 So, without further ado, bringing on our next speaker, JC is a hardened, bilingual, cyberhuman with the scars to prove it. He loves planting seeds of knowledge and flowers and making tea leaf predictions. Greatest professional accomplishment? Book Club founder, not your grandma's book club, unless your grandma is Grace Hopper. He's cybersecurity professional and a U.S. Army colonel retired with over three decades of security leadership experience and 17 years specializing in cybersecurity operations. Ladies and gentlemen, please welcome JC. Thanks for taking the time. The most valuable asset you have is your time and sharing it with me. I truly appreciate it. I'll go over the quick disclaimers. I do work for IBM. I am required to put these things up. Everyone saw them? Good. All right. So how to level up immersive learning through gamification. If you read the abstract, we're going to go through some of this. And why are we doing this? So as we go through this, you heard about me already, so we don't cover that. But how did I get involved in this? About six years ago, seven years ago, I was meeting with one of our senior leaders, General Hernandez. If you don't know who he is, he started the Army Cyber Command. And he said at that time, we need, he got assigned to start this new organization of all the Army Cyber Warriors. He said, bring them all to me now. Now that I'm the commander, three star general, bring them all to me. And his aide says, sir, there are none. Like, what do you mean there are none? We don't have any guys who do cyber warfare by job description and assignment. Okay, great. Bring me the leaders. That's what we do in the military. If you don't, if something's wrong, you bring the people responsible for that. Bring them here to me. Sir, we don't have those either. Nobody was available. We did not have an infrastructure for cyber warriors. So we ended up getting involved. And how do we create this? How do we create a cyber warrior, a cyber secure specialist throughout the organization? Not just those who do cyber, but those who do their day-to-day job with security in mind. We aren't there. What we're proposing today is a way to get there. Many of you are involved in cyber training. And I'm not saying one is better than the other. I'm saying there are options. Regardless, we're not getting there right now. So let's talk about what I'm proposing here. Storytelling, theater, and gamification. What does that have to do with cyber security? We know the threats that are out there already, all right? We know that there are some universal truths that we are living in an unsecure environment. Yahoo, 3 billion accounts lost. Uber, 57 million accounts lost. Friendfinder, 412 million accounts lost. But did any of those touch you? Well, let's get into some of the more recent ones that you know about. Equifax, okay? What is it? Holly Madison or what's that website called? I didn't want to bring it up because that might have affected you. So there's that one. But now that the threats are getting a little bit more nefarious, they're going after the soft targets. You have Baltimore, the city of Baltimore. You have Lakeland, Florida. You have the court system in Georgia. You have Atlanta. And what just happened recently in the last couple of weeks? Louisiana, the school system, four parishes, four counties, I'm working with them. They have to re-image thousands of computers right before school starts. This is our problem. It's a big problem, though. We don't have enough throughput or the right throughput to meet the demand of the community. And we're not on a trajectory to get there either. So we're kind of in this together. And so we're proposing that we find a new way of doing this. But why? If you look at how you went to school, how I went to school, how many of us went to school, we didn't focus on the why. We focused on what we had to do to get this class because I'm just have to get to the next phase. But for those of you who are not familiar with Simon Sinek, he has this concept of the why, the circle. Why are we into cybersecurity? Why are we trying to learn it? And why are we discussing it all the time? That may be unique to all of us, but we share this environment, this common threat. So as we talk about this, that's what I want to focus on is getting to the why in a new method. So I'll quickly go through these here. We already talked about the supply. We talked about the demand. We talked about the trajectory. But I'm trying to get you, your students, your colleagues to dig in, not just the cybersecurity professionals. You're already in it. It's everyone else in the community as well. So we're here to inspire. So here's our proposition. Outcome-based education. Are there any educators in here? When I talk about outcome-based training, it's different than your traditional class where you have a syllabus. You get a project. You get a goal. You get an end state. In this case here, we're talking about the end state is how do we secure something? And we're going to go through a little scenario here. How do I prevent a catastrophe from happening, a cybersecurity incident from starting at one point and getting worse? Because we can do better than we're doing now. And I'm hoping this method here is going to be inspiring to help those that we work with dig in. Who's our audience? Our audience are both the technicians. But one of our most significant audience members are the executives, the leaders, the guys who are funding you to be here or who decided not to fund you to be here and you're paying your way to get here because they don't see the importance of this community and what we're doing. But here we are. So let's talk about this here a little bit. Let's get in this scenario here. We're this company. You are all part of this company. We're Bain and Ox. We're a company that focuses on education. We process everything from student records to employee payroll. And we do it better than anybody else. Our goal, because we're the security professionals here, is to increase security and lower the risk. And we have roles. So one of you is the CEO. Joe, you're the CEO. Who's our CFO? Phillip, you're the CFO. Siso, someone over here. Combs chief, someone over here. Remember these kind of roles. When you get up there, you're going to be playing a role. Our goal is to prevent something negative to happen to the company. If it does happen, how to keep it from getting worse. With that, we use this concept of the boom. For those in the military, this is not a punchline. This is when a vehicle is traveling down an alley and there's an explosion, an IED, an improvised explosive. What you can do, the decisions you get to make before you get to that boom are unlimited. Let's talk about a couple. Number one, you can decide, I'm not going to drive that route today. You can decide that I'm going to use some type of electronic warfare to prevent that boom from happening. You can take a different route. You can harden your vehicle. You can say, you know what? I know there's going to be something dangerous there, so I'm going to have medical personnel near me. So in case something does happen, we can do something about it. Almost sounds like the cyber kill chain. All the different things that we can do, left of boom, my right, your left, all the things we can do to prevent something from happening. Before the incident occurs, before it gets released to the media, there is so much you can do. And you have to start thinking about that right now. So how do you think about that? How do you do that? You start to practice. You start to get immersed in these different environments. So speaking of that, you're this company now. You're in this role. Ring ring, ring ring, ring ring, ring ring. Okay, who's going to answer the phone? Ring ring, ring ring. Who's going to answer the phone? Hello. Right here. Hi, is this the Bannon-Ox Security Operations Center? Yeah, yeah. Good to talk to you. This is Andy Greenberg calling from Wired Digital. We have a research that we're doing on a story we're about to go live in in about 10 minutes. We're looking for some comments on the ongoing security incident at Bannon-Ox. What can you tell me? No comment. Now, we're about to go live with this story in about 10 minutes here. Are you sure that there's nothing you can tell our readers? It seems that we are finding 75 million of Bannon-Ox customer records on the dark web. I'm sure that your customers are going to want to know what you're doing to resolve the issue. Send us the evidence other than that. No comment. Is that a good response, anybody? Can you do better? How about over here? Let's go over here. So, we're being told that there's an ongoing security incident at Bannon-Ox. Is this something that you can tell us more information about? How did this start? We have no comment at this time. So, does that mean that the organization is not aware that the incident is going on? We have no comment at this time. I'm sure that the customers of Bannon-Ox would want to know that their information is being treated with a high priority. You have the CEO right behind him there. Is this the state of your organization that you're out of control and this information is leaked onto the web and there's no information that you can even provide? It sounds like you were not even aware of this. Is this the first time that you're hearing about this incident? We're currently investigating the situation and we'll provide more details as time moves on. Excellent. We're very grateful that we can confirm that there is an ongoing incident at Bannon-Ox. Thank you very much. We would love to know now that the incident is ongoing, what is the investigation found? No comment. Doesn't sound like they found much at Bannon-Ox. I might know more about this than the organization does here. So maybe public resources, public relations can give me a response. You're getting to the people who said they didn't want to participate, so we'll break there. All right. All right, so here we found this information. Here's what we found. That you have student records, you have employee records that are out there. Has anyone ever had to deal with the media on a crisis like this? So we brought in the media one time to go over our training to see what we do. And one thing they said is they have 90% of the story already completed and they're just looking for validation. And who are they going to call? Anybody that's going to answer that phone. You're all part of some organization. Do you have media training? That has to be across the organization. What are you authorized to say? What are you not authorized to say? So best business practices, what you do is you can refer them. I'm not authorized to speak about this. I'll take your name, your number, and we'll get back to you and contact you. But we're cybersecurity guys. Was that even a valid call? Was that the hacker? Which you said no comment. You didn't grill him. So we talked earlier, you're a media specialist and my line about they have the story already and they're looking for value. And it doesn't matter from who. So the idea about getting the people involved and getting the storytelling is you have to first create this environment. You have to hook your audience. Now, was anybody at all a little bit nervous that he was going to come bring the mic to them? Okay, have some head nods there. Now you're in the game. Now you're in the scenario. One of the best storytellers ever is the gentleman here on the slide, Walt Disney. He tells his story, but it doesn't stop there. It's not just on paper. And we all know the stories. He put it into videos or movies back then. He also immersed you in the environment. Anyone know where this place is? What's the song that goes along with that? Now you're stuck with that in your head for the rest of the day. So the idea is he puts you in this environment. You're immersed. His message, world peace. What do we do with that? How do we do that in cyber? Well, there's a few different ways we can do that. But with that, you need a little bit of theater to really get into it. Good examples of that that you see here right now are look at the villages. If you go next door to the biohacking workshop there, you'll see gurneys. You'll see that this looks, resembles, like a hospital. Go to the lock picking area. Go to the ICS. Go hack the cars. You'll see vehicles there. You're really in it to win it. And so the idea is that you use that storytelling. You create the setting and the people who are doing it, they're walking around in lab coats. They're not instructors. They're performing. They're characters. And they're using stagecraft to really get you involved because now you have their attention. When you were taking your annual information assurance cybersecurity training, were you at all interested in learning? Or were you interested in just completing that training? You didn't give a damn about it. As a person who is responsible for that training, I want you to learn, but I'm just not getting through. So there's different ways to do that. This is how we do it at my organization. We have a fusion center, call it a range, call it an operation center, and we bring it to life. Down to the lighting. The lighting changes colors as the scenarios change. They adapt. When things are going really bad, it turns to red. In the calm before the storm, it's in blue. But not everybody can do this. We take it on the road. This is a tractor trailer that's in Europe right now and we take it to different organizations. But you think, yeah, that's not me. I can't do that. This is a hotel room. I just gave you examples of where they took a little banquet room right here, and it looks like a freaking hospital. It's how creative you want to be. How much do you want to put into it? So we talked about the storytelling. We talked about the theater, but that's not enough. The gamification. Has anyone seen The Wall of Sheep yet? You know what I'm talking about, right? It's a lot of fun. Has anyone tried to purposely get their stuff up there? My first time going, we were trying to get all that, see if we can get it all posted and put a lot of interesting pictures and stuff like that. But what you start to do is you start to incentivize behavior. You want people to do the right thing, and there's ways to do that. You can reward people. For those of you like me, who came from the government, I couldn't reward you with money, but I could reward you with other things. I can reward you with time off. I can reward you with things that may matter to you, a parking space, privileges. What matters to your organizations? What are some of the rewards that you see around this room here that you see people walking around with? Oh my gosh. You look at all these people. You give them a little piece of bling and they're like heroes. So who has the highest level in here? I'm level three right now. So I don't even know how to play it, and I did, but hey, I'm level three. I'm proud of it. I'll be four by the end of the day. The idea is that you start to give them a challenge. You give your audience a challenge. They're trying to solve that problem, and there's consequences. There's consequences for doing something right, and there's consequences for doing something wrong. It may change the outcome. Just like that boom. As you're driving down the road and that IED goes off, there's going to be real consequences. As you're preparing for your cyber worst day, there are going to be consequences. The Wallace Sheep emphasizes what not to do. The other pictures that you see there are CTFs. Who's been in a CTF? Now the idea is, were you better when you were done with it than before you started? Did you know the things that you needed to learn that you needed to dig in on? I had a weakness in this domain versus that domain. As instructors, I could only help you so I can facilitate your learning, but I can tell you my best students that I had. The best ones were the ones that went outside the classroom who realized I only know this much and I'm going to go do something else. You are part of those students here. You're here today. You're here learning. No one understands why you're here and some of you paid a lot of money out of your own pocket to be here. And I applaud you for that because you're that group that we want others to emulate this. So the idea is create that environment, create that story, the theater, and the gamification. But it's not just for you, it's for your team. There's what the individual has to do, but I and my organization have multiple roles. I have individual responsibility. I have responsibility to my teams and the team of teams in the large organization. So imagine putting your leaders through this type of training, this type of immersive experience, and they're coming back to you saying, why aren't we doing this? We've been wanting to do that all along. We just needed your approval, your authority, your resources, your money. This is a whole of business response, a whole of business training. This is not just the individual coming in and saying you know a lot more about security and you're going to go back. What's your reach? The guy sitting left and right of you? You got to reach that larger team. Using this gamified experience helps you do that because now the team wants to level up. So we're back to business. We're Bayna Nox. And here we are with the challenge. So you know the breach, we confirm the breach did occur. We know those records are out there. Ring ring ring ring. Back play. You're in it. This is Mark, the CFO at Bayna Nox. I'm very concerned about a wire transfer that we just put through. As you know, our CEO is on a business trip to Japan right now. He sent me an email earlier today asking me to make sure that by the time he lands, that $2.5 million was wired to an account that I thought I was familiar with, but now I'm not so sure. He told me the real reason we are going to Japan is to save the company. If I didn't process this transaction, Bayna Nox is not going to exist by summer. So I did. I sent the wire transfer, but I'm not able to confirm the deposit. I can't get in touch with the CEO because he's on the plane right now. And oh God, the email has his exact signature and everything. Can you help me? I've sent you a copy of the email so you can see it. What do you think I should do? What are our next steps? I'll get back to you. Can anyone else help me with this email? We need some help, guys. Come on, step up. Contact the bank and freeze the wire transfer. It looks like it might be a phishing email. The email address is different in the subject as it is in the signature. The email address is different in the signature. Where did you see there? It's baynampasandox.com and baynandox.com at the top. Oh my goodness. I knew that there was something that seemed a little bit fishy here. Is there anything else that anybody can help me find that seems... Yeah, there are a couple typos in there too. There's some cybersecurity professional. We got someone here nodding right here. Right up here. Who's nodding? Right here. Anybody see anything else? If you said you couldn't get in touch with them, but how is he sending an email from being like while he's on the plane? Little clue. So what are our next steps now that I'm feeling like this is probably a fraudulent email? The funds have already been sent. What should we do? Someone said call the bank, but contact the FBI field office for wired fraud. Why is that? Why do we contact the FBI field office for a wire fraud? So let's get into that here a little bit. You're all experts in cybersecurity. Do you know who your FBI contact is for your area? Does anybody know who their FBI contact is for their area? Michaeline DiDiego for Boston. When I was in New York City, Leo Taddio. Who's your FBI contact? What's that? I'm off the top of my head right now, but I have this contact information. So the idea when you're talking about this submersive training for cybersecurity is you can't just focus on your team. I said individual, your team, and your team of teams. Those team of teams are often outside of your organization. But what else do we know about this? We got to see, you guys are pretty good. So let anybody see anything interesting up here? Where is it going? Germany, the DE. This would never happen, right? $2.5 million transfer. CFO is going to make that transfer. Anybody who worked for a bank, $2.5 million is not unusual. It may not require higher authority to do that. That is chump change for some organizations. So the idea that this is still a multi-billion-dollar operation, compromised business email, this is a reality. So the idea of training your personnel, notice the two examples that I gave you were not cybersecurity people. It was people who were going to influence that environment. And the idea that you have to get your organization prepared for this, because there's a lot you can do left a boom. Once the story breaks, you're now beholden to whatever team you have on the playground at that time. It becomes a pickup game, or it's your Super Bowl that you've been preparing for all the time. So the question I ask for each of you, are you treating this experience as if it's a pickup game on the playground where you have two plays, run 10 yards, turn right, and I'm going to throw you the ball? Or are you going to be Tom Brady? And you have multiple plays where the ball is in the air before the person ever makes a break. How ready are you for this? Using this technique is not going to scare off your leadership. It's not going to, this is actually fun. People enjoy it, and they're learning as you're going through it, if you do it right. So our proposal is using immersive experiences for experiential learning through storytelling, theater, and gamification will help achieve the outcome that you're trying to reach, and that is to create a cyber secure environment and be ready for that eminent cyber bad day. That's all I got. Thank you. Any questions, anybody? About how we do this, how many people we put through? So I actually don't work in security. I'm here on behalf of a client of mine, and her interest is right now in cyber secure awareness. She's actually struggling with what I think is a unique scenario is where she's trying to get security on the mind of an old, or how should you say it, a more experienced generation of employees and they don't, I mean, they're already resistant to technology overall, not to make broad stroke statements, but that's what she's experiencing. So I mean, I think my generation is more perceptive to it, I guess, but is there any other, do you still think that the same approach is effective for that generation? So let me address first a couple of myths. The older generation doesn't understand technology, and the younger generation does. Okay, the older generation understands how things work. They were fixing cars, they were fixing carburetors. When's the last time the younger generation fixed anything? So they understand parts and pieces, they understand systems. What else do they understand? Senior leaders. You must have mature senior leaders. They understand risk management. Notice we said security to lower risk. Talk in their language, you're the communicator. As far as the younger generation understands it. Do you even read the EULAs? How many apps have you downloaded here just to get to this conference here? The fricking hacking conferences, you're downloading the apps for a hacking conference. Okay, so a myth is that the younger generation is more aware and that the older generation is unaware. You have to talk to them in their language. Approach them in a way that they will understand rather than cookie-cut it. I talked about in the storytelling, you got to engage. Engage them at their level. You had someone up front here? Yeah, so currently with IBM you go out to larger companies and you war game or strategize and play the role playing with them. We've handled everything from nonprofits to municipalities to large banks. We look at it from a perspective of if we help everyone with security, the security awareness will help everyone around us because if you're insecure, remember this is an ecosystem. If you have a weakness, you might be what's going to affect me. We have to work together on this. So the best scenario is that team of teams, you go in there with your team, but you also bring in the partners that you have dependencies on. So you don't do it alone. What I'm showing you here is not something that's cost prohibitive, believe it or not. We can talk about that afterwards. I'm not pitching IBM's cyber range. I'm pitching the concept of how do we do this and you can do it in a room next door with a bunch of volunteers. It's freaking awesome. It's not about the money, it's about the will. Question in the back. Do you have a world situation, like crisis response in any way? So I came from the crisis response world and yes, when we have an incident that we see is affecting a large part of the ecosystem, we will stand up our own crisis response to monitor it. But it's not just us alone. There's many organizations that do that and we work with partners across the discipline. We're calling what you may think our competitors, but we look at them as partners. We share the same environment. Their threat, you heard about the Equifax breach and Jamil had a great conversation yesterday. So imagine all of us get the same ransomware attack and I stop it. You think I outran the bear and you got stopped. But the idea that we share this ecosystem, what I just did is I just diverted more resources to you and now you're in a world of hurt, but we're sharing the same environment. The market may be affected by any one of us being impacted, not just me. So that idea of us working together and standing this up in real life, yes, that could be stood up for a real life incident. Yes.