 Paul, and welcome back to the Think Tech Hawaii studios. I'm the host, Andrew Lanning of Security Matters Hawaii, and today we're talking with Bo Monday. Bo, thanks for coming in. Yeah, my pleasure. I know you're a busy guy, man. We all are. But we're going to get into a little bit of school security for you today. Bo's the CISSP. He drives an information group out here in Hawaii, and he's seen some of the issues with trying to tie security to the IT department. I've personally run a lot of projects that aren't integrated well, where I've got facilities who hasn't done projects with IT, or I've got security groups that haven't done work with IT, and today security is really IT-driven, or it ought to be. Bo, thanks for coming in today. Sure, my pleasure. My pleasure. I put out a little thing earlier about school security is this truly heartstring tugging problem in our country, right? We've seen a lot of tragedy, and I don't know of a way to prevent that tragedy. Culture is a big component of security awareness, teaching kids what to look for in maybe their friends who are having problems or struggling. And Hawaii's culture is a big thing on a lot of our campuses here in a broad, different way. I think we're a lot more acceptance out here, kind of a piece of our culture. We want to be open. Open campuses are much harder to secure. Absolutely. For what you've seen on the campuses, it's a good thing to have as a component of culture, but from an IT perspective, what do you think about it from security there? Yeah, I've been in Hawaii for about 10 years off and on, and I've had a lot of experience on the mainland, and I see schools on the mainland. And in Hawaii, they really are part of the community. They're kind of a bedrock of the community. They're a cornerstone. So it's really hard, you know, people need to be allowed to come onto campus and interact with the faculty and the school in ways that they wouldn't normally allow on the mainland. So it presents a different challenge. Unfortunately, we see, as we do these after-action reviews on these school shootings, there's always signs. They look through the children's social media history, and it always seems to be teachers saying, yeah, we thought that kid was going to be trouble. So it really is looking at how the children interact with each other online and also on the campus as well. Usually, there's indications and there's opportunities, quite frankly, for us to correct and to save these kids from either starting trouble or being involved in something. I completely agree. I've always had this sort of thing that, you know, we make them go to school. I guess you can home school, but by and large, there's a law. So if we're going to make you go somewhere, it seems like we need to secure you there because you're really not there of your own volition. The same way employers are required to protect employees and at a job site, for example. So you know, this idea of these kids being there and then us, you know, do you think there's a... I don't know if I want to use the word fear, but I've been seeing a lot of stuff about active shooter training with kids in schools and to me as a security guy, I can't start them too young in the awareness component of that. Do you... Because you've been on some K through 12, and do you see that in the younger kids? Are they afraid or would they rather interact or what's your take on that? I don't get the sense that they're afraid. I do see, you know, we do drills pretty regularly at the school that I'm at. And it just becomes, you know, this thing that you do, it's like preparing for earthquakes or a tsunami or anything else. It's just, you know, one of those, you know, contingencies that you prepare for and hope that it never comes. Sure. I feel like the kids kind of take it in that vein. I don't think they're, you know, walking around, you know, looking around every corner and waiting for it to happen to them. So I think we do a good job of kind of setting the expectation that, you know, this could happen, but it's an extremely rare event, you know, even today, even though we see it a lot in the news, it's really a very, you know, rare event. And we focus our education, you know, we touch on active shooter type scenarios, but, you know, the more damaging I think on a day-to-day basis are things like cyber bullying and things like that. Yeah, bullying. Sure. And these bullies, right? There's a great, there's a great indicator of someone who's kind of got a behavioral issue that we need to address it early in their life, rather than having these grown-up bullies. Wasn't there a, I think there was an incident on a, there was a public school came with the players, the children, the child's parent, like, was fighting with the coach or assaulted the coach or something. So here's a parent who's possibly not modeling the best of behaviors in the home. And so you wonder, you know, about that kind of an impact, do the kids, do they model for each other? Do they call each other out? Do they have pads of reporting? How do you go about that awareness campaign? There's a lot of that. And I say, you know, we monitor the kids to the extent that we can, but a lot of them have private phones and their own, you know, personal accounts. You know, there's, the joke is that there's, you know, the Instagram account that the parents know about. And then there's the other Instagram that they don't know about. And so, you know, there's a lot of, of kind of hidden social media going on. But, you know, by and large, kids are concerned if one of their peers is doing something that they, that they think is harming another child. So we get a lot of kids reporting things to us and giving us an opportunity to step in or to bring the parents in and help us address that situation. Have like a counseling session. That's awesome. Yeah. Interesting that you brought up about how they'll run the dual account. So the kids are often better at all the social media than their parents. I did some of the classes with the state last year where we had that safe, safe and secure week. I forget what the moniker is, but, you know, we had it, we did all the libraries and a lot of the parents brought their kids in. The kids were far more adept in cyber and knew what malware was and knew what phishing was than the parents. I was really amazed. Absolutely. Maybe we need to reverse the learning and have the kids go home and do some homework with their parents and then bring back the results. You know, it's interesting. We see at our school, and I've seen this on the mainland as well, we, we see kids kind of start being curious on cyber probably in the seventh or eighth grade. So it's much earlier than, than most people think. And so they start exploring, you know, at our school, we, we give, we're giving laptops to kids, you know, in middle school. And so now they have the ability. Wow, is that fourth grade or? It's sixth grade. Sixth grade. Wow. So now kids have the ability to install programs and to run things and the, you know, the rules, you know, kind of let up a little bit. So it's, it's easy for us to identify kids that might have, you know, some interest in, in entering the cyber security field and we have opportunities to, to mentor and coach. Yeah, it's good. And I know my wife did the robotics, she's a judge for the competition. She said, these are the most brilliant kids you've ever met, you know. And I was like, what? So, and the Hawaii teams are really strong there. So I think, does your school have a team? Yeah, we had a team that just got back from the mainland. I think they took second place. Awesome. See, isn't it something? So, yeah, it's fantastic. So we shouldn't stop teaching. We shouldn't have fear. So this, this social media component, do you, do you think, because we, we teach about the predators, how the predators watch when they are most, I'm so mad at my mom, or whatever it may be. And do you think there's an awareness of those kids that there, that there are these types of predators that pay attention to those things they say? Or is it, you know, more, more that they're just posting to get a reaction from their friends or their parents? I think it's more the latter. I think they're, they're looking to get a reaction. I think, you know, as you look at, when we were kids, you know, we, we had a small, you know, group that we could probably count on both hands of close friends and people that were influencers for us, right? And now today, they're with the internet and social media, kids are being influenced by thousands of people that they have some level of relationship with. Maybe it's just they're following them on Instagram or something. So there's a lot of, you know, positive and negative influences coming at kids now. And I think that's kind of driving a lot of the frustration. Do you guys teach them about like misinformation, disinformation campaigns? And I don't, if they're not voters yet, I don't know if anybody's really going after them. But I do, I keep them aware of all that kind of stuff. So I don't know, is that happening with the kids as well? Yeah, we do touch on, you know, cyber hygiene. And that's, that's part of it is, you know, looking out for things that are just not true. And that's been, you know, a larger part of the conversation. I think lately in the last couple of years is there's been a lot of focus on, you know, fake news and, and misdirection and things being planted, you know, on new sites and Facebook and all that kind of stuff. So there is a growing awareness that a lot of the stuff that you see on the internet is just not true. Or it's, or it's intended to make you angry, right? Sure. Which is, which is detrimental to a child, right? If, if people are posting inflammatory things just to make this, you know, a child upset, you know, and trigger them into doing something. That's terrible. Or trigger them to stay home from school. Sure. Used to just, when I was a kid, it was just the fire alarm for somebody, somebody, so everybody got out of school for an hour until they figured out what happened. And then now they've got, there's like bomb threats. I've seen, I've seen some incidents of kids calling in bomb threats, these swatting threats, calling in the police reporting something that's not true happening. So we touched a little bit on Hawaii being a much more open type of campus. Does the awareness that you're working off the kids extend out into the community to their parents? It used to be like PTA when I was a kid. I don't know how that's done these days. Yeah, we have some communication through our parent faculty association. We have a parent newsletter that goes out regularly and we try to slip some things in there. So we try to keep, you know, the parents up to speed on on things that their kids might be, you know, facing when they're online. So that's definitely part of our of our program. You know, we only have, you know, the kids for a few hours a day. There's a lot of other influences in their life, right? So, you know, it's part of it is teaching the kids how to behave and what kinds of things they're going to face, you know, while they're at school and then, you know, what they're going to face when they're away from school and what and how their parents can, you know, help protect them. Yeah, I wonder if they're they might be better at communicating than we are. Like, you know, they're they're the far. So do you do you guys monitor feeds like on campus that are from the campus community itself or, you know, incidents, fighting, something's going to happen or something as their capacity to do that? I don't know. Yeah, to the extent that we can. But, you know, the kids are very clever and they know how to get around things. And, you know, it's kind of whack-a-mole sometimes. You know, we're always, you know, kind of chasing down weird VPNs and proxies and things that the kids are using. So they're going like on tour. Yeah, they're they've got, you know, covert channels set up that were constantly knocked down. So I guess you have K through 12. So you do have some more advanced users and again, influencers starting at seventh and eighth grade, they start getting very curious and they start, you know, playing a bit with the computers and seeing what they can what they can do. Wow. So you so you got a little more work going on. So how's that headache for monitoring a network like that? That's I mean, I guess you got some some ideas, IPS going on, but, you know, what's your what's your what keeps you up at night? Well, you know, the unfortunate truth is that, you know, we can't stop everything and kids are going to find ways to communicate that we're not going to be able to listen to. And so, you know, we can only take technology so far. And the rest is talking to the kids and educating them and making sure that they're aware of the impact of the things that they say. You know, it's really an education kind of approach because we're just not going to we're not going to find every covert channel that the kids might be using. So it's really about educating them and their peers on how to recognize when somebody that they're friends with is doing something and doing something wrong. Yeah, it's so important. I I wish we had more funding and more time to teach that awareness stuff. And I know it's trickling down. You know, we were working on the adults who still need to keep working on. But if we can get that broad base of knowledge with the kids where they're questioning each other, questioning their friends, they're going to grow up questioning. I was reading that the like German students are like brilliant. Like you can't show them. You can't fool them because they start. I'm so young to teach them about what's bad out there. And it's so the programs you've been around, are they do they have some legacies of like five years old, 10 years old, or has this been a last few years type of thing? Well, I've always been a strong proponent of of education and security awareness education. So I've been in this business for 20 plus years. So I've that's always been kind of a focus of mine. But the tools have gotten better. You know, now we have the ability to send, you know, fishing exercises to our to our, you know, constituents. So right, we can say this is, you know, here's a fishing email that you might get based on something that we have gotten in the past, you know, and and challenge them to respond to it the right way. And if they don't, if they click on it, then they'll get some education training, right? A little training, right? There's videos now. There are several companies putting out cybersecurity focused videos, particularly content that's consumable for children. So I think that's great. I think the recognition over the last couple of years is that kids are ready earlier in their education for cybersecurity training and not just, you know, here's what to look out for. But, you know, here's here's some things that we do in the cyber community that you might want to do as a profession, like as you as you grow through your educational career. Awesome. Yeah. So we're with Bob Monday. We're going to take a break and pay some bills. We'll be back in one minute. Aloha, I'm Cynthia Sinclair and I'm Tim Apachella. We are hosts here at Think Tech Hawaii, a digital media company serving the people of Hawaii. We provide a video platform for citizen journalists to raise public awareness in Hawaii. We are a Hawaii nonprofit that depends on the generosity of its supporters to keep on going. We'd be grateful if you'd go to thinktechhawaii.com and make a donation to support us now. Thanks so much. Aloha, I'm Gwen Harris, the host here at Think Tech Hawaii, a digital media company serving the people of Hawaii. We provide a video platform for citizen journalists to raise public awareness in Hawaii. We are a Hawaii nonprofit that depends on the generosity of the supporters to keep on going. We'd be grateful if you'd go to thinktechhawaii.com and make a donation to support us now. Thanks so much. Aloha, we're welcome. We're back at Security Matters Hawaii. We're with Paul Mundy today and we've been kicking around that social media influence, teaching kids, creating awareness. The kids aren't the only problem. We got this adult user problem. You have perhaps faculty you've encountered. You have facility folks. You have security folks. You have a lot of different stakeholders. I'll try to be gentle with my terms. So those stakeholders need training and help. How have you seen models that work? Let's talk about that. I think there's a growing awareness just like at the children level. There's a growing awareness just of people in their daily lives. How big of a threat, cybersecurity, you know, threats can be. So I think there's a growing awareness. And, you know, when I was at Hawaii until many years ago, we were doing weekly articles, monthly articles in the newspaper. So I think doing that kind of stuff, just putting things out in the community and not necessarily targeting any particular user group, because I think that, you know, adults of all fashion get approached in some way or another, whether it's a skimmer on a gas pump or an email. I mean, there's there's a hundred ways to scam somebody out of their money. So the challenge. Yeah, everybody's trying to take your money. You know, regardless of what you think, there's a lot of bad people. There's a lot of people, you know, think, well, I just own a small business. You know, nobody's, you know, the hackers aren't going to. The Russians aren't coming after me, right? But people don't realize that it's just one big ocean. You know, the Internet is and, you know, the people don't care what kind of fish they catch in their net. Right. Yeah, it was one. So do you allow your users to they? Do they work at home? Take their equipment home as well and come back and so they can be picking up stuff there that they bring to your environment that you're protecting? See, that gives you a larger landscape there. You got to work on. Yeah. So one of the delicate lines that we have to then we have to dance on is is enabling the business to be effective and efficient and, you know, but also protect them. So there's always some kind of give and take. Like you wish that you could just, you know, collect all the computers at the end of the day and put them in a locked safe, you know, so that they don't get stolen or lost or put on a dirty network at a coffee shop. But at the end of the day, we have to, you know, educate our folks and how to, you know, operate that computer safely, with some controls on there, like antivirus and advanced malware. And, you know, just, you know, I hope they do the best, you know, trust, but verify is one of my favorite motto. Sure. Are the in the campus environment that's there now? So are your physical security teams integrated to the IT? I mean, are they on the network with their cameras or their access control? And is that a is that a component of of security consideration overall that that is, you know, got a programmatic, you know, program driving it? You know, it's interesting over the last couple of years, there's much more convergence between the physical and the cybersecurity groups used to be, you know, a walled garden. The physical security folks would be off doing their thing. Yeah. And then the cybersecurity folks would be off doing their thing. But I think the the there's been a lot of recognition over the last few years that there's a lot of, I want to say, mutual benefit, right? For these teams to be working together. And I think not just the physical and cybersecurity folks working together, but cybersecurity has a lot to offer into helping other groups within most organizations work better and more efficiently. You know, things that may not have been advisable five years ago. Are now things that we could properly secure and let the business do if they if they wanted to do that. So there's a lot of business enablement that can happen. There you go. With security, you know, protecting these things that maybe are are not a wise thing to do without any controls, but you can do them safely if you wrap the right controls around there. Yeah. And then also the tiering, right? I see a lot of people, I think, think security is this 100 percent or knocks prison or not. Yeah. And, you know, really, you know, we preach the valuable assets, need the most security and you can work ramp into that. I know that the National System Contractor Association and SIA, some of the larger industry groups have a program called PASS, the Partner Alliance for Safer Schools. And it's a four tiered system that's kind of rolled out across the country and has seen quite a bit of success. And it's kind of it's more physical and electronic security. But the IT pieces as you get closer to tier three and four is tying all that together operationally. Right. And when you look at the NIST cybersecurity framework, which I helped develop, you know, many years ago now. Oh, awesome. Gosh, they're on like their third revision now. But that's a similar thing. You know, there's tiers of maturity that you can attain. And it may not make sense. And in fact, it probably doesn't make sense for you to become the highest maturity across all the tiers. Right. It doesn't necessarily make sense for your business. And it probably is more a cost than what would make sense for the the type of data that you're protecting. So there's always that balance. And one of my favorite sayings is don't let the perfect be the enemy of the good. Right. You just want to you want to that's how I like that. You want to apply the appropriate level of controls and nothing more to make sure that that data is safe. Yeah, we do find that even in land access controls are really good examples. A group at an organizational bring it in. And the first guy who doesn't want to have his car to open the door is the big boss who doesn't want to be inconvenienced. And and cybersecurity works the same way with controls and authentic. I don't have to tell you that. So people all of a sudden can't move or can't get to something. Or, you know, we're we're controlling it for a reason. And that that I walk into a lot of organizations that that reason hasn't been very well defined yet. The the level of risk that's acceptable for an asset or whatever it may be. What's the sort of successful processes you've seen around that that risk guidance or risk development? It seems to be missing in a lot of places from my perspective. Yeah, I hate saying no to stuff. I mean, you know, cybersecurity has the reputation of being the the Ministry of No or the place where ideas go to die. You know, the Ministry of No. Right. So I hate saying no. My preference, my approach is, you know, tell me what you want to accomplish. Let's figure out how to get to yes on on solving your business problem. And maybe it requires an extra hoop for them to go to. But at the end of the day, you know, they're going to be able to accomplish what they're trying to accomplish. And and it is about educating them, you know, this is why you have to jump through this extra hoop is because we don't, you know, there's this level of residual risk on that data that you're responsible for, you know. And if we just, you know, apply this extra little thing, you'll still be able to do what you want to do. And the data is safe and the connections save. So I spend a lot of time and this is where my education kind of focuses has really, you know, brought a lot of value to my approach is that I can kind of walk them through my decision making process. And it's more of a partnership and a give and take than it is, you know, me coming down and saying, no, we're not going to do that. So it's more of an of an infosec approach. Right. It's a risk based approach, you know, trying to figure out how we can get to yes on what they're trying to accomplish, because that's at the end of the day. My job as a cybersecurity professional is to enable the business to do what they need to do. Securely. Securely as Ken. Exactly. When you give the guy the UB key and he's got, you know, the sixty four passphrase thing, you know, they go, ah, but when you show them how you can manage it and why it's necessary to manage it that way. Right. I think that the lights come on and ultimately, like you said, they just want to get to their goal of usage or usability or whatever it may be. Right, right. Very good. Let's let's talk a little bit about we didn't get to introduce your history. So give us a little bit about your background. I didn't know. Sorry, I usually start with that. I got right into the topic. That's right. I've been in IT for a little over 30 years. I've got a degree in accounting, which I've never used. I went to work for a CPA and decided I didn't like that. So I redirected IT. And then when 9-11 happened, I kind of took took account of my history and said, what can I do to make the world a safer place? And so I quit the job I was at and retrained myself as a cybersecurity professional. And that was gosh, almost 17 years, 18 years ago, September. Yeah, we're getting there. Yeah, it's been a while now. So like I said, I've been in Hawaii for almost 10 years on and off. It's been a couple of years lately running a hospital system on the mainland. Oh, awesome. But I'm glad to be back. My family's all here. I got grandkids here. So this is my home. Right on, yeah, yeah. Well, I'm glad you're here working in the community. We need that expertise. There's been a lot of brain drain. You hear about it from Hawaii. I was with the high school kids at Mililani the other day trying to convince them to stay here. There's good work here. There's good training. And hey, learn here, train here, go away, but come back. You know, bring some of what you learn out there. That hospital environment you were in, very difficult environment to work in. It is. A lot of regulatory guidance there. Right. And that's an area where if a doctor wants to do something and he feels like he needs to do it to save somebody's life, we have to figure out how to make that, how to allow that to happen, right? So it's a very, very tense situation sometimes where you have to kind of think on your feet. But we talk about the brain drain. And that's not just in Hawaii. We feel it, I think, a lot more here in Hawaii. But I think that there's something like 2 million open cybersecurity positions in the nation right now. And I think that the work that the Hacker High School and some of the other organizations are doing is really great. Because I think up until the last couple years, we've kind of targeted college kids as they're coming out of college. And we're seeing, you know, being in an education environment, we're seeing kids in seventh and eighth grade getting excited about cybersecurity. And I think reaching them in college is too late. We need to be in the middle schools, and we need to be in high schools. So I'm really excited to see Hacker High School. We had a variant of the Hacker High School program, a three-day session for our high school kids back in January. That's with Bob and Ro. Right. So we're looking at doing some stuff earlier in seventh and eighth grade. But there's not a lot of curriculum out for that level right now. So it's kind of a chicken and egg thing right now. And the kids are so smart. So we got a little less than a minute, maybe a final word of advice. And then I'll close us out. I think, you know, just be careful what you're clicking on. And you know, wherever you can, take the opportunity to teach somebody about the threats that they might face and how they can operate their computer safe. I love that. One of my monikers is always be learning, always be sharing. Thanks, everybody. Aloha.