The Art of Storytelling in Cybersecurity

This episode of the “CyberHero Adventures: Defenders of the Digital Universe” show focuses on answering the question, How do you use stories to distill complicated cybersecurity information into digestible bites? Our guests include Jen Tisdale, principal, Cyber-Physical Systems Security Programs at Grimm; Dave King, CEO Goliath Media; and Nina Alli, executive director of the Bio-Hacking Village at Def Con.


Gary Berman: Hello, and welcome to the “CyberHero Adventures: Defenders of the Digital Universe” show. Today’s show focuses on answering the question, “How do you distill complicated tech and cybersecurity information into digestible bites?” Stay tuned to find out.

I’m your host, Gary Berman. Our mission is to shine a light on the people and organizations who keep us safe online while at work, home, and school, and to serve as a business to business networking platform for the cybersecurity and IT communities. We’ve learned that 55% of human communications is nonverbal. That’s why we include a video feed, so that you have the option of seeing our guests or simply just listening. You never know who you’re gonna connect with and how you’ll be able to maximize opportunities resulting from hearing from our guests.

As the victim of a series of cyberattacks, I’ve learned that the only time that you hear about hacking or cybersecurity is when the criminals win. Well, not anymore.

Let’s begin by saying thank you to today’s panel of unsung cyber heroes, who represent the countless people who toil in anonymity to keep us safe at home, work, and school.

Jen Tisdale is the principal Cyber-Physical Systems Security Programs at GRIMM. She’s a subject matter expert in distilling complicated cybersecurity and technology into effective internal and external communications. She has a wealth of experience in cybersecurity research, testing and consulting in automotive, heavy vehicles, ICS, robotics, aerospace, critical infrastructure, government, advanced mobility transportation, cyber business, and cyber economics. Jen is known for building trust in a trustless industry.

Hi, Jen. Welcome to the show.

Jen Tisdale: Hey, thanks for having me.

Berman: Well, my first question is, when do you sleep?

Tisdale: Nobody in cyber sleeps, I don’t believe. [Laughter] We just get accustomed to it. But yeah, I mean, our particular vertical within cybersecurity is all-encompassing. So, it certainly grows exponentially, it seems, with every year and every new product release that’s out there.

Berman: We’re gonna talk a lot about that soon. In the meantime, our next guest is Dave King, a founding member of the Cyber Support Alliance, Creative Director of Jot & Tiddle comics, and owner of the Governing Goliath Media. In these capacities, Dave serves as a trusted advisor to enterprise executives, nonprofits, and small business owners. Dave specializes in cybersecurity risk management, data breach and ransomware response, and ________ current industry compliance.

Hey, Dave—welcome to the show.

Dave King: Hey, Gary, thanks for having me.

Berman: Let’s welcome Nina Alli. For the past five years, Nina has served as the Executive Director of the BioHacking Village at DEFCON, overseen the phenomenal growth of the Device Lab, Speaker Track, and Hands-On Lab. Prior to that, Nina spent 16 years in health care building and breaking security, electronic medical records, connected medical IoT devices, and working in the citizen science area on microfluids.

Hi, Nina, welcome to the show.

Nina Alli: Hi, Gary. How are you?

Berman: We’re gonna learn a lot about what all of you do on today’s show, but I like to begin by asking why do you do it? What’s your mission? Tell us your origin story, Jen.

Tisdale: I think the mission of the company is to make the world a more secure place and to be—to provide a platform for education, for not just our clients but for the consumers that our clients are marketing to.

So, we do this because we really want to advocate for cybersecurity within the products that we are buying and integrating into our everyday lives. To have a smarter consumer makes for a smarter device.

Berman: And what about you personally? You know, tell us about your origin story.

Tisdale: Well, I think I have—I don’t think anyone I know chose this path for themselves, we sort of ended up here. Certainly, cybersecurity was not in my vocabulary when I was going to school. It didn’t exist yet, right? The types of things that we’re looking at today didn’t exist.

But I started down a path working in DoD on the acquisitions side and in a background with Department of Justice where I worked in the criminal crimes unit for computer crimes. And that slowly led me down a path of working with small businesses trying to take their technology and innovate it so that they can commercialize it to a government customer.

That somehow evolved over time into what I call cyber economics, which is not really a label that I’m aware of that exists anywhere else, but it was taking the cybersecurity technologies and rolling that into an economic development strategy. So, prior to my role with GRIMM, I worked for the State of Michigan under the previous administration, and I was tasked with growing the cyber economy in our state, hinged on automotive and defense applications.

And so slowly, over time, that really grew into a niche that we now refer to as automotive security. It has a direct relation to some of our government customers that are looking at automotive security in much the same way that our industry commercial clients are looking at automotive security.

And so, the thought behind it is, is you don’t really know how to make something more secure or stronger unless you know where it’s weak, and that’s where a company like GRIMM comes in, right? That’s where we get hired to find that weak vulnerability within the system and harden that system so that it can be improved and more secure, more resilient, if you will, prior to going to market, whatever market that might be.

Berman: But Jen, you know, one of the things that really caught my attention as I was just listening to you is SMBs, small to medium businesses. Are they really just kind of sitting ducks as things stand right now?

Tisdale: Well, I mean, I think it highly depends on the type of SMB we’re talking about. So, if you’re a small manufacturer and you’re maybe a second or third level in the supply chain, you are unlikely to have a robust IT department. Your business is manufacturing, your business is production, your business is not cybersecurity, per se, and you are unlikely to have a budget allocated for cyber. You’d be lucky to have a budget allocated or an IT person, quite honestly.

So, in that regard, the supply chain is, in my opinion, always going to be a target. And I think we’re seeing a big push right now, especially if you’re a defense contractor with some of the new NIST requirements that are out, NIST 800-171, to be specific, is requiring that, if you’re a defense contractor, you must be cyber secure, right? It’s a little bit nonprescriptive, so there’s room for interpretation, but I think that will become firmer over time. But a lot of these defense contractors, if you’re a manufacturer, it’s something that you have to get serious about and you have to do it pretty quickly.

So, there’s a learning curve for them, and until they can figure out what they need to do to become compliant and how to maintain compliance over time, it’s definitely a threat, it’s definitely a threat.

Berman: So, Dave, you and I met because of our shared passion for comics. Please share the origin story for Jot & Tiddle. What is it?

King: Sure, sure. Thanks for having me, Gary. Right, so, I’m the Creative Director of what’s called Jot & Tiddle Comics, and Jot & Tiddle actually has a, you know, it kinda started with my mentor who was an audit partner of mine at UHY Advisors. He, we were going to this very rigorous, we were about to perform this very rigorous IT controls audit on this very large set of data centers. And he said, “I want to leave no jot nor tiddle unturned.” And my colleagues and I were like, “What the hell? What does that even mean?” You know?

So, he actually, in his spare time, he does a lot of—he knows a lot of very random facts. And as it turns out, the term “jot and tiddle” is actually an ancient biblical audit term. So, a jot is a term that we still use every day. So, for example, we jot things down. So, what he was saying is, he was saying, “I want you to look at the footnotes of everything that we’re auditing.” A tiddle is actually the dot at the top of an i.

Berman: [Laughter]

King: So, when we say, “Make sure that you dot all your i’s and you cross all your t’s”—so, Jot & Tiddle started out with this, “leave no jot nor tiddle unturned.” And I thought it would be a really cool idea, and it kinda started as a joke, but I tend to go down the delusions of grandeur path with my jokes sometimes. And I said, “Wouldn’t it be cool if I created a comic strip where the two auditors, they’re cybersecurity risk management auditors and one of them is named Jot and the other one is named Tiddle?”

So, I kind of went down that path and it kind of led to this neat little comic strip series that I use to promote, you know, bringing highly complicated topics such as cybersecurity risk management down to much more layman’s terms.

Berman: And before that, you were working at a pretty high level at PwC regarding incident management. Can you share a little bit of real-life incidents?

King: Sure. I mean, I have NDAs floating all over the place, but I will say that one commonality that’s been on every breach incident engagement that I’ve been on is that a human control element was exploited before the technical control element. And then sometimes, the technical controls were operating just fine and the cybercriminals just wound up exploiting the humans.

So, for example, sending an e-mail to an Accounts Payable Department saying, “Pay this invoice” and the invoice goes out, you know, or the invoice actually gets paid, the dummy invoice. So, we see that happen all the time where the technical controls are actually working just fine, you know, especially to Jen’s point in the SMB sector, the small business sector, where the technical controls are actually operating just fine, it’s the human control that gets exploited. And what I like to say is that systems are actually very complex and they’re very difficult to exploit, but humans, as we all know, are rather easy to exploit, because trust is in our nature.

Berman: Yeah, and we work in an industry called zero trust.

King: Right.

Berman: Speaking of trusting someone, from the moment that we met, Nina, I knew that you were an incredibly creative and high energy person. Then you told me about your military service and your amazing journey to healthcare cybersecurity and I just had to have you on today’s show. So, tell us your origin story.

Alli: So, part of my origin story is that I’ve never had blue hair. I just listened to the greatness of all these people and I am very humbled now. So, I don’t know what to do with myself.

The super-short version of my life is that I’ve worked in hospitals for 16 years. I came to this rationale, realization that hospitals don’t really have controls, metrics, standards, laws, rules, regulations. A lot of stuff is guidance, which is cool, but also, a guidance is, “You know, you don’t have to, but we want you to.” So, that becomes an issue for me, anyway, when it comes to patient care. Because protocols are, “You have to do it this way.” It’s not a guidance, it’s not a, “You know, you don’t have to give this 1 milliliter, you just kill that off, do whatever.”

So, when it comes to health care, I’m kind of with David, but I’m not. I’m gonna pick on both of you a little bit. Human immune systems are really hard to infiltrate, for what it’s worth. The human person themselves, they are that factor, they are the insider threat to what all of this is. And just listening to Jen’s, I’m just—I’m small compared to you, oh, my God. And you’re right, ICS runs across all the things and health care is one of all the things that ICS is part of, because it’s that 365, 24 hour, 365—366 on a Leap Year—effort for patients to come in and tell their story to the doctor or to the person that they need to have that conversation with. And it’s amplified by emotion, it’s amplified by duress.

So, we were coming in here to talk about storytelling, and when this got my calendar, I kept thinking about, how do patients tell the stories of what’s going on with them, and how does the physician tell the story back so that they say, “I understand. More than that, this is what I think you should do to do not feel this way, or feel this way, whatever needs to happen.”

Berman: That’s incredibly insightful, and I remember the first time you told me some of the great things you’re doing and just how you go about communicating and distilling complicated technology information—it’s amazing. What has your role been pertaining to the BioHacking Village?

Alli:  I am the Executive Director of the BioHacking Village for the past five years. I am not one of the original founders, as opposed to popular thought. I am the one that took it from nine talks to three different villages under one umbrella.

Berman: Wow. And what’s the mission of the BioHacking Village?

Alli: I’m so glad you asked that. Something along the lines of making biotechnology tangible and not resourceful, but capable of taking care to make patients better.

Berman: One of the other things that you said to me, Nina, was—that really stuck to me, you said, “This is literally life and death.” How do you relate your cybersecurity insights into storytelling and enlightening people who may not be as sophisticated?

Alli: So, I’m gonna tell a story about you and I, one of the conversations we had after I had done one of these with you. You were trying to come up with the name of the character that I would be if I should ever become one of the characters. And we were talking about trust, and you decided that I would be Zero-slash-Trust. Because in health care, you have to trust the person that you’re having that conversation with, even if it’s that first time and you have to give them a complete data download of your life so that they can help make the best decisions for you.

But simultaneously, you can’t trust anything because everything in the health care situation, because it’s so technology-heavy now, you have to completely and always be aware of, it’s a zero trust environment still, right? Trust but verify, trust but verify constantly. So, that’s how I consider all of health care, that was the explanation that I gave you and then you ended up calling me Zero-slash-Trust.

Berman: Jen, the title of today’s show is, “The Art of Cyber Security Storytelling.” Why don’t you share the story of how your company got its name and logo? And can you tell us about the unicorn whose part of your team?

Tisdale: Boy. [Laughter] I seem to be surrounded by unicorns, and I’m sure Nina can vouch for that at all of the DEFCON villages.

So, GRIMM was founded by a gentleman by the name of Bryson Bort, and he is GRIMM. Some might say that it is his persona, but I think the actual story is, it was his Army call sign, his handle when he served in the military. So, that name stuck and he founded this company, named it after his handle, and GRIMM was born.

And it was born out of the necessity to have a company built by an engineer, for engineers, to do really cool stuff within cybersecurity, right? I think—I’m paraphrasing Bryson’s words. He has since spun out another company called SCYTHE, and I would call it the tool side of GRIMM, right? You take a look behind me, I’ve got my little GRIMM guy back there, that’s actually a Halloween decoration, but he serves my purpose well. And so, the SCYTHE is his tool, but GRIMM is the person, he’s the personality, the service provider. So, those are the two companies coming hand in hand together.

And the unicorns, I think, it was something that was born out of, really, the need for highly skilled and qualified talent in cybersecurity as a general rule, not just within our company, but industry-wide, right? And to find that perfect unicorn, which I might say, both of you fellow panelists are true unicorns, right? And the reason being is, it’s so hard to find somebody who has the technical skill set and the ability to communicate the mission outside of their demographic, right, outside of their community of technical professionals into that business. That’s what really constitutes a unicorn, in my opinion.

And so, GRIMM has sort of built some side branding, if you will, around unicorns and our search for qualified talent to advocate the really cool experts that we have within our company as well. And on occasion, you may find our founder dressed as a unicorn from time to time. [Laughter] Just to lighten the mood on a very heavy topic, right? Because it is zero trust and it is, I always refer to it as the dark cloud on the technology parade, but it’s a necessary cloud.

So, in terms of automotive or aerospace or medical devices, you know, the dream, the innovation that the technology brings is fantastic, but we always have to be mindful of the security vulnerabilities and the security needs behind that. So, to build an autonomous vehicle is amazing, but I’m not getting in it unless I know it’s secure, right? And I don’t think many people would.

And so, that’s really how everything comes together into that perfect rainbow unicorn story that I think we like to tell, as an industry, not necessarily just for GRIMM.

Berman: And so, your logo, can you describe it for the audience? Ah, there’s the skeleton, the logo. That’s a great shirt.

So, Dave, speaking of imagery and graphics, what role do you think they play in distilling complicated cybersecurity and technology information?

King: Yeah, I think comic strips, and really, comic strips is just a, it’s a venue for humor, right? And I think that humor plays a very important role in building trust and also to distilling complex comics into topics that people can easily understand.

You know, an example of using humor to build trust, I think that there seems to be almost like this ever eternal war between the IT audit/governance risk compliance side of the house and the IT side of the house, right? So, it’s very difficult, usually, for auditors to build trust with that IT side of the house, because they’re like, “Is this a performance review? Are you gonna tell my boss all these things that I might be missing in this highly complex environment?” You know? Are you on a—I call it a turd find so, you know, you’re gonna expose this turd that I just can’t do anything about because of lack of resources, right?

So, usually what I find when I start my audits is that the IT side of the house has a very protective, defensive posture. And I kick off every new meeting by just calling it out, right? So, I like to say that words never assembled and spoken by humankind, and then I talk a bit about how systems are difficult to exploit, humans are much easier to exploit. And that’s how I believe, you know, I can have more thorough audits performed and I can add more value to my clients by just very easily—again, by using humor, kind of placing that overlay of governance and why it’s important on the IT stack, and everyone kinda comes on board at that point.

Berman:  And Nina, what has your experience been and how would you advise our audience about the role of humor in health care cybersecurity? Does it have a place?

Alli: I am so glad you asked that. I literally had this conversation yesterday. So, I love statistics, and I think it’s 65% of doctors don’t believe women’s pain scale. And then the other statistics was, 5% of doctors in the United States—this is all United States related—5% of doctors in the United States are African-American and 5.8% of physicians in the United States are LatinX in some sort of fashion.

For me, I have a much better relationship with women of my physicians who is a Latin woman, because I don’t know, I have this thing where I can talk to her like she’s an aunt of mine or she’s something like my mother. And it’s, we have fun, we laugh, we legitimately laugh, and she shares some of her experiences in life with me when I see her. And we have that very open discourse which, to me, is extremely important. Because the physician I had prior to her was not a kind person and kind of told me what I should be doing with my life instead of listening to what I was doing and how we could work together rather than just pointing a figure and telling me, you know, “Do the thing. Listen to me because I know everything.”

A lot of it is about sharing the same experience, right? Because you’re in that room, you have 15 to 20 minutes to have a very intense conversation, and when people start laughing about whatever is going on, they start to kind of open up, but there’s that truth in jest moment. So, you still have to, as a physician, move around and know where—I don’t wanna say know where your place is, but know where your place is in that person’s life well enough to say, “So, I see what you’re doing and I kind of want to dig into that a little deeper, because that’s a conversation we need to have. You pointed something out, but then you kind of reneged on it—how do we get into that a little more?”

So, it’s also about understanding each other just as humans rather than just that relationship where I’m the physician and I’m have that hierarchy and you’re the patient and you need to listen to everything I say. Because, at the end of the day, the patient is still that autonomous body. And if you give me the receipt—not receipt, that’s what it is in Spanish—the Rx, prescription, if you give me the prescription, that doesn’t necessarily mean I’m gonna do it. I have to have that trusting relationship with you to say, “This person knows what they’re doing. They’re looking out for my best interests, I’m gonna do the thing.”

But again, every relationship, just, David, I don’t know you, so, I’m gonna—but we’ll know each other soon, it’ll be one day. But Jen and I have had conversations where we “ha ha” and it’s great and we have our serious moments where we have to get work done. Gary and I—same thing. And there’s the truth in jest and there’s the “ha ha” of, “We just have to get stuff done, guys. It’s gonna suck and it may be hard, but we’ve still gotta do it, and we’re gonna do it together, and at the end of it, we’re gonna be together, and I’m gonna drag you through it if you don’t have the fortitude, but we’re gonna get through it.”

So, having those hard conversations are part of what health care is about, but knowing how to have that hard conversation and making it fun and willing and part of the relationship is where it all comes together.

Berman:  You know, now with additional reliance on telemedicine, I don’t think people know that people have torsos, you know? How is all that gonna work out? How do you convey this empathy, this understanding to patients through telemedicine?

Alli: It may just be me, but I move my hands a lot, and I know I also don’t have a torso, but like, if I was talking to you or if you were talking to me, I can see a reflection, there are windows on the other side of you. I would say, “Okay, you’re getting enough sunlight, what else is going on with your house?” Earlier, we saw people walking the grounds, so I know you have communication. There are a lot of things I can just observe from your surroundings and bring that into the conversation, the same way I’m under the stairs and these are real stairs, this is not a background.

Constantly, people make fun of me that I’m in the Harry Potter phase of my life, just waiting to go to Hogwarts, but that’s also an opening into further conversation of, “Why do you sit under the stairs when you’re working?” and then I can go on and tell them whatever the story is. And you may or may not have a torso, I don’t know, but maybe if you go get water, maybe we can see what you’re doing, you will then get up and I will also note that you have working legs, so—options.

Berman: [Laughter] And Jen, when I went to RSA this year, I was really just overwhelmed when I went to the exhibit area about the sheer number and the lights and sounds and intensity of all the different vendors talking about their products or trying to get people’s attention. What’s your assessment of the state of things regarding marketing communications?

Tisdale: That’s easy—we start a hacking village, just like Nina. So, we have co-founded the Car Hacking Village and work hand in hand with Robert, who is the founder, so we support him quite a lot around the country at all of his Car Hacking Villages, and we bring what we call our 3PO, which is our car hacking workbench, right?

But what that enables and empowers us to do is to get that face time. Because now, we have wizardry, we have a gadget, something that draws people in and they wanna know, their curious minds are, “What is this thing with all the guts of a car hanging out of it? You know, what’s going on with it?”

So, we let the visual tell our story for us, right? And that’s really what, I think, one of the major keys to success. Yes, our people. Yes, our talent, of course. But providing that visual draw to bring people in, because something like hacking a car is very intangible, it’s very abstract. Cybersecurity in general, right, is very abstract. So, how do you provide a visual that tells that story or helps amplify your story?

So, much like the BioHacking Village or the ICS Village, right,  it brings the story to the people and it draws the people in. And that, for us, has been like the stars and the moon. It’s everything, it’s the galaxy, it’s drawing those people in. Because, to Nina’s point, when we’re talking about relationships, we’re talking about being relatable right?

Berman: Mm-hmm.

Tisdale: So, whether it’s her doctor—and I got news for you, it’s not just auditors people don’t like; they don’t like consultants, either. [Laughter] You know? So, when we go in and we have a conversation, I work on the business side of the consultancy; my team works on the technical side of the consultancy. But sometimes, for me to have that same discussion with a C level person about not having enough budget allocated to do a pen test or whatever the case might be, that’s a very different conversation than what the tech team would be having. Because engineer-to-engineer, they understand. But telling a compelling story for why somebody needs to give money to something that’s never truly gonna be fixed is a very different conversation.

So, having those visual aids at RSA, having that sensory overload—if you can draw them into you instead of you handing your business card out to every Tom, Dick, and Harry in the room, you’re gonna be far better served, right? Bring them in to you.

So, that’s how a small business like GRIMM makes a large impact with a relatively—I don’t wanna say low effort, but relatively low effort, right, is we can bring them into us.

Berman: Well, speaking of conferences, for the foreseeable future, at least for a little while, they’re gonna be put on hold in person, and they’re going to be virtual. You have been involved with a very cool conference. Why don’t you tell our audience a little bit about that?

Tisdale: Oh, my—yeah, my conference. So, in my spare time, I volunteer with an organization called The National Defense Industrial Association. We are in support of the DoD mission and the defense industrial base. So, my annual conference, we will be hitting our sixth year in 2021, we’re really excited about it. It’s focused on cyber-physical security for military platforms. So, again, that can be anything. It traditionally has been about ground vehicle military systems, but we take a look at things that fly and roll on the ground in other formats than just vehicles, and industrial control systems is a major piece of that conversation, as is critical infrastructure for our Department of Homeland Security friends as well.

So, within this summit, traditionally, it has been a two-day affair. That might change for 2021, being a virtual event, but traditionally, it’s been a two-day affair where we fly in people from military, industry, and academia to talk about the really cool research and cyber security initiatives that they have in this space. And what it does is, it helps translate, if you will, things that are really important and have a certain air of mystique around them for the military, and translate them into something that’s more recognizable for industry. So, if you want to pull industry up and have them support you, do the research with you or for you or provide you a product solution or whatever the case might be, you have to talk to them.

So, it really kind of closes that delta between government and industry and academia where they can come and just have this really great conversation for two days about things that they’re passionate about. And it takes the red tape out, you know, nobody’s worried about, “Am I going to get a contract, am I not?” because you’re talking about the research.

Berman: Just even the expression that you use when you talk about things that fly and roll around, it’s just terrific.

So, Dave, as we’re winding up here, is there anything else that you’d like to add to amplify your mission?

King: Yeah, sure. Circling back to the small business sector, you know, I have a bold claim—I do a lot of public speaking as well. So, I have a bold claim that tends to cause my audience to kind of gasp when I initially say it, so here goes.

I think when it comes to consumers and to small businesses, we’ve already lost the war on cyber security, or we’ve already lost the cybersecurity war, right? We’re spending—the reality is that the small business sector is the hardest hit, because they’re the highest, you know, they’re the weakest and they’re the most likely targets by cybercriminals, yet they just don’t have the budgets to, you know, bring on cybersecurity risk management consultants or even full time IT staff. And I think a lot of the cybersecurity industry is really focused on generating profit, and there’s nothing wrong with that, right?

So, it turns into a mouse trap exercise. You know, how can we build the best mouse trap to add the most value to our customers, most value to paying customers, right? We’ve already said that in that, in very small business markets, family-owned businesses, less than 10 employees, and individual consumers—you know, our data already exists on databases on the dark web, right?

So, they already have our PII data that we can’t change like our dates of birth and Social Security numbers, yet we still spend a lot of time trying to coach, train and preach, you know, protect your PII, which we still, you know, I have to pay homage to the act that, yes, we do have to protect our PII. But the reality is that, because this is such a complex topic, combined with the fact that it’s a topic that requires revenue and a budget in order to really add value to businesses, you know, that’s why we find a lot of the small business sector is slipping through the cracks.

So, Nina will get a kick out of this. I love numbers and statistics as well, and I’m a huge Malcolm Gladwell fan. I get his books the day that they come out and I just read it cover to cover, right?

Berman: Well, I mean, by the way, since you mentioned Malcolm Gladwell, one of his first books, Nina, was called Blink, but I digress.

Alli: [Laughter]

King: Well, there’s this—in one of his books, David and Goliath, which is my favorite of the Malcolm Gladwell books, he applied this cybersecurity risk management lens to this one statement that he has in the book. And it’s a really short statement, I’ll read it to you, because it’s impacted me profoundly, and it’s what led me to develop Governing Goliath Media, which is a YouTube channel that I started earlier this year.

It says—I’m gonna read this off-screen, here—“What the Israelites saw was an intimidating giant. In reality, the very thing that gave this giant his size was also the source of his greatest weakness.” And I thought—ah ha, you know? Here’s how we beat the cybercriminals, right? There’s an important lesson in that, for battles with all kinds of giants, the powerful and the strong are not always what they seem.

So, I thought—okay, well, here’s how, here’s the magic bullet to defeat the international, you know, trillion and a half dollar cyber-criminal economy. We just have to look at the sentence, “The very thing that gave the giant”—international cybercriminals—“his size was also the source of his greatest weakness.” So, I was like—so, what is international cybercriminals, trillion and a half dollar economy, what’s their greatest weakness? You know, what’s the pebble in the slingshot thing that all we’ve got to do is just shoot it and then they go away?

So, there isn’t one, right? I can’t think of one yet. We’ll get to you in just a second, Nina. I see you there, I see you there.

Gave up hope and despair and there was this follow-up sentence where he says, “The powerful and the strong are not always what they seem.” And I said, well, that—that’s the statement that I have to go after. It’s not, you know, the giant size was the source of their greatest weakness, it’s that Goliath isn’t international cybercriminals. Turns out, Goliath is our use of technology. And if we can apply governance to our use of technology, that’s the next step to hopefully win the next cyber war.

And I got—my whole YouTube channel is Governing Goliath on YouTube, I post twice a week, and I just hit on all these topics around Governing Goliath.

Berman: Well, thanks so much for that, Dave. And the final word to you, Nina. Do you have a favorite superhero, and why?

Alli: Please. [Laughter] I’m drawing a complete blank because I have comments, I have other comments. They will be so fast, I promise. So, I’m doing this because, on my screen, you’re under me. David—I think people are that one strength and weakness. So, put people in, into that sentence, and I think it makes sense.

And then, going back to Jen’s statement with the government, because I sit on a tech transfer board, and one of the things that they do that drives me crazy is, there’s a—they need three different ways to communicate the same thing, which is the four quad. It’s not called the four quad, it’s called the quad chart, and then there’s the BLUF, bottom line upfront, and then there’s the information paper. And it’s the same information just done in different places and ways so that different people can intake that information. And it drives me crazy, because it’s like—why can’t we just have one where everybody takes advantage of this one thing? So, that was my thing.

Tisdale: I know. [Laughter]

Alli: But my last piece of commentary, I don’t have a favorite superhero. I have a lot of favorite books, but my favorite piece of information that I share with every single person I meet, I think it’s super important, is—we listen to reply, we don’t listen to listen.

And coming from the background that I have, that’s always been the more important thing in my whole life where, if you came to me and you said, “I have a problem,” I will never answer you directly, I will continue to ask you more and more questions to get to your point, and I will never give you a solution. Because you know your life, you know your past, you know your future, you know where you wanna go. The only thing I will say is, I think you have enough to make your own decision now.

Berman: Well, that is sage advice. Thanks so much for that, Nina.

Alli: My old adage.

Berman: Jen, you have the last word.

Tisdale: That’s a lot of pressure. Unfortunately, I do not have a favorite superhero, per se, but in a more generic way, I would say that all of us as storytellers for this critically important industry are my superheroes. You know, I know that sounds a bit cheesy, if you will, [Laughter] but we have such an important role in not just our industry, but in society overall that it is incumbent on us to each go out and tell the story of the work that we’re doing to as many people as we can get to listen. And that’s a superpower—to get people to listen to you on this topic if they’re not technically inclined.

So, good luck to all of you. I know I need it. [Laughter]

Berman: Good luck to all of us and, you know, on that upbeat note, thanks so much to Jen, David, and Nina or this incredible show. If you’d like to be a guest on our show, please send an e-mail to [email protected] Bye, everyone.

Gary Berman

I was the CEO of a marketing company that was hacked and "cloned" by insiders. Unable to receive justice due to the difficulty of attribution, I have pivoted from victim to advocate by creating I'm also the host of The CyberHero Adventures Show in partnership with Let's defend the Digital Universe together!

gary-berman has 4 posts and counting.See all posts by gary-berman