back of your mind. Yeah. Just things that you know, and things that you can lean on compliance is definitely one of those things, but it's always like legal kind of matters.

So in Australia, we're on the cusp of maybe changing our privacy laws because after the last few issues that we've had, for the past 12, 18 months, that's been a bit of a catalyst for some change, for things to update. Now, if you agree with it or not that's your opinion, I think it's potentially a little bit overdue in terms of updating.

I think the. Privacy Act. Don't quote me. I think it's like last update in 98. There's probably been amendments and all that kind of stuff like that, but I think it was created in 98. So it's probably due for a little bit of a refresh or polish. Yeah, of course. And then we [00:23:00] see, over in the U. S. as well, a lot of changes coming through with, from the SCC and some legislation changing around that around liability for CISOs and all sorts of things, which is scary, but you can definitely appreciate where it's coming from.

Yeah. And chatting to a few CISOs, at BlackHat not a lot of them Agree with it. And I think rightly because a lot of the time you're not really involved in the decision in that decision, and probably not even allowed to make the decision as well. And sometimes yeah, so if you go up to your board or your executive team and say, I need X, because I need to solve this problem, and I say, we don't have budget, because this person over there, we're going to be doing a push to this region, we need that capital to do that push for marketing or whatever else.

Yeah, Fair enough. It's the business decision. That's right. But ultimately the business, I think, should be accountable for a lot of those decisions as well. Yeah. It's a collective accountability, right? Yeah, that's right.

Ashish Rajan: And I think that's where the clarification or maybe the education and awareness needs to be built up as well, as much as yes, it is right, but it goes back to the framework question.

I think for me personally, the [00:24:00] importance of a framework was that allowed me to have an actual metric for, This is where the industry should be, or at least considers as a good standard or an okay standard. Let's just not even go for the best standard. Okay, standard. And this is where we are. As long as you have the awareness that you're making a decision based on the fact that, oh, I can't put the money on this, whatever this X problem is for a solution.

Lukasz Gogolkiewicz: It's based on the fact that this is where we stand and you agree to it. I think I'm cool. Yeah. And on that, I think. And this is something we don't have, and I think we do need. Not to be fully transparent with the maturity of each organization, because that might be, that's probably going to cause a lot of legal issues.

But what, tends to happen at conferences like Black Hat, or any other ones like RSA around the world, is you do tend to be in a little bit of a room with a lot of CISOs. Yeah. And I always zero in on, hey, who's in my specific sector? Yeah. And I ask them very pointed questions saying, oh, not, fully into the detail of, if they're uncomfortable with it.

But after a period of knowing them and building that trust, you do tend [00:25:00] to ask them the questions like, hey, where would you stand on this CSF for this type of control and why and what are the issues you're seeing around it? Then you can build up that picture of Hey, here's where I am and here's where I am according to my peers.

And then you can use that as a bit of collateral to report back to your senior little stakeholders saying, Hey, you know what? We're not doing too bad. I'll talk to this person and that person, we're fine. Or wow, we are really behind.

These are the types of attacks that they're seeing consistently. It might just be a matter of time before we see those things, when they raise You know, shields up to, or crank up security to 11 or whatever. Yeah. We might see they're too much of a hard target, so they might come after us instead.

Ashish Rajan: That was most of the technical questions I had. I've got three fun questions for you as well, man. Oh, here we go. First one being, what is something that you're proud of that is not on your social media?

Lukasz Gogolkiewicz: To be honest I like switching off and I really enjoy things like woodworking. We've talked about that a lot.

And so I'm quite proud that I can, I spent like almost 10 years of my life being a pentester, breaking things. Yeah. And I quite like building things. [00:26:00] So woodworking and just building just random stuff around the house that my wife says, I need a new shelf, or we need this. I'm like, I can do it.

I got this, honey. I got this.

Ashish Rajan: What do you spend most time on when you're not busy doing this CISO work, how was your downtime like?

Lukasz Gogolkiewicz: Yeah, downtime, definitely spending time, with my wife and my little puppy, my old puppy, not always a puppy. And definitely spending a lot of time in the workshop, just building things.

It's just random. Check out my YouTube channel. What's the channel called again? Richmond Woodworks. Richmond Woodworks. I'll plug that in there as well. Final question.

Ashish Rajan: What is your favorite cuisine or restaurant?

Lukasz Gogolkiewicz: There's foods that you have that you're like, if that's in front of me, I will eat all of it.

And there's two. Oh, okay. Okay. And my old team always paid me out about this. Cause in my old company, we had an ice cream fridge. Oh, okay. So if there's ice cream I'm there. And the second, every Friday night, if there's no major incident, which tends to be on a Friday night, every Friday [00:27:00] night, my wife and I sit down, watch a movie and we'll have a call it pizza and beer night sort of thing.

So Yeah, I will finish that pizza. If it's a small pizza, I will finish it. If it's one of those ginormous family size. Yeah, there's New York style like ginormous things. I will finish that too. Oh, oh, wow. You hold no prisoners for that. No. And then my wife turns around and says, do you regret it? I'm like, I really do.

Ashish Rajan: But at the same time, I enjoyed it.

I do want to call out because you've been doing mentoring and you don't talk about the career stuff at Black Hat as well. Do you want to share about that as well?

Lukasz Gogolkiewicz: Yeah so here at Black Hat, I was fortunate enough to be asked to be on a panel around careers. Yeah. So I've, I've been around for almost 20 years in this field and it's fantastic.

I still love it. I'm still highly passionate about it. And it, that entire journey kicked off because there's been a handful of people along that journey that said, Hey, why don't you try this? Or why don't you come over here? Or, asking, I've asked for help and they gave it to me. So I feel it's like naturally my duty of sorts to, to help the next generation or help others to get into this [00:28:00] industry, whether they're coming from outside IT, outside cyber from nursing or whatever else, and I want to get into the industry. So I was fortunate enough to be asked to be on the panel to talk about that.

Yeah. And specifically what my journey was like to be, the peak person within an organization responsible for cyber security.

Ashish Rajan: Yeah. And you're doing the helping the speakers as well. Yeah.

Lukasz Gogolkiewicz: So again, someone, Put me under their wing and, gave me some tips and stuff like that for public speaking and whatnot. And I also do the Black Hat coach training program. Oh, okay. So it's it could, it's open to anyone. So if, when you submit for Black Hat CFP You're asked if you want to have a speaker coach and some people opt in. Some people say it's like, Oh no. I feel that as an embarrassing. That's fine. You do you. We've had some seasoned speakers and I'm not going to say who, because, of course we've had some seasoned speakers that literally just come up and say, Hey, Can you help me polish this thing or just literally, I need a sounding board for a couple of sessions all the way through to this is my first time presenting.

I can't believe I got selected at a [00:29:00] wonderful conference like Black Hat. Yeah. And I am nervous. I am super nervous. Can you help me? You have everything between, which is fantastic as well. So I do like to do that.

Ashish Rajan: So with that note, I guess for people who are obviously in this space, are there any top three tips that you have for people who want to be, you can totally help them get into become a Black Hat speaker if you can.

If they do find themselves to be lucky to get selected for something like a BlackHat, or maybe even like a general conference that they're really super excited about. Any three tips that you have for them to prepare themselves to speak at a conference, their first public speaking event perhaps?

Lukasz Gogolkiewicz: Yeah, absolutely. So there's a few conferences around the world and a lot of them are starting to Do this a lot more, which is fantastic to see. I think B Sides Melbourne does it as well. So I'm also affiliated with BSides Melbourne, and we have a coaching program. Yeah, I was going to shout out to the team as well there.

Oh yeah, absolutely. So yeah, we have a speaker coaching program for BSides Melbourne as well. As well as hey, do you need some help with your CFP submission? And, shout out to Lidia Giuliano, who really is awesome. Really is awesome. Is the driving force behind a lot of these community based [00:30:00] initiatives.

She's part of the Black Hat Review Board. Yes, that's right. Yeah. As well as she does a lot of the work behind the scenes around some of the community things as well associated with Black Hat, associated with AWSN, which is the Australian Women in Security Network, BSides Melbourne, and any other BSides that pops up.

Anyone says, Oh, we want to do some more for the community, everyone always says, talk to Lidia. That's right. She's the one. Yeah. But the top three things, and this is coming from Lidia. So I'm paraphrasing in my experience as well, really understand what you want to present on. And by that, have a compelling story.

I think BlackHat I can't remember the statistic. I think that had something like 1700, 1800 submissions this year. And that means that someone or a bunch of people need to sit down, review that, So they take time of, and they're all volunteers. They take time of their day to review your submission.

So if you don't put in the time, they probably won't either. I'm not saying they won't, but they, I feel it's unfair on their time to not put in a [00:31:00] time as well. You should, sit down. Actually put in the time. Don't leave it to last minute. Take a week off. Think about the content you want to come across and then have a re review of your submission.

Reach out to someone that's presented a BlackHat in the past. Ask them to maybe say, Hey, can I buy your coffee or can I buy your virtual coffee? And you mind doing a zoom or something like that where we can talk through my submission or, so many kinds of other people on the internet as well that you can actually reach out to.

Reach out to me on LinkedIn. I'm more than happy to help. And here comes a thousand submissions. And I'm like, Lukasz, help us get into Black Hat. But yeah, so we also do run as part of BSides and it's also part of Black Hat. And then also part of some of the other conferences as well. We do run sessions where we say, Hey, you want to present at a security conference?

Here's the things you need to know. So here's your submission. And when you do get accepted, there's a thing, there's things that you also need to consider like the structure, the story. I always say to the speakers that I'm coaching, you should have a beginning, a middle and an end, just like any [00:32:00] other storybook.

Take that person on the journey. And if it's something super technical, which is fantastic, we've all been there as technical people where you're like, I found this vulnerability. There's something here and you start scratching the surface, you scratch more and you scratch more before you know you're digging the massive, hole sort of thing.

Take people on that journey and you can put this in your submission as well saying, I found this little thing. And then this. Is what I came up with and take them on that story as well. Yeah. Because there's no doubt people in the audience or people that are reading your submission as well that have also found that little thing and said, I've been in that exact same situation.

And the final thing I would say is title. because the title is what you read. If you have a look at the Black Hat app, you read the title. Immediately, it's not available, like what the, description of or abstract of the talk is. So you got to hook them at the title. Oh, yeah. Actually, that's true.

Ashish Rajan: Because if the title is more enticing enough, you would not even read the description.

Lukasz Gogolkiewicz: Yeah. And it should be as simple as descriptive as possible without being a mile [00:33:00] long as well. And not a clickbait as well. And not clickbait. Yeah. Lose weight now, ask me how kind of thing, right? If you don't click on this right now, you'll be hacked.

Yeah, exactly. So probably not that. I think that's going to be really difficult a bit. There could be something like, have you ever wondered what's Satellite security looks come and join me or have a look at this session or something is like a bit of a next step. Yeah, and it could be anything else, right?

Have NIST CSF 2. 0 framework, what you need to know.

Ashish Rajan: That's a very good one. And I'm glad you shared this as well, because a lot of people even sometimes struggle to even come up with a topic sometimes. And sometimes it's just as simple as what they might think is not important. And people. probably think that the world knows about it.

I would just say scratch that surface a bit more and you might find that sometimes you're the only one who has the answer to that particular thing in the world who has gone something, done something, research on it. Yeah, exactly.

Lukasz Gogolkiewicz: And everyone's going through the security journey. It's not like it's a linear thing, right?

For everyone in the world, we're all on that same linear path. Exploit development [00:34:00] was really popular, way back when. Now we're over it. There's still exploit development. People are learning exploit development, right? So at every level, at every conference, not just Black Hat. Black Hat, is in our industry, like the place you want to present it, which is fantastic.

There's also other places as well, like you've got your DEF CONs, you've got your B Sides, SecTalks, all those others as well, and local meetups. And don't make the assumption that every single individual in the audience already knows everything there is to know about security because chances are 20, 30 percent of that audience is going to be made up of people that it's their first time.

It's their first year in cybersecurity. That's right.

Ashish Rajan: Yeah. And I think that's where finding a balance between you want to remain technical so you don't lose a really advanced audience, but at the same time, not too basic that you feel like, what the hell is going on here? I think I came to a very intermediate beginner talk, which is a hard balance to find, I imagine for a technical talk as well these days.

Lukasz Gogolkiewicz: Yeah. And that's precisely why I go to conferences like BlackHat is to keep up to date. I can't [00:35:00] possibly spend every single waking moment reading what the latest white papers and researchers are reading every single article. And I come to conferences like BlackHat, like BSides, like DEF CON to keep up to date.

And I can also. depending on the organization I'm, working for or the industry or the vertical, I can tailor the conference talk I go to accordingly. Awesome. And thank you so much for sharing that. With that said, I need to put your linkedin in somewhere so we can flood thousands of questions for, Hey, Lucas, help us get into BlackHat but thank you so much for coming on the show, man. I really appreciate this. This is an overall great conversation. I'm glad we could do this. Thank you for listening or watching this episode of Cloud Security Podcast. We have been running for the past five years, so I'm sure we haven't covered everything cloud security yet.

And if there's a particular cloud security topic that we can cover for you in an interview format on Cloud Security Podcast, or make a training video on tutorials on Cloud Security Bootcamp, definitely reach out to us on info at cloudsecuritypodcast.tv By the way, if you're interested in AI and cybersecurity, as many cybersecurity leaders are, you might be interested in our [00:36:00] sister podcast called AI Cybersecurity Podcast, which I run with former CSO of Robinhood, Caleb Sima, where we talk about everything AI and cybersecurity.

How can organizations deal with cybersecurity on AI systems, AI platforms, whatever AI has to bring next as an evolution of chat, GPT, and everything else continues. If you have any other suggestions, definitely drop them on info at Cloud Security Podcast or TV. I'll drop that in the description and the show notes as well so you can reach out to us easily.

Otherwise, I will see you in the next episode. Peace.

More Videos