E.36 - Don Cox: The Risk Lens

AlchemistX: Innovators Inside

Published on June 24, 2022

"I've always found that being reactive is so much harder than being proactive." - Don Cox

Show Notes

Rachel Chalmers:

I'm so happy today to welcome Don Cox to the show. Don started out in the US Army before becoming a police detective specializing in fraud and computer crimes. He's been a special agent for the US Secret Service and an IT program director for the US Department of State. Most recently, he has been chief information officer for Nova Corporation, a Navajo Nation-owned firm that provides IT to federal agencies, and for the Substance Abuse and Mental Health Services Administration. And he was Chief Information Security Officer for Mednax, a national medical group, and he has worked with American Public Education, Inc., a provider of higher education. Don has been named one of the top 100 health care leaders and top 29 CISOs by the peer list community. He has a master's in science and an MBA from the University of Maryland Global College. Don, thanks so much for taking the time to talk to us today.

Don Cox:

Yeah, thank you for inviting me. Looking forward to it.

Rachel Chalmers:

You must have so many stories to tell, but if I had to pick one to ask about, it would be this: Was there a single incident or event that led you to choose cybersecurity as a career? When did you first realize its potential for good and for harm?

Don Cox:

So actually it chose me. I haven't traveled the most traditional path to get into IT. And even since I've been in IT, my path hasn't been traditional, especially towards the cybersecurity side of things. And just a short story there: I was a police officer in Montgomery County, Maryland, I was (and this will get into a later story) but didn't do so well in high school. So I had to go into the army and then the army paid for my college and I took some night courses. And over time I saw that even though my degree was in criminal justice, I saw the coming of technology and I thought it was exciting. So I decided to take some classes in web design and development. And so one day I'm injured as a police officer and I wasn't going to be on the road for three months. Rather than letting me sit at home for three months and collect a paycheck, they wanted me to do something else. And they found out about my IT background and put me in the fraud and computer crimes unit. I did so well in there – the three months I was in there, they decided to make it permanent and move me into that group. And once I got in there, it was the law enforcement that I had never known existed. It was using technology to help chase criminals to prevent crimes. In some sense, when you start getting into the child abductions and the online social media and so it really chose me. But I've never looked back and said I would have done something differently from that perspective.

Rachel Chalmers:

Was there a moment that opened your eyes to the potential of it for these kinds of preventative and proactive services?

Don Cox:

Oh, absolutely. As an investigator, you're the person or the group that businesses call and people call when they've been victimized by somebody online or their child comes up missing or just any scenario where technology has evolved, where detectives are trying to solve who committed this crime. Bomb threats or email threats or what have you. And then to be able to prove it in court as well as to use it for intelligence purposes. So it was kind of then when I… and this I'm in the very beginning of when technology started to become used by law enforcement in the mainstream, it's probably always been used by government agencies and other entities. But you know, we're talking back in the mid to late nineties as I started in 1999 and you started seeing how technology, how seizing a computer out of a criminal's house or taking their PDA or their iPhone gave you an insight into everything that they did, who they talked to and why they talked to them. And then later on, when I actually [joined] government agencies, I've worked for seven over the course of a period of time working with the Immigration and Customs Enforcement and being able to take people's information at the border because of some legal law, some law that was in place. You're able to start picking out who people are talking to, where they're going, what they're doing. So, there's a lot of different scenarios that I've come across that led me to believe that on the one side, it's great to help prevent crime or to arrest people that have committed crimes. On the other side, though, I've seen the dangers that can come from it if all of this information is put in the hands of people that aren't ethical and are using it for other purposes.

Rachel Chalmers:

Yeah. We recently had a very high profile case in Australia where a woman's personal details, which had been divulged to the police, were shared with her violently abusive ex-partner. And this has been something I've been involved with for a number of years. I was on the executive board of a group supporting women in technology right at the time that Gamergate exploded and Zoe Quinn became the center of that storm. And so we had a sideline in helping women lock down the laptop and their phone after they had escaped from an abusive relationship. Or if they were targeted by harassers through Gamergate. And we would find ourselves talking to local police who just had no idea of the scale of the problem. So it's fascinating that you were working on the other side trying to educate people as well.

Don Cox:

Yeah. Speaking of that, and I hope this isn't a derogatory term, but when I was learning computer forensics, there was a group called the International Association of Computer Investigative Specialists. And we had people from all around the world come and teach the classes. So people from England, people from Germany, we even had Australians and we refer to them as our Aussie friends. They were so cool. But yeah, they would come to the US and it was two weeks of intensive training. So I actually haven't talked to them in such a long time. But I have some friends that were Australian police or law enforcement. They would do criminal investigations. They were a blast. I loved listening, just listening to their classes.

Rachel Chalmers:

It was challenging, though, in the early days of Gamergate to impress on police the seriousness of the online harassment that some folks were facing. They thought it wasn't a real world issue, but we had people having to leave their houses. And I think that's become more apparent over the last few years. But have you seen that trajectory among law enforcement of having to accept that what happens online is actually real?

Don Cox:

That's depending on the location, right? So when you're talking about the bigger cities, they see more of it. And they have people that are more equipped to train and handle it and they have more resources to deal with it. So in the cities, you'll see it adopted and most things adopted more often. Like human trafficking. I know in 1998/99, I'm sitting in a class and I'm kind of like, “You know, we're in Montgomery County, Maryland, just outside of Washington, D.C. We don't have human trafficking.” Two weeks later, we stopped our first truck in the middle of downtown and we have human trafficking. It was an eye opener. 
So the same thing, you know, talking about stories. I had a lady… and I used to teach classes to parents. The PTA would ask me to come out and provide classes to parents on how you can protect your kids or how can you find out what your kids are doing? I mean, I used to go to the elementary school, six grades in middle school, just to see what the kids were doing, because they're the ones that I need to learn from. I need to learn what they're doing online and how they're doing it so I can help protect them or how I can talk to their parents. And I'm seeing kids hacking into the school grades. I'm seeing kids online. Well, you know, this one young person… her mom was doing everything right with AOL's online security, which was a really good product back in the 1990s and 2000, probably one of the best.
And unfortunately, this young lady was going through her friend's house and using her friend's computer to talk to an online predator. You know, she meets this person. Next thing you know, she's out in the state of Washington from Washington, D.C. and it was only because the people on the other side were like, she got introduced as his girlfriend. They're like, “She looks 16.” And so they looked online to missing kids and that resulted in a call. And luckily the family was concerned about it. But I'd say Montgomery County Police, their groups that they have there that deal with youth. They've been actively online with the state police and all the other groups within the United States and probably overseas through Interpol, trying to thwart these crimes that occur online against children on social media. When it comes to adults and harassment and, you know, there's a lot of famous ones out there now. I think it really is just what laws are on the books and what you can enforce that limits what police will get involved with and do. So a threat is a threat, but unless you can act upon the threat, it's really not a crime. So that's, I think, where the laws haven't caught up with technology. You probably hear that a lot: The laws have not caught up with technology.

Rachel Chalmers:

Yeah, it takes a little time. So from the police, you moved into these federal agencies. Tell us about that part of your career. What was that like?

Don Cox:

Yeah. So again, it chose me; I didn't choose it, but, you know, value for it. So as a result of one of the things that happened, as a police officer, I had to have surgery which resulted in the police department retiring me. And it just so happened that through that international association that I had made some friends that had some government contracts. So I jumped from the police department directly into a role supporting the government (It happened to be the State Department) in helping them to use technology to prevent passport fraud, to help look for a whole other host of things – financial crimes.
In 2005, I had gone back to college in order to get a master's degree. I knew that if I was going to testify in court, it's a combination of training, education, certifications, experience that allows you to testify on a witness stand as an expert witness. So you can give your opinions. You can give all those kinds of things, which helps in the types of criminal investigations that I was involved in. So over the course of six years, I had over 300 investigations that I was responsible for – Small units, you had to do a lot. And it was murders, rapes, robberies, car theft. I mean, it was a whole host of things, you know. And to that end, a lot of it was innovating. Nothing existed at that time. So we had to come up with the tools, the ways of… You know every iPhone or cell phone was changing every six months. The operating systems are changing, the technology was changing. So it was a huge kind of… How do you take what's happening and turn it into being able to obtain the information, prove that it could be reproduced, following that scientific method and then being able to testify to it in court?
So there was a lot of that. All right. So while I was in my graduate program, unbeknownst to me, it was actually a chief information officer program that would give me a certificate to be a CIO in the federal government. Also, a certificate had the competencies to be a CIO in commercial America. And at the time, because CIOs were actually becoming a C-level position and getting paid the big bucks, I figured, what the heck, I'm 39, 40 years of age. I could use a six figure income compared to what I was making. And so I started going down a CIO path. I listened to a recruiter who said, “In order for you to become a CIO, go take every position a CIO must manage and then you'll be able to speak to it.” I never lost the passion for cybersecurity, and that's kind of why I'm in the CISO role today.
Some would say it's a step back and I say it's. For some it may be, but for me I don't see it that way. I can take the business acumen and move it into the CISO role, and I can also help be an innovator because as a CIO, that's what you have to be. You have to work with the chief technologist, chief technology officer. You have to work with the business. You have to work with everybody to innovate and consistently be innovating so you can stay competitive and stay afloat.

Rachel Chalmers:

Yeah. I mean, to me in some ways that the CISO role is the pointy end of innovation because security really is an arms race. You know, in the CIO role, you have competitors, in the CISO role, you have antagonists. It's where innovation really matters.

Don Cox:

I have some sayings I've acquired over the years that I use. Most security departments have always been seen as a “no” department. “Can't do it because it'll commit this or create this vulnerability.” I'm the exact opposite, and I don't know whether it's a combination of law enforcement and just knowing what's out there in the real world and how insecure everything really is and it just comes down to risk and risk avoidance and putting controls around or whether it was being a CIO. And I have a funny story there that I won't derail about my first CIO role in what happened to me. But I really… it comes down to (and I stole this from one of my more senior people and mentors) I'll never say no to somebody. I'll just tell you what percentage of yes I can give you.

Rachel Chalmers:

That's great.

Don Cox:

And it's because either the person… this is what they want and say that's 100% in their mind. But when you actually give them what they need, you might give 60%. So you call it a win and you move on, right? Because there's always that gap between requirements gathering and reality, you know, the whole conversation. So yeah, so that's like one. And this is where I think technology has gone wrong. I think we jumped too quickly into “We own everything that's technology.” I have practiced and preached in my last few roles. I don't own technology, I implement it. I'm a partner. The business owns technology. You tell me what you want to accomplish and what you need. You put it in your budget, you fund it and I'll implement it for you. Well, the first time I did that, I tried to get security to a zero budget or actually all of IT. I didn't get Christmas cards from my peers that year. They were a little annoyed at me that their budgets shot up. But you have to do that in order to get them a seat at the table, get them involved, get them concerned about everything, IT and security. I mean, security is everybody's responsibility, right? We hear it all the time.

Rachel Chalmers:

So, yeah, you can't be a cost center. You've got to be a support to the business.

Don Cox:

Yeah. So my funny story was, you know, years in law enforcement and I always get mad whenever I go into companies and they stop the threat from happening. And, you know, because I wasn't able to collect log files and people didn't know how to collect log files. And so my first experience at the Department of Energy is where I kind of really jumped into – 

Rachel Chalmers:

Full, low stakes…

Don Cox:

Yeah, yeah.

Rachel Chalmers:

You know, nuclear weapons.

Don Cox:

Yeah. Not nuclear weapons. Right. The power grid, which we hear about, you know, water, you got everything there. And so I used to tell people when we interviewed them, it's like dog years: You're at energy for six months. It's like seven years in the real world because you're just you're getting… everybody wants your technology. And that's where I kind of learned it's not just the company that owns the technology that the threat actors are going after. They're going after anybody that could touch that technology or that name or, you know, law firms and all kinds of other things.
So my team comes to me and they say, “Hey, we have another entity that's a contractor who supports the government and it relates to all of our travel type and there's a lot of malicious traffic coming off their network.” 
And so I said, “Well, what's it connected to and how does it impact us?” And when we got through the whole conversation, I go, “All right, shut it down, call them up and notify them.” So first I get yelled at by my security team because I shut it down. It didn't keep it going. It didn't set up honeypots and didn't do all these things. And, you know, my first question was, well, “Did you brief us on these honeypots and how we should take care of this and do this?” And of course, they didn't have an answer for that. But then interestingly, when we called the company that was providing the service, they didn't believe we are who we say we were. So I was like, “All right, how am I going to deal with this, right?” Call the switchboard number. You get off the Internet and have them route you to us. You know, it was really weird. So we said, look, we're just going to send you an email from an official, you know, DOE email address with what's going on from there. And you know, it's on you. We've notified you. Yeah. So it was pretty interesting.

Rachel Chalmers:

Wow, that's funny. The risk lens is really interesting because I'm using it a lot in my innovation practice now. I go to clients and say, “Don't think of this in terms of the billion dollar businesses you might build. Think of it in terms of the billion dollar businesses your competitors will build if you don't stay ahead of the status quo.” So using that risk lens and going through all of their activities and saying, “Well, what's the worst thing that could happen here?” actually turns out to be really useful when you're thinking about innovation because even your remediations, even the interventions that you're making, you can create the risk and then you can assess the danger of standing still versus the danger of moving forward and make some kind of mathematical decision based on the comparison of the two.

Don Cox:

Agree. I've always found that being reactive is so much harder than being proactive. And what I mean by that is if I'm out using the latest and greatest technologies that are out there in our technology ecosystem, well, the technology hasn't been out there long enough for the threat actors to actually figure out how to exploit it in some senses. Or a known vulnerability will come up, but there's no exploit for it at the moment. And so I actually – not through my law enforcement days – but post I've come to know some hackers and people that have spent time in jail and had a lot of great conversations with them. And this is like the one thing they agree on: There're not many good hackers that are going out there inventing new types of hacks. They're just using the ones that exist, but finding out where it would be effective for them. So it's a little bit of effort on their part. So I see innovating as a way of securing your organization as opposed to being reactive. There's some stress on the implementing and getting it integrated and the like, but that's where you stop going with 16 different products and you just try to find one company or two companies that can help you do all the work and take the risk. So I see innovation as a benefit. I also see it as a cheaper way of doing IT because it's an innovative product, I've always been on the forefront of new products. That was kind of my cornerstone in the government as I was always willing to take those projects or talk to vendors. That's another CIO. When I was at the Department of Energy, where I got a lot of my kind of the one CIO that was there helped me along the line.
One of his sayings was, “IT should be baked in ice, not iced on.” So I used to use that one a lot and now I've stopped using that one. But he used to make us as IT leaders. He used to make us walk around and talk to every vendor on the floor of a CIO conference just for a minute. I mean, they're paying big money to be there. But think of what you can learn from talking to each one of them and bits and pieces. And I found that very valuable. So I set aside like every Friday and I'll meet with vendors for 15, 30 minutes at the most. And I tell them, that's all you got is 15 minutes. So impress me or, you know, try again some other time. And I've come across some really great security products, a couple that I'm on the board for. You know, I have the stock that's worth nothing when they give it to you. And hopefully, you know, they become the unicorn. But there are some cool ones out there that it's taken them a little while. But they'll get there. I mean, things like breach and attack simulation. Well, there's a company out there that's doing breach and attack emulation. It actually emulates all the tools that are in your environment. So there's defense in depth and it'll tell you where the tools in your stack are failing. CIOs and CISOs never had that. They've always had to just agree that the vendor or the tool is doing its job or the combination are doing their job. So I love innovation and I love implementing new products.

Rachel Chalmers:

Yeah. And I sort of came to risk from the other trajectory. I was always in love with new products and oh, shiny. And look at all the stuff we can do with this. And it's been 25 years of hard experience of learning to think, “How would a bad actor take this and exploit it?” And incorporating that into my practice has made it a lot stronger.

Don Cox:

Yeah, and when I hire for security engineers, it's one of my questions: “When you approach how you're going to implement security, how do you implement it?” And the first answer is best practice. And I go “Wrong. What are you trying to prevent?” 
And they go, “Oh we’re trying to prevent somebody from exploiting the system.” 
“Okay, so what types of… let's just call them Hats… What types of hats are out there?”
“Well, you know, black hats and white hats and gray hats and…” 
“Okay, good. So are you trying to engineer a system to keep people in, to keep people out? What are you trying to do?” And then eventually they answer it and I go, “So really, what should your mindset be?” 
“Well, it should be that of a threat actor and/or an inside vulnerability.” 
Because a threat actor inside or outside is a threat actor. But inside you have people that just do things. They make a mistake and they open up ports and they, you know, especially with the cloud. Oh, my God. You can read in the newspaper all the people that are implementing cloud and don't know what they're doing. And data is flying out of AWS S3 buckets and it's crazy.

Rachel Chalmers:

When you look back over your career, Don, what are you proudest of?

Don Cox:

What am I proudest of? Okay. Even though you sent me that question in advance, it's still stuck because there are just so many things there. So, you know, I'm actually most proud of the people along my journey that I have helped grow into more senior roles. I mean, just the last company I was with Mednax, the team that I helped build. I wouldn't say I built right, but I helped build. They've all been promoted to managers and directors and some of them didn't even think of themselves as that. So I'm most proud of the teams and the individuals that I've built that are actually being productive members of technology, and not even technology too, because I can look back further and [during] my short time I was at the Department of Labor, there are some people there, some ladies that were BAs and now I'm seeing they’re vice presidents of companies. 
I was a professor for the University of Maryland Global College, which used to be University of Maryland University College, teaching project management. And some of the people that are there are CEOs of companies and not that they attribute their success to me. But, you know, that's what I'm most proud of. In some way. I might have contributed to how they're successful. So I think that's the most you know, for me. That's it.

Rachel Chalmers:

Yeah. Creating space for people to grow. There's nothing else like it.

Don Cox:

Yeah. And that's part of my philosophy. And, you know, I'm on LinkedIn, you can go to my LinkedIn page. I mean, the last like 16 people, it's all about, “How he empowered me or he enabled me or, you know, gave me the runway, the bandwidth.” You know, to me, there's no good news and bad news is just news. So let's figure it out, right? I tell people, I'll never yell at you. Let's figure out how we move forward from here. You know, it's always do what you think is right at the moment and then if it's the wrong thing, hey, we learned from it. So it's all of those things. And I think that helps foster trust. It helps foster a better working environment by empowering people.

Rachel Chalmers:

If you had one do over, what would you do differently?

Don Cox:

So I thought about this and it's probably selfish, but I probably would have done better in high school. So that said, I wouldn't have a 2.3 GPA and I might have been able to play professional baseball for a little while because…

Rachel Chalmers:

All right, so I'm going to play this one for my kids… high school is important.

Don Cox:

Yeah! And actually, I got – if that's proper grammar – But I was able to obtain a copy of my high school transcript ninth, 10th, 11th and 12th grade. And it took years before I showed it. I have a 22 year old son, and a 19 year old daughter, and they're both doing really well in school. You know, one's a straight-A student and the other one is the 3.25 sometimes this year.

Rachel Chalmers:

But Cs get degrees!

Don Cox:

Exactly. They're both very successful in their own way. And it's lucky that I had the experiences, I had the education, the wherewithal to read about rearing children and mindsets and all of that, to understand that they're different and they need to be treated differently. They still frustrate you, you know? But in the end, it's a great thing. 
I wonder if I was recruited by some top colleges to go play baseball, but they didn't want to take the chance on my 2.3 GPA average, even though it's 1985, which I thought sports were, you know, the big thing. And, you know, my childhood was similar to what you would see in probably families today, which is sad but back in the eighties was becoming commonplace, was mom and dad divorcing. And so my parents divorced when I was 10 and mom couldn't afford to pay for college. Dad wasn't helpful in paying the bills, and so my mom really wanted me to have an education. She had me when she was 18 and had her life's set over. So I think it's those things or maybe it was just something else inside of me that wanted me to succeed.
But there was nobody there to push me through school and I didn't see the value like my wife and I do with our kids. You know: “School is important. We'll help you get through it. We'll get your teachers and after school help. We'll get you whatever you need.” And also understand that a C and a B are okay, you know, but you have to get A's in other things to help with that. And yeah, so that's my maybe if I had a do over, but here's the caveat the star. But if I did that and I really liked it and I did get to play Major League Baseball, I'd still want to come back and live the life that I lived now because the people I've met, the things I've done, the places I've got to travel, all the stuff, I want to say I wouldn't give it up for the world. And, you know, no amount of money, nothing because it's been absolutely amazing the things I've been involved with, seen and done.

Rachel Chalmers:

That's great to hear. We've talked a lot about innovation and all of its benefits and how it can underpin a good security posture. What do you think makes innovation so difficult? Why is it so hard to get people to adopt new things?

Don Cox:

Well, to your conversation about risk, right? People, if they don't understand it, if they don't see the business value, and sometimes telling stories is hard for some people to do, and so being able to take... 
So I guess from an IT perspective, they've never really had to do that. An example I've learned over time is if you're trying to sell an IT capability that would help prevent a threat actor from getting inside the organization, then figure out a way to equate it to a business need that would help increase their ROI or position them in the market so that people would be more attracted to do work from them. So, one example was, getting a SOC or an S-O-C – I can never remember what SOC stands for – but SOC type one or type two that sort of certification or attestation or HITRUST or, you know, just get compliance in some way. You're getting a third party to say that you have achieved these results like ISO and the rest. And then from that right, the business can then use that to go sell their services and get… Same thing with CMI and the rest of it. Also I think it's an unwillingness of the people inside to put resources against it, with everybody not able to hire all the people they need, don't understand how to use project management, and roll contract resources in and out. Leaders not being able to manage external resources/oversee resources.
I mean, that's some of the biggest problems you see in technology is this, “I have to have a button/seat, right?” And I think covid actually, which was a very bad thing, also helped us get over that hump of finding leaders that can manage resources that aren't sitting in your office and also help projectize, saying, “Look, you've got 20 hours to get this done, get it done.”
 So I think it’s the fear factor… probably. It may also be cost. So when you're trying to innovate, people with their planning of future needs and resources, they're not willing to take that risk on a new technology, because if it doesn't pay off, then, you know that’s sunk cost. And nobody wants sunk costs, especially when you're publicly traded your risk, your stakeholders don't like it. So it's a combination of things. It could just be on the part of the people that have the innovative technology not being able to explain how it can help your business. I can't tell you how many times everybody tells you they have the new, latest, greatest product. And when you sit down and you talk to them, you're like, “Okay, but how is it supposed to save me money? How's it supposed to secure me better?” Just ask the five whys and if they can't get to the end, you're like, “Yeah, you're not for me.” So I think it's a combination of things.

Rachel Chalmers:

How would you distill all of this experience into one or two lessons for our listeners?

Don Cox:

Oh, it’ll never happen. Never happen. Oh, one or two lessons. All my experience and knowledge. Wow. That's yeah...

Rachel Chalmers:

We ask the big questions here.

Don Cox:

So great question. Kind of thought I was able and ready to answer this. But, you know, give yourself some time to think and you change your answers. But I think one way would be to surround yourself with people that are willing to learn, willing to take chances… their open mindset versus closed mindset. They're not clock watchers.
And this is when I interview people. I ask them, “How do you learn?” And then just from that perspective, continuing to challenge the status quo, “OK we got here today. But what's next? How do we make this better? What's different?” So I think that would be one, is the people that you put around you would be a great one. 
And then I don't know if this is the same thing, but always be looking at what's next in technology so that you can get an idea or a sense of what you may need or what the business may need or what direction the business may want to go. And as I mentioned earlier, technology is not about the IT department, it's about the business. And so putting yourself at the hip of the people that are within your business. And to that end, I always look for the innovators in the business, right, to use your word. There are some technically savvy people within the businesses that are just dying to have input or to help guide or direct or to test out.
I mean, some of these people, like when I was working in the healthcare field, there were doctors that were like, “Well, this product's better than this one. Well, why?” And they've already done the research and told you why. So I think, you know, the two lessons that I would really talk about would be just people right on your team side, people with an open mindset, willing to learn, willing to succeed, not worried about failure, willing to take risks and understand that they'll be cared for even if they fail. Fail fast, obviously. Right? That's what you're always told? And then on the other side, the business side to keep it. Along the line of innovation is to partner with the people that are in your organization. And if you can outside the organization. Right. So I'm part of InfraGard, which is the FBI's group that takes in a lot of information and then shares it with other groups about risks and threats and other things. So it's really about the groups and surrounding yourself with groups and people.

Rachel Chalmers:

We touched on this briefly, but how do you think the pandemic might affect businesses in the longer term?

Don Cox:

Well, it'll definitely create new businesses and it'll close down some businesses. I think when you talk about it from a corporate IT perspective, it is going to force companies to change the technology they use to provide services to their employees. Most companies have figured out how to provide services to their customers via e-commerce and some other things. But they haven't figured out how to do that for their employees at a large scale and then how to measure their performance. That seems to be one of the things from the day that, let's say March of 2020, where everybody started going off-site. It is the first question: How do I measure the performance of my employees? Well, you should have been measuring the performance of your contractors, which is contracts and tasks and everything. So why can't you translate that into the same thing for your employees? Because really, you have a contract with your employee to do work. So how do you start measuring that? And there are some tools out there to do it. So I think that's going to change. Obviously, security is going to change. I mean, if anything blew up, it was my log files because now I start having people logging in from all over the world.
I had one employee who, every week, moved from city, to city, to city. And I'm going, “What are you doing?” 
And they're like, “Well, I'm in my RV.” I'm like, “What are you doing?” 
“Well, I'm just hitting up different national parks that I've never hit in my life.”
And I go, “Oh my God, what a great idea.” You know, use this time to travel. Yeah. So it creates that, right? So there's an opportunity for them to see something, then it spawns innovation. So you start looking at the companies who can say, “How do I get this person to submit into a dashboard that says – like you do with your credit card – I'm traveling and I'm going to be in New Mexico this month?” So now when you start charging in New Mexico, your credit card is not getting shut off. So it creates that kind of innovation. And there's a whole host of other things that are collaboration tools. How do you allow people to collaborate? Whiteboards. There's a whole host of things that I see that are very positive out of this.

Rachel Chalmers:

You've worked in some of the most stressful and intense parts of our industry. How do you avoid burnout?

Don Cox:

Exercise. Vacation. Those are all the things that you're supposed to do, right? I mean, how do you avoid it? Well, I'll tell you what happens. I mean, people start drinking. People start doing a whole bunch of things that aren't very helpful to themselves. So how you avoid burnout is you have managers and you have people that are actually watching out for your workload. I found, especially with people being remote, not being so… I guess, confined on the 8-5 workday. It's like, “Hey, get your work done and be available.” In the day and age of cell phones. And I mean I'm available 24 hours a day, seven days a week, unless I turn my phone off at night. But there's always backups if they need to get to me. So I think helping people have a work-life balance. People come to you and say, management style, past organizations… “I have to go to a doctor's appointment.” Okay, well, don't take leave. Just go to the doctor's appointment because you probably work more than your 40 hour workweek. So just go to your doctor's appointment. If you need to be at your kid’s event, then go to your kid’s event.
I always impress that on my teams and the individuals and I say, “Listen, this is a job that pays for all of the things that you do when you're able to take leave or on your weekends or things like that. This is not your life mission and you're not the only person.” And that's the other thing I do with my teams is I overlap them. So if one person leaves, I don't have a huge gap. And then if you want to take vacation, it's not like the world is going to come to an end. I mean your job is not going to stop getting done. So it's putting those things in place. It's also telling the team that those things are in place; it's showing them that those things are in place by tabletop exercises or, you know, “Hey, Jose, you need to take a day off today. Go. Do not answer your phone, because if I catch you texting and answering your phone, you know, then I'm not going to be happy with you.” And they understand that I'm, you know, joking, but they also know that I'm serious.

Rachel Chalmers:

So it strikes me as very characteristically Don that I asked about your burnout and you started to talk about how you prevent burnout in others.

Don Cox:

Oh, well, yeah, unfortunately, you know, I thought I was immune to burnout having been in the military, having been a police officer and other things I’ve seen and that I've done. I thought I was immune to it and I thought it wouldn't impact me. And it wasn't until (and I won't say where) I was actually one of those people that was drinking probably too much or it was every night I was having a drink and I was stressed out. My blood pressure was up and, you know, thank goodness nothing came of it, but it's a real thing. 
There was nobody around me to say, “Hey, are you okay? Are you burnt out?” So I didn't have a peer, I didn't have a mentor. And it was probably just happenstance that I'm no longer there, that I was able to go, “Oh, yeah, I did have a problem. Or, you know, it was leading towards a problem.” So. That's probably the part that's the hardest, right? The saying is that the closer to the sun you get, the faster you get burned. There's not many people to look out for you. So, when you look for a job and when I interviewed recently for a job, it was one of the hard questions I had to answer because it was like, “Okay, I want to go to work. I want to be a CISO; I want to do these things.” But I asked the question, “Are you interested in me growing? Are you interested in mentoring me and challenging me and, you know, me being seen as a peer, and you looking out for my best interest and not abusing me?” And the person that was interviewing me, they were like, “I don't think I've ever been asked that but the answer is yes.” And it was so honest and genuine. It was like, “No, I'm just as interested and concerned about you as I would want my boss to be or I want my wife to be or my friends to be. And you know, honestly, I want you to do the same thing for me. If you see me acting in a certain way, get me some help. Pull me aside.” Because there's no HR program out there that really can watch you and track you and see what's going on.
There might be technology out there that the government owns, they could tell you. But you know… I'm always cognizant of and maybe it's through my education, training, learning experiences that I'm very cautious and concerned of the people that I work with and helping them to be happy and successful. Part of that is promoting them for the or getting them paid for the work that they're doing. How often have I been in companies where we pay somebody $80,000 a year to do a job, that we hire somebody six months later and we're paying them $140,000 a year. It's like, why are we doing that now? When you go ask HR to start paying them? No, we have a policy that says they can't make more than 10%, so I have to let him leave the organization for six months to come back in. It's something that he deserves or she deserves. I go, “That just doesn't make any sense.” And you're frustrating people, but you know, they have a wife and kids, or a husband and kids. That's not right. So yeah, it's trying to make all those things.

Rachel Chalmers:

What does the future look like? As you look at our industry, if you could wave a magic wand and everything for the next five years goes exactly the way you hope. What do things look like in 2026?

Don Cox:

Automation. Less people making decisions about security. It really is. I mean, at the rate by which attacks are happening. If we as a society… let's just say Australia as a country, you know, United States as a country and Germany and whoever else it may be. Right. Israel has done this really well. You just look at all the technology that's coming out of Israel these days. We really have to get to a point where we start letting computers make decisions to prevent bad activities sooner, because if we don't, we're stuck with the, How long does it take for a human to realize it's a threat and stop it? And can they? So if I could wave a magic wand, there would be some automation out there that's intelligent. And I'm not going to use the word artificial intelligence because it's got a whole other… machine learning… that would get us a little faster towards a more secure environment. We would start looking at our security tools from the perspective of their capabilities and what do they really do and what can they do? That might be another one, because right now the cybersecurity sphere ecosystem world of technologies is just all over the place with so many different things that it's just hard. I went to RSA for the first time –

Rachel Chalmers:

Oh wow.

Don Cox:

I always… well, it was either I couldn't go because the government wouldn't give me money or I wasn't high enough in the food chain to go or just operational issues. 
But I went the year before the pandemic happened and I was just overwhelmed with the number of vendors that were there. It was so voluminous that the vendors were actually starting to take up space in hotels that surround the RSA event and start having their own come in for an hour or two, wine tasting, bourbon tasting. It was a competition with RSA for vendor space and it was actually really weird to see that. And I think RSA’s got it or started to see that. Not sure. 
Most of the vendors that I saw on the floor I had already spoken to on my Friday events just because it was out there and somehow you get on a list if you're willing to talk to vendors, there's this list out there that you get put on and your box just gets blown up with requests. So the magic wand thing would definitely be automation. I would just stick with automation.

Rachel Chalmers:

And what does the future look like for you personally? You're between gigs at the moment, is that right?

Don Cox:

No, I actually started a new role on May 3rd.

Rachel Chalmers:

Great.

Don Cox:

So the future for me is I'm a CIO or a CISO making $1M/year someplace. Well, one of those big jobs, right? Because I know I can do it now. I've got all the experience. So that's one you always have to have goals and dreams. And look, if I can do it with the company that I'm at, you know, thumbs up. But if I can't, then, you know, that's another conversation. 
Another goal of mine. And I'm tossing this back and forth. I figured out what the right one is to go get a doctorate in either cybersecurity or go to law school. I think with my law enforcement experience and all the things that I've done in the… the technology space. I think I'd be a great asset to... And plus…. Well, I'll say this and I don't mean it in a derogatory way in any way, shape or form, but trying to think of how to say this in a nice way: I'm kind of a champion for the right way things should be done, not the politically correct way. So, you know, I think if a person came in to me and I've had this experience once before, I got hired by a company and I told them up front, I am not going to be used as a computer forensic expert to put doubt in some law enforcement investigation.
I'm just not going to do it. I'll tell you, if the person did it or didn't do it. I will tell you if law enforcement didn't follow a process failed, or something like that. But if I come to you and I say, “Look, this person did this crime and the law enforcement did what they were supposed to do.” I'm not going to go look for an alternative theory for you and sit on the witness stand and testify. My reputation is worth more than any money you could pay me, so I wouldn't do that. And I mean, besides that, just be happy and healthy enough and retire early enough, maybe 75 or 80 that, you know, I can hopefully spend the next 20, 15 years, whatever it is, kind of watching my kids' kids grow, my grandchildren and, you know, having a great time with my wife traveling around the world or something.

Rachel Chalmers:

That sounds awesome. What is the best way for our listeners to connect with you or follow your work?

Don Cox:

LinkedIn. But when you try to connect with me on LinkedIn, you know, put a little note in there: Heard you on The Alchemist podcast and really enjoyed listening to you and love to chat with you. 
If you want to sell me your product, then say, “Look, I'd like 15 minutes of your time,” so that I'll know you listened to the podcast, “to chat about my product.”
I'm not on Twitter, I'm not on Facebook, I'm not on Instagram. All probably bad things, right? Because that's how everybody communicates and there's probably some out there that I should be on that I don't know. So I'd say LinkedIn is the best way to get in touch with me. The other way is just, you know, Google, Don Cox and whatever. And I'm sure I'll pop up on the Internet somewhere with my home phone number or cell phone number or something. But yeah, I'd say LinkedIn.

Rachel Chalmers:

Exercise for the hackers. Yeah.

Don Cox:

Yeah. Like LinkedIn is the best way to get to me. That's about the only thing that I really that's the only thing that I'm on right now.

Rachel Chalmers:

Don, it's been such a pleasure. Thanks again for taking the time to talk to us today. And we wish you well.

Don Cox:

Thank you. And I wish you well also.

References

Nova Corp Where Don was Chief Information Officer
Mednax Where Don was Chief Information Security Officer
Intro and Outro music composed by: www.PatrickSimpsonmusic.com
