- Welcome to "Cyber 5," where security experts and leaders answer five burning questions on one hot topic and actual intelligence enterprise. Topics include adversary research and attribution, digital executive protection, supply chain risks, brand reputation and protection, disinformation, and cyber threat intelligence. I'm your host, Landon Winkelvoss, co-founder of NISOS, a managed intelligence company. In this episode, I talk with senior intelligence analyst at Okta, John Marshall. We talk about building a threat intelligence program to protect executives, particular nuances around being a security company. We discuss a risk-based approach for protecting executives and the data that's important to aggregate and analyze. We also talk about success metrics for intelligence analysis when building an executive protection program. Stay with us. John, welcome to the show, sir. Would you mind sharing a little about your background for our listeners, please?
- Absolutely, my name's John Marshall, I'm the senior intelligence analyst at Okta. My background is military. Started in the Marine Corps in the infantry. After I got a degree in Linguistics focusing on Mandarin Chinese, what I did was I commissioned in the Navy and served as an intelligence officer until October of 2020. Part of that time was in the reserves. I was also a program manager for an IT company. And then when I decided that that wasn't really the route that I wanted to take anymore, I transferred back over into the security realm. So here I am as a senior intelligence analyst for Okta. These are my opinions of John Marshall as a previous military member, not the opinions of Okta or anybody that is over me in the global security operations center.
- It's always great talking to folks that served. It's certainly also, you put that combination with security companies whose primary product is security. I think it brings quite a bit of nuance.
And today we're gonna be talking about building an intelligence program to protect executives. Walk us through building an intelligence program from soup to nuts, to when you're talking about protecting executives for a company. You're in day one, you start, you got to probably have a 90 day plan, kind of where do you start and kind of, where do you kind of want to build?
- Yeah, it's a really great question. I mean like it's, so it's not really as straightforward as it is in the military, is it? I mean, the, you don't really know what tech billionaires don't know or what they do know about their security realm. I mean, they know cyber security very well because this is the place where they grew up in the place where they came of age in, most younger people. I mean, I'm 45. And so most younger people know about that type of security, but you know, when it comes to actual tech executives, I think the first and most important thing is a connection to the executives. You have to be able to have someone in your chain of command that has their ear, which I think is imperative. What that provides is your priority intelligence requirements. And if you have good PIRs, priority intelligence requirements, that will give you your way forward and allow you to create that 90 day plan. And I will say this again and again, when it comes to building something from scratch and that's plan of actions and milestones, it's a word that we throw around in the military a lot, but it's, it is invaluable in the civilian community too. So POAM, POAM, POAM, where are you going? What are you doing and how are you going to get there? So I think that those two are, are kind of built on one another. The next thing I would say is that it has to be a tiered approach. You know, you have to look strategically first, then operationally and then tactically.
The strategic big picture is making sure that people who work for you understand that this isn't the military and that you're focused on three main things, the security of the people, the security of the places, and the security of the brand. Not necessarily protecting the brand, but monitoring reactions to the brand. That's what you do. So PR people with marketing people protect the brand and put the brand name out there, but we're the ones who are going to monitor it and find out what people are saying about it. And then with all those things in place, you need good platforms in place to onboard people where, and whether that's collecting current events, private investigation, travel tracking for your executives and a company-wide messaging system that you can actually reach out and grab somebody and talk to people in the company with. I think that these all together, these five things are the most important things, building a, what you would call a security program from the ground up for, for a new tech program.
- And so when you think about that approach, and I think you made a couple of key observations there in terms of executives, certainly known tech platforms. They certainly know the cybersecurity space, especially for their in this cybersecurity space, but they might not know what they don't know, you know, around their own personal protection understanding when you're building that type of platform and all the different platforms that you're trying to protect against. Like you just said, I think we could probably all agree that, you know, intelligence certainly has a place for that. But look at it, like you said, as we're in the military, intelligence ultimately feeds some type of economic, military or diplomatic decision. This isn't military. So it's going to ultimately formulate a business approach. And then I think for that business approach, it has to be a risk-based approach to executives.
I'm kind of curious in that 90 day plan, so to speak, how do you think about using intelligence to formulate that risk-based approach to executives and do they buy off on that? What kind of needs to be the sell to get them to go forward and go along with that? Because I think you, as you said, you got to know your executive and at the executive, if they don't want to have their pattern of life altered, that can be sort of challenged there. Walk through how you work through that.
- Well, again, I think that this is a really great way to approach something when you have that connection to an executive. So you can get kind of like that boots on the ground, field, someone in the office, or someone close to the office with them to find out what is actually important. I know Okta focuses on its people. We are a cloud security company that provides single sign-on, login-anywhere, work-from-anywhere type of business model. And for that to happen, we can't always be focused on the places where the headquarters are. So we have to be focused on the people. And so it's presenting to the executives, things that are going to keep your people safe and keep them in the know. Now, whether that's on the weather side, whether that's on the civil disturbance side, whether there's protest or riots in a location, whether that's on the natural disaster side, earthquakes, tsunamis, anything of that nature, or whether it's on the current events side, things that may or may not affect someone who's doing software engineering for you, that's close to the Ukraine Russian border.
So these are the things that we'll go into that first 90 day plan is finding out where the people are, finding out not only where everybody is, but are the large groups of folks and how can you best protect them and what assets do you have or do not have, or what assets would be better platform-wise to protect those people and, you know, make sure that they can get to work every day to make sure that they can log in every day, make sure that they are, you know, make sure that they are safe and sound.
- When we talk about negative sentiment, you talk about rallies, you talk about different disturbances, physical security disturbance that you kind of just mentioned there. I think at the end of the day, I think we probably both agree that you're ultimately probably trying to assess a potential target of attack or target of opportunity. What's your thoughts around that and how are you getting to those answers really quickly? And ultimately, what are the typical outcomes in terms of escalation for each?
- This is a really interesting question and I had to think about my response to this. And so this is one of those things that's much different than in the military. In the military, you have different intelligence functions that you can call on, whether that's COMINT, ELINT, MASINT, SIGINT, HUMINT, but it, it kind of muddies the waters a little bit because you have experts in every field. And then you have to kind of go when you get consensus and you have to take from a little bit, and that's what makes it really good, all source intelligence professional, right? But for, for the civilian community, I think the two main key things and the most important things to watch when it comes to targets that could impact our targets of opportunity are background searches. It's social media.
Especially as a military intelligence professional, I was not ready to count on social media as much as I actually do because people in the 21st century, you know, we, as a people, we really enjoy posting what happens in our day to day lives. And that really establishes a fantastic pattern of life for almost anybody who's willing to watch. I mean, this could go anywhere from, you know, the big three, Twitter, Facebook and Instagram, to places like Blind or LinkedIn. You know, I mean, if somebody's posting one thing constantly, and then all of a sudden they, they start posting another, usually it's because they changed jobs, but if they didn't change jobs, what else has changed in their life? You know, I mean, did they get divorced? Did they lose a family member? Did they lose someone close to them? Are they suffering from some sort of mental illness, whether that be PTSD, do they require medical assistance, anything like that? And you can grab so many little tidbits of information off just the pictures of some light posts. I think that those are integral to establishing that pattern of life and, and identifying who should be targeted, who should not be targeted and what kind of security threat that they may pose to any executive.
- Which you mentioned there is certainly around, you know, targets of opportunity where have you come across, where somebody, you mentioned social media, you know, as being the big data source, when you talk about a target of attack. So let's talk through, you know, if it looks like to, somebody is saying, you know, we are outside of your house, we are going to throw a paper bag, that's a burning paper bag, into your yard and you see this on social media. And you're like, okay, well, this actually could be targeted. This actually could be a little bit more of a targeted attack. Not just somebody who's a malcontent who's, you know, not all there. How does that response look, look a little bit differently?
- That's when the law enforcement gets involved. I, and obviously that's the one thing that we lack, you know, that the military does not: the ability to feed it to an action arm, to an appropriate action arm. I mean, we can feed whatever we need to, to law enforcement and that's hands down. And obviously we, you know, we have ways of, you know, saving what we need to save. And when we perform background searches, regardless of the platform that it's performed on, you know, all that information gets turned over to the proper authorities. And then of course we have messaging apps, whether it's, you know, something like Everbridge or Send Word Now or Worldcue that we can utilize to actually reach out to that executive hands down and say, Hey, are you here? We need to find you, where are you at? Because this could be happening. And this is why it's happening. And this is why it could be dangerous. And that being said, usually things don't really go that way, do they? When you think about it, there are usually signs leading up to that, that paper bag, that rock that gets thrown through a window. Now, whether that's escalatory rhetoric on, you know, someplace like Blind, where they think that, you know, most people think that they're an anonymous user commenting on Okta or commenting on Twitter or commenting on Facebook or commenting on any number of other publicly traded companies, but it's there. It's, it's the internet and the internet doesn't delete anything. And it never forgets, right? And so sooner or later that, that rhetoric will escalate to something public because people want to be seen. People want to be seen as taking that action. And, and that's, that's really what, we're, what we're counting on. I mean, if you just look at some of the protests that there've been over the past year, you know, whether that be in relation to police brutality, or in relation to COVID restrictions, you know, I mean, people are posting these.
I mean, there's always someone there with a cell phone and as soon as it goes live, that's a trigger. That's definitely a trigger. So, I mean, it's the ability to have a 24 hour watch folder that can watch out for those things. And the ability for someone who's in a position where they run a GSOC, where they manage a GSOC, or they manage an intelligence threat intelligence arm of a GSOC to get those priority intelligence requirements to the analyst, to the operators as fast as possible, and as complete as possible.
- That's certainly very valuable. It leads to just another thought when you're talking about coming from a public sector background, like you did, there's no shortage of data with regard to almost wanting anything. It just kind of almost falls from the sky in so many figurative ways. It's not the way it is in the private sector, which I guess kind of has me curious from your perspective, from your side, what is important data to be used and how do you turn that into intelligence?
- I think it's really important for someone, you know, especially if they have a background in military intelligence to kind of put everything through the intelligence cycle and the intelligence cycle is, is not difficult. It's five steps: plan, collect, exploit, analyze, and disseminate. You can Google it, try it online. It's got a nice little Venn diagram or bubble diagram, whichever one you, you know, that you choose to go with. But I think it's identifying, being able to focus long enough on whatever task is at hand to realize that this has an impact on whatever agency you work for. Now, whether that's anything from a private sector tech company to a public sector, you know, natural disaster reaction force, like FEMA, what is important. And I think that, that it all loops back around to your first question. What does building a program look like? It looks like that POAM.
And if you have a POAM in place, if you had that good plan of actions and milestones, what you're supposed to do, when you're supposed to be doing it and who you're supposed to be doing it on, with, or for, then these kinds of things kind of fall into place for themselves. The priority intelligence requirements is not just an acronym. It's not just a pretty word. It is marching orders for lack of a better term. I mean, it is our bread and butter. I believe that if you can respond to at least one or more of your PIRs throughout the day and answer some of that mail for the people above you, then I think that, that in, in my respect, it, what kind of looks like success.
- On that success criteria, right? I mean, intelligence security is a risk management function with an enterprise. There has to be metrics. There has to be measurements and, you know, realistically you and I could probably both agree any successful. And then how do you do that at scale? I think from a leadership perspective, you're always looking for your subordinates to ultimately rise up to yourself and hopefully take your job so to speak and be okay with that, and kind of be able to train and mentor folks to take your job. I'm kind of curious, what does success look like everyday and how do you measure that?
- So I think you're right. A hundred percent is that it's a sliding scale. Obviously coming from the military, some, some days are boring. Some days are just reading through the news and trying to find something that's applicable to your company or to your division or to your department in those days. Or I don't know, I, after a lot of action, you want them to be kind of few and far between, but then you don't want to get too bored because then people kind of fall off their game.
But I think success looks like being able to pinpoint the right type of event, regardless of what kind of event that is, whether it's a target of opportunity, whether it's an ongoing threat, whether it's a pandemic, whether it's a natural disaster and you bring that information, not the news, because anybody can read the news. That's not what we do, right? Our job is intelligence professionals. It's that, you know, that intelligence cycle we, we plan, we collect, we exploit, we analyze, and then we disseminate that analytical information. The so what? Why am I telling you this, right? And if I can liken that back to the department that I support then to me, whether that's on a small scale and I, I help one person get out of a traffic jam because traffic is backed up on the 267. And I, you know, it was a boring day and I sent an email or I sent a text out that said, "Hey, watch out, there's a car fire on the 267, take another route." Some guy comes into the office and says, "Hey man, that saved me 15 minutes. Thanks." That's to me, great success. Another one is, you know, some kind of a getaway, some kind of a company retreat, you know, when there's a hurricane blowing through and we get those executives or we get those company personnel out of there before that hurricane hits, that's huge. I mean, that's, that could be anywhere between five and however many executives are in your company that are going to that retreat. I mean, to me, that's, that's an even bigger success, but on the sliding scale of size, but regardless it's still win, still wins. So I think that's what it looks like to me.
- That's pretty motivating. And I guess from that perspective, when you think about how you measure that, is it just keeping a log of all the successes or is it, it looks something more programmatic kind of like, is it just a monday.com board of everything that all the different tasking that you have to do and assign and how it gets assigned and how it gets executed?
Or is it that sliding scale that you just kind of just touched on?
- Well, so for record keeping in the military, we do one evaluation a year. Now, whether that's an eval, a fitness report or, you know, whatever they call it in different services, you get that one time a year. I don't know if a lot of people, if a lot of military folks keep these anymore, but we used to have something that was called a love me binder, and it was all your wins. And I think it's important not only to save your wins, but save your losses too, because then you can actually get something that you can learn from. And then you can get something that you can do better because the intelligence cycle, like I said, is it's only five steps, but it goes in a circle, you know? So I mean like, what can I do better next time? How can I get this faster? How can I get it to more people? Even if it's one minute, 10 minutes, 20 minutes, 24 hours quicker better. And how does this equate to my next event that could pop up that's similar, but not exactly the same, right? And so I think with that continual improvement is one of those things that, that I always hark to anybody that I'm mentoring on. Keep your wins, because you're going to need those when somebody asks what you do. Because like I said, in our initial interview, security is one of those things that it doesn't make you any money. There's no return. You know, I mean, we're not creating anything, but no company is going to sell their own personal data. It's not a moneymaker, but it's not a black hole either because we provide a service and it's, and it's an important service because we are keeping those people who make the money safe and we are keeping them at their computers and at their jobs. And we are keeping them whole and interested in the company that they work for.
So I think that tracking your wins and your losses for continual improvement's sake is, is one of those things that's, that's critical to any security professional's kind of cycle of what they should be doing.
- So well said. And I think that there's also an element as well, that I think anytime a company, and it's also a testament of Okta's success as well, because I think any small company let's call it a company under a hundred million dollars. A lot of times that security program is very compliance heavy, and therefore for them to win contracts at that level, they have to execute against a security program to make them compliant so they can ultimately do work for the big boys, so to speak, right? So they can get contracts with big banks and big tech. And, you know, those types of companies. When you are at the size of Okta, I think then it becomes a new, a new, I guess, a new paradigm. So to speak kind of a, what we've been talking about the past 20 minutes, where now you have to really show your successes, show your failures, look where you can scale more and do more with less, but like still be able to execute for cause obviously executives are going to be a bigger target because the company's bigger and therefore they're going to be a bigger target, not only from their, you know, cybersecurity, but from their physical security. So it's certainly a testament to Okta's success. It's always interesting just to see how those things scale, you know, as they get bigger.
- That's one of the things that will be interesting in the future to watch how other companies that are in the security realm or the tech realm and how they've progressed over time and how that security function grows. It's going to be very interesting, but it's, it's one of those things that I really value being in all in what I would call like the ground floor that creating a, an into shopper and, you know, an intelligent shop as it were. It's exciting.
It's, it can be, you know, just like if you stand up a new command in the military, it can be maddening at first. 'Cause you have to get all your strategic items in place, you get the big stuff and then you start working on them, the little stuff, and then you work on minutia, but once it's up and running and you have those right people in there to be trained, like you said, you're, you know, you're always preparing somebody else to take your job. And that's what you want to see. Right? You want to see that person and say, well, I don't, no thank you. I've got this. I can do this. Did it go? You do it, get it up there. And I think that's what growing a program and mentorship is, is pretty much all about.
- I can't thank you enough for your time today. Congratulations on building a great program. Congratulations on the successful transition out of the military and thank you for sharing your thoughts today. For the latest subject matter expertise around managed intelligence, please visit us at www.nisos.com. There we feature all the latest content from NISOS experts on solutions ranging from supply chain risk, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection and disinformation as well as cyber threat intelligence. A special thank you to all NISOS teammates who engage with our clients to conduct some of the world's most challenging security problems on the digital plane and conduct high stakes security investigations. Without the value the team provides day in, day out, this podcast would not be possible. Thank you for listening.