dnsUNFILTERED: Joshua Copeland, Unpopular Opinions
Uncover the shocking truths that most cybersecurity experts don’t want you to know and how hiring might be sabotaging your security from the start. Mikey Pruitt sits down with Joshua Copeland to dissect the real problems in cybersecurity hiring, the power of people over tech, and how leaders can read business risk like a fortune teller. They peel back the hype around zero trust and AI, showing why culture and clear communication are the real game‑changers. Listeners will walk away with practical advice to build stronger teams, spot overlooked vulnerabilities, and prepare for the AI shifts that are coming.
Key takeaways
- Hiring practices are misaligned; job ads rarely match what teams really need.
- People and processes trump flashy tech in protecting an organization.
- Cyber leaders must grasp business risks, not just technical ones.
- Zero trust is overplayed; real focus should be on patching and culture.
- Knowing your team’s motivations & communication skills is essential.
[00:00:00] Mikey Pruitt: Welcome everyone to another episode of dnsUNFILTERED. I'm Mikey Pruitt, joined by Joshua Copeland today. Joshua, how are you?
[00:00:09] Joshua Copeland: I'm absolutely wonderful. It's a beautiful day.
[00:00:12] Mikey Pruitt: I have been watching you on LinkedIn. You have what you call unpopular opinions, and I think we're gonna prove that they are quite popular opinions, but you're really poking the bear, so to speak, when it comes to cybersecurity and the things we all believe and all these truths we hold so close. Tell me about your strategy with your unpopular opinions.
[00:00:37] Joshua Copeland: So it really started about four years ago. I was on LinkedIn and seeing what I considered a lot of self-licking ice cream cones where everyone's, everything's awesome.
Cyber series, great, nothing's wrong. We're fantastic. And for me, I looked at it and went, no. There's still a lot of things that we can improve. There's a lot of nuances that we're not dealing with. And instead of just sitting around complaining that nobody was talking about it, I took it upon myself to go ahead and at least start the conversation.
I'm not trying to change anybody's mind on anything. Let's at least have a conversation about it. I might have a different viewpoint than you, but maybe you might have points that I hadn't considered, and just having a conversation makes us as a community better.
[00:01:23] Mikey Pruitt: Yeah, agreed.
Conversation is the key. I've actually talked with people on this show from adjacent industries of cybersecurity corporate espionage, and the whole time I was thinking like, wow, we should talk a lot more, because these are very related things that I don't think get joined together a lot.
So it's good to see you starting those conversations. What would you say is one thing that people are getting wrong about cybersecurity today? Let's, let me say what are, what is one of your favorite things that people are getting wrong, because you have quite a few.
[00:01:57] Joshua Copeland: I think one of my favorite things to talk about that we're doing wrong is we're doing hiring completely wrong.
So you kinda have to take this back and peel it back in a bit of layers. We have HR personnel who are doing what they think is best in screening out candidates based off of very easy delineators, things like certifications or college degrees. We have HR personnel managers, the people who are the actual hiring managers, who are writing generic job descriptions that don't really tie back to the job, or worse yet, they're just going out and finding another role that's similar to it and copying and pasting the job role in.
You're creating job descriptions that don't match what you're hiring for. So the HR folks are screening the wrong things, and then you have recruiters who are trying to find folks who don't match the job descriptions or who match the job descriptions, but don't match the actual job. And you create this entire circus of everyone's chasing jobs, and there's a ton of talent out there.
And there are positions open, but we can't seem to get the pieces to match together because we have really weird requirements. Like it's an entry-level SOC analyst and they want CISSP and five years' experience and a master's degree. Now, anybody who sat in a SOC as a tier one analyst knows that you don't need any of those things.
The most you might need is a Security+ just to demonstrate that you have basic understanding of how security architecture works. We put all these extra things in. So what does HR do? HR does what HR is supposed to do. They get a thousand applications. They have to whittle it down and they go, okay, who has the highest credential?
Let me get that to that person. And we get into these positions where we're not hiring the right people for the right roles, and it's because we're doing a lot of things just start to finish wrong. So the very first thing we need to do is, as hiring managers, we need to personally rewrite every job description.
So that you could use that as a yardstick to measure them for an annual review one year later after hiring. If you have your job description and you cannot do that, that's on you and you're part of the bad hiring practice.
[00:04:09] Mikey Pruitt: What are, so you said that was one thing we need to do to fix that. What are some of the other things?
[00:04:15] Joshua Copeland: We really need to look at, why are we putting things on job descriptions? Like we put "must have a bachelor's degree." Do we really need a bachelor's degree to do that job? Do you really need a bachelor's degree in a particular field for that job? Some of the best analysts I've had over the course of my career came from completely different fields.
My best analyst absolutely ever had their undergraduate degree in marketing, which doesn't seem like it makes a lot of sense for a cybersecurity analyst until you realize that all marketing is a social engineering. True in both cases, they're trying to get you to click the button. One is to click the buy button on their product.
The other one is trying to click the button so I can launch malware into your environment. But it's the same skillset. I had another one, they had an undergraduate degree, 18th century French literature, and you go, what the heck does that have to do with cybersecurity? But when you sit and think about how do they do their research reports doing that, they have to get into very nitty gritty details.
Dive into the very small minutia specifics of what makes this 18th century French literature writer different from the one next to it, and what the nuances are and how you contextualize that to the timeframe, which is exactly what you do as a SOC analyst. You're looking at what's this weird thing that's different, contextualize that.
We have folks that come in from military background, law enforcement, they're very good at doing triage, figuring out what's the most important thing I have to deal with now. The same with medical folks. That's their lifeblood is doing triage. What's the thing that I need to stop the bleed first?
So we have all these areas that have really big transferrable skills that we don't look at because they don't fit neatly in the traditional box.
[00:06:03] Mikey Pruitt: That is a very interesting way to think of it. So first of all, you have job seekers that are missing the job postings because they don't apply to them because they're so outlandish or incorrect.
Then you have the job posters that don't necessarily know what they're looking for. I'm curious, would it just be crazy to seek a marketing specialist for a job, write the job description for the marketing personnel and then just change the title to cybersecurity analyst?
[00:06:34] Joshua Copeland: Those are things that you can do.
I, for me it's always been one of those things. When I come into a new organization, I get every job description they have that falls underneath me, and over the course of about, you can rewrite about two or three, two to three months, I rewrite them to what that job actually does. And then I look at what skills do I need to be able to fill that job, and what level of skill do I need for that?
Is this something that these are, three must have skills that I have to have, and these are three skills that they can grow into as we get that person on and bring them in, mature them, get them some education, and just reframe it to where I'm looking at very straightforward, hard skills, not, must have five years experience with this tool and must have this certification and this degree because those things just lead you down the wrong path.
[00:07:26] Mikey Pruitt: I gotta say I'm pretty surprised that you started with hiring. Yeah. But if you look at all the problems in technology and cybersecurity, it is a people problem.
Like the people aren't being matched properly with the roles that are required. You didn't like you, you didn't go into the technology, you didn't talk about like malware, anything like that. You went straight to people as, tell me more about this.
[00:07:52] Joshua Copeland: So when you look at, you have people, process, and technology, right?
Those are your three major areas and technology that's gonna change every few months. The things I was doing as a technologist five years ago, if I tried to do that now, I would look at myself like I was crazy. Why would you remotely be thinking about doing that? Why are you still running antivirus and not running an EDR?
Are you insane? So the technology piece is always gonna change. So that really means that you need to focus on those two other pieces, people and process. Am I developing processes that are documented, repeatable and what I call smoke proof? So if I pull the person who does that out and make them take a mandatory two week vacation, does everything fall around or can I have somebody use the documented processes in place and move forward and keep working?
And that's important for a couple reasons. One, when you go on vacation, I want you to be on vacation. I don't want to have to call you six times because you're the only person that knows how to do this thing. From a security perspective, I wanna make sure that I don't have any single points of failure, just single points of success.
If you got hit by a bus tomorrow, what in my security organization is going to fail because you're not here? If I don't fix that, that's on me, because that's my job is to make sure that we're resilient. So that's that process. And then looking at the people. How do I get people to come in? How do I get them to stay and want to stay?
I'm a big proponent of I'm going to bring you in and I'm going to train you. I'm gonna mentor you, and I want you to be able to leave and go get a job someplace else. But I want you to stay because you wanna stay, not because you have to stay.
[00:09:42] Mikey Pruitt: Good advice. You have been in a lot of roles around technology and cybersecurity over your career.
Now you're in more of a managerial style role, is you're the director of cybersecurity, so I assume that's very close to a CTO or like a CISO or, yeah, something of that nature. Like you're really in the, like, the upper management level. And I'm curious when people like your peers, like other executives and presidents and VPs or whatever in companies, when they talk about needing more investment in security, where do you think that money should go first?
[00:10:21] Joshua Copeland: So it really comes down to understanding your business, and this is where a lot of cybersecurity leaders fail, is that we're really good at the bits and bytes. We suck at the dollars and cents and business risk, not cybersecurity risk, but business risk. So that's where you have to transition from being that extremely technical SME into that executive leader is learning the business of your organization.
So I need to know how business operates, what tools that they're using, how they're doing their day-to-day business. Where my risks are associated with that, because that should be driving where I'm putting money towards security. I can go and pull down the NIST 800-53 or pull down ISO 27001 or pull down CIS benchmarks and say, this is what we have to do.
But that's not tailored to my business or what my needs are, or what our risk tolerance might be. We might be a startup that's willing to play a little looser than a Fortune 100 company that has shareholders and has to do SEC filings. So you have to really come back to go, where does it make sense to spend money on security?
Where does it not make sense to spend money on security? And how do you get the balance between the two? It's well known that the more secure something is, the harder it is to use, the easier it is to use, the less secure it is. You have to find that kind of happy medium of that friction point to where
it's enough friction that you're secure enough, but not so much friction that really smart and sometimes really lazy humans find ways around your security, because I'll show my age and go back to when Microsoft Exchange first came out with file filtering and you could say, I'm not gonna allow zip files through my Exchange server anymore.
It took all about 24 hours for folks to figure out if I change the file extension to txt, it'll go through just fine. People will find a way around your security. So our job is incumbent to understand what they're doing and build security around the practices that they need to do in a way that is not so full of friction that I'm able to actually get them to do what I want them to do the right way and not find ways around my security.
[00:12:45] Mikey Pruitt: So would you say the main job of a cybersecurity leader in an organization, no matter what the title is, is to take the frameworks that are given by the industry and adapt those, groom those so that they match the business use case?
[00:13:02] Joshua Copeland: Absolutely. Ultimately, I look at any senior leader in cybersecurity as,
first and foremost, your job is to be a translator. Translate cybersecurity problems and cybersecurity risk into what's the risk of the business. Yes, I can tell you that I have a critical vulnerability on this server and I need to patch it, and that's gonna take down our operations for 30 minutes.
But if I don't contextualize that and go, this service is actually buried three layers deep behind my defenses. There's fairly limited exposure to it. And oh, by the way, we're a retail entity and it's, between Thanksgiving and Christmas, this
[00:13:48] Mikey Pruitt: Black Friday. Yeah.
[00:13:49] Joshua Copeland: And every minute that we're down is hundreds of thousands of dollars in sales.
So maybe my risk tolerance for that during that particular point in time, I can go, yes, it's a critical, yes, the CVE score tells me I should patch this right now, but in my environment it's really not that high. And to my business, it's even worse if I try to fix it than if I wait and fix it when my business demand isn't so high.
And that's the special sauce that really successful cybersecurity leaders and CISOs have, is they understand the business and they can talk business because we're not gonna get CEOs, CFOs, COOs, and all the other folks to understand cybersecurity and it's just unreasonable. But we can absolutely and should absolutely understand business because it doesn't matter what you're doing, what your role is, the business is why you exist.
If there is no business, there is no cybersecurity. If there is no cybersecurity, you have no job and no reason to exist. So your goal should be to enable the business and have it operate in the most safe, secure, and sane way possible. That potentially, if you're doing it right, opens the aperture and becomes not a cost center, but a revenue generating center where you can say, because we are secure, because we are better than our peers in this area, and we have these attestations.
Now we've opened up our market and that's a huge differentiator between us and our next level peer, and our customers feel more safe buying our product or using our service because now we have shown them that not only do we take it seriously that we care about their security and our security, we have the kind of the paper trail and the receipt, so to speak, to back that up.
[00:15:42] Mikey Pruitt: So let's talk about, dive a little deeper into translation, specifically hype words that we hear a lot these days, like AI, zero trust, automations. So what do you think is like very overhyped right now and what is underhyped?
[00:16:03] Joshua Copeland: I think zero trust and AI are overhyped right now. Zero trust because if you really peel back the layers on it, it's least privilege, which is something we've been talking about since before I even entered the field of cybersecurity.
It's just a specific methodology and plan to do least privilege in a way that we typically have not done it. So I think zero trust is overhyped in that it's something we should have been doing for the last two decades. AI, everyone says, now improved with AI. Alright, get under the hood. Show me what AI you're using.
Show me that it's not just regex with AI slapped over top of it as a name. AI's great, does a lot of things. I work for an AI company. We're doing wonderful things in the customer experience space. But there are good and bad with AI. You have to implement AI in a way that is safe for your organization, that has the appropriate guardrails because ultimately everybody has a smartphone.
Everyone. There's AI on your smartphone. You have access to Claude, you have access to OpenAI's ChatGPT. You have access to Gemini. You can take a picture of what's on your screen and put it in there. How are you using AI in your environment in a way that accelerates your business in a way that is safe?
So are you going in, you know you want to use AI in your business and you want your folks to use it because it's going to get them time back to work on real legitimate problems. All right? Go ahead, get licensing for your folks. Get an enterprise license where you can control what they upload in, what they don't upload in.
You can do some data loss prevention. You can put right and left guard rails around it, excuse me. And that you can actually control to a degree how it's being done. And you can get things like BAAs and zero data retention policies built with that provider so that they're not using it to train their material on, and that source code that you're having them debug doesn't show up in your competitor's search while they're trying to figure out their own debugging.
AI is overhyped, but it is something that is absolutely going to be a game changer.
[00:18:27] Mikey Pruitt: So what do you think is under hyped? What do you think are things that people don't put as much stock in as they should?
[00:18:35] Joshua Copeland: I'm gonna be, maybe it's gonna be an unpopular
[00:18:39] Mikey Pruitt: opinion,
[00:18:40] Joshua Copeland: maybe contrary to some other folks. I would say patching and endpoint hardening.
Patching, we have routinely done it very poorly. Go to any organization and ask for a report and see what their mediums and lows look like compared to their criticals and highs. How long it takes 'em to patch. Almost every major breach has been because there were well-known pre-existing unpatched vulnerabilities that there were patches for.
So that's huge. And then we have endpoints that we have out there that there are tools available to do hardening on your devices. There are a plethora of standards. Whether you wanna go super intense and do something like a DISA STIG, or you want to go something like a CIS benchmark one or two, there are tools that will help you get that and they're super easy to implement.
One of the ones that's absolutely phenomenal is Ion will help you basically harden your entire environment in about 30 minutes to CIS benchmarks. That's something that, that we've typically not done really well. And when you look at all these attacks, you're looking at, unpatched vulnerabilities that get them in, and then they use misconfigured systems or systems that are left in default configurations that are unsecured to lateral through system.
These are basic things that they're not new, they're not crazy, they're not the bright, shiny thing that you're gonna hear at Black Hat or RSA. But they're fundamentals that we've just not really done well because it's hard.
[00:20:20] Mikey Pruitt: Do you think it's more, I don't wanna use the word lazy, but that's the only one I can think of.
Do you think it's just like patching specifically? Do you think it's just there are more higher priority items on a list than patching? Because I've dealt with this personally. Like we have, everyone's on a desktop or laptop or whatever and their phones and there's always their software update, like every, month or two.
Yeah. And it's usually it reliant most, or probably just rely on the user to do that process for themselves at this point. But then we're talking about backend systems. There's a lot of software that is out there. You can use Shodan right now and find unpatched SQL servers here and there, and whatever else you wanna find, just all over the place.
But is it laziness or is it just misconfigured priorities? What's going on?
[00:21:12] Joshua Copeland: So I wouldn't say laziness because that maybe implies some mal intent, which I don't think there is. I can give you some like specific examples. I know there is a water system in South Louisiana that is running on a Windows 2000 machine that has never been patched, ever and has been rebooted twice since it was installed.
Hopefully
[00:21:32] Mikey Pruitt: it's air gapped or something. Oh my god.
[00:21:33] Joshua Copeland: It's not air gapped, it has public facing IPs. You can find it on Shodan. Oh
[00:21:37] Mikey Pruitt: God.
[00:21:39] Joshua Copeland: The reason why they haven't done anything is because they're afraid that a patch is gonna take down the entire water treatment system, so freshwater and sewage, because they got a blue screen.
Don't they see the
[00:21:54] Mikey Pruitt: alternative for that? Like the alternative is that. Somebody hacks in and does that anyway.
[00:22:00] Joshua Copeland: But then you can point the finger that it was a bad actor that did it, and it wasn't a self-inflicted gunshot wound. It's no different than the school system that had their HVAC for decades running on a Commodore 64. Like, it was running on a Commodore 64 because the cost to replace it was like $2 million.
Or we can keep using this thing that has been running just fine for the last 20 years. They eventually had to replace it 'cause the person that had been maintaining it was a single point of failure and was retiring and moving away. So there are instances like that where it's the, we're scared to touch it because if it breaks, we're worried about the second and third order effects.
And there are cases where, to your point, I have 12 things on my list. I'm in a small organization where my IT and cybersecurity team is two or three people. I don't have a tool that's doing patch management for me. I'm just gonna focus on the really important critical server systems and hopefully the endpoints will eventually take care of themselves.
It's not malicious. I wouldn't necessarily say that it's pure negligence, but it's a resource constraint.
[00:23:13] Mikey Pruitt: So we're bumping up against this topic of, the cybersecurity culture or that culture does matter in cybersecurity, instead of the tools and the tech. And I think this is what you, at least what I get across from a lot of your posts your unpopular opinions are really talking more about the culture.
And this also ties back into the hiring process that you started with. What is it about the culture and cybersecurity that keeps us vulnerable to attacks?
[00:23:44] Joshua Copeland: I think it's a lot to do with, rightly or wrongly, the industry has what I call a hero complex where everyone, because we're often undermanned and under budgeted, has to work well beyond an eight hour workday.
It's not uncommon to see folks in cybersecurity working 10, 12 hours. Or even longer if there's an actual incident going on. That's gonna lead to things like burnout, which when you're doing that, things are gonna fall by the wayside. If I have 12 hours to do something and I have 15 hours of work, three of those hours aren't gonna get done.
And that's just gonna keep rolling and rolling to some point something breaks. So until we can start working with our business side to really illustrate what the problems are, or document why things aren't getting done in a way that is what we ideally want, we're still gonna have those problems across the board.
So really it comes down to helping leadership understand why it's important to their business, understand where the risk is to the business, not just the cyber risk. 'Cause I can tell you all day long that I have an edge router with a critical vulnerability because it is a Fortinet that has yet another vulnerability that allows somebody to get root from the outside.
That means nothing to the business. They go, okay, so what? Now if I tell you that once they have that, then they have access to all of our traffic, including all of your intellectual property. Magically light bulbs go off and they go, oh, our intellectual property, the stuff that we care about and that we can get fined, sued, or lose our business over.
That's now all of a sudden important. So it's making that translation becomes the huge thing.
[00:25:37] Mikey Pruitt: Yeah. It's a communication barrier between the senior technical cybersecurity leaders and the other business cohorts they have. Scary, oh man. I'm curious from your early days of your, like, work history, I believe you've worked at AT&T, I'm looking at your LinkedIn right here, AT&T, a few other roles.
You've been in the military. What are some of the experiences in those orgs and those situations that shaped the way you think, because I, it sounds like more cybersecurity leaders need to grasp things like you do. So what are some of the experiences you had that developed the way you think?
[00:26:24] Joshua Copeland: I have to give a lot of credit to the military, particularly the Air Force for crafting the way that I look at issues because I look at it from that
leadership perspective that they're taught from early PME all the way through your senior level PME, where you need to groom your next group of folks. So as an individual in your team, you should know the job of the person below you and the job of the person above you. I should be able to do that because ultimately, if you're the only person that knows how to do something, you're not promotable.
I can't move you someplace else that will be more to your liking, potentially has better pay, better hours, better benefits because you're the only person that knows that. The civilian side of the house tends to like to hoard knowledge and create their little fiefdoms where they look at it as job security.
And to some degree that's true if you're the only person who knows how to do that makes a key person in the organization, but also makes it to where you will never be anything other than that person. So developing folks so that they can actually go through the ranks and understand where they wanna go, what they wanna do.
I could have somebody that's a SOC analyst right now, but really wants to do systems engineering. And if I know that I can vector them to a place where I'm gonna get the most work out of them and that they're gonna be happy. And if I can do those two things, life is good. So by taking kind of that, just that lead with intent.
Understand that you need to grow your folks, not just necessarily what a lot of organizations are doing now. They wanna hire fully already developed, great, mid and senior level folks, and you can do that for a short period of time, but at some point you've gotta start having a pipeline. You've gotta get folks that are coming in at that junior level to grow that.
So your folks that are the mids can eventually become seniors, because if you don't do that, they're just gonna go someplace else and you're gonna go through that whole process again.
[00:28:24] Mikey Pruitt: Do you think we're losing a lot of the junior talent because of like automations and AI and losing our pipeline of human pipeline?
[00:28:34] Joshua Copeland: AI in that role is interesting in that I think AI is going to be very much like robots were to the automotive industry. 70 years ago, when robots first came out for the automotive industry, people cried that the robots are taking our jobs. We're not gonna have any jobs left. Seven years later.
We still have people that work in factories, building cars, doing things right along alongside of robots. And then we also created a whole new line of work of people who engineer, build, maintain, and program those robots to do those things. So I think it's a case where AI is going to absolutely change the way we do things.
But it's not necessarily going to eliminate a job here or a job there. It's gonna change the way that job is done. I think across the board, and I think this applies to any field, the folks who are gonna do really well in the next 10 years are the folks who are gonna be really good at doing prompt engineering into AI tools.
The folks who can take that and leverage it to a new level. Smart businesses are going to look at AI as a tool to free their humans to do more advanced things. Bad businesses are gonna look at AI as a tool to reduce head count, and eventually that bill will come due because ultimately, I say this a lot, that AI will not testify for you in court, and AI will not do your jail sentence.
Somebody ultimately is going to have to be the person that's held accountable for all the things that AI does. So you have to keep a human in the loop when you're doing any of those things, and that's where the jobs are gonna shift and change is maybe not being the person who's looking at a thousand false alerts, but verifying that thousand false alerts that the AI said were a false alert.
Actually false alerts.
[00:30:35] Mikey Pruitt: I've been on this mission recently where I'm trying to automate myself out of a job. And I think that's the way organizations are going like that would be, it seems like it's the future is where a person maintains a group of robots or AI agents or something of that nature.
And I think, the timeline is probably long enough to where we can make a transition into that style of work. And like you were saying, the people. Your current position, know what your boss does and know what the people that you're managing do be able to do those. And then also working towards systematizing and automating what could be automated away is seems like where we're headed.
[00:31:24] Joshua Copeland: Yeah. And that goes back to earlier when I'm talking about process. Is your process documented and repeatable? It's a documented, repeatable process that doesn't require human judgment. That's absolutely something you should automate and use AI for, because that frees your humans to go do all the things that aren't getting done.
I will put money that there is not a single organization out there that says they have enough people in their cybersecurity organization, that they have people that are just sitting around not doing anything for any portion of the day. I would put money on it because everyone's underfunded, understaffed, and by using those AI capabilities, we can get that time for people back to do those things that we just weren't doing before.
Things like patch management where we can potentially have some AI capabilities thrown in there, some system hardening where you might do some AI monitoring and remediation. And you have a person who now is not doing those tasks and able to do three of the other things they weren't able to do, and writing actual real documentation so you can do more automation and create a better ecosystem for your organization.
[00:32:39] Mikey Pruitt: Yeah. We're almost in a place where time is becoming more abundant. Then we can use that, if we use that time properly, to start dealing with the backlog of things. What I used to call shaving the yak. Have you ever heard that term?
[00:32:55] Joshua Copeland: Yeah.
[00:32:56] Mikey Pruitt: I actually just yesterday was trying to get a certain automation done in n8n, which is like a node-based automation platform, Make or Zapier, and I really wanted it to transcribe video, or sorry, like remux videos from a very big file into a small file. So in order to do that, I needed FFmpeg on that server. The Docker container didn't have it.
So in order to get that, I needed to change n8n into a queue mode type of thing. And then I needed to build my own Dockerfile and make like a custom version of n8n. So I was shaving the yak so that I could get to this one place that finally happened, thank goodness. But that, it's like annoying.
And I think that it's like daunting: oh, to make that work, I actually have to do all these other things. And that is like, not the laziness, but like the burden of having to go back and deal with the things that are troublesome or just time consuming. And I think you're building this culture.
And I wanna ask you about the culture that you're building on your teams. How do you maintain like morale when you're like under constant pressure with like alerts and incidents and the news, like the news cycle threats coming out? How do you specifically maintain that culture that you're, that you present so well in your LinkedIn posts?
[00:34:27] Joshua Copeland: Goes back to you have to know your people, and that means that you actually have to put time and effort as a leader to actually talk to your individual employees. You need to know what motivates 'em, 'cause what motivates one person on your team absolutely is not what motivates another person. Somebody might be just, you did a great job on that, and that's enough recognition for them to propel them forward. Somebody else might be like, you know what, I seen that you worked, it's Wednesday and you already worked 40 hours this week.
Take tomorrow off. Work's gonna be here the next day. Rest, recharge. Don't put PTO in, just take the day off and recharge your brain. Giving them legitimate pathways to where they wanna be and understanding what they want and helping them along that way. Even if it potentially means that you're helping them to go to some other part of your organization or another organization altogether.
What I have found is when I do that, five years from now, I might be hiring that person back in a new role. I've had folks who have worked for me multiple times over the course of my career. I had one guy that at four separate roles, he's worked for me. You really, at some point or another,
[00:35:48] Mikey Pruitt: You're really just saying to be more human.
Yeah. And I think all this AI and automation stuff will hopefully give us the opportunity to be more human, because the other stuff will be mostly handled, that's the rose colored glasses view. At least
[00:36:06] Joshua Copeland: That's the rose colored glasses view. The other side is that we're gonna have bad businesses who're gonna use that to reduce head count and increase stress.
I think long term those businesses will sort themselves out as they often do. And it's just understanding, ultimately cybersecurity is ironically deeply human focused. Everything that we do in cybersecurity revolves around people. Whether it's a person in your environment who is gonna be the person who's a hundred percent of the time gonna click the phishing link, or it's the SOC analyst who has done 200 alerts in the last hour and a half.
It's deeply human because the systems don't run themselves. And even with AI, you still have to have someone validating. Someone has to be able to make that decision, be in charge. And until we truly catch onto how human cybersecurity really is, we're still gonna bump up to those things where everything's about the tech.
About the tech. About the tech.
[00:37:15] Mikey Pruitt: What advice would you give somebody that wants to grow into a role, a leadership role in cybersecurity?
[00:37:20] Joshua Copeland: Two really big pieces of advice. Say yes to things. When someone offers you an opportunity, if it's outside of your comfort zone, say yes. I'm even in cybersecurity right now because I said yes to an extra duty in my first role in the military, and that's how I ended up in cybersecurity.
It was not intentional. It was not what I had joined the military for. And then the second one is: spend a lot of time on building your communication and business skills. Those are gonna be the two most critical things as you progress into leadership roles. That will differentiate you from the really smart techie guy compared to the smart techie guy who can speak to the board.
[00:38:10] Mikey Pruitt: Yeah, those are different skill sets. I have one more question. Is there anything that's like on the horizon that you see, like threat wise that you think is scary, something that keeps you up at night?
[00:38:24] Joshua Copeland: I think deep fakes are the thing that keeps me up the most at night just because they are scary good and they're only going to get better.
There's the viral video that's going around of Will Smith eating spaghetti three years ago compared to Will Smith eating spaghetti this year.
[00:38:42] Mikey Pruitt: And it looks like Will Smith eating spaghetti now.
[00:38:45] Joshua Copeland: Yeah. Now imagine how good that's gonna be a year from now, or two years from now. I've done some cool things with readily available software of creating a fake version of my voice from existing podcast clips and things of that nature and generating artificial text of me. There's a video out on YouTube where I'm reading a synthetic story that was created by AI and I'm not reading it. Fake AI me is reading it, and it's extremely passable to where unless you really know me and know my vocal tone and inflection, it's absolutely passable. And I could probably get through most help desks who have heard my voice and go, yo, that's Josh. Let me just reset his password. And then with the level of deep fakery that we're able to do with video, it's gonna be even more wild.
[00:39:41] Mikey Pruitt: And that's why zero trust is important, even though it's overhyped.
[00:39:45] Joshua Copeland: Yeah.
[00:39:46] Mikey Pruitt: Joshua, where can people find you on the internet if they wanna hear these unpopular opinions?
[00:39:51] Joshua Copeland: You can find me on LinkedIn. I am www.linkedin.com/in/joshuacopeland, and you can find my book on Amazon.
[00:40:00] Mikey Pruitt: Yeah.
What's the name of your book? I'm just curious how you're gonna say it.
[00:40:04] Joshua Copeland: It is UNPOPULAR OPINION: Burning Down the Bullshit to Rebuild Cybersecurity.
[00:40:10] Mikey Pruitt: I've actually just ordered it. I can't wait for it to get here. Thank you Josh. I appreciate you taking the time to chat with me today. Thanks so much.
[00:40:20] Joshua Copeland: Thanks for having me, Mike.