Episode 319: TC Niedzialkowski on CISOs and MacAdmins

Early in the podcast, there were plenty of stories of MacAdmins who had contentious relationships with security teams. We hear less and less of that every year. It still happens, but far less. We’ve had guests on to tell us how platform teams can work with infosec, but today we’re joined by a CISO (Chief Information Security Officer) to give some tips coming from the other direction.

Hosts:

Guests:

  • TC Niedzialkowski, CISO, Nextdoor

This week’s transcription is brought to you by Alectrona

James Smith:
This week’s episode of the Mac Admins Podcast is brought to you by Kandji. You know where the biggest potholes are when switching device management solutions? It’s not the prep work or figuring out how to replicate your current configuration in the new system. It’s that moment when management is temporarily removed from a Mac, leaving you with no control. From there, you have to rely on users to follow your instructions and enroll their devices into the new solution. Multiply that by hundreds or thousands of devices, and support tickets and errors start cropping up at scale.
Kandji has changed the game with its migration assistant, a seamless tool with completely customizable logic that guides users through enrollment into Kandji’s device management solution, so your support team won’t have to. 100% free for all new customers, Kandji’s migration assistant is just one piece of an overall exceptional experience Mac admins enjoy with the use of Kandji’s comprehensive solution.
To learn more, head on over to kandji.io/migration. That’s K-A-N-D-J-I.io/migration or join the Kandji channel on the Mac Admin Slack to say hi and see what they’re up to. Thanks again to Kandji for sponsoring this episode of the Mac Admins Podcast.

Tom Bridge:
Hello, and welcome to the Mac Admins Podcast. I’m your host, Tom Bridge. And Marcus, is that a sweatshirt? Is it cold there now?

Marcus Ransom:
It’s a beautiful Melbourne winter day, so it’s sunny outside and it’s… Well, I’d say a little bit cold, but Charles would probably suggest otherwise. But being Melbourne, give it an hour or so and it will be dark, overcast, bucketing down in rain. But I do have half of an apple pie that Vicky made last night, sitting on the counter ready to be heated up for some lunch, I think. So, yeah, it’s a little bit cold.

Tom Bridge:
It’s hard to beat a good fruit pie in the middle of winter.

Charles Edge:
You’re not going to have apple pie during Apple’s WWDC keynote because that’s too on the nose, right?

Marcus Ransom:
I just think me trying to cook food at 3:00 AM might annoy the rest of the family or just encourage the cats to be a little more needy than they are normally.

Tom Bridge:
Fair. No, I think that’s respect. I think that’s pretty solid. So, I think the question that we have to ask is, is it colder in Melbourne today or is it colder in Minneapolis today? Charles, where are you at?

Charles Edge:
Oh, goodness, it was 91, so…

Tom Bridge:
Oh, okay. So, you were up above 30C. It’s not 30C in Marcus’s part of the world.

Marcus Ransom:
Yeah, it’s at 15C here at the moment. So, that’s nice summer weather for you, isn’t it, Charles?

Charles Edge:
Yeah. At least spring.

Tom Bridge:
I’m remembering last summer’s trip to northern Minnesota around this time. And yeah, I was going to say it was definitely not much warmer than 15C up on the lake shore. But we’re not here to give you tourist advice on Northern Minnesota, although, if you will, I will say there’s some lovely Airbnbs up in Beaver Bay. Happy to introduce you, throw those links in the show notes. But we have an incredible guest today, TC Niedzialkowski, it’s so good to meet you and to listen to you today. You’re the CISO of Nextdoor and so Charles, do you want to do the introductions? I feel like you’ve got a great synopsis here and I think I did…

Charles Edge:
Sure.

Tom Bridge:
Go for it.

Charles Edge:
I do feel like early in the podcast, there were plenty of stories of Mac admins who had contentious relations with security teams, and I feel like we hear less and less of that every year. It still happens, but far less. And we’ve had guests on to tell us how platform teams can work with InfoSec. In fact, we’ve had guests tell us from the platform team how it’s been working with InfoSec and give tips and tricks, and pointers on how to work better. But today we’re joined by a CISO, which is short for Chief Information Security Officer to give some tips coming from the other direction. So, thanks, TC, for joining us so much and agreeing to do the episode. Do you mind giving us a little bit of an origin story? How did you get into the field and once you were in the field, how you became a CISO?

TC Niedzialkowski:
Yeah, thank you very much for having me, really excited, really love your guys’ podcast. And overall, Mac Admins. I just want to say that I learned about it through our IT team at Nextdoor in terms of, “Hey, where are you guys going for information? Where are you learning more?” It’s all about the Slack space. It’s all about the podcast. And so, we’re all super pumped because it feels like the whole team gets part of this in a way. So, I think for me, I think I’m part of that generation. So, I don’t know how this is going to touch base with the rest of you here, but 9/11 was basically a big formative factor in terms of getting into cybersecurity. And I remember reading the Atlantic Monthly article interviewing Bruce Schneier called Homeland Insecurity.

Charles Edge:
I remember that article.

TC Niedzialkowski:
This was my… Okay, yeah, yeah. So, it was my freshman or sophomore year of college and it just put it on my radar in terms of security theater going through the airport, the X-ray scanners, do we want to give pilots guns? If we’d instead funded more in terms of intelligence, language capabilities, could we have prevented 9/11? And it was a way of being very critical, but also constructive and pragmatic in terms of what should we do for security. And after reading that, I actually got a bug in my head. I was still in college, and I started looking up information security startups to go get an internship with.
I emailed Counterpane, which was Bruce Schneier’s company, and they actually bruised through his admin, sent some information back. They said, go get a Ph.D. in Cryptology or something like that. Glad I didn’t. But I found a startup out of California, WhiteHat Security, where at the time it was still the founder and his wife and his best friend from high school. And it was literally a Silicon Valley startup out of the garage. They didn’t have any funding or capacity to hire anyone at the time. But about a year later, I was getting ready to, I was still, I think my sophomore year at university, getting ready to start busing and waiting tables for a summer.
And they called me, and they said, “Hey, we’re talking to the investors. We got some funding. Do you know IT? Could IT administration, help take care of the workstations and stuff?” And I’m like, “No, but I’m willing to learn.” So, that’s my out-of-the-gate in terms of IT. And they said, “Okay, well call you back.” And they said, “Hey, do you know Flash, Adobe Flash?” And I was like, “No, but I’m willing to learn.” And so, my first job was at an IT-

Marcus Ransom:
There’s a name I haven’t heard in a long time, I think is what we can say there.

Charles Edge:
And definitely not from a CISO, so…

Marcus Ransom:
Yeah.

TC Niedzialkowski:
Well, that’s making 3D graphs to show the vulnerabilities that customers had in their websites that was my first job. And it was a 10-person startup, and I was there for a decade, and I had just about every role, software developer, operations, penetration testing, customer support, technical account manager, channel sales, business development. And I just learned. When I had the title, it was a weird title, it’s called Global Evangelist. Basically, going around and talking at conferences and talking to customers, but today they call it Field CISO. So, it’s basically more of almost like a sales business development role, but-

Tom Bridge:
No, they got acquired, right, by NTT or…

TC Niedzialkowski:
They did. Yup, yup. And then Synopsys bought from NTT as well. So, there’s a lot of consolidation in that industry. But yeah, so WhiteHat’s very focused on penetration testing, application security, static dynamic analysis. And I just really had to decide, especially towards my latter end of my career there, I ended up, like I said, more on the almost sales business development side, but that’s not why I got into cybersecurity. And I said, “Do I want to do more of that at another security company or do I want to really gain more hands-on experience in defending a company?”
And so, I went, and I got my CISSP, and I got a job leading the software security group for the Federal Reserve National Incident Response Team. And it ties back to 9/11 because basically after 9/11, they’re like, “What would happen if there was a big event in New York?” In terms of the New York Federal Reserve. And having San Francisco as a disaster recovery site, then having that from a cyber incident response capability for the entire Federal Reserve system as a whole. And it’s tied into the US Treasury Department as well. And so, that was very different going from being at a startup and working with all sorts of companies to being just part of very mature state-sponsored threats, some of the smartest people in the world that you’re never going to know their name.

Tom Bridge:
Hopefully.

TC Niedzialkowski:
Yes. And having that deep capability. But that just gave me that really more the people management experience working at a more enterprisey level, working across such a critical and large institution. And I did that for five years and then I said, “Oh, this is great. I’ve learned so much. I’d really like to work at a startup again.” And luckily, I live in Silicon Valley, and I didn’t think that-

Tom Bridge:
Where there’s a few.

TC Niedzialkowski:
Yeah. There’s a couple. I didn’t think I’d get the opportunity to go into the CISO role, but it was a really good match when I interviewed with a team at Nextdoor. And I’m just very lucky where… Part of your question, Charles, and when we get into working with platform teams and this dynamic, I’ve been very lucky, very privileged in terms of Federal Reserve and Nextdoor where it’s organizations where trust is so core to their identity and their core values.
That’s just a really great opportunity. And then being able to build up a security function organization from the ground up. We went public, gosh, I’ve only been there just over three years, so we went public a little over a year ago. But being able to help a startup scale and really have a world-class information security team has been a great experience.

Tom Bridge:
Scaling into IPO, I mean, I feel like the Federal Reserve, I actually got a call about the CTO role for the Fed.

TC Niedzialkowski:
Wow.

Tom Bridge:
And I was like, I don’t think I’m the person you want because that’s more enterprise than enterprise, I feel like. I don’t know if I’m mistaken about that, but that was just my initial gut reaction. Would you say that as a CISO, your next gig might be moving into a CTO role? Or where do you go from CISO?

TC Niedzialkowski:
Oh, yeah. It’s not the question you asked, but there’s this other aspect people have where there’s so much fascination around the CISO role, and I do a lot of work with mentoring, skill development, nonprofits to help people get into cybersecurity and people like, “Oh, what is CISOs this? What is CISOs that?” And I’m always like, “Listen, you can lead from anywhere in the organization and if what you’re trying to do is increase security, increase trust, it doesn’t matter what your title is.”
But in terms of where a CISO would go, I think the path that I usually see is there’s a strong relationship between CISO and IT. So, a lot of times overseeing not just information security but overseeing the IT team as well or stepping into the CIO role. But I think the other thing is that there is just a huge desperate need for more CISOs, for more talent. And so, I think as many CISOs as we have, we need more.

Tom Bridge:
And would you say a CISSP is a semi or a CEH or Security+ then CEH, then CISSP, or what have you, is the path in terms of skills development or would you say going the other direction and more academia and doing an MBA or an MBA with a specific security focus or something like that is the… I mean it’s definitely all of these things have changed since we all came up.

TC Niedzialkowski:
Yes.

Tom Bridge:
I think so. I guess in terms of those who are looking to move into those areas.

TC Niedzialkowski:
Yeah. And I think also for the same person, their view of that certification can change, not only is the industry changing, but their view on that certification can change. And so, right now my view is that it’s a professional certification. You have to have a certain number of continuing education credits; you have to keep it current. You have to have a certain amount of time worked in the industry in order to be able to actually be accredited for that certification.
And so, it’s a great tool in terms of signaling to employers that you’re a professional, this is what you do, and that you have broad exposure across many different domains. So, one of the areas I really struggled coming from this application software security space into getting my CISSP was things like endpoint security, right? Because I didn’t have to do any of that. So, they call it, [inaudible 00:14:17]

Tom Bridge:
But now you’re probably a guru at that.

TC Niedzialkowski:
We’re an All-Mac shop, so I’ve learned a lot.

Marcus Ransom:
Macs don’t need endpoint security; they don’t get viruses. It’s fine, right?

TC Niedzialkowski:
Yeah. But I would say, I wouldn’t say it’s the first certification you get without it… My recommendation in this industry, and I think I’ve worked more for technology-focused organizations, is focusing on the technical skills. But if you’re going for a governance risk and compliance or risk management perspective, or if you want to work for a federal institution, one where they have a list of certifications they’re looking for, or if you want to show to the board or to the executive level or to senior management that you can be trusted to run a function, a CISSP is a very strong signal. So, I think it’s more useful for people that are early to mid-career that are trying to make that move up. But it’s not where I would go in terms of getting technical depth through getting a specialization because it is very broad.

Charles Edge:
Makes sense.

James Smith:
This week’s episode of the Mac Admins Podcast is also brought to you by Kolide. Our sponsor, Kolide, has some big news. If you are an Okta user, they can get your entire fleet to 100% compliance. How? If a device isn’t compliant, the user can’t log into your cloud apps until they’ve fixed the problem. It’s that simple. Kolide patches one of the major holes in zero trust architecture, device compliance. Without Kolide, IT struggles to solve basic problems like keeping everyone’s OS and browser up to date. Unsecured devices are logging into your company’s apps because there’s nothing to stop them.
Kolide is the only device trust solution that enforces compliance as part of authentication, and it’s built to work seamlessly with Okta. The moment Kolide’s agent detects a problem, it alerts the user and gives them instructions to fix it. If they don’t fix the problem within a set time, they’re blocked. Kolide’s method means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Visit kolide.com/macadminspodcast to learn more or book a demo. That’s K-O-L-I-D-E.com/macadminspodcast. Thanks to Kolide for sponsoring this episode of the Mac Admins Podcast.

Marcus Ransom:
So, in the intro, we mentioned that the relationship seems to be better than once it was between security teams and admins. So, I know that that’s something being at the endpoint, end, of being at the pointy end. I don’t know how we’d say that. There’s often a feeling that security and the users and those different areas can be at odds with each other. So, would you agree with that perception, and I guess what guides your answer in that direction?

TC Niedzialkowski:
Yeah, it is such a hard question. Sorry.

Marcus Ransom:
It depends. This is usually the best answer for these ones, isn’t it?

TC Niedzialkowski:
Well, I think I can think of two angles, but I start with this quote, the William Gibson quote, “The future is here, it’s just unevenly distributed.” And so-

Marcus Ransom:
That’s a good one.

TC Niedzialkowski:
I think cybersecurity has only been around for 30 years. I mean, maybe it’s been longer than that, but I think that’s the common in terms of working in the field, information security, cybersecurity, and I’ve been in the field for 20 years, so I’ve been there for two-thirds of it, right? And so, it really has this background and military perspective, military application or financial institutions or hospitals, right? And so, I think it’s something that’s just denial. And this is a cost we have to impose to do business.
And so, I think a lot of times when people are rolling out security solutions, for the podcast, I’m putting quotes around it, “security solutions,” there’s a real cost on everybody touching the system. Just changing your password every 90 days is a great example. And the complexity requirements for passwords that can be out of touch with the security benefit. And that goes back to that Bruce Schneier article in terms of how effective is this really. Is this really making us more secure?
And just as an example, NIST updated their password guidelines because having people make a new password every 90 days results in a less strong password versus [inaudible 00:18:59].

Tom Bridge:
It feels like that happened right before COVID, right?

Charles Edge:
It’s funny because I forgot about that because it happened before COVID, so…

Marcus Ransom:
Wait, was it before COVID?

TC Niedzialkowski:
It’s the mind fuzz from COVID. That’s why you forgot, right?

Charles Edge:
The biggest thing COVID ever convinced us of was that COVID didn’t exist.

Tom Bridge:
That’s an interesting point about the password resets and hearkening back to that Bruce Schneier article. I remember when I read that, I was like, “I got to get to DEFCON more often.” And that was an interesting turning point. And I have to say there have been maybe a dozen seminal works in IT in general that came out of the Atlantic, which is not what you would think of that when you look at your news feed. I mean, As We May Think is probably the most seminal in my mind, and that was 1945 or something like that, ’46.
But I can think of a number more than WIRED probably in my mind. So, no diss on WIRED. But when you think of it, I just don’t hear the friction talked about nearly as much between those IT teams and InfoSec on the Mac side. I don’t feel like I ever heard a ton of that on the Windows side though.

TC Niedzialkowski:
Yeah, I think it’s because it’s become more of a business risk. It’s become something that’s more apparent to customers. If those customers are consumers or if those customers are other businesses, things like ransomware, certainly help. So, there’s this phrase I use which is, “Never let an incident go to waste.” So, anytime there’s an incident and hopefully, you look into it and it’s a big nothing, nothing happened, nothing was exposed, everything’s safe, right? But there’s all these lessons learned that come off of that and I think that’s basically been happening in the industry. And if not to you, then to someone else. And so, it’s just some-

Charles Edge:
Yeah. The whole great concept of the retros that go along with any incident there, the post-incident reviews, these are blameless things. These are places where we go through the process, have the conversation around what actually happened and why. And then work to do better. I’ve had the privilege now of sitting in with a few of JumpCloud’s PIRs and listen to our engineering teams and security teams talk through like, “All right, this is what happened. This is, did we get…” My favorite is that what went well, what went wrong, and where did we get lucky? And that last one is probably my favorite because it’s forcing the folks to think about where did we get lucky here?
Because sometimes you make your own luck and sometimes there’s a lesson in that process of making your own luck and building forward a better pathway. And I really liked that, that was something that I’ve taken out of our PIRs and now I’m applying it to product stuff, which is, it’s weird to think about a post-incident review from a product perspective, but I think there’s a there, there.

TC Niedzialkowski:
Absolutely. And if you want to make people laugh next time that comes up, tell them, “Well, better lucky than good.”

Tom Bridge:
I always liked that phrase. I think that phrase has a lot of value to it deep inside because I mean, sometimes it is better lucky than good.

Charles Edge:
Well, especially in business.

Tom Bridge:
Yeah.

Charles Edge:
Well, I mean it’s where the two meet, I guess. It’s interesting. So, Tom, you have multiple platforms to support, and I feel like this next question is really all about multiple platforms. So, it seems like the job of a CISO might have been easier when there was just one platform to support. And in general, most bigger companies were using pretty much all Windows Machines back in the era when the CISSP was initially written, which I think was ’94. And now there’s three in most organizations and these cloud solutions that overlay on top of that, which semi-obviate the security posture of the platform, but not at all. So, how have security teams had to become more, I guess, elastic is the word I’m looking for to deal with that?

TC Niedzialkowski:
Yeah, I think it would be hard to compare if it’s easier or harder, right? Because I haven’t had that experience where I’m at, just a Windows shop and supporting just a Windows shop. And there must have been a lot of really hard stuff people were trying to figure out versus today. And today it’s actually a lot of the cloud platforms, which scare me as much if not more than. If you had to choose between your endpoint or Salesforce you really got to think about what type of data, what the risk is. And so, I think in terms of being elastic, I think you have limited resources.
And one of the things that you need to do as a security team or a CISO or a risk management function is to say, “Okay, well this is the risk. These are the key threats, this is the potential impact to the business across different areas, across different platforms.” And then you need to say, “This is the type of mitigation we have with the resources today. This is what’s remaining. This is what we really need to act on now. This is what we could act on with additional funding.” And the idea here is that the essence of strategy is knowing what not to do.
So, you’re not going to be able to secure everything 10 out of 10. And so, when it comes to multiple platforms, I think you really need to be focused. Coming more from a startup perspective especially or technology company, really what is the data at risk? What is the risk to the business? And then really what are the effective controls that you can have for that platform? And then it’s always going to be the case where the people that manage and run those platforms, that understand those platforms, the experts in those platforms, security is an essential part of what they deliver.
So, whether it’s your cloud engineering team where security is an essential piece of availability and stability and cost-effectiveness for AWS, just like for your IT team, or just like for your team that’s delivering Salesforce that the business builds on. And so, I think for a security team, it’s understanding and articulating that risk landscape to the senior business, it’s relying on and having good relationships with those subject matter experts for those platforms. And then it’s coming up with a strategy in terms of where do we really want to focus in terms of enhancing our current security controls, coming up with a plan, and whether it’s working with the teams because they have the skills needed or hiring to have the skills needed.
One of the most effective hires we made at Nextdoor was someone focused on corporate security or Mac endpoint security on some of these systems like Okta or help us do a lot of automation and implement things like device trust. And so, I think the other piece that I would add to that is the skill that security brings to all those different teams is that incident response, that leading an incident when it really is bad or when you have something that’s an incident and luckily nothing bad happened, but drawing those important lessons from it like Tom was talking about. So, that’s something that you’re going to bring that capability to the team regardless of the platform impacted.

Marcus Ransom:
No, one of the things that was mentioned in the notes was this idea of an asset owner. Now it’s interesting, I’ve seen that with organizations when they’re talking about installation and patching of software, right down to the individual title is having an asset owner who’s responsible for the testing and making sure it’s compatible and working properly. But it’s interesting seeing that in terms of different platforms as well. So, yeah, that idea that somebody who has no understanding of the platform really shouldn’t be the person making the decisions about what’s appropriate for it.

TC Niedzialkowski:
You have to hold the asset owner accountable. And so, when you look at things like CISSP or you look at things like NIST or if you look at things like different regulatory frameworks, you need to have someone identified who’s the owner or the decider or responsible for that platform or for that data. And so, the decision or accountability needs to reside for them. And so, that’s also part of how you’re effective in terms of what should we do to patch this system.
Well, you should really check with a person who is the person managing and owns and understands that system before thinking you’re just going to go ahead and apply this patch and it’s going to make it more secure and everything else is going to be okay.

Marcus Ransom:
I know that’s something we deal with a lot here in Australia with the Essential Eight, which is the framework that Australian Signals Directorate, the Center for Cyber Security has provided where it was written for Windows, but the principles are all phenomenal, fantastic principles that should be applied. But when you see organizations trying to require things that are just simply not appropriate for, and not just macOS, but other platforms or trying to apply infrastructure principles to endpoints and not listening to the asset owner, my observation is it generally results in ineffective security rather than delivering what everyone was perhaps hoping.

TC Niedzialkowski:
Yeah, I think, and it could be because of where I came from in terms of working at a pen testing background where my job is to find vulnerabilities in websites. So, essentially emulating a hacker or working at the Federal Reserve where state-sponsored threats are really targeting them all the time, but really focused on the risk. And so, I think things like compliance frameworks are very important and there’s something that you need to meet from a regulatory perspective or from your customers, from quote-unquote, “industry best practices.” But from a cybersecurity perspective, I really want to be focused on the risk and the risk mitigation and is this the right place to focus for risk mitigation and try to understand the compliance frameworks from that perspective.

Marcus Ransom:
So, what things do you use to determine that risk? How do you approach something like a written framework that perhaps teams are squabbling over and trying to reframe that in risk?

TC Niedzialkowski:
Yeah. So, that really depends on the maturity of the organization. Some of the data they’re handling, compliance regulatory, requirements. So, I think there’s the NIST cybersecurity framework, the NIST CSF. I’m a huge fan of the NIST CSF and I use those functions and that architecture in my head, but that’s not necessarily the right size for a startup or even for a mid-sized or large technology company necessarily. A lot of times people use blended frameworks, but I think a cheat sheet would be just to have some way of measuring essentially what are the risks to the business. What is the threat that we’re concerned about? What’s the potential likelihood, what’s the potential impact? What are the mitigating controls? And then what are we doing about that? Are we fine with that? We just make sure these controls keep operating or are there essential controls that we need to put in place?
And so, having that, so to speak, risk ranked, so essentially impact likelihood, what is the residual risk, and is that something we’re comfortable or not? So, going across the board in terms of… So, what you don’t want to do, for instance, is put all your resources into… What we need to… The current endpoint EDR solution we have isn’t sufficient. We need to replace it with something else, we need more budget, we need more tooling, we need to identify more types of use cases, really focusing so many resources there while you’re ignoring something like the security of your SaaS applications like Salesforce.
So, I think it’s really understanding across the board what is the residual risk and what areas you want to strategically or tactically pick up next to drive down risk within the organization, or are they at a good place where really what we need to make sure to do is that those controls that you rely on are in fact operating effectively.

Marcus Ransom:
I remember hearing an organization here in Australia describe their security approach as being these amazing granite pillars with five steel gates between them, but there was actually no side or back to the wall at all. They, interestingly, got popped a couple of years ago as well with some ransomware, which has nothing to do with me. And so, I really like the way you framed that. It really is about you can throw lots of money and resources at a particular area, but if that’s not where people are focusing on attacking you, it’s pointless really.

TC Niedzialkowski:
Well, it’s dynamic. So, one of the big threats in the industry, one of the proudest things, it’s been a journey here at Nextdoor is device trust. So, the idea that essentially identity is the new perimeter for a lot of companies, so especially during COVID. So, it’s not just your username and your password, it’s Okta running on your phone and getting a 2FA code. And so, if you get DoorDash, Uber, Cloudflare, not to pick on anybody, but basically a lot of companies have been targeted and suffered security incidents because either someone clicks on an email or clicks on a text message that appears to bring them to a page that is asking them to enter their 2FA code and they go and they get it from their app and enter it.
Or the other one is, yeah, I’m going to forget the name, it’s push fatigue or basically you’re getting, “Hey, click approve, click approve, click approve.” And I think in the case of Uber, it was ostensibly, the IT team reached out to one of the engineers over WhatsApp and said, “Hey, you’re going to keep getting this until you click approve.” And when they clicked approve, it essentially authorized another device for access. And so, that idea that you could have all your controls in place, what Marcus was saying, you can have all your controls in place, be spending a lot of money, but then also the attackers change their tactics. And so, now something that you thought was state of the art or sufficient, so using 2FA for authentication, is no longer sufficient because the attackers have changed their tactics.

Tom Bridge:
I hear you loud and clear on the fact that identity is the new frontier, right? If we think about that, I work for an IDP, so I’ve spent a lot of time thinking about these problems of identity access and essentially spending a lot of time thinking about how, “Hey, what’s the right way, what’s the solid way for us to say it’s not just about the trusted identity, it’s about the trusted identity on a trusted device.” And to being able to align those two things very, very closely in such a way where you can say, “Hey, look, you can have a really easy time of it when you’ve got a company-managed device on a company-managed user account.”
And Apple gives us all of these really great tools for this now. The Secure Enclave is a great place to create a key pair and to essentially say, “This is this device and only this device.” Because it’s not like you can pick up that key pair and walk away with it anymore. And so, being able to do those things and combine those with managed user accounts and to try and figure out, “Hey, what’s the right combination of friction-lessness for those situations?” And I was going to say, we’ll have more to talk about that and JumpCloud here probably in the next month or so, but I don’t want to give away the ghosts too much.
But we talked about it last week at MacAD.UK and I can see that being hugely helpful for us as a community and to be able to say, this is that person on their company-issued device.

Charles Edge:
And one step further, this is that person who’s actually on the device and this isn’t a synthetic click, which is the power of passkeys in a way. Not only is it the person on the device, but it’s the person on the device and they’re real.

Tom Bridge:
And getting that user verification identity bracket around whatever, they’re doing is really crucial.

Charles Edge:
Having said that, to address something TC said, my bank will pass through a two-factor auth code to a third party, and then I enter my two-factor code into the third party’s, and this is a standard, I’ve done it with three different banks now. And I enter this into a screen that is an iframe. And so, I can think of 10 different vulnerability places with that whole flow, but that’s getting away from the point of this whole episode. So, I guess, TC, speaking of controls, there seems to be this myth I feel like, and maybe not a myth, just a general feel sometimes that InfoSec teams do the interpretation of requirements, and NIST publishes a guideline, and then we all think that it’s the InfoSec teams sitting there looking line item by line item and saying, “These are the ones that we need to deal with.”
So, would you say that it’s the InfoSec team doing that or that their attorneys and auditors, often third-party auditors brought in when they put check boxes on forms and validate all that stuff? Or would you say it’s more of a collaboration?

TC Niedzialkowski:
What I would say is that, and again, it depends on the culture of your, so again, that quote, “The future is here, it’s just unevenly distributed.” And it’s not that the right endpoint, the right maturity state for every company right now is the same thing, we’re just waiting for everybody to catch up. Companies are really different based on their culture, based on their risk. To take the example of the Federal Reserve versus a tech startup. But I think information security plays a critical role in terms of translating risk to the business. And so, there’s that risk focus. And so, when you think of things like compliance, when you think of things like legal IP or brand risk, these are similar business risks that need to be managed, but then also being very close in terms of the engineering and the architecture of the organization.
So, working with the IT teams on securing the endpoint, working with the application development teams on the application logic. So, I think, I know in my experience, I spend a lot of time helping work with the legal team or the compliance team to understand requirements. So, to understand what those requirements mean in terms of what does that mean that we should do about them, but also to help understand what’s going on, on the engineering side and what’s a good fit, what does this proposal or what does this solution mean in light of those requirements.
So, I think you need translators in business or else you’re going to end up not doing something right or maybe not doing it in the way where it could be as effective or it could be as cost-effective, or where you could minimize the impact to the implementation of those controls.

Charles Edge:
Great response.

James Smith:
This week’s episode of the Mac Admins Podcast is brought to you by Alectrona Patch. What would you do with your time if you no longer have to spend so much of it on packaging and deploying updates for a third-party app? With Alectrona Patch, you can install or update over 300 Mac applications automatically to keep your users protected with the latest security update. Alectrona Patch works with your existing MDM solution by simply deploying a package and a configuration profile for ongoing management. It’s cloud-native so no server or package hosting is required, and the latest updates are delivered directly from the software vendor. You control which apps are installed or updated, so you deploy only what you need.
Alectrona Patch is customizable to ensure your users can update without interruption, so you can keep your security team and your end users happy. Alectrona is a proud charter sponsor of the Mac Admins Foundation. Check out Alectrona Patch at alectrona.com/patch, that’s A-L-E-C-T-R-O-N-A.com/patch to learn more and to book a demo with our team. Thanks to Alectrona Patch for sponsoring this episode of the Mac Admins Podcast.

Charles Edge:
So, talking a little bit about validation and compliance for those interested, are there some workflows that you’ve seen out in the wild that help automate that process? Or maybe for the macOS environment, for our audience who’s really familiar there?

TC Niedzialkowski:
That’s so funny. One’s come up recently, is just such a blessing in terms of putting something from a compliance perspective that’s just going to make everybody thrilled and make their job easier and make them faster. And I think that’s Okta’s Identity Governance and Administration. So, Okta IGA, the ability to really automate and get the right approvals, provisioning the right level of access, maintaining that right level of access to a resource. So, I think for us, when GitHub Copilot rolled out and we wanted to get our engineers hands-on access, all right, I’m working with one of our sysadmins, with John Spencer from our IT team.
It’s like, “All right, let’s set up a Google form, let’s go and have people give their information.” Because you don’t want to… When they just rolled it out, it was basically $19 per user per month, and there was no enterprise pricing, so you don’t want to pay for it if people aren’t going to use it. So, let’s do a Google form, get people’s information. And he said, “Well, hold on a minute.” And he basically turned around and used Okta IGA to automate that whole process in terms of just click this form, click submit, it gets your management approval and it’s done. So, the ability to take something from essentially a spreadsheet, people entering information, us needing to go through and load it up manually to putting a whole automation workflow in place that was integrated through Slack.
I mean, that’s really how both IT and security can basically make the company operate in a safer manner, but also increase people’s productivity. So, that’s a wonderful tool.

Tom Bridge:
So, did he use Copilot to write the integration to Copilot?

TC Niedzialkowski:
It’s interesting because there’s so much functionality in these tools. I think one of the things I try to do from a security perspective, and then I think probably you guys, I imagine would be able to answer this more maybe from an IT administration perspective, is to almost in a way live off the land. So, using the tools and the workflows that are already there within the organization in order to add functionality or automate things. And so, I think that’s why it’s such a blessing as well, this Okta IGA tool, that it’s something that if you have Okta, you already have access to it. It might be a different SKU, you might have to pay for that addition, but basically, it’s part of this tooling that you already have in your organization instead of adding something new and integrating it into your environment.

Marcus Ransom:
Love it. The world of IT is certainly a lot more interconnected than it was previously and being able to manage all of those interconnections and at least know and understand. I’ve seen some horror stories and I’m sure there’s even more out there that I haven’t seen where from a purely financial point of view, organizations are paying for things that they signed up to and have no idea if anybody’s actually using them. And sometimes someone’s just going to keep paying for something rather than going down the dead end of trying to find out who’s using it for something and the financial implications of that are bad enough.
But the security implications of having all of these connected services that if you don’t know if anybody’s using them, how do you know who is actually using them and if they are the people you don’t know, not using them? So, certainly having that understanding of what’s being accessed. And I think back to the old days when we used to deploy iPads at schools and trying to work out if was anybody still using these apps that we were deploying out to these iPads that were requested two, three years ago and thinking about that in a broader scale as to the cost and the logistics.

Tom Bridge:
Remember Sassafras, it was an old licensing server, key server for the Mac. But back then it wasn’t a security issue. It was like, “We don’t want to pay for that Photoshop license if we’re not using it.” Now that’s another cloud SKU, right? So…

Marcus Ransom:
Yep.

TC Niedzialkowski:
Yeah, it’s like a cheat code. You can reduce your attack surface by turning it off.

Tom Bridge:
Yeah.

Charles Edge:
Oh, so many of those things are that way now. I mean can not only reduce your attack surface, you can save a ton of money in the process. And figuring out what’s useful and what’s not, and what people are using and what’s not is a big part of any identity provider’s work. And surfacing that appropriately is all about making sure that the value proposition that you have as an IDP is really met by what you’re able to save your customer base.

TC Niedzialkowski:
Well, that’s a way, I mean right now given the economic environment, it’s a good time to rationalize SaaS spend and that’s also just another area where IT and security can work together in terms of understanding what the impact is to the business, right? Because if your job is to write code or if you’re marketing the organization, having two or three tools, or having a tool that you don’t use but the company pays for might not be that important. But when it comes to administering that tool, paying for that tool, or thinking of the security consequences of that tool being compromised and do they really have all the features set that we want for the non-existent use cases or use cases that are in there?
So, it’s a good alignment between IT security teams to be able to enable the business by reducing cost, reducing complexity, and then putting those resources into the tools that are actually being used.

Charles Edge:
I do feel like reducing complexity, making it where there’s less buttons to click on, it feels like a big thing is really just having empathy for our coworkers and a lot of this stuff that we’re talking about. And as Emily has said a few times on the pod, and she couldn’t be here tonight, but thinking of them as coworkers. So, in general, security teams don’t just sit around trying to think of new ways to make someone in another part of the company or team’s jobs suck. In fact, I don’t think anyone except… Never mind, I’m not going to pick on any department specifically, accounting, but it does feel like they have more work in front of them than they can actually get to. So, do you mind taking us through some of the responsibilities that we haven’t talked through that an InfoSec team has?

TC Niedzialkowski:
Yeah, so I think there are definitely compliance and daily operational things that security teams need to worry about, but when I think of attacks, there’s phishing, business email compromise, there’s cloud infrastructure, there’s applications that are being developed, there’s the SaaS applications, administering those SaaS applications. And then I think also the incident response piece, again, going back to what Tom talked about earlier, there are a lot of near misses within an organization or maybe everything operated exactly as it should, but we should still take a close look at how it operated to make sure that there’s nothing additional that we could do that’s proactive or preventative.
And so, I think going across again, all those different potential attacks, what teams do you need to coordinate with or what’s your strategy to implement new capabilities? And then I think once you have tooling and capabilities and operation maintaining those, so the security team like an IT team or a platform team, we have a lot of tools and services and SaaS applications that we need to maintain and that we need to make sure their configurations stay fresh. I think it’s hard, the stretch between implementing new things to drive down risk versus maintaining the tools or the controls you have or slowly maturing those tools.
And I think that’s something that again has to do with the level of maturity for the organization. Sometimes what you really need to do is you need to pick that new big risk, implement that new capability to mitigate that risk, get it into a place that’s comfortable and then move on to the next one. You can’t just keep swimming with what you have because there’s too much risk out there that you need to still go out and tackle for the business.

Marcus Ransom:
So, that’s not just something we see as Mac admins with security tools that are not coping with Apple’s annual cadence and keeping up with that, that’s something that you see broadly across other areas of the IT world?

TC Niedzialkowski:
Yeah, I’d say one that’s really snuck up on me is SaaS applications and the security of SaaS tools. And that’s something where there’s a lot that we do to stay on top of them. I think one of the things I would say for almost everybody that would make sense is having a bug bounty program for some of your internet-exposed SaaS applications. Because I think it’s a challenge in terms of as they add more and more functionality, complexity gets integrated more and more into the business, the roles and responsibility model between the SaaS provider in terms of what are they responsible for, how do they ensure the security in terms of the actual operation.
So, just if you think of Salesforce as an example or maybe Google Workspace or whatever, now we don’t need to talk about WordPress, right? But whatever that SaaS tool is, as it gets further and further integrated into your business, really realizing that you are the one that’s accountable if something happens. And so, what can you do to stay ahead of it and be proactive and preventative?

Marcus Ransom:
So, one of the other things we’ve seen a lot of, not just recently, but over the time we’ve been doing the podcast is as the understanding of how to secure the Mac world or the Apple world grows, people that understand how to do that from an endpoint perspective moving into security gigs because they understood the underlying technologies better than the people who were trying to work out how this all fits together. So, as things have gotten easier in a lot of ways, do you think that trend will slow down, or do you think there are many things that still need to be automated or understood in securing the Apple space, or are we maybe overthinking what we are trying to do?

TC Niedzialkowski:
That’s interesting. So, whether you think it’s going to be a solved problem, then you move on to something else, is that?

Marcus Ransom:
Yeah. Are we going to stop losing our best Mac admins to become the best security admins out there?

TC Niedzialkowski:
I think, again, it depends on the size of the organization, but if you don’t have a security team if you don’t have an internal security team, it’s probably your IT team that is doing that corporate security role. And so many of those systems, things like Okta, things like G Suite are so critical to the security of the organization, they’re so closely tied. I think you need to be a very large organization before you have someone that just does Mac endpoint platform management. Yeah, I don’t know. I can’t predict whether it’s going to be a solved problem or not. But what I do think is happening is that there’s certain trends across security and across IT administration where things like being able to automate processes, whether it’s through a typical software development pipeline, having code in GitHub, putting it through the CI/CD pipeline, getting it deployed or using the functionality core to some of these applications, we talked about Okta IGA.
Or maybe there’s a space for low-code, no-code solutions to do some of this automation. But I think really having a vision, and I think there’s always progress to be made in terms of automating processes for the business. So, having a vision in terms of how can we be more efficient in our resource usage? How can we essentially provide a better service at a lower cost? What does it take to get there from a technology roadmap or a capability roadmap within the team? I think there’s a shared skillset there between IT and security. And so, I think it’s going to keep making more and more a lot of sense for people to be able to go from one to the other.
But I think it’s splitting IT in a little way between a help desk function versus a sysadmin function. So, I think that the sysadmin function is very close to a lot of the skill sets needed from a security engineering side.

Charles Edge:
Especially when you get into the really big deployments where if you’re pumping out software or operating systems to 50, 100, 200,000 endpoints, the level of internals that you need to understand, I feel like that translates really well into a security role in a way. That’s just always been my perception I could be totally wrong about that though.

TC Niedzialkowski:
Yeah, I would say people that I really empathize with, not just in terms of their job but also the role they play in the organization are people that are in a DevOps role or a system engineering role where they’re the ones helping everybody else in the organization be more efficient. A lot of times those people are essentially wearing the security hat, but also there’s so much, they know how much more work can be done in terms of automation, increasing quality, providing a better service at scale.

Marcus Ransom:
Because automation’s all about trying to avoid having to do things. And I guess having a big incident response after something’s happened is what you’re trying to automate not having to do, or…

TC Niedzialkowski:
Or even, I mean, just as an example, if say you do an incident response, there’s probably a lot of logs that you need to pull to do the analysis. And so, that takes time. So, if you’ve had that type of incident before, maybe you could automate the process of pulling those logs and doing those analyses so that next time you have that incident, you’re essentially doing the same work, it’s just going to be faster because you’ve automated it. And so, yeah, some of the people that I’ve really enjoyed working with have that always, “How can I be automating this?” perspective as they go along.

Marcus Ransom:
And capturing data as well. Because if you don’t have data, it’s just an opinion and opinions are great, but they’re often clouded with emotion, like some data is as well, depending on how you got it or where you got it from. But you can make a pie chart say anything you want really depending on… I think there was one out there about pirates that I saw recently, number of pirates per something or other showing that something had increased as the number of pirates in the world had come down. So, that, I think is a really good example of how data can be used as a hate crime rather than achieving good things.
But if people are looking at capturing data for operational reasons, like capturing sysdiagnose or information so that you can understand, when the ticket eventually filters its way through to you, what might have actually been the problem or happening, that the same idea can go to security where, if we’ve already got telemetry and metrics and logs stored safely somewhere, when we get the call to say somebody’s gone rogue or something’s gone rogue, you’re in a much better place to actually understand what shade of brown things are.

Charles Edge:
So, if there are any InfoSec, headhunters out there, MacDevOpsYVR is coming up and…

Tom Bridge:
Yes, we’re just a month away, you can still buy a ticket. I was going to say it’s still a great place to go meet all sorts of people on that cross-functional space and hang out with some great people in the meantime.

Charles Edge:
And a great place.

Tom Bridge:
So, buy a ticket, get on out to Vancouver, I was going to say, Vancouver’s an incredible city. I can recommend all of the ramen and that would be my recommendation, so…

Charles Edge:
I guess one more question and then a bonus question. So, for those who still have troubled waters, what are some of the things that you can think of that they can do to make a better environment with their CISO or InfoSec team?

TC Niedzialkowski:
That’s a really tough question to answer because I think we talked about it earlier, it depends. So, it depends on the culture of the organization, the team, the leadership, the people that you’re working with. And on the one hand, if someone’s in troubled waters and they’re doing all the right things, it might not be enough. And I think you don’t want to be unhappy in your job. And so, I think there’s a lot of people where either they work with a security team and essentially the security team doesn’t have any empathy and really makes their life hard for them, feels like they’re in an impossible situation.
On the other hand, there’s a lot of people that work in security where they feel like they’re not listened to in the organization, they’re not really… They have an opinion, but it might not be listened to essentially. And so, they don’t feel effective. And so, they’re asked to do the work, but nothing comes from the work that they do, or nothing comes from the recommendations that they give. And it’s not always an option for people to be able to say, “You know what? This isn’t making me happy. In fact, it’s making me very depressed and angry. I think I’d be a lot happier if I went somewhere else.” That’s not always an option for people.
So, what I would try to say is go back to the mission of the organization, go back to the values of the organization, really try to articulate what it is that you want to accomplish. So, if you see a risk in terms of, “Hey, this is a security risk, we’re not doing anything about it, and I think it’s bad.” Go back to the business impact, go back to the mission and the values of the organization. Or if you’re being told to do something by the security team and it’s just not something that you can do or doing this would have a drastic consequence, go back to the business impact, go back to how that impacts your customers or how it aligns with your organizational strategy.
We can do it, but we can’t execute on our roadmap for the next six months because we’re going to be busy building this thing for you. But I think that’s why it’s so important to have a collaborative environment, to have a mission-driven environment where you’re all on the same team and you understand how it is that your strategy or your high-priority objective relies on me doing something or not doing something or changing what I’m doing. Empathy and collaboration is really important to understand that impact.
And if you’re in troubled waters and you’re giving direct feedback to the person that you’re working with, you’ve told your manager, you’ve talked to the manager from the other team, maybe it’s even gotten to the executive level and you still feel like you are being ignored or not listened to, my heart goes out to you. But I think what I’d see a lot of times is that people don’t connect it to the business impact. And so, they might have a concern in terms of implementation, but they’re not able to articulate what the consequence is.
And so, I think that’s that, unfortunately, a lot of times communication skills do become very important when it comes to helping get business alignment. And so, maybe you can find someone that can help you articulate it. I don’t know if it’s putting it through ChatGPT, but maybe sitting down with someone and being able to write it down in a Google Doc, just, “Hey, here’s a concern, and here’s why, and here’s the impact, and here’s what I suggest and why I suggest what I suggest.” I think writing it down might be a way to deliver that feedback. Not only does it do a little bit of CYA in terms of if you are not listened to, but it can also maybe help you with the communication aspect and make it clear where it’s not coming across in meetings or in person.

Charles Edge:
Yeah. If I can connect two of your dots there. Sometimes you used the word priority and then you were dancing around feeling heard and seen and listened to. Sometimes we can hear someone, but we prioritize something we need over what they’re saying and to be able to communicate why, I think that’s where the mission and the vision and the values type of stuff comes in. And yeah, sometimes it goes up to the managers and then up to executives beyond that or what have you, according to the scale of the org. But I think sometimes just on a really personal level being like, “I totally hear you, but I got this other thing and I got to do the thing and that’s the way it is, and I’ll try to do that other thing next.” Or whatever, but…

TC Niedzialkowski:
It’s two ways, right? Because you’re sharing what you think is important, they’re sharing what they think is important, and sometimes what’s needed is to disagree and commit. I don’t agree that that takes priority over this, but let’s do it. Let’s get it done.

Marcus Ransom:
One of the things that I’ve seen create silos between the IT and security is the concept of accountability and responsibility. Where it’s very clear that you are responsible and accountable for something, misinterpreting that then means it’s your black box to be totally responsible for and missing out on the collaboration side, collaboration is not detrimental to responsibility and accountability. In fact, I’ve seen where there is a great collaboration, it makes it a lot easier to be responsible and accountable because you are then equipped with the right people to inform you on what to do and how to do it.
And I think that that comes back to what you were saying before about maturity where if people can understand the power of somebody else’s point of view or information or a different perspective on something, that makes it a lot easier for them to make decisions. The decision, as you were saying, may not be the one that everybody was hoping for, but at least it’s been considered. It’s something I see with endpoint security where the security team are responsible for endpoint security. They’re like, “Well, we’re making the decisions as to what goes on these devices and we’re not going to enter into you our build times and our application has now gone from five minutes to three weeks and we’re not able to update our software and we’re not able to do all of these things.”
Met with, “Well, we make the decisions here and this is what’s going on there.” And I’m sure people in slightly ineffective organizations see that in other areas as well.

TC Niedzialkowski:
Yeah, I think that’s why you need to be very clear on your success criteria. What is it that you want out of this product or service? What does a successful product or service look like? But then also if there are limitations of, “Hey, we want to make sure the build times, so one of the areas I’m familiar with in terms of a CI/CD pipeline, listen, we need this scan to finish in under 10 minutes if we’re going to have it run as part of the CI/CD pipeline.” So, use whatever tool you want, but it needs to finish in 10 minutes.
And if there is an impact in terms of, “I can’t provide this level of assurance,” let’s say that you can’t provide the level of assurance within 10 minutes, just really updating that from a risk register perspective. “Hey, we do this limited capability.” But then there’s one of the things I like about cybersecurity is you can get creative. There’s almost always another way to go about mitigating that risk. And so, when it comes to the solutioning, what are we going to do? You can have a nightly scan kickoff on a certain version and spend… This is more of a legacy issue in terms of application security where you would really need 12 hours for a scan to run.
But something that a lot of companies did was they just had a nightly scan that ran and then updated the results in the morning if they weren’t able to fit it within the pipeline.

Charles Edge:
That’s a great example. Well, thanks for going through all of these. Tom, we have a bonus question.

Tom Bridge:
Here at the Mac Admins Podcast, we want to say a special thank you to all of our Patreon backers. The following people are to be recognized for their incredible generosity, Stu Baku, thank you. Adam Selby, thank you. Nate Walck, thank you. Michael Tsai, thank you. Rick Goody, thank you. Mike Boylan, you know it, thank you. Melvin Vives, thank you. Bill Stites, thank you. Anoush d’Orville, thank you. Jeffrey Compton, M.Marsh, Stu McDonald, Hamlin Krewson, Adam Burg, thank you. A.J. Potrebka, thank you. James Stracey, Tim Perfitt of Two Canoes, thank you. Nate Cinal, Will O’Neal, Seb Nash, the folks at Command Control Power, Stephen Weinstein, Chad Swarthout, Daniel MacLaughlin, Justin Holt, Bill Smith, and Weldon Dodd, thank you all so much, and remember that you can back us if you just head on out to patreon.com/macadmpodcast. Thanks, everybody.
We’re big fans of the bonus question here on the pod. And so, you’ve opened the door a little bit when you mentioned ChatGPT and Copilot. So, low-code or no-code is one thing, but in what specific ways might AI impact InfoSec?

TC Niedzialkowski:
Yeah, it’s interesting because obviously we’re at a very important moment, a Cambrian explosion in terms of AI and those capabilities, and we’re playing with a lot of those tools at Nextdoor. Some of the examples that I’ve heard are, “Oh, we’re going to be getting these really super sophisticated phishing emails because of ChatGPT.” Yeah, I don’t think so. I think you already have a lot of very smart, motivated people that have a large corpus to draw from. And earlier we talked about, I think Charles, you were talking about your bank teaching you a bad pattern as far as where you put your 2FA code. We teach people a lot of bad patterns when it comes to email.
So, there’s not an area that I’m worried about right now when it comes to what we’re seeing with ChatGPT and generative AI from an information security perspective, I’m more concerned from a platform trust and safety perspective. So, things like the ability to generate tons of comments that look like it’s coming from real humans, from a misinformation, disinformation, abuse perspective. Just making it harder to sort out what’s legitimate, real content written by a human versus not. And what happens when threat actors, because in the space of misinformation, disinformation, we talked about state-sponsored threat actors for a Federal Reserve. There’s state-sponsored threat actors on social media platforms trying to influence elections.
And so, I think I’m actually more concerned over there. But at the same time, these tools, these large language models like ChatGPT, OpenAI, they also have tools that can be used for good in terms of doing things like content moderation, doing things like really analyzing, making decisions about content, moderating content, and then automating more of those practices. So, again, I don’t know if we’re at a Skynet point where it’s super smart and just ends up connecting a lot of things, but I think from a strategic national security level, that’s where a lot of governments are going in terms of… We’re going over to a totally different area here, but that’s where we already have systems where they can see anywhere in the world, they can touch you from anywhere in the world.
And if they can take in information from everywhere and make decisions instantly, what does that mean in terms of warfare capability perspective? So, I think if I was sitting over there, I’d be really worried about AI, but I’m not working in government war-time defense. But obviously, they’re investing a lot in it, and it’s a very important capability that they’re developing.

Charles Edge:
Yeah. How about you?

Tom Bridge:
I mean for me, the thing that I hope that we get out of this is actually not, I don’t think we’re going to see a proliferation in spam, I mean any more than we already have. But maybe it might be literate. And I mean, that’s been one of the biggest things that we can keep people off on is that like, “Hey, by the way, if there’s more than one typo.” If there’s a weird typo, if there is any number of malformations of the language which you speak, chances are that somebody in a mill someplace is writing that email badly. Now, I was going to say, it’s going to be harder to tell the difference now, although Charles is going to tell us in just a minute that he’s cracked it and that he’s now using generative models to predict things that have been created by AIs.
Because I mean, obviously that’s one of the other things that we’re seeing out there right now is detection of these large language model responses and things along those lines. And so, I think that it’s a phenomenally weird time to be alive friends. And I think that that’s the thing that I take away from all of this is that we honestly don’t have a good policy, a good pattern yet for understanding where we’re going with this, except to say it’s all going to be super interesting and super weird and super uncomfortable at times. But I think there’s going to be a lot more going on. Charles, tell me I’m wrong.

Charles Edge:
No, yeah, you’re never wrong, but-

Tom Bridge:
I’m wrong a lot.

Charles Edge:
Yeah, while you were talking, I had this visualization of you replying to the poorly written spam with corrections.

Tom Bridge:
Totally.

Charles Edge:
And then them deleting it because it got stuck in their spam filter. Yeah. I spent a large part of the flight on the way to and from MacAD.UK working on some code and then wrapping that code into some thoughts about detecting that kind of generative content from images to generative code. As an example, in my CI/CD pipeline, there’s now a script that detects if anyone else in my org is just blindly pasting generative code. I also started working on an Xcode plugin that would allow you to just highlight a function and then automatically write unit tests using Bard because it’s so much easier than pasting it into Bard and then pasting the unit test back into your code.
But if I were to think of the impact on InfoSec specifically, other than the accidental escape defect from auto-generated code or what have you, the maturity of fuzzing tools, the maturity of some of the, not fringy, but not entirely accessible tools, I would say, that you need to know how to write scripts to do some of the things that allow you to try to start pen testing, whether it is a white or a gray or whatever color hat you happen to be wearing. And if that becomes a bit more accessible because at that level you’re not trained to string together more complicated workflows that actually require programming knowledge.
At that level, you can say, “Oh, just crank me out a script. And if it runs, it runs, and if it doesn’t ask a different way.” If that makes sense. So, I think bringing some of the more complicated tools down to a wider audience who can start attacking you with them is really interesting and… Because the people writing those spam emails now, they can do a whole other skillset basically. So, as long as you can read the book about here are the valid attacks, and then you say, “Hey, can you write me this?” And I think a lot of the OpenAI as an example, or at least the Microsoft implementation, they spend a lot of time on that governance framework trying to keep people from doing dangerous things.
Having said that, if you just ask the question differently, sometimes you can make it give you the thing that it was trying to tell you no otherwise, like, “Hey, I’m trying-“

Marcus Ransom:
Just get a teenager to help you ask the question. They know how to get around pretty much everything.

Charles Edge:
Oh, they’ve got all the manipulative questions, don’t they, to get around.

Marcus Ransom:
Yeah.

Charles Edge:
Anyways, how about you, Marcus? You haven’t gone yet.

Marcus Ransom:
So, hearing people talking about how it’s going to replace and it’s going to put people out of jobs, one of the things that I keep focusing on is how awesome and unique the human mind is, and creativity and innovation comes out of people being able to see through all of the fog of everything else that’s around them. And looking at it that way of being able to lift people up so that you can use it to automate all of the day-to-day things, which then allows people to be able to spend more time looking for what comes next or what AI isn’t aware of. What AI is going to be aware of, thanks to the work that you’re doing.
And I’ve been looking at a lot of data sources at the moment. I’m literally the world’s worst Splunk admin trying to work out how to create those searches and queries, and just with one set of data, it’s hard enough. But then when you’re wanting to compare different indexes and different sources of data structured by different people in different ways, my brain just leaks out of my ears when I start looking at that. But just to be able to bark some orders into a tool and have it do all of the hard things, and then I can look at the results that come back and then make decisions from that.
But understanding that it’s automated data and you need to trust but verify, and the verification I feel is something that the creative human mind is going to be something that will not be able to be replaced. That and writing awesome TV shows and movies, which is also not going to be able to be replaced by AI.

Charles Edge:
No matter what the end of the strike reveals.

Marcus Ransom:
Exactly.

Charles Edge:
Yeah. Yeah. I would say I’ve tried to experiment with some of the… I mean, I think some of the images are pretty great, but the writing is by and large just entirely voiceless like, “Hey, write me a short story about insert thing here.” And you’re like, “Ugh.”

Tom Bridge:
And then this happened, and then that happened, and then this happened.

Charles Edge:
And it’s repetitive.

Tom Bridge:
And then this happened. It’s very, oh, yeah.

Charles Edge:
Yeah. But I don’t know, maybe it’ll get better, who knows?

Marcus Ransom:
But it’s the same with imagery as well. I think there’s maybe not repetitive, but by nature it is derivative. And what we’re not going to see is creativity; derivative has its place, I don’t know [inaudible 01:18:50].

Charles Edge:
Yeah, I’m really curious to see.

Marcus Ransom:
Where that place is, is up for debate.

Charles Edge:
Yeah. I am super interested to see winnowing algorithms. You can get to the point where you can derive where objects were generated from and copyright holders of those objects. And I haven’t gotten into image detection specifically, but I mean, I guess you could just say, “Tell me how many fingers the thing’s got.” If it’s greater or less than 10, it’s generative, right? But I would say if I were using a lot of that kind of content and I were a large organization who’s frequently sued because all large organizations are frequently sued, in my mind at least, then I might be like, “Until I understand the copyright implications of this…”
Because I mean, I remember living through the different licensing and open sources as they got released, and then all of a sudden, you’re like, “Oh, crap, I have to rewrite all this stuff because all this other stuff has to come out.” Or I have to pay licensing fees or what have you. So, I don’t know. I think at some point someone’s going to have some stuff that is like, “Oh, show me where these were generated from.” And then to see what the courts decide as far as copyright or music. To me, those are the two bigger fields in that regard. But yeah, now I’m just babbling. Sorry.

Tom Bridge:
TC, thank you so much for joining us today. It’s been such a pleasure to talk with you, especially bringing all of the knowledge that you’ve got as a CISO to bear for our audience. It’s just been so wonderful. Thank you so much.

TC Niedzialkowski:
Thank you. Thank you for having me.

Charles Edge:
Yeah, thank you.

Tom Bridge:
And if folks want to follow your work online, where should they go look?

TC Niedzialkowski:
Well, I’m on LinkedIn TC Niedzialkowski, probably the only one. And I do hang out on Mac Admins in the security channel. There’s so much going on, so I don’t follow all of it, but if you DM me, I’ll be sure to respond.

Tom Bridge:
Awesome. Thank you so much for joining us this week. Thanks so much to our great sponsors. That is Kandji and Kolide and Alectrona, and thanks, everybody. We’ll see you next time.

Charles Edge:
See you next time.

Marcus Ransom:
See you later.

Charles Edge:
James, you got to leave that one in.

Marcus Ransom:
Not sorry, James.

Tom Bridge:
Sorry. Not, sorry. Awesome.

James Smith:
The Mac Admins Podcast is a production of Mac Admins Podcast LLC. Our producer is Tom Bridge. Our sound editor and mixing engineer is James Smith. Our theme music was produced by Adam Kodiga, the first time he opened Garage Band. Sponsorship for the Mac Admins Podcast is provided by the MacAdmins.org Slack, where you can join thousands of Mac admins in a free Slack instance; visit macadmins.org.
And also, by Technolutionary LLC: technically, we can help. For more information about this podcast and other broadcasts like it, please visit podcast.macadmins.org. Since we’ve converted this podcast to APFS, the funny metadata joke is at the end.

Sponsors:

With Alectrona Patch you can install and update over 300 Mac applications automatically to keep your users protected with the latest security updates. Alectrona is a proud Sponsor of the MacAdmins Podcast and MacAdmins Foundation. Check out Alectrona Patch at alectrona.com/patch to learn more and to book a demo with our team.

Patreon Sponsors:

The Mac Admins Podcast has launched a Patreon Campaign! Our named patrons this month include:

Rick Goody, Mike Boylan, Melvin Vives, William (Bill) Stites, Anoush d’Orville, Jeffrey Compton, M.Marsh, Hamlin Krewson, Adam Burg, A.J. Potrebka, James Stracey, Timothy Perfitt, Nate Cinal, William O’Neal, Sebastian Nash, Command Control Power, Stephen Weinstein, Chad Swarthout, Daniel MacLaughlin, Justin Holt, William Smith, and Weldon Dodd

Mac Admins Podcast Community Calendar, Sponsored by Watchman Monitoring

Conferences
Event Name | Location | Dates | Format | Cost
XWorld | Melbourne, AUS | 30-31 March 2023 | TBA | TBA

Upcoming Meetups
Event Name | Location | Dates | Cost
Houston Apple Admins | Saint Arnold Brewing Company | 5:30pm 4th March 2024 | Free

Recurring Meetups
Event Name | Location | Dates | Cost
London Apple Admins Pub | Online weekly (see #laa-pub in MacAdmins Slack for connection details), sometimes in-person | Most Thursdays at 17:00 BST (UTC+1), 19:00 BST when in-person | Free
#ANZMac Channel Happy Hour | Online (see #anzmac in MacAdmins Slack for connection details) | Thursdays 5 p.m. AEST | Free
#cascadia Channel Happy Hour | Online (see #cascadia channel in Mac Admins Slack) | Thursdays 4 p.m. PT (US) | Free

If you’re interested in sponsoring the Mac Admins Podcast, please email sponsor@macadminspodcast.com for more information.

Social Media:

Get the latest about the Mac Admins Podcast, follow us on Twitter! We’re @MacAdmPodcast!
