Jerod Brennen, VP of Cybersecurity Services at SideChannel, brings a unique perspective to cybersecurity leadership. Originally pursuing a career in music education, Brennen’s journey led him through various IT roles before landing in cybersecurity at a public utility. Today, he serves as a vCISO for multiple organizations while also creating educational content for LinkedIn Learning, where he has developed over 40 courses covering topics from application security to ethics in technology. His unconventional path from music to technology has shaped his approach to security leadership, emphasizing the importance of both technical expertise and human understanding.
As a vCISO, Brennen emphasizes the importance of tailored security approaches for small and medium-sized businesses. His work at SideChannel involves helping organizations across various sectors—from healthcare technology to manufacturing—build resilient security programs that align with their specific needs and capabilities. He highlights that while many of these businesses may not have the resources for a full-time CISO, they still require sophisticated security leadership to protect their digital assets and maintain compliance with industry standards. Brennen’s approach focuses on building security programs that enable business growth rather than simply implementing restrictions, ensuring that security measures support rather than hinder organizational objectives.
A significant portion of the conversation focused on the challenges of data security in modern business environments. Brennen discusses the complexities of managing data access, particularly in cloud environments, and emphasizes the importance of proper tenant separation for different environments (development, testing, production). He notes that while cost often drives initial cloud decisions, mature organizations eventually shift their focus to building stable, secure infrastructure that aligns with their business goals. The discussion delved into the increasing importance of compliance frameworks such as SOC 2 and CMMC, with Brennen sharing insights on how organizations can effectively prepare for and maintain these certifications while avoiding common pitfalls. He stresses the importance of viewing these compliance requirements not just as checkboxes, but as opportunities to build genuine security resilience.
The discussion also touched on emerging technologies, particularly the challenges and opportunities presented by AI. Brennen addresses the growing concern among organizations about the secure use of generative AI tools, highlighting the need for clear policies around data sharing with these platforms. He emphasizes the importance of considering long-term implications of AI adoption, drawing parallels with recent events in the tech industry to illustrate the potential risks of data handling by emerging technology companies. His perspective on AI security is particularly relevant given the current landscape where many employees are already using these tools without formal organizational guidance. Brennen advocates for a balanced approach that allows organizations to leverage AI’s benefits while maintaining appropriate security controls.
Throughout the conversation, Brennen’s passion for education and mentoring shines through. He discusses his extensive work in creating cybersecurity training content, including specialized courses on ethics in information security and emerging technologies. His commitment to education extends beyond formal training, as he regularly contributes to the cybersecurity community through speaking engagements and mentorship opportunities. Brennen’s approach to security leadership combines technical expertise with a strong emphasis on building understanding and capability across organizations.
LinkedIn: https://www.linkedin.com/in/jerodbrennen/
SideChannel: https://sidechannel.com/
Transcript
Patrick Spencer (00:01.014)
Hey everyone, welcome back to another Kitecast episode. I’m your co-host. My partner in crime, Tim Freestone, couldn’t make it today, unfortunately, because he’s going to miss out on a great conversation with Jerod Brennen. He is based in Columbus, Ohio, and he has a really interesting background. We’re going to talk a little bit about his music, how he started off in a music education career and how in the world he got over to cybersecurity.
He’s currently the vice president of cybersecurity services at SideChannel and the CISO, virtual CISO, for a number of different organizations. We’ll talk about what he’s doing on those fronts. We’ll also talk a little bit about his prior roles where he served as a strategy and solutions advisor and architect over at CellPoint among other assignments. Jerod, thanks for joining me today. I’m looking forward to this conversation.
Jerod Brennen (00:52.97)
I appreciate the chance to be here, Patrick, have the talk. Big fan of your stories.
Patrick Spencer (00:57.442)
Yeah, well, thank you. We’re looking forward to talking a bit about your background. Before we jump into the music stuff, my daughter’s a professional violinist, so there’s always an area of interest when someone has music in their background. But before we get there, let’s talk a little bit about your current role over at SideChannel and what you’re doing there and then the vCISO roles that you hold.
Jerod Brennen (01:21.154)
Sure, I’ve been with SideChannel for a few years now. Originally started in a 1099 role and then made a move over to full-time employee. Now I’m in a VP role where about half my work is internal to the company, helping us build out practices and standards for how we do what we do. But the other half of my time is serving as a virtual chief information security officer for a handful of companies.
Over the years I’ve been here, I’ve had healthcare tech companies, I’ve had educational technology, data analytics, labor relations, manufacturing. It’s a potpourri, right? If you’re a Jeopardy fan, it’s a little bit of everything, but that’s the trend that Brian Haugli saw. He’s the CEO. Is that we’ve got a lot of companies who need security leadership and need to understand
Patrick Spencer (02:04.79)
Run to you.
Jerod Brennen (02:21.176)
How do we build resilience into what we do? But they don’t have the pockets to hire these 20, 30 year CISOs who’ve been doing it in the field and have actually built programs from scratch. So the fractional model or the virtual model gives us a chance to come in and help either as peer advisors, which is where we might do an assessment, design a roadmap, hand it over and then just.
you know, regular touch points, help them keep them moving forward. We’ve got an entire engineering team of folks who can come in and do the hands-on work if organizations need help with it. And, you know, it varies the level of involvement. You know, sometimes we have budgetary responsibility, sometimes we don’t. Sometimes we’re in front of the board and the other executives, and sometimes we’re just helping them build their team. But the benefit is whatever these organizations need to do,
do what they’re doing, right? The products they’re making, the services they’re delivering. We’re here helping to lend that quality and resilience to their organization by just making sure everything’s smooth sailing from a security standpoint.
Patrick Spencer (03:33.506)
So you brought up something that I found interesting. You’re partially responsible for fixing the operational processes. So these are internal to SideChannel or you develop an operational practice in terms of how you approach your clients or maybe it’s intertwined. Yeah.
Jerod Brennen (03:50.208)
intertwined. No, that’s, a good call out because SideChannel is a company and we don’t eat our own dog food. We drink our own champagne, not a fan of dog food. But if, if we’re going out and telling an organization that they need standards and how they do security, then even from an operational perspective, we need standards and how we practice every client that we work with has a different risk appetite, different needs, different capabilities, different budget.
And so we need to maintain a level of independence and autonomy and flexibility for the CISOs in the field to go in and do what the client needs. We don’t want them to get kind of a cookie cutter box. We’ll just throw it on top and force it to work. That is not our approach. But at the same time, we have to have standards for how we onboard new vCISOs. SideChannel has been growing pretty quickly.
And as a result, we were finding that we need, we can benefit from more efficient processes in the time from finding a CISO who’s going to be able to help a client to getting them in and effective and just keeping track as we grow, just like any growing company runs into keeping track of who’s stolen what and are we hitting the mark? Those are some of the things we’re doing internally.
Patrick Spencer (05:13.282)
Interesting. So you work with a wide array of different industries to your point. Organizations are at different levels of maturity. What size are these companies typically? There’s one question then associated with that is, what are some of the, as you go in, you assess risk within each organization. What’s at the top of the list? You know, two or three things a year repeatedly. This has to be fixed, okay? Same thing has to be fixed in the next company. It’s not just a checklist you guys follow, I’m sure, but.
There’s a series of different controls that you have to assess and certain things become repeated on a regular basis, I suspect.
Jerod Brennen (05:49.11)
Right, right. No, that into the question about controls, there are repeat offenders. I’ll get to that in just a moment. There are standard, we know before we sign a contract with a client that the likelihood of them needing a handful of what we call like cybersecurity hygiene controls, that foundational healthy base is, it’s pretty common. At the same time, the other question around
size of the organization. It’s all over the place. We really exist to serve the small and medium business, small and medium enterprise space. And when we talk about the size of an organization though, if I’m talking in terms of number of people, I’ve had organizations that have had 300, 500. I’ve had organizations that are as small as 20. I think one of our vCISOs has a client that’s got maybe five people.
But their revenue is pretty significant and they have a business that they’re building that needs protection, that needs a security program. So the need in that SMB, SME space, when we look at the American economy in particular, and we look at how much of the American economy is fed by small businesses versus large corporations.
Patrick Spencer (07:11.51)
Peace.
Jerod Brennen (07:12.392)
It is the lifeblood of what keeps things functioning. And the important part for me, my dad was an electrical contractor, passed away quite a few years ago, but he had his own business and he had people he employed and they came in and they did work and they were out doing large installations. There’s a mall, I’m going to date myself here when malls were new. He and his company were out doing all the wiring for this.
mall in the city near where I grew up. I know firsthand what it’s like to live in a family where you’ve got money coming in and it’s either there or it’s not. And you know, the notion of resilience when I use that term, when we look at modern businesses, if you’re starting up a donut shop, like the one here in Hilliard where I live, Little Donut Factory, fantastic donuts, but they might have a website, they might have online
e-commerce, I know I can DoorDash their donuts, which is no good for my sugar intake. But if they set up a website and they want to take orders at e-commerce, then suddenly they become a target. And so that need for that value of lending stability through security has changed over the years since I was a kid watching it from that small business perspective. Far and away, those are the clients that we serve.
Patrick Spencer (08:39.753)
Interesting. Well, digitization changes the landscape dramatically because if you think about payroll and how you get with third parties, how do you collaborate on the same file when you’re working with the third party or even internally? Right. So there’s more digitization that happens, the greater, greater the risk.
Jerod Brennen (08:46.987)
Yeah.
Jerod Brennen (08:53.432)
Sure.
Jerod Brennen (08:58.472)
Well, and I should point out to Patrick, we’ve got a lot of clients who are publicly traded. When I’m talking, we’ve got clients who they’re small businesses. I’m talking their multimillion dollar revenue streams each year, billion. If, if, if the rumors are true, they, we’ve got some clients that are, you’re making a pretty significant mark. And, it just, for me as a builder,
It presents a unique challenge for if I’m going to a small organization that’s highly non-technical and they might have one or two technical resources that are never have never done security. That might be a client that I work with in the morning. And then in the afternoon, I work with a data engineering company that every data scientist and engineer at the company knows more about coding and building and deploying cloud native solutions than I’ll ever know in my life.
But, both clients need security. And so we have to understand what does it look like for each client? How do we interpret the decades of experience that our CISOs have and then translate that into something meaningful and useful.
Patrick Spencer (10:10.102)
You what, you know, you look at these small businesses, who is typically responsible for security in them? Because they’re bringing in you as a vCISO to supplement, augment their staff so they don’t have someone who owns security, I suspect in most instances, it may vary, but there’s someone who wears multiple hats and security just so happens to be one of
Jerod Brennen (10:33.448)
That notion of ownership, unfortunately, tends to be a little scattershot. We’ve got, I can point to one client that I’ve worked with where security is now a function that falls to the CTO. If I’m looking at the CTO-CIO relationship in an organization, that’s very common.
Someone in that function, although depending on the size of the organization, if they have a VP or a director who needs help, then they might bring us in. I have another organization that it’s more of a director of IT technology that I support where they have a CTO function and they’re building out an application. And we do a lot of application security work, a lot of cloud security, a lot of identity security.
But the ownership of security, the onus really falls to this director. And I did have one organization I was helping that had, they had someone on staff who was an information security officer, but they didn’t want to promote that individual to chief information security officer until they had some time working with a CISO in a mentoring capacity. There, that was a fairly,
Patrick Spencer (11:49.014)
Interesting, yeah.
Jerod Brennen (11:52.532)
large organization by comparison in terms of staff and teams. But the role that they needed was not just the security assessment, the understanding of where they were, the roadmap, some support around things like SOC 2, which we get a lot of questions around SOC 2 Type 2 initiatives, but also how do you enable my people to be able to do security after you’re done here?
Because sometimes someone comes in with a short-term plan and says, look, we need you for a few years to help us build this function out. And then as we grow, we’ll take it from there and maybe lean on you in a pure advisory capacity after, where others have more of a long-term plan to say, we want to maintain the relationship and stay the course. So we adjust.
Patrick Spencer (12:40.226)
So, you you brought up an interesting point. You mentioned SOC, which is one of many security standards out there. Are you finding that those security standards are driving organizations to harden their security measures, to look outside their organization because they don’t have a level of expertise in ISO or SOC or, you know, even FedRAMP if we start talking about organizations that do business with the federal government. You know, is that one of the driving factors behind your engagements?
Jerod Brennen (13:09.236)
It is, it’s actually a very significant one. Not just the SOC 2 Type 2, but the SEC compliance, the rules around security and threat detection. That’s driven quite a bit of conversations from organizations that are publicly traded that might say, well, we’re not quite ready for this. What does this even mean? And then it’s not just a matter of going to a consulting firm.
Patrick Spencer (13:22.828)
Mm-hmm.
Jerod Brennen (13:38.656)
And saying, tell me what we need to do. And then a consulting firm drops a report and walks away, but it’s, no, now that I know what I need to do, what’s the day to day execution look like? How do I actually move the ball forward? So that SEC compliance is driving a lot of conversations. The, the SOC 2 discussions tend to fall in more of, like a competitive market conversation. Well, I supported an organization that pursued.
their certification. It was more in the healthcare space, not the SOC 2 specifically. The reason though they pursued that specific certification was because their competitor did not have it. And for them to be able to go to market and say, we are taking security seriously here, we’re protecting your data, you can trust us. And it’s not just the sales and marketing team telling you that we’ve been independently validated.
by CPAs who have rules that they have to follow to make sure that they’re asking the right questions and acting with integrity. And they’re the ones saying that we’re doing this right. Who would you rather buy from us or the competitor? So it’s driving in my experience, the more forward thinking C level execs who understand that security has become a market differentiator. It is a competitive advantage.
It may not be as significant as some of the other factors, but it is definitely a factor, especially in B2B transactions that your customers and your prospects are considering.
Patrick Spencer (15:18.43)
We found that true with our business, but we’re selling to highly regulated industries that all want to see SOC. They want to see ISO. Some obviously want to see FedRAMP Moderate or even FedRAMP High in a few instances. Those are competitive differentiators for us. We find that there are some in the marketplace that will say we’re FedRAMP-like. That means they haven’t gone through the 400 and some controls, right? Are you finding some of your clients want to
Jerod Brennen (15:41.624)
Yeah, yeah
Patrick Spencer (15:46.466)
skip that step and say they’re SOC 2-like, but they didn’t necessarily go through the actual audit.
Jerod Brennen (15:52.792)
That’s the benefit of the SideChannel relationship. Every vCISO who steps in is putting their integrity on the line. And so if we let our clients take shortcuts or skimp on controls, we don’t come in and be unreasonable. We take a very intentional approach to helping organizations implement controls that are appropriate for their organization. Knowing that if you’re going to demonstrate compliance with like a SOC 2 framework or an ISO framework.
that there’s a list of things you gotta do. And if you’re not meeting that basic list, you’re gonna have a tough time proving to a third party CPA, somebody outside of the organization that you’re performing your due diligence. But we don’t let our clients, how do I say that? We don’t let them misrepresent.
Patrick Spencer (16:45.282)
You sure? Yeah.
Jerod Brennen (16:46.328)
It’s at the end of the day, it’s really about helping an organization build the kind of resilience that’s going to enable their customers to get what they need. It’s going to enable them to keep their people on staff so that they don’t have some sort of incident or event or some happening that could have been avoided that results in a reduction in force or, you know, a change in their staffing model. It’s a very personal thing for me, and I’m very transparent with the clients I work with.
I take care of my people and the notion of if you’re one of my clients, by extension, you’re one of my people. And then the people who depend on you for paycheck, the people who are buying from you, they’re also, it’s my responsibility to do right by them. And I’m fortunate that that’s a pretty common sentiment here among the team. It’s a good company. It’s a good group.
Patrick Spencer (17:37.452)
That’s great. That’s the right philosophical mission statement to have for sure. CMMC is, well, the final rule was just passed. It goes into effect, what is it, in January, but it’s now a done deal. Anyone who does, you know, is in the defense industrial base. You think defense industrial base must be missiles, planes, tanks, jeeps and so forth, battleships. But you know, the supply chain, when you talk about the
Jerod Brennen (18:03.682)
Yeah.
Patrick Spencer (18:04.226)
is much, much greater than that. There’s healthcare providers, there’s financial institutions and so forth. Are you beginning to see CMMC percolate to the top? It has been, hopefully it’s been the last couple of years with your clients. And how do you work with them to guide through that process, finding the C3PAO that they need to have to do the audit and the certification. What are you seeing on that front?
Jerod Brennen (18:29.676)
Yeah, that’s an interesting question because I’ve actually had one of my clients, they needed help specifically in preparation for the certification. So it was more of what I call pre-audit. And I was able to come in and help them examine their system security plan. I went through all the POA&Ms, the plans of action and milestones that they put together.
all these artifacts that they developed, every policy that they built. And I was able to read through that as an old gray beard who’s been doing this for 20, 25 years now and say, you’re spending too much money on this. You are not doing this at all. But if you go to this system and make this change, it’ll bring you into compliance with this control and just give them a really simple to understand roadmap on how to get from here to there. And then we were able to give it back to them and say,
we’re here to help. You can use us to help build out the program from a leadership perspective. You can tap into our engineering team and they can come in and help you build out of the controls. Or you could just keep us on the hook and ask us questions after you put controls in of whether or not we agree that you hit the mark. And that relationship positioned them to go on for more productive conversations with all the powers that be on the CMMC side. And again, I’m
I am not a CMMC expert personally. And they knew that they brought me in to help them just get that basic security hygiene. When they had a second location that they wanted to run through the same process, we did bring in our CMMC expert because the other benefit of having a group of vCISOs as large as we have here is we’ve got people who’ve worked in every industry.
and not just, you know, heard about it or read a couple of reports, but they’ve been in the hot seat building these programs, facing auditors, talking to the board. And so understanding what the client had and what their needs were going forward, I was able to go internally and say, Hey, do we have somebody who can help them build on top of what I’ve already done? And one of our vCISOs, yeah. And that was just one, we’ve actually got multiple on the CMMC side, but,
Jerod Brennen (20:52.534)
Yeah, it has driven some of those conversations and I’ve seen it firsthand.
Patrick Spencer (20:56.802)
That’s interesting. Well, the advantage of an organization like yours is you have this whole community of former CISOs that belong to it, and they all have different levels of expertise. So you’re not necessarily stuck with just Jerod. You get the entire team.
Jerod Brennen (21:13.024)
If anything, Jerod’s just the point person. I’m the, I’m the single throat to choke if you need anything. But if you have a question about literally anything you’re doing in your environment, we had a client who went through a migration from a colo data center to AWS and we were able to help them out because we have AWS experts internally who were able to give them some guidance on what they should build out. And now we’re looking at what they’re doing in AWS saying, you know what? There’s an opportunity for you to.
make this even more efficient, not just from a security standpoint, but cloud operations. Because that stability of a cloud environment, in that one example, bleeds between security and operations and kind of a DevSecOps, like a true model. And we recently hired Dutch Schwartz, deep AWS expertise, was working at AWS for years. And we brought him over and he’s building out
practices internally to help clients there. So as we’re looking across the board at what our clients need and where we’re able to help them. Sure, they get one person as their point person, but anytime a question comes up, if we don’t have the knowledge internally, I guarantee you it’s a conversation among leadership, should we? And then we end up bringing somebody on board. It’s fun to watch.
Patrick Spencer (22:36.768)
Interesting. So I asked this question a little bit ago, but we got sidetracked, I think, in regards to what do you see as one of the most pressing issues when it comes to cybersecurity? And I’m curious specifically when you look at data security and the sensitive data that’s being exchanged, you have collaboration taking place, you’re sending documents to external third parties. What does that risk look like? I assume that’s part of your assessment process you go through with your clients is where is their data?
which is sometimes very difficult to figure out. What type of data is it? Who has access to it? Who doesn’t have access to it? What’s that process look like for you?
Jerod Brennen (23:17.366)
and do they still need it? That’s the other conversation I’m having at all my clients. The data security challenge is definitely very real. We run into that with each of our clients in terms of, it might start as an executive saying, we need data loss protection. And then we say, okay, you’ve heard that somewhere at a conference, let’s unpack that for a bit. What are we trying to accomplish?
Patrick Spencer (23:19.138)
perfect
Patrick Spencer (23:25.356)
challenge is.
Jerod Brennen (23:44.194)
What’s the need, what’s the goal? And everything you mentioned, Patrick, of who has access to my data? Do they still need it? Are they using it appropriately? Those conversations, given my background in identity and access management, I take the path of understanding who has access to what, and then looking in the space that we’re in, what technologies do we have available that can help us accelerate this analysis and start to put those.
those puzzle pieces together. The question of transferring data and trust, that tends to fall under conversations around third party risk management. Supply chain security, just as you mentioned with CMMC is every single client that we work with has to deal with it to some level. I was supporting a client who’s heavily invested in on-prem and they’ve made a conscious decision to minimize their cloud footprint.
From a data security perspective, they’ve taken almost a bastion model to say it lives here, doesn’t leave here, and we’re going to keep it safe. With my cloud native clients, it’s not even a consideration, right? We can’t say we’re just going to keep it in one place. And so we have to do some vetting of our third party service providers. We had to put standards in place about what is okay.
for different data use cases and what’s not. Sure, it might be convenient if one person wants to use O365 and somebody else wants to use Google Drive, but if we’ve got a standard as a company that we manage one environment and not the other, then maybe we need to start porting people over. I can look at all the file exchange services in the market and everybody’s got a reason that this one is their favorite.
But really, if we’ve got to standardize, unless we’ve got the ability to control all those connections, that’s where we start. But it’s that notion of controlling. Even as I said that word, I had a bad taste in my mouth. Because it’s not the intent of security. It’s about enabling the business to do what they want to do. And when I say want to do, it’s the goods and services. It’s the growth. It’s the
Jerod Brennen (26:03.498)
revenue that ends up paying for the salaries and the benefits and everything that helps the employees have a stable, safe life at home. And when we look at these questions, it’s okay, you tell me what you want to do. I’m going to tell you my recommendation for doing it securely. And then we work the conversation from there about what investments do we need in people to help us manage these processes? What investments do we need in technology to help automate?
some of the management. But as long as we can see it and we have the ability to either enforce policy proactively or to detect on the back end who’s doing what with the access they have, we’re able to get a little closer to what we consider a stable and resilient organization.
Patrick Spencer (26:53.41)
You brought up an interesting point about your client that was bringing everything back on-prem. Are you finding that that’s a trend and is it associated with cost? Is it with these hybrid or multi-tenant environments? Is there risks there that has them concerned? What’s driving that movement? First of all, do you see a trend in that direction? And if so, what’s driving companies to make that decision?
Jerod Brennen (27:17.164)
Sure. With that client in particular, they have always taken that approach and they again made a decision some years ago to say, we’re going to be intentional about what doors we open, what windows we open in the environment. And they’ve been pretty tightly controlled. Now they do see that there’s a benefit to the automated processes, the spinning up, spinning down, spinning out resources.
You know, they have a very specific business model. and when I say that, I know every organization has a specific focus, but with what they do, they don’t need to, to leverage everything that the cloud has to offer. Now by the same token, the client that I have been working with, who’s building out cloud native solutions. they do clearly understand what the cloud has to offer and how they can benefit from it.
not just in terms of delivering their solution, but also in building it. And in those environments, the question of what’s driving decisions around what they do in the cloud is it always starts with cost, always. It’s even clients that have built the cloud solutions out and now they’re trying to maybe rein it back in because they’re overspending or didn’t realize that if you don’t turn budgets on, suddenly that bill creeps up.
Patrick Spencer (28:18.53)
Hmph.
Jerod Brennen (28:45.092)
But then, you know, when I have a client who hits a certain level of security and operational maturity, they’ll take a look at what they’re doing in the cloud and say, okay, how can we build out in a stable and responsible fashion? And where, you know, they may have had a single cloud tenant that had dev, test, prod all, you know, inside, and they were trying to manage all these different networking rules to keep the environment separate.
Instead of building out that kind of flat network in the cloud, they’re able to spin up different subscriptions, tenants that are entirely separate from one another to truly preserve the integrity of the environment and the data within. So yeah, it’s initially driven by cost almost always. That’s been my experience. But then there comes a point where the more mature organizations are saying, wait a minute,
Patrick Spencer (29:37.527)
Yeah.
Jerod Brennen (29:42.922)
Is the cost worth it? Are we actually seeing a benefit here that is helping us accomplish our business goals? And then the cost conversation switches to one of, okay, how do we build out with stability? How do we add things that inevitably include security modules and controls?
Patrick Spencer (30:04.027)
Are you finding some of your clients want single tenant because of the risk associated with multi-tenant? And then what types of solutions are they pointing, directing to single tenant versus multi-tenant when they’re a cloud environment? Even if they’re using a third party SaaS, they may be vetting them based on, okay, is it something that’s multi-tenant or is it single tenant and there’s risk associated with multi-tenant?
Jerod Brennen (30:27.414)
Yeah, the trend I’ve seen, and I’m going to draw a distinction here between multi-tenant and multi-cloud. I do have clients who are, I had one client I was supporting who was in a multi-cloud situation because they had grown so rapidly through acquisition that everybody was doing their own thing and nobody really had time to say, let’s bring this all together.
Right. We’re one company now, let’s act like it. And that was before I came on to support them. I was very fortunate in the time I was there to see them kick off that centralization effort and say, all right, we’re going to put this all in one provider. Right. And so, even then the notion of separate tenants for dev, test, prod, sandbox, QA, that practice is one that you’ll hear everyone at SideChannel encourage. And so we are seeing the, if I could call it a multi-tenant approach from that perspective of building out separate tenants for the purpose of different internal use cases. Now, if I’m looking at it from the other perspective, because having worked at product companies in the past, I know that single tenant solutions versus multi-tenant, when you’re looking at it through the customer lens, it has a slightly different
connotation or different angle. But I know from a security standpoint that, back behind the curtain, we’re encouraging all of our clients to separate out into different tenants based on data security and data availability requirements.
Patrick Spencer (31:58.773)
in Dresden.
Patrick Spencer (32:14.048)
Now, we would concur with you on that best practice. We certainly see a number of our customers wanting a single tenant environment, which is what Kiteworks is outside of our business package. It’s all single tenant because there is risk associated with it.
Jerod Brennen (32:28.459)
Yeah, yeah.
Patrick Spencer (32:30.083)
Now your background in education is interesting. You’ve taught over at the Ohio State University, I think. Have I read your resume correctly?
Jerod Brennen (32:38.104)
I’ve done some guest lectures there. I wish I could spend more time as an adjunct, and shout out to the folks who have. They have a course called Herding Cyber Cats. Roland Kreml is the instructor currently, the professor. Initially it was Helen Patton. I think that was her course. She was the CISO when I worked there. So I spent a couple of years working in the centralized security organization that served the entire university.
Patrick Spencer (33:08.042)
Interesting.
Jerod Brennen (33:08.332)
Which, if you could imagine being a security expert or professional, I hate the word expert, a security professional who is supporting 42 separate businesses. Every one of them has their own goals and risk appetite. And if you’ve ever worked in higher ed, everybody’s pretty headstrong about what they want to do and how they want to do it. But we were the central function to help them all understand and implement security.
So yeah, I did that, and I did teach. I was very fortunate that Helen, and then Gary Clark, who was my director at the time, gave me the go-ahead to teach a course on IT and ethics. It was a dual enrollment program through a college, so high school seniors who were getting college credit, by having a couple of days a week where I would
Patrick Spencer (33:38.966)
Interesting.
Jerod Brennen (34:07.83)
drive over to their school and talk to them about the ethical implications of what we do. Loved it, absolutely loved that. I could do that all day.
Patrick Spencer (34:16.226)
There’s not, you know, I think every university has some type of legal or law or ethics course that they make their undergraduate students go through. I’m old like you, so maybe they don’t do that anymore. Our daughter just graduated with her MBA, and I think it was baked into one of her legal courses, if I remember correctly. So there’s probably not enough conversation that takes place around the ethical dimensions of just…
being in business in general, then cybersecurity takes on a whole new level of implication, I think, when you start talking about these.
Jerod Brennen (34:49.932)
Yeah. I’ve actually, I have been fortunate. I did a lot of volunteering early in my career to do public speaking as a way for me to scratch my teaching bug, because, you know, maybe it’s been in my LinkedIn profile, but I originally went to school to be a music teacher. Which is not uncommon for people in cybersecurity, to have just ended up here and then wondered, how did this happen? But I
have sought opportunities to educate throughout my entire career, whether it’s building out internal training programs or more outward-facing community-based work. But all my public speaking led to a relationship with Pluralsight, who’s now part of A Cloud Guru, where I built out a couple of courses on open source intelligence gathering. I worked with MIS Training Institute to build out courses to teach
cybersecurity concepts to auditors and bank examiners. And then that led me to LinkedIn Learning, and I’ve been working very closely with them for the last few years, building out courses in their library. And I’ve actually got two courses on ethics that I built specifically to help close that gap. One on ethics for information security professionals. I think that’s the title.
And then the other is more applied ethics, where I look at some emerging technologies that are in everyone’s purview right now, right? The AI, everything is AI enabled. And so I decided, well, let’s talk about AI and ethics. Let’s talk about quantum computing and ethics. Let’s take a very practical approach to this very big, heavy concept. But all that said, Patrick, I agree a thousand percent
that ethics should be standard fare for anybody in this field. There are a lot of ethical questions that you don’t even realize you’re gonna bump up against until you’re in the middle of it. And that’s.
Patrick Spencer (36:52.738)
Yeah, you’re spot on there, I think. You know, and when you bring up AI, so AI, you can’t have a podcast nowadays in cybersecurity without at least touching on the subject. What are you seeing with your different clients? You know, what issues does AI present from a risk standpoint? It does, as we both well know, but it also, you know, on the flip side of the coin, it offers organizations the ability to do some things
from a risk management standpoint that they just simply couldn’t do before AI was available. What do you see happening on both of those fronts?
Jerod Brennen (37:29.12)
The biggest question that we’re getting, not just from our clients, but it’s also an internal discussion among these instances, is around generative AI, chatbots in particular. And can our clients share data with chatbots knowing that many of them already are and just haven’t told anybody internally that that’s what they’re doing? And if so, how can they share that data safely? What’s okay to…
type into a prompt in Copilot or ChatGPT. So that conversation around the secure use of generative AI is often driven by the notion of what happens if that data ends up in the wrong hands. Whether somebody is able to launch a prompt injection attack and kick back even short-term history, which hopefully
all the ChatGPTs of the world are building controls in to keep that from happening. But then in light of the 23andMe bankruptcy discussion, which I know is outside of the world of AI, but has a very real implication for companies that are building an emerging technology that may not quite have a market fully defined yet or a customer base defined.
ChatGPT can say, you know, we’ll protect your data all day. And we can sign whatever agreements and put contracts in place. But if they fall on hard times and then they sell to a third party, the question of whether or not that liability, you know, is transferred contractually to the third party or whether they can make up their own rules is something that people who are using 23andMe are scrambling to figure out today. So the notion of, okay, we’re going to do this.
What’s the long tail of us doing this? What might happen in three years or five years if things change?
Patrick Spencer (39:32.77)
Do you think, are they thinking through, this is an interesting point, we believe that they aren’t and that solutions are needed in the marketplace to control and track the data that you’re loading into those public AI tools and moreover, there’s a play for private LLMs at the same time. What are you seeing with your clients? Do they know that it’s happening? They’re guessing it’s happening? Are they concerned that it’s happening? Where are they at when you have the AI conversation?
Jerod Brennen (39:53.174)
Yeah.
Jerod Brennen (40:02.806)
If we have a more mature client who’s got, pardon me, a deep technical knowledge in house, if they’re building a product, for example, and we’ve got a lot of data engineers and data scientists and such, they might have the capability of building their own LLM. My brother-in-law works for a very large multinational financial institution. And I was just at his, well, one of his daughters’ soccer games
a couple of weeks ago, and he was talking about the internal LLM that they had built. Not on his team, but he’s in a technical role, but he’s one of the consumers of this internal solution. If you’re, if you’ve got that much money, yeah, maybe you can throw a couple of people at the problem and say, build it out. Google Notebook, and what’s the LM they’re building out? I know you can build your own with Google Notebook.
Patrick Spencer (40:51.458)
Google notes.
Patrick Spencer (41:00.514)
Mm-hmm.
Jerod Brennen (41:00.806)
I’ve not tried it yet, but throw like 50 PDFs in there and build just a very elementary. Yeah, that’s, that’s an option, but realistically not for many clients. Like in our world, when they’re trying to figure out how to keep up with patch management and how to embed security into the application development life cycle. Right. And they, they might be building applications, but not actually testing the security of the apps.
as thoroughly as maybe they should. The notion of building their own LLM internally is just off the table. So we are working. I know we’ve talked to folks internally, part of being a VC society, we’re meeting new vendors on an almost weekly basis in the market. Who’s doing what and how are they leveraging newer technologies to solve some of these problems?
So I’ve seen vendors, through those internal conversations, who provide a little more security around generative AI in particular. I’m a big fan of Lakera out of Switzerland. They developed the Gandalf tool, or game. And when it dropped, I was hooked right away. And it’s just, it’s an intentionally vulnerable generative AI chatbot.
And your goal for each of the eight levels is to trick it into telling you a password. And it gives you, as a security professional, a developer, an engineer, if you’re thinking technically, how did they build this thing? Which is what leads you to, how can I get around the controls that they build into this thing? Then you can start to see some of the patterns that an attacker might take or some of the ways an end user might
unintentionally expose sensitive information. I really like their gamification approach. And it’s just, I wrote up a whole walkthrough on it. I’ve never done that before, but I had such a blast doing it that I thought I’m going to put this together, throw it on LinkedIn. I’ll obfuscate all the passwords so that people at least have a chance to give it a go, but I really love the work that they’re doing.
Patrick Spencer (42:59.905)
Huh.
Patrick Spencer (43:12.982)
And so your training classes are all available or many of them probably are available in LinkedIn. I assume that’s where our audience can find them. Yeah, many others.
Jerod Brennen (43:20.748)
They are. If you were to go to linkedinlearning.com or linkedin.com slash learning, or I think if you go to my profile, I’ve got a link out to my author page that will show you all the courses I’ve got published. And I want to say the current number, like the user facing number is something like 16 or 17. What I see from LinkedIn,
Patrick Spencer (43:37.602)
Courses you’ve developed, interesting.
Jerod Brennen (43:48.504)
from their communication with me is something like 40. Because I developed my two ethics courses. I developed a course on soft skills, big advocate for the non-technical side of what we do. Go figure, a guy who wanted to be a music teacher wants to talk about the non-technical stuff. But they’ve translated those courses into multiple languages to give learners outside of the US, learners who aren’t native English speakers, a chance to
dig into the same concepts, same ideas. So yeah, I love it. In about a week, next week, actually, I’m heading out to their studios to record another class. It will be a big one, too. I can’t talk about it yet. But
Patrick Spencer (44:21.942)
So how do you?
Patrick Spencer (44:30.679)
and rest.
I was about to ask you, can you tell us the topics?
Jerod Brennen (44:36.064)
No, I can tell you very generally that I’ve built multiple courses on LinkedIn Learning around application security. And this course will fit very well in that collection. That’s about all they’ll let me say on it right now.
Patrick Spencer (44:44.482)
Mm-hmm.
Patrick Spencer (44:51.938)
Well, after it’s published we’ll throw it into the web page and the pages on some of the audio.
Jerod Brennen (44:58.916)
I’d appreciate that. I think your viewers, your listeners would really dig it, especially anybody in the app sec space. Yep. Yep.
Patrick Spencer (45:02.37)
So I would be remiss if I didn’t ask you one final question. How in the world did you get from music into cybersecurity? Was that a process or did it happen overnight? What prompted it?
Jerod Brennen (45:15.672)
I’ll try to keep this as short as I can. This is one of my favorite stories. I got kicked out of my student teaching experience in my senior year of college. I gravitate toward the troublemakers and I was studying music education, which was voice choir. And when you see 300, 400 kids a day, you can’t just focus on two or three.
Patrick Spencer (45:36.876)
Mm-hmm.
Jerod Brennen (45:43.989)
But I’ve always been the one to see, the reason they’re being troublemakers, at least in some cases, is because they have a potential that’s not even being addressed, right? You don’t even see what these kids are capable of because you’re busy focusing on everybody else. And so I, after a disagreement with my cooperating teacher and then my academic advisor, they said, look, you’ve got enough credits. You’ve been here more than enough. You’ll graduate.
but I don’t want you coming back. And then I graduated and thought, well, now I don’t know if I want to teach. If that experience was going to be what I’m up against every day, I’m just going to get fired in the first year. Is there anything else I can do? So I delivered flowers, I mowed grass, filed medical records, taught piano lessons. I spent a little bit of time in seminary doing youth ministry. That’s another little side. But my wife and I started a family and I
asked myself, you know, is there something I could really sink my teeth into that might have a career potential to it? Because hopping from one job to another, it wasn’t giving me the opportunity to generate the income I wanted to take care of my family. And I found a job doing hardware repair for computers, because I’ve always been a nerd. I was doing little shortcuts on the Apple IIe over at my aunt’s house to try to get it to spit out memory
on screen, I had no idea what I was doing, but I’m like, I made it do that. And so I thought I’d try the computer thing. And then that led me to a customer support job in IT, phone support, which led me to an interview with an enterprise that used the software I was supporting. And thank goodness HR teams don’t always use the same criteria to describe their employees because at the call center, I was a level one tech.
which meant I was brand stinking new and didn’t know anything. At the company I was interviewing with, Level One meant you were the top notch, like knew everything. And when I got in for the interview, I found out that the hiring manager wanted to cancel the interview, number one, when he realized that gap. And number two, because he couldn’t wrap his head around how somebody in music could step into an IT role.
Patrick Spencer (47:54.786)
That’s fine.
Jerod Brennen (48:10.462)
And I’ve long held that music and math are, it’s the same patterns in our heads, right? It’s just two sides of the same coin. And there’s so much math to the technical side of IT that I walked in with a portfolio of programs I’d written and things I’ve worked on. And I was very fortunate that the director was also a musician who had ended up in IT and he outranked the hiring manager.
It was, you know, one of those events, right? But being very confident in the interview to say, look, I haven’t done this, but I can. And I’m not just blowing smoke here. Here are things that I’ve done, right? Having something to show them to give them some sense of assurance and trust, because that’s what every interview comes down to. Can I trust that this person is going to be able to come in and do the thing I need them to do? And then a couple of years into my job, and this was EDI. So for viewers and listeners,
If you don’t know what EDI stands for, we’re not going to spoil it. You got to go look it up. But that was my job day in day out.
Patrick Spencer (49:09.954)
In the podcast you gotta Google it
Jerod Brennen (49:14.07)
Got to Google it. I had an opportunity to move to security within a large public utility. And my interview consisted of this. Hi, nice to meet you. I’m the hiring manager. Do you know how to do Unix command line? But yes, as a matter of fact, I do. You’re hired. That’s how I got my first job in cybersecurity. But then the, you know, right or wrong, I’ve said yes to a lot of things over the years just to
Patrick Spencer (49:37.25)
That’s interesting.
Jerod Brennen (49:44.076)
Can you do this? Yeah, sure. I can do that. And then I panic and go, I have no idea what I’m doing. But I’ve tried really hard to figure things out. And I’ve learned through beating myself up to be very forgiving with other people who are figuring stuff out on their own. I’m very much an advocate of giving folks a chance if they don’t have that background, that experience, because if my director at the public utility hadn’t given me a chance, you and I wouldn’t be having this conversation today, Patrick. So.
My vCISO clients wouldn’t be benefiting from, well, hopefully they’re benefiting from the work. They might still be working with SideChannel, just I wouldn’t be here. So yeah, it was just a weird set of circumstances, but it was a desire to do something where I felt I could have, this is going to sound hokey, but have a positive impact on the world. And I firmly believe the work we do in cybersecurity.
Patrick Spencer (50:12.215)
Very-
Jerod Brennen (50:40.824)
I’ve done the math. I have helped millions of people over the years. I’ve helped avoid outages in public utilities. I’ve protected their personal information from identity theft in my time doing consulting and identity. There’s so many people I’ve had either an indirect or a direct impact on, and they have no idea who I am. And they never will. And that’s okay, because I know that the time I put in protecting them, their information, their online presence,
the system, we get it, we get so caught up in what we’re doing day to day. But if you step back and say, am I helping people in cybersecurity, if you’re doing the job right, you’re yeah, you are. And so that that drive that motivation kept me pushing through and through until I got here today.
Patrick Spencer (51:29.184)
Interesting. Well, this is a fascinating conversation. Our viewers and listeners are certainly going to find it beneficial. We can go on for another hour, I think, Jerod. We’ve been going on for 15 minutes. I appreciate your time. Good, good, sorry.
Jerod Brennen (51:39.32)
Okay. Okay. No, what? Yeah, I was gonna say what I would offer up: if anybody wants to connect with me on LinkedIn, I am very accepting. As long as you’re not trying to sell me something. If the only reason you’re connecting is to sell me something, chances are I’ll move your message to the other inbox and move on with my day. No offense. Just a lot to juggle. But I do like helping people. I do like teaching.
And I’m happy to offer up. Like if you wanted to take any of my courses on LinkedIn, hit me up because as an instructor, I can give you links that let you take them for free. So you don’t even need to sign up for the premium profile. I can help you out. So if I could do something to help somebody out again, that’s that’s time well spent. That’s important to me. So Patrick, incredibly grateful that you reached out and we had a chance to have this conversation today.
Patrick Spencer (52:30.794)
I appreciate your time. The question I was about to ask is where folks can engage and ask you more questions in case they are interested in chatting about your LinkedIn courses as well as SideChannel as an option if they’re looking for a virtual CISO. So Jerod, fascinating conversation. We’ll have to do this again for our listeners. Thank you for joining another KiteCast episode. You can find more at kiteworks.com slash KiteCast. Have a great day.
Jerod Brennen (52:56.322)
Thanks.