Offensive Cybersecurity Strategies with Bryson Bort

Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:22  

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels  0:36  

Hi, I’m Justin Daniels. I am a shareholder and corporate m&a and tech transaction lawyer at the law firm Baker Donelson advising companies.

Jodi Daniels  0:45  

Basil would really like to join your intro, I’m used to it. he outranks me.

Justin Daniels  0:50  

That’s advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help companies make informed business decisions while managing data privacy and cybersecurity risk. And when needed, I lead the legal cyber data breach response brigade.

Jodi Daniels  1:07  

And if anyone is listening, and this is your first episode, you might be wondering who is Basil? So Basil needs an introduction. Basil is the large fluffy dog that sometimes likes to join our podcasts. Okay, back to our regular program. This episode is brought to you by — hello, what are you doing? That doesn’t work. Oh my goodness, Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, ecommerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, and to check out our best selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. Well, today is kind of fun. Everyone who is listening is going to need to go to the internet and actually go pull up the video. And why do they need to do that justice?

Justin Daniels  2:10  

Because all of us, including our guest, are wearing a festive festival hat.

Jodi Daniels  2:16  

Indeed we are what kind of hat do you have on Justin?

Justin Daniels  2:19  

I have my pirate hat that one of my clients who was on the show Charlotte Baker gave me that was handmade and completely awesome. And what do I have on my head? I’m not entirely sure.

Jodi Daniels  2:31  

I went shopping in my daughter’s headband collection. And so mine is a blue headband with I don’t know like pointy metal ever even do what these funny things are called boing, boing, the things that are funny on the top of my head. And so you’re going to introduce our guests and then he can explain what he’s wearing on his head.

Justin Daniels  2:52  

I think so. So let’s introduce today’s guest who is Bryson Bort who is the founder of SCYTHE a threat emulation platform, RIM a cybersecurity consultant, see, co-founder of ICS village, a 501c3 for industrial control security systems. He’s also a Senior Technical Advisor at ISP recognized as a top 50 in cyber by Business Insider and sans difference maker awards Innovator of the Year. Mr. Bryson, how are you in? Let’s talk about that hat of yours.

Bryson Bort  3:30  

For those of you who cannot see, I am a unicorn.

Jodi Daniels  3:35  

And why are you a unicorn?

Bryson Bort  3:38  

This is where we get into the whole life story and what series of mistakes led me to both being a unicorn and being on this webcast.

Jodi Daniels  3:46  

All right, well, just to dive right on in. As you know, we always start every episode trying to understand people’s career evolution. So please do share your career journey and unicorn hats.

Bryson Bort  4:02  

Yeah, I’ve never thought about calling it as a hat but I suppose that is key.

Jodi Daniels  4:05  

A unicorn headwear? Yes, it does look like I’m trying to think I feel like I’m a Wizard of Oz like the little boy do you think oh, munchkins. I feel like I’m wearing a little munchkin hat. That’s what it feels like on my head. When I call you. Oh, no, no, you cannot. Okay, but it’s back to Bryson.

Bryson Bort  4:26  

And on that note, I do not just have the unicorn headband. I actually have a number of hoodies in different colors based on what I’m speaking about that I had custom tailored. So I have white, black, red, blue and purple depending on what I’m discussing. So it’s not just headwear.

Jodi Daniels  4:42  

I look forward to hearing more about this because purple is my favorite color. And I’d like to know when the purple line gets pulled out.

Bryson Bort  4:50  

So yeah, I was an Army officer as you can clearly tell. And I was medically discharged during the war as a captain and I got hurt. I wandered the world for a little bit. And then I got recruited into the intelligence community. I helped build a number of teams in the counterterrorism mission, which is where I got the nickname Grimm. And in January 2013, is when I created the consultancy GRIMM because Grimm sounded like a lot cooler name than Bryon’s consultancy that sounded kind of dorky, but Grimm was cool. And I also discovered that the logo was actually like a Rorschach test because folks that were interested in working with us, which was a very niche offensive consultancy. They got the humor, and this matched on this was actually a collaboration I did with a graphic artist from the video game company, Blizzard. And in 2016, Target, whom you’ve all known in shop that I always love the story of Target, because the breach in 2013 changed the industry’s approach to cybersecurity after that it was okay, well, well, we need to do a lot more than nerds need a blank budget in some cases to solve real problems and inherent risk. And that’s where I’d like to point out the Cambrian explosion of investment happened and why we see all the different approaches and solutions in the market. Where I come into the story is in 2016, Target came to me and asked me to build them a one off tool to test their defenses. I was all surprised and I was surprised there wasn’t anything on the market that could do that. So I came back to them with the idea of well, what if I could build you a platform of unlimited, you could you could emulate you could simulate any kind of adversarial payload or behavior, right, you want to be the GRU, you’re the GRU you want to be that particular Chinese PLA unit, you’re like that you want to be Bulgaria and ransomware, you can do that too. They thought that was great. I thought that was great. And I asked keep the intellectual property. And then I spent two years co developing it with them. And so my idea at the time was we call it project crossbow, which is a play off of Target. And the idea was that we would have Granby people, and safe be the tool. And so when I realized I needed help, and I brought in Ron Gula from Tenable and to be true a pair of boots from CrowdStrike on my board to spin out cipher into the market. I wanted to replicate this success of the logo. Because this was such a memorable logo. It’s really a textbook example of how to create something that sticks in the mind. We used to do an annual t-shirt contest at DEFCON, which is the largest hacking conference in the world. And I came up with the idea in 2017 of a little cartoon Grim Reaper riding a unicorn. I just thought that juxtaposition was really, really funny. And the designers blew up. So I’m sitting there, I’m thinking, Well, how do I recreate the magic of grim, I can’t do anything with the gram because that’s brand confusion. And a scythe is boring, it’s just a piece of wood and metal. People are into these unicorns. And this was before, I think what the current trend with unicorns was because this was this is, you know, six, seven years ago. And so I came up with that as our logo, which is the site with the unicorn. The philosophy, I call it as a Disney villain. adults get the joke, kids think it’s cute. And we do in fact, two coloring books. So those are really popular. If you’re gonna be at RSA, we will have coloring books if you’re interested. So where does that transcend into me becoming the unicorn? Until I decided to launch the product company. I was not a public speaker. And I realized it’s easier to sell a product when the first question is, who are you? So I set out to actually go and become known as well as I wanted to drive a lot of the gaps I saw in the way that we looked at risk assessments in the industry. Because my view six, seven years ago was we were going down a wrong path with a lot of nerd driven thinking of let’s do something that’s cool. Not necessarily what does an organization or business need to fill in its gaps. And so the first time I actually dressed in costume, which Justin, I think you’ll appreciate, was a military keynote. So I was the day two keynote day one was an admiral. And they said, it’s gonna be the next day, it’s the morning people are going to need to be woken up, come up with something different. I have a lot of bespoke suits. I actually dressed very nicely when I’m not in my unicorn garb. And so I came out and a tailored black wool suit, black shirt, black silk tie, red pocket square, I had these really nice black and red Italian leather shoes, and wearing devil horns. And so what happened is they they announced me up on stage and I’m not up on stage. And it was like looking around confused. And I start walking from the back of the audience with “I remember when I woke up 6,000 years ago in Syria,” and I use that as an entire metaphor, visual metaphor for the threat. And what I learned from that talk was, people were so terrified or confused. Both work. Nobody looked away from me for the entire talk. I’m used to go into these talks and you see people they’re looking at their phones. They’re like playing around, they’re doing other stuff. Everybody was either scared or confused to look away for the entire talk. And I of course, was completely terrified that I was going to look like an idiot. But it worked. And so after that, I slowly started stepping into different versions of the unicorn and a very slow testing the water kind of the way. And now I fully embraced it. And it is a full alter ego that I use for great effects. One of the benefits I found, so it was, I can talk about some very complicated things. And because I look a little silly as a grown man and a unicorn, it makes it a lot easier to digest.

Jodi Daniels  10:40  

What an incredibly unique story, I’ve learned so many tips, and I love public speaking, and you can always learn something. And this is not going to be just an episode on great security, but also how to connect with people where they will really pay attention. And what a fascinating story.

Justin Daniels  10:59  

Yes, that’s how I met Bryson. I was at a thing where I was speaking, right? Yes, after he went up, I went up in full pirate regalia, which people didn’t expect the next day. But I really enjoyed his presentation. Because this guy’s up there and a unicorn. He’s like talking about all this cool stuff. I was, had to go learn more. Good. Yes. All right. Now we’re gonna talk a little bit about security. That’s why most of our listeners listen in. So Bryson, can you talk a little bit more about what problems Scythe is really designed to solve?

Bryson Bort  11:35  

Sure. Lots of problems, right, the fun part about the space and this was a joke, we all have unlimited job security if security is not solved. It’s one of the few disciplines where we can look at and there is no quantitative mathematical proof that you are here. We draw lines in the sand, which is whatever our attempts are at people processes technology to defend ourselves to assure our business, something happens. Most of those most of that line gets wiped away. And we’re like, okay, reset. And that was where I know, there’s a follow on question, where did I learn from the military? My time the intelligence community, it never really occurred to me, we always won. Whenever Target we wanted access to, we eventually got access. And I think this is really a learning point for the commercial side, which is, we get too caught into nerd solutions for nerve problems. And we forget, there’s all of these other ways that are not technical, to help be a part of the attack sequence, to break in to do whatever and to accomplish the objectives. And so that’s a lot of where the stuff misses. And so that in summary, means security is defined by the threat, some malicious actor with capability and motive and malice wants to do something to you, what actually would happen. And that’s what the SCYTHE tool does is we allow you to safely do in your production environment, that realistic signal, you think of security as a data science, instead of constantly trying to figure out all the things that you can control, figure out the edges where they’re doing their things. And then from there, build that build off of that you can really build up your protection, detection and response. And so that’s what our tool does.

Jodi Daniels  13:17  

Bryson, you shared that you always won in the military, and you found the points of information to help you do that. Can you share a little bit more about that approach and how it ties to cybersecurity?

Bryson Bort  13:39  

Yeah, I mean, how I ended up breaking it down. So I call this the BAM model Bryson’s Attack Model. So you’ve heard of the Lockheed Martin kill chain, the de rigueur today is mitre attack framework, which is a great vernacular for describing an attack. Although this framework is often abused, because it’s so easy to look at a bunch of boxes and go, let’s play bingo, which is one of my famous quotes: don’t play bingo with mitre attack. So here’s the Bryson attack model. And I break it down into three simple phases. And it ties to something we can understand in our real life, which is, we all live in homes. What would a thief do to break into a smell first, they would try to case the neighborhood to decide which home looks like the best one to break into. Then once they decide, Oh, I like that car. They look like they’re rich. That’s a good pay day. I’m going to study that house. This is building the target package. This is reconnaissance. So I build my target package, how am I going to break into what am I going to break into then the break in and this is where we psychologically as industry are really held up in trying to build higher walls or one of my jokes is, you know what CISO wouldn’t want a shark with laser beams because it’s they read about it in the back of an airplane magazine. And the reality is you can’t keep them out. But psychologically that’s hard to accept. Why wouldn’t I want to continue to spend as much as possible on preventing a breach and the reality is I described earlier, there’s just so many ways in. And the easiest is always through the front door. It’s what email does. That’s what phishing and business email compromised, it’s so successful, because it’s just using a system the way it was designed. The part where you have control is what matters. And this is one of the things you really learned in the military is, Where can I establish control? And I know I have control here, if nothing else, if you’re going to try to do something, you have to contest me, right? We’re gonna we’re gonna have a fight. And so that’s the key in cybersecurity, as well as where can I establish that controls where I know I have a fight. And the reality is, you can do that in the post access space. Back to the thief metaphor, the initial axis is I pick the lock, the door opens, I haven’t done anything to you yet. When I come through the door, that’s when you care, that’s when you want to be able to do something. And now back to the cybersecurity realm. I’m only acting on the computers you have talking the way that they talk that you’ve defined, doing certain things that I want to do. It’s not an unlimited number of things that’s controlled from a defender perspective, if you start to bring visibility, through continuous process improvement and exposure by conducting these assessments in scope. Does that make sense?

Jodi Daniels  16:15  

It does make sense. House analogy? I use that house analogy actually a lot. My analogy, do I’m sorry. So how do you use it? Well, so one of the things, especially from a privacy perspective, I think applies to both. But if you’re a bad person, and you show up at two different homes, one has the big alarm sign that’s there, the other house does not one looks harder to get into one does it which 1 a.m. I going to go to so that’s kind of a simple security one, from a privacy perspective, we want to make sure everyone listening has probably seen those cookie consent banners all over the place, and privacy and security pages, especially if you’re in the tech industry, or the kind of data that you might be collecting. If your customers might question What are you doing with it, the more than you can show that you care about it with language, and it’s clearly articulated from the outside that looks like it’s, it’s well designed. From a home perspective, if you’re putting your house on the market, you probably would want to spruce up the outside, you’re going to plant flowers, paint the front door and make sure it looks nice. Now, you also should have the inside look really well. But from the first glance, you can only see the outside. If your outside exterior looks terrible. I’m going to pass right over your house. If your outside looks terrible from a privacy and security perspective, then I might think you don’t take it seriously enough to have it well designed and communicated here or you can’t even comply yourself with these privacy laws and requirements. Why do we think you’re going to protect my data?

Justin Daniels  18:03  

I like the castle for defense in depth, but I’m listening to what you guys are saying. So. Um, so Bryson, as you alluded to, you know, you have a very pronounced military background. And you know, the Israelis have unit 8200. Obviously, the United States has a robust cybersecurity arm. Can you talk a little bit to our audience and share about how a military background in particular changes how you might approach cyber scourge just in listening, you talking about reclaiming a house and getting through the door? I can tell you just have a different perspective. Could you elaborate a little bit more on that? It’s really interesting.

Bryson Bort  18:41  

I’m sure and I’m gonna also defer to you helping me do that because I’m so inculcated in it, I don’t think about how I think is different. So please, please feel free to help me help pull it out. But we talk about the cybersecurity skills shortage. So I’m going to talk high-level. And I don’t know that I necessarily agree with the numbers that get bandied around. But I don’t think there’s any question we have negative unemployment in the space. And the greatest skilled folks that are put into this pipeline every year come from government in the military, because there’s just so much demand in such a consolidated way. And both the governor the military really go out of the way to spend a lot on training. So you know, you’re getting folks of a certain ilk. And I think that’s where we see a lot of the blended what I would call the militarization in process and verbiage that we see the vernacular that we see in cybersecurity because of that crossover and so much of a mass in it. And then I guess the final pieces, as you noted, is, I have a very objective, attack oriented mindset and how I look at things because that was my job before is everything that I was given was a mission to go into the real world with an adversary or adversaries and accomplish that. issue. And so it’s naturally the way I think. And until you noted it, I never really considered that as different. It’s just always the way I’ve been trained since I went to West Point.

Jodi Daniels  20:09  

Speaking of training. Do you feel that there is a gap in kind of regular corporate training to maintain all those skills? And is there anything that you think companies on the forefront from a training perspective are doing really well that we could share and help? No pun intended, educate the rest of us who might need to learn some of those other training ideas?

Bryson Bort  20:36  

Yeah, I’m gonna be a little counterintuitive, contrarian with my response. I don’t think the amount of money and time we’re pouring into harassing employees to be smart about cybersecurity is the right return on investment. If you think about it, when’s the last time you went through one of these mandatory 30 to 60 day — sorry, 30 to 60 minute annual training, right? You just, you just get through it, you ignore it. It’s so boring, it’s not interesting. And I think that really speaks to the best security that I see as a process. Compliance is an existential foundation. Security is the process that we’re doing on it. So what could be that process to be more engaging, more educational, and more a part of their life? I think that’s a security champions program. First of all, it means security is not the isolated culture of No, we’re not those folks who come in afterward are like, Why didn’t you think of asking this beforehand? Well, let’s try to be more organic and so at a Champions program is doing is what it sounds like, let’s get champions from other functions who want to voluntarily participate in getting extra training and attention with us. And they’ve already nominated themselves for it. So extra training is something they’re gonna be interested in, you’re going to be giving them more than the 30-60 minute boring training is one of the things I like to point out with purple team exercises, which is the collaborative milestone driven emulation exercises. So we plan, we execute, we fix everything in a very open, collaborative manner. With that signal being actual threat procedures that we do. Well, why don’t we invite our champions to be a part of those things, what better way to learn than to actually see how our company catches, responds and does things to a true threat. And this doesn’t need to be a week-long exercise, that kind of thing you can do in two to four hours with some free pizza. And now what you have is you have these champions who now exist in your culture, who are there to represent on behalf of you and write answer questions and help funnel requirements to any of those things that they’re seeing. And it becomes a much more organic process. Again, security is a process versus Hey, the checklist approach if you did 30 minutes of training.

Jodi Daniels  22:43  

I like security champions, I like privacy champions, maybe the privacy and security champions can work together.

Bryson Bort  22:48  

Exactly. That would be a great use of the champions approach for the data privacy.

Jodi Daniels  22:53  

There you go. Justin, go ahead. What are your favorite race? Yeah.

Justin Daniels  22:56  

So I like to say in the technology world, privacy and cybersecurity are the peanut butter and jelly of the technology.

Bryson Bort  23:04  

Actually giving an additional throw out on data? Have you heard of the concept of data care from the Gulas?

Jodi Daniels  23:11  

I am not as familiar with that.

Bryson Bort  23:14  

So Ron, and Cindy Gula, from Tenable fame, they kept looking at the problem of how do we get a broader societal interest in cybersecurity. And the idea they came up with is everybody has data, we individually have some understanding of data. And so it’s not a question of cybersecurity. It’s so much it’s a question of data care. And that the idea being is that something you as an individual would care to buy into? And so that’s been an initiative that they’ve been advocating?

Jodi Daniels  23:42  

Good to know. Thank you for sharing.

Justin Daniels  23:45  

So one of the things I wanted to specifically kind of talk about Bryson is, you mentioned Target as being a real inflection point for the industry. And so one of the macro trends I’ve seen over the last 10 years is we’re seeing increased both privacy and cybersecurity regulation. And I was just interested in getting your thoughts around how you think maybe the new SEC cyber rule might start impacting privately held companies around their cyber hygiene and treating it more like a business risk instead of I’ll get around to this one, I might lose a deal.

Bryson Bort  24:23  

Yeah, I think that is a growing question. The government is coming, and more government is coming. And to me the risk whether you are public or private, is the conflicting standards and requests. The second problem that I see is the SEC, New York Department of Financial Services regulations, which affects a lot of posts because so much business is done out in New York. You now have Circassia, which is out for draft commentary from the Department of Homeland Security, cybersecurity, infrastructure security agency. And all of these are putting very tight deadlines on folks for things I mean, TSA security directive 02, which said, You need to report if it affects you within 12 hours. And the problem you have now is whether it’s 12 hours or sec nydfs or Sissa, which is 72 to 96 hours. What can I really know within that time period? And how do I do that without getting punished? Because there’s this balance of Yeah, I told you something, but I’m still going through incident response. I’m in a high stress situation, I’m concerned about business operations. And somebody is actively doing something in my environment. And that’s, again, an area where cybersecurity is so unique. We are so used to we already have a history of business continuity planning and disaster recovery as organizations against hurricanes and bad weather. But whatever happens there is, you know, it’s called acts of God as we put it into contracts. Well, in this case, you have a sentient malicious actor, not only are they thinking and going through their own OODA loop of what do I see, what do I adjust, they’re also trying to get into your OODA and communications loop so they can even get inside your thinking to get to change before you even make an action just because they can see what you’re thinking is. That’s a really hard problem. Right? That’s a hard problem. And so now I’ve got these different requirements, I’m trying to put stuff out there, and at the same time, fight a fire inside my organization, where I’m learning as I go. So I think it’s putting companies in a difficult position. The final thing I’ll say on that is the theory. And I say theory, because even though they’ve said that this is what they want to do things change is that government is collecting this data to have better data informed regulation coming, because most of it right now is just collection, there’s not a regulatory components, for the most part, there’s no penalty unless you really are violating materiality in what you’re talking about. And so the hope is that that leads to smarter regulation. But I’m going to remain skeptical until I see the smarter regulation.

Justin Daniels  27:05  

Bryson, and I had another follow up based on what you were saying. And I’m just curious for your opinion, I see a lot of heated debates in different cyber circles about what you think would happen if the government just said, You know what, we’re gonna simply outlaw paying a ransom if your network is encrypted, I’d love for you just to share what your reaction is to that idea.

Bryson Bort  27:31  

Yeah, so this debate has been the fact that clearly ransomware and cryptocurrency are tied together, and thereby banning the cryptocurrency component, we miraculously make ransomware less. It sounds good. I’m not sure that’s true. And the reason I say that is, if you look at the ultimate motives behind the ransomware ecosystem, which I believe are primarily state sponsored and state supported, the money part just helps sort of fund the ecosystem for the action. It’s like getting free Intel in military action without having to pay for it because it kind of works itself out with a criminal element. I think that the money would shift some, but it wouldn’t actually lessen very much. So that ecosystem would still continue. And I think we’re also removing some sense of agency from individual companies that have to really deal with what the situation is from their own perspective. So I think it’s a little heavy handed and at the end of the day, I don’t think it accomplishes what we would hope it would accomplish, more than happy to see it, try to work. And I would love for it to work because it goes back to the talk that Chris Krebs when he was director of CSUN. I gave it RSA and 2020, when we call this scourge coming. I hate to say we were right. And I fear that that’s not going to be such a simple fix that a lot of folks like to have a beer and talk around a happy hour be like, well, that’s how we solve this, you know, monumental ecosystem or policy challenge.

Jodi Daniels  29:05  

I know you have a lot of action items for companies to take to try and deal with everything we’ve been talking about if you could pick one or two of the ones that someone listening here should make sure that they’re working with their teams on what might that be?

Bryson Bort  29:24  

Do purple team exercises, do purple team exercises. So much of where I see people holding off on trying to do those is because they’re like, well, that’s extra work. We’re trying to install this. We’re trying to install that advantage of a purple team exercises, whatever change you’re trying to implement whatever isn’t working or is working. It lets you see that and you learn that and so if you’re installing something, it’s the process to really operationally qualify that level. There’s a level of assurance of what it’s going to do or not going to do. And so that is just fantastic process. Most people get concerned about that, because like, I don’t know how to do that, we created a free purple team exercise framework. If you go out to GitHub, search, Purple team exercise framework. And it’s not just my company, we had a number of folks from the community create that. That’s the process. If you’re going I don’t know how to do threat intelligence to do that. Not a problem. There’s free threat intelligence, go to mitre attacks page, there’s a group section, do a text search on that web page for your industry. And it will list every campaign actor tools and exactly what they did pre threat intelligence, then the last question is, well, how do I actually do offensive stuff? That sounds really complicated and scary, there is a free tool for that to atomic red team by red Canary, all three things. How to do the process, how to get intelligence, how to use that intelligence to drive actual procedures in your environment are all available for free. Once you got that, under your hood, you’re going to have a fifth and asterisk process for again, training, educating, validating, building, tuning, improving, and again, in this environment where we don’t just get free budgets to keep growing each year security. You can also rationalize things because you can show that they aren’t working. That’s what I would recommend to everybody.

Jodi Daniels  31:11  

Those are really good. tools that are available, we’ll make sure that they’re free is always the best price, free is always good. Everyone likes free.

Justin Daniels  31:17  

Bryson, when you’re not thinking about purple, teaming, unicorns and your public speaking, what do you like to do for fun?

Bryson Bort  31:32  

Oh, well, I joke people have hobbies, my hobbies, my nonprofit, the ICS Village, we have our own policy conference, the seventh annual one called Hack the Capitol coming up in May. It’s three days back on the training question. We got a philanthropic grant from the gula foundation last year to build out hands-on industrial control system training, going to the fact that we don’t think folks need a degree, this could be an apprenticeship or a trade. We’re actually building that. And we’re going to be debuting that on the 29th of May. And then two days of policy conference. We already have Jenny easterly from Sisa committed, she’s gonna be doing a recording because she’s out of the country. And then representative Bradford stead from Minnesota is going to be in person and speaking. And we’ll be updating you with more VIPs and our schedule as that comes. So that’s mostly what my hobby is. I did during COVID. Since I couldn’t travel so much. I did launch a cooking show for three years called Unicorn Chef. We raised over $40,000 for charity and published about 160 episodes and recipes with folks throughout the industry. So we’d love to have the time to get to do some more of that.

Jodi Daniels  32:42  

Did you have a favorite recipe?

Bryson Bort  32:45  

Um, I’d say my favorite episode is actually the first one with Chris Krebs. He is the director of Sisa at the time of this episode, and what made it so funny is clearly Chris liked to cook and so he wanted to show off. And so he kind of tried to do too much at once. And so you just watch an hour of this guy who is a very senior person in government, trying to keep it together as he tried to bite off more than he could chew. No pun intended. In the episodes. That’s my favorite episode.

Jodi Daniels  33:17  

Okay, um —

Bryson Bort  33:19  

The oyster crisps I thought were really delicious as well, which he taught in that episode.

Jodi Daniels  33:24  

All right. And if people want to connect, where should they go? Or what are you me? We’re gonna let them wasters online.

Bryson Bort  33:34  

You google Bryson Bort, you’ll find everything. I’m pretty well known and I’m everywhere.

Jodi Daniels  33:38  

Okay, well, Bryson, thank you so much. This has been one of the most fun episodes. I love the hat.

Bryson Bort  33:43  

Do it I can’t.

Jodi Daniels  33:48  

Thank you so very much.

Outro  33:54  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.