- Welcome to The CYBER5 where security experts and leaders answer five burning questions on one hot topic and actual intelligence enterprise. Topics include adversary research and attribution, digital executive protection, supply chain risk, brand reputation and protection, disinformation, and cyber threat intelligence. I'm your host, Landon Winkelvoss, Co-founder of NISOS, managing intelligence company. In this episode, I talk with this sense CEO and co-founder Jon Iadonisi. While many people think of open source intelligence use in identifying and mitigating threats for the security team, we dive into how it's used to drive revenue. We talk about what role social media and open source intelligence plays in marketing campaigns, particularly around brand awareness, brand reputation, go to market strategy and overall revenue generation. We also discuss what marketing teams can learn from open source intelligence trade craft, and security teams and vice versa. Particularly when there are threats to the brand's reputation. Stay with us. Jon, welcome to the show sir, would you mind sharing a little bit about your background and certainly what VizSense is all about? - Yeah, well look, thanks so much for having me Landon, you've established quite a reputation in this industry and I'm honored to be invited to the show, so just happy to be here. So VizSense is a marketing solutions company that we focus predominantly around building brand cultures. So we take an immense amount of data and we use that data to uncover key characteristics around a particular brand. And then from all that we build highly effectual micro influencer campaigns, where we are driving, not just brand recognition, lifestyle adoption around a particular product, but of course sales and the performance of it on the shelves and whether that's clicks or bricks. We like to say whether it's online or in store is irrelevant to us, but that's what we do. We build these holistic campaigns and we use a lot of technology and we have an amazing tech platform and tech team that allows us to conduct these campaigns worldwide. Me and background. Let me just make a summary. So, computer scientists by trade went to the Naval academy, went to the Navy, spent some time in the Navy doing a lot of different stuff, was in the seal teams on a ship, then went into the intelligence community for a little bit, and then started in a couple businesses. And really for me, I really enjoy looking at problems in new ways and trying to develop technology that solves them. - This is absolutely fantastic. You know, we've certainly known each other a long time and I'm glad to certainly do this. And one of the main reasons I was, you know, excited to kind of do this is, you know, certainly coming in from your background, your military background, and then even into your marketing background, I don't think many people can make that pivot. And I certainly think when we think about open source intelligence, I think a lot of people hear open source intelligence and think security team, right? Risk management function. You're taking that to another game with this sense where you've taken that open source intelligence and you're using that to really drive revenue. And I'm so interested to kind of dig into that. And I think that's, you know, so nuanced and I think a lot of security, even a lot of security team members can take a lot of value from that. So kind of like starting off and kicking it off. You know, when people think open source intelligence, they think cyber threat intelligence, they think physical security intelligence, they think the security operations team, you know, how do you guys see it differently? - Well, a lot in that question, let me back up and reframe it. So I've been involved with computers. I mean, I built my first computer when I was 9 years old, I was on the internet as a seventh grader, an eighth grader at MIT playing around, trying to stay outta trouble, got in trouble in school a little bit. So, the term cyber is really morphed in what used to be a specialized industry now can cover everything from social engineering to root kit analysis, to signature reduction, right? This term cyber incorporates so much. But I would say that the open source intelligence was really a side car that was born because a lot of things were digitized. And now we have this little boutique area called OSINT, and then there's like, I think there's now SOCINT. I don't know that, I wasn't around when I was doing this stuff, but at the end of the day for me, I just try to take a widespread look and I say, look, there's data, there's insights you can get from data, and then there's intelligence. Okay? Raw data itself may not be that useful. Insights are ways that we as humans cognitively induct or deduct based on that data, and we conclude some insights. Then intelligence is more of a refined product where you are actually adding context around that information. The advent of OSINT though, I believe as it relates to the national security paradigm and now really relates to any business out there. And in many ways the Navy, Army, Air Force, Marines are businesses, right? They have brands, they have people that join them, there are people that they wanna attract into them, and then they have adversaries that are trying to kill them. The same thing happens in the business world. But I think the line of demarcation from my perspective was probably May 1st, 2011 on the Bin Laden raid. And I'm not sure how much you followed that, but we were following that. Of course I was serving in a little bit of different capacity that it was not, it was really government intelligence support. But one of the things about that raid that I saw trying to take an outsider's perspective was the way the information went from data insights to intelligence, very fast. In fact that envelope was solved by locals in the area that really had no background in that. And what we saw was on the raid, you had a local guy that posted the following tweet. He said, "Large black helicopters overhead, huh! That's weird for Abbottabad something along those lines." I have actually the original tweet and we did a lot of mining around this tweet, and we found out where it spread, and we traced it back to one of Don Rumsfeld assistants re-posted that guy's tweet, which then got picked up by Brian Stelther as we went viral. So, we had the world knowing that this operation was unfolding in many cases before our people, our operators actually where wheels down on the compound. That in itself, major national security implications. So every human being now is a sensor. They can post what they see. They can refine the data into insights, into intelligence, with open source tools. And we have our, an industry was born. So as we as national security interest people have look across that, and we're seeing it now with a lot of the investigations going on now where the open source world is becoming a signals in intelligence world, no different than radio intercepts during Pearl Harbor. Right? So I think that it's important to look back how this industry's evolved, where it came from, and how social media itself really has become the mainstay in a lot of these open source methodologies and ways people and adversaries and allies alike make intelligence. - Taken from that perspective. So let's kind of, you know, bifurcate the conversation to two mechanisms. You know, I think that everything that you just mentioned is really on the national security stage and that's, let's bridge it between security and then let's bring it toward revenue and like marketing. Right? Because I think that's probably so, so critical. So I guess first off, let's talk about the go to market function. When security professionals think about OSINTs, like they just said they think about malware intelligence. They think about law enforcement actions. They think out security controls even, right? A lot of risk management function. How have you seen that's used to actually, you know, make drive revenue? - So let's talk one about the role of brand as it relates to threat intelligence, right? Threat intelligence from many people is trying to be on the inside when the next zero day comes out. Or, "Hey, this guy's working on this." There's another aspect of threat intelligence though, which is around the brand. I mean, a lot of these groups, it was Titan Rain back when I was doing stuff. I mean, a lot of these groups have identifiable names and that brand has sort of power to it, right? If you get a threat or ransomware threat from Joe Hacker group, you may not take as much note as a, you know, Grumpy Bear or one of the known Russian or Chinese hacker groups, right? So the brand affiliated with the threat is something that a lot of people need to take note of. And that brand itself is something you can track. You can see are people excited about this brand? Does the brand have a good reputation or not? You know, who is joining it? What are they taking credit for? What are they not taking credit for? We saw this with ISIS and Al Qaeda, right? I mean, and Daesh, you now, and all these other brand names, but at the end of the day, the attribution to a particular organization is what is needed for that organization to continue and to get fundraising, et cetera. Whether it's a hacking group or a terrorist group. And as it relates to driving revenue. So the social science research that I've done, and a lot of the literature out there has supported the fact that there are three elements to inducing influence on a person. They are persuasive content, that is delivered from a credible voice, into a network or an audience that has a high engagement rate. Those three aspects, okay, it's called the CINET framework, content influence and network. Those three dimensions can apply in any industry, and they induce a behavioral change. So let's take this right into driving revenue. So, we had a company come to us and they said, "Hey, we have a new type of lipstick that we want to put on the shelf at a store." And I said, "Okay, what do you know about the people that wanna buy that lipstick?" And they said, "Well, we use." You know, I'm not gonna say the name but, "We use this company and they gave us focus groups and our audiences largely white females ages 22 to 27." And I said, "Are you sure about that?" And they said, "Yes, you know, we did all this research." And I said, "Okay, we're not gonna assume that. We're just gonna mine data." So we went and mine data around that particular brand, and we analyzed the data, and we use AI and ML and some mods around that. And we found three unique things about this, not just this brand, but actually the lipstick itself. Number one, there was a lightweight nature to it, I.e it didn't cake to people's lips, which is a property I guess, I don't wear lipstick. I probably know too much, but that's true. It's a property that people, there's a lightweight nature to it as is what I'll say. Number two, the matte color was very popular. And number three, 54% of the conversation was in Spanish. That in itself, those three attributes were discovered because we mined data. Those three attributes were used as parameters into our entire micro influencer lexicon, which then resulted in a 200% sales lift and a 300% unit lift in 10 days of the product. - Taking that case study right there, I guess, I'm just kind of curious. Going down just as a security rabbit hole for just very briefly here, what can security teams learn from go to market teams, using social media, open source and even closed forums? Because I assume, you're mining data, when you say mine data, kind of curious what that means, but, and then also what can kind of security teams take and learn from that perspective? - So mining data is what it sounds like. You're basically crawling scraping information. You have to though set up an entire data architecture. So, because garbage in equals garbage out. I mean the stats 101, right? If you're pulling data from a PR site that has nothing but great things to say, you're not getting ground based data, right? So you need the full bell curve distribution of data. So what can security teams? Teams that launch new products, there's a lot of people talking about those new products, and the people that are credible, i.e the micro influencers, look, celebrities get your attention, but they don't compel a behavior. You're more likely Landon to follow somebody that's more like you than somebody that, you know, lives in a billion dollar house and doesn't share a lot of your characteristics. That's just that familiarity is a big aspect, right? So, let's say a new phone's launched, or a new laptop is launched, there's obviously conversations around security. I mean, you know, one of the hobbies I do is I do a lot of blockchain research and I do coding and blockchain and I've built my own tokens. And Intel has SGX, which is an internal encryption enclave. AMD has an analog, right? When these things are released and these things are newly developed, there are people in the space that are talking about them. You should probably know what they're talking about. You should probably understand what they're seeing as vulnerabilities, et cetera. That is a way that security teams can start to harden their architecture or their product line, or learn about what crowd knows about them from the open source data. - Because I've talked to a lot of different guests and a lot of people say that, "Intelligence teams really need to live outside of the SOC." And I think that because, and they're still in this security paradigm where they're just looking at a risk management function. Like, how do you see what, how this, the future of this industry is going to go? - So, there was a point in time when I was on active duty and doing stuff where there was a transition where everything was trying to default towards remote, right? Like we can use a drone for that. We don't need humans on the ground. We don't need to expose our people to areas that might be dangerous. You know, we can do everything electronically, we'll just bug his phone, bug his house, bug his thermostat, bug his refrigerator, and we'll get a complete pattern of life around somebody. Yeah that's all possible. But there's a certain level of dimension that you can only ascertain when you talk to people. And that in itself, that HUMINT stuff is I think even more important now than it was. So you have a convergence where the human dimension is converging with a tech dimension. In a true holistic hybrid model is needed for a threat team. If you're building a threat team on the oil rigs in South Dakota, you're probably gonna want somebody understanding the local geopolitics on the ground just as much as you're gonna, somebody wants somebody at the SOC monitoring comms that mention that company, right? So this holistic hybrid approach is gonna require people that aren't just like, "Hey, I know R, congratulations." You can do a regression analysis. Like it's not just scraping billions of bits of data, but it's actually my making sense of that data. It goes back to the data versus insights versus intelligence paradigm. Like let's use oil, somebody mines the oil, that's the data. Right? They can refine it to get many different properties. And then like the final product like gasoline or kerosene or JP5 or whatever is the intelligence, right? So that paradigm, I think, needs to be brought in. If you're managing a security team, that is how I believe the future successful security teams will operate. - Do you feel that security teams ultimately then need to integrate better with the business for what you're just describing there, right? - Yes, like when cyber first started, it was always a bear to go try to win business, because they're like, "No offense sir, we don't need, you know, we're secure." Okay, we don't want us boards are unlikely to spend the money until they get hacked. Starting to see that now. Because insurance premiums are being based on a certain threshold level of security. So that paradigm is finally being broken, which I think is saving a lot of people. But at the end of the day, I do believe that more and more groups are gonna continue to wanna innovate in this space and they're gonna have to adopt to those types of approaches. - On your side with the go to market approach, to using open source intelligence to drive revenue, what are the common outcomes that you seen based on, the brand of intelligence sharing that you're kind of just talking about? Cause you mentioned a key thing like you sold 200% revenue increase. I mean, is that, go ahead. - I would say it's broken down into quantitative and qualitative buckets. Quantitatively, we see numbers increase for sure in revenue, in engagements, in sharing, a hundred percent. The other side is qualitative. Like you start to see frequencies of search around that product increase. You start to see, you know, this elusive thing in the marketing space. Everybody's like, "A brand equity, define what that means." It's elusive, right? I mean you have to put together a somewhat of a social science model to measure brand equity pre and post. There's a lot of different measurements you can apply. And a lot of models work. It's not just one size fits all, but at the end of the day, there's a lot of qualitative aspects around a well designed brand intelligence apparatus. So I would say the quant and a qual side are two major takeaways by understanding and having a really smart data team. You know, in the brand world, they're not talking about like brand intelligence. In fact, I've had a lot of brands that told me privately and I don't know why, they just don't, they don't wanna sound too militaristic or too spooky. And I was like, "You do know that like TikTok influencers are talking about your products, like all the time." You know, so I've seen other qualitative stuff that actually I found pretty interesting. We saw information about the products that the brand didn't know themselves. Like, it was, one was a health drink and you know, I call it the crowd. The audience was saying, "This thing sucks. It's like made out a cardboard and it keeps breaking in my gym bag." Well the brand's like, "Well we're sustainable. So it's great for the environment." Yeah, but the consumers are like, "Dude, you need to reinvent that because it keeps leaking and I'm not buying it anymore." You know. That's a feature that was extracted because the company had a good data platform and we did the entire data analysis around that, and that's what we found. We also found with another product that it was using coconut drink. And you know, we found that where these coconuts were sourced was a very important part of the product that they weren't talking about. So through this data, through this having a brand intelligence model, you can really extract not just what people are thinking about your product, but you can understand how the product's performing, and then you can actually design and build future products. And that's what's kind of cool too, is the crowd will tell you what they want, and they don't have yet, and you can use is that data to build future brands. - Man, that's really very helpful anecdotes there on the qualitative side, on the positive influencing side. So now I think it's probably just natural that since, you know, we're talking about kind of where security and go to market teams can kind of converge a little bit. I think it's, well, let's talk about the negative side of that. Because I think that's truly where they can and converge. Right? - We've seen what we would call like, smear campaigns about from competitors. I mean, we've seen, obviously we are in a very tight NDAs but like, I've seen a product that was mass produced and copied, like completely copied in China that was pushed out. It had toxic chemicals in it, and people started talking about, and they're like, "This skin cream is irritating my skin." And the manufacturer was like, we didn't like, "We don't ship to that area in China." And they're like, "What?" So now, like this team has a crisis, right? They have to reeducate, like don't buy the product that looks just like the product. You know? So we've seen that happen. We've seen take down drills where we've seen, I mean, we see it in the media, right? Like we've seen companies hire newspapers and then they'll go spin an article and some people, you know, they see something on Buzzfeed or whatever and they're like, "Oh my gosh, that really happened." And you're like, "No, this is called big business." They're trying to, they happen to just sign, let's say they signed a contract with a Walmart and a Costco. They're trying to induce uncertainty into that brand's ecosystem. So there's a lot of warfare that goes on in this world that's not talked about. - Wow, interesting. I have to assume like disinformation is a key part of that as well. I gotta assume, right. - Hundred percent. And the question is really will define disinformation, right? I mean, it says who, you know, so I would also say adverse effects are something that's very real. Let's say you have a new shampoo and you give it to somebody and their hair turns orange. Like that's very difficult to walk back from, especially if that's posted on Instagram, you know. - Or if it's true and if it's true, if it's not true either. - Yeah, I remember, I don't know if you watched 'Billions', but like, I think Bobby Axelrod played a pretty good trick. Like there was a hedge fund company that invested in like a yogurt shop in Midtown or something like that, and they wanted to destroy it. So like, they spiked everybody's drink that went in there and everybody was shown vomiting outside of the yogurt shop. Well people started saying, "Oh my gosh, this place is like sick." And everybody started posting it and it created, I mean, it was a blip, but that blip can impact minds, you know. - And those kind of things happen in the real world every single day. - Hundred Percent. - Yeah, it's funny that you provide those kinds of examples of disinformation case studies to degrade the brand. I know we at Nisos investigate those types of allegations pretty frequently. I think that when people think about disinformation, they just think about what's happening on technology and social media platforms because that's what's in the news. But really when you talk about the world of big business and the ability to disrupt markets, you know, by even a couple percentage points, people will be surprised to know what happens really behind the scenes to really negatively disrupt a brand in a coordinated fashion by either adversaries or competitors. And I guess, so from that perspective, you know, what are the outcomes and remediations often look like from that, on that negative side? - My recommendation, and you know, when we talk to some of these big brands, billion dollar multi-billion dollar brands that are global, I try to impress upon them. You really do need a perspective inside your company that is more than glitz and glam, but actually like, what is the, how do we protect this house? How do we protect this brand? How do we make sure that we have the ability to communicate to the audiences, in what does our audience really care about? And that synergy is becoming more and more important and it's not gonna be achieved by simply signing up for a dashboard where you get a bunch of click data. You need to work with professionals that are gonna actually work through with you in understanding this data and making it part of your overall marketability. - We've talked a lot about how marketing or how security teams can learn from their consumer, you know, go to market teams or consumer facing teams within the business. What can marketing teams learn from security? - Today more or than ever, security, privacy, Where's my data going, who owns it, is a probably I would say, well on electronic devices is absolutely the number one thing that people wanna know. You know, is it secure? Second to how much does this cost? And marketing teams and security teams, the closer they can collaborate, marketing needs to know if their product has an immense amount of security, that dialogue and that narrative needs to be part of the marketing campaign. Likewise, the security team needs to know if it's an element of development, if the marketing team comes back and says, "Hey, a lot of people are commenting that that's a cool product but it's not secure. I thought this was secure." You see what I mean? So, the more a marketing team and the security team, whether that's an internal red team, whether that's the RND guys, the more that they can collab, the better the overall brand will perform if it comes against competitor headwinds around the issue of security. - Now that's very helpful just because I can't tell you how many enterprise VPs and even Chief Information Security Officers within the security team. And I think that at the CISO and VP level, you know, there's certainly that business aspect of how they make money. I've even, I've seen it where like the director, the senior manager, you know, the rank and file within the security team. I don't wanna say that they don't have no idea, you know, how the company makes money, they certainly have an idea. But they're just not in that day to day grind of the revenue generation product. - Right. And so many times the only time the CISO and the CMO, Chief Marketing Officer talk is after a breach, should not be that way. - You had a good case study that you rattled off there. And I think we've talked a few case studies. Two part question, I guess, curious of any other additional case studies and I guess more broadly, I guess. Do you see certain industries being more aggressive about your approach and others are a little bit more slower to take on it? Like what industries are ahead of the curve, what industries are still catching up. I'm just kind of curious, you know, more broadly. - So industries that are ahead of the curve, beauty, skin, fashion, you know, new types of consumer products, they always are ahead of the curve. Financial services behind the curve. Real estate, way behind the curve. Some of these other companies, they just don't see the perspective. I mean, look, if you're an E-commerce accelerator out there and you're trying to launch a brand on QVC, like, I mean, come on, Landon, do you watch QVC? - I do not. - So, like I know my mom doesn't, I mean, so, you know, there's a lot of people though that grew up in a generation and they don't wanna accept the fact that brands are made on phones now. Right? So I would say, but the best example I can really give for creating a complete, I wanna say buzz or a complete industry out of vapor is like, should study how velvet became popular in the fashion industry. Velvet's been around for quite some time and royalty wore a lot of velvet outfits, but it wasn't really mainstream. And some of the forefathers and the people that started the morale operations branch of the OSS left and they opened up Madison Avenue PR, I mean PR in this country, guys like Ed Bernays were from the OSS, you know. And these guys aren't dumb people, they know how to incite activity on behalf, you know, get people to do stuff. And at the end of the day, they created a entire campaign around this luxury item velvet, and an entire industry around it because they chose the right fashionistas in Paris. They chose the right people to roll it out to at the right time, and then when to really spread that, in that time it was print media, then it became TV media, and they knew how to stage products. You see it now with brand staging products in TV shows, in movies, you know. It's all about building a product to make it part of a lifestyle, and then hoping that lifestyle spreads like a digital brush fire. So, it's a larger example of a case study where that's shown. But in terms of people that we've worked with, I mean, some of the stuff that we're able to see around how people are using products, I mean, you know, you work with soft drinks and you're like, "How the hell can you sell soft drinks now because they're sugary." And I get all that. But when you look at the data, like, there's a nostalgic aspects to soft drinks. People remember when they had their first type of soft drink as a kid, they look at flavor profiles. I mean they look at all different dimensions and you're able to use that information to really roll out the brand in a way you like. You know, when you're working with a peanut butter whiskey and you think that people are gonna shoot the thing and you find out that most of the people using the drink are using it in their milkshakes, you can build an entire campaign around how to use milkshakes that have peanut butter whiskey in. And that data goes back to the brand. So, those are some examples of using the data and have it impacted. - I'm just curious, you know, very helpful impacts here. I mean it seems marketing in general, would you agree that that is very much an establishment type, like you mentioned focus groups and things like that that are done, is that kind of like the old way to do things? - In my opinion, so I do believe that focus groups providing their selected in, you know, control for select and bias and stuff like that. I think they can add a value. I'm not gonna trash them in general. But there's a much better solution. Because here's the deal with focus groups. You know, you get a focus groups in that comment on beauty product, they're likely the same people, like, they're professional focus group people. They're gonna be commenting tomorrow on tires. And then the next day on some sort of hair product. They get the end of the day, you have a much better opportunity with larger data sets. So you can go get a million points of data, and why not use a large data set as opposed to seven people in a focus group for half a day. - I see. Are we just at like the 25 yard line on this kind of evolution of-- - Yes. And the reason why is, you saw social listening and a lot of your listeners know exactly what that is, like, social listening sort of came up and peaked, and there's only a couple of companies that do it now. Because that only, like, that gives you one aspect of it. But that's like the data and maybe some insights. I mean, you can do a keyword analysis like, "Oh, you know, they're mentioning NISOS group." Great, but really it's, you gotta have a more robust data lake. So the data in needs to be stuff beyond just Instagram posts. And that is really a burgeoning area that we've really pioneered. Our company's really pioneered, is building a truly holistic distributed collection of data sets by which we can actually provide insights and very powerful micro influencer campaigns which the brand gets multiple benefits. So they may they get a rise in sales, which is great, their brand will elevate surely, more people will get exposed to the product surely, but they're also getting all this other data, like future RND that they can use. Like, maybe they need to add a moisturizing element. Maybe they need to change the flavor. Maybe they need to change the packaging. Maybe the cellophane stuff is hard to open. Like all these elements you extract when you have a rich data team. - John, this has been very fascinating. I can't thank you enough for joining the show. Congratulations on certainly all the success over the years. I don't know a whole lot of, I've met a lot of three letter agency types that get out and, you know, it's probably the easy thing to go into the security space, certainly very inspiring, and certainly it's very interesting of how you've kind of pivoted that and go to market space and, you know, congratulations on all the success and, thanks for joining the show. - For the latest subject matter expertise around managed intelligence, please visit us at www.nisos.com. There we feature all the latest content from NISOS experts on solutions ranging from supply chain risk, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection and disinformation, as well as cyber threat intelligence. A special thank you to all NISOS teammates who engage with our clients to conduct some of the world's most challenging security problems on the digital plane, and conduct high stakes security investigations. Without the value the team provides day in day out, this podcast would not be possible. Thank you for listening.