Join us with Neal Bridges as we dive deep into the cyber world, exploring his journey from a hacker to a CISO, his take on the OODA loop, and personal growth in cybersecurity.
Guest: Neal Bridges, CISO, Query [@QueryAi_net]
On LinkedIn | https://www.linkedin.com/in/nealbridges/
On Twitter | https://twitter.com/itjunkie
On YouTube | https://www.youtube.com/@CyberInsecurity
Host: Josh Mason
On ITSPmagazine 👉 https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/joshua-mason
Episode Introduction
A seasoned cybersecurity expert whose career spans decades, from his early days as a curious hacker to his current role as Chief Information Security Officer (CISO) at a cutting-edge startup, Neal shares his journey through the evolving landscape of IT and cybersecurity: his military service, where he honed his skills and contributed to the foundations of U.S. Cyber Command, and his work in the private sector, building robust security programs for major corporations.
Neal also opens up about the personal growth and challenges he faced along the way, including his perspective on applying the OODA loop beyond military strategy to cybersecurity and business decision-making.
For more podcast stories from Loops and Lifecycles Podcast with Josh Mason, visit: https://www.itspmagazine.com/loops-and-lifecycles-podcast
Watch the webcast version on-demand on YouTube: (coming soon)
Beyond the Code: Neal Bridges on Cybersecurity, Leadership, and Lifelong Learning | Loops and Lifecycles Podcast with Josh Mason
[00:00:00]
Welcome to Loops and Lifecycles. Today I've got with me my good friend and mentor, Neal Bridges. Neal, do you mind giving us a quick intro about yourself, just for those who don't know you? Because I could go on and on. I feel like if I do it, it'll take forever.
That's okay. I've been accused of doing the same. So thanks, Josh, for having me, as always. My name is Neal Bridges. Currently the chief information security officer at a startup called Query, where we're kind of pioneering federated search. Think of it as like a dataless SIEM. But obviously I spent my entire life in cyber and IT, dating all the way back to the early nineties, where I was a little rugrat causing some trouble on old-school bulletin board systems and university networks. You know, playing around with industrial control systems for a couple of power companies here in the North Carolina area, before I got tired of the dot-com booms in the two [00:01:00] thousands, God, I'm dating myself, and I decided to throw my hat in the ring and join the military.
I wish I could say it was for patriotic reasons, but honestly, I just got tired of getting laid off from jobs and needed some stability in my life. But lo and behold, they were pretty impressed with my resume and I got to continue to do what I love, which is working in IT. This was obviously before cyber was a cyber thing in the military.
And, you know, I quickly adapted pretty well to military life and got to do a lot of cool deployments and a lot of cool missions before ultimately making my way over to U.S. Cyber Command, where I was one of the first 1B4s to, you know, kind of usher in the new career field for cyber warfare, and helped build the first functional training unit for cybersecurity.
You know, got to train all the NSA hackers that are, you know, TAO and the ROC and everything else [00:02:00] for offensive cyber operations, as well as participate in offensive cyber operations with the continuity of operations center that we had down there. So that was pretty exciting. I was a SANS instructor for a number of years, both my last few years in the military as well as when I came out, and built and led offensive security teams for companies like Fidelity.
Built, helped build a 10 million ARR pen testing practice for an MSP out of Ann Arbor. And then ultimately got a shot at the big leagues working for PwC, a Big Four firm, where they had asked me to come in and help build a pen testing practice out of the Midwest, out of the Chicago office, which then ultimately translated into an incident and threat management practice. You know, I consulted with a ton of security teams across a lot of Fortune companies, done a ton of rebuilds and transformed a lot [00:03:00] of security teams, both offensively and defensively.
And then finally got a great chance to work with a great CISO at the time, Bobby Ford, who's now the chief security officer over at HP Enterprise. He had asked me to come and help him rebuild the first security operations team out at Abbott Laboratories, where, you know, probably one of the biggest budgets that I've had to work with, traveling all over the world, protecting a multibillion-dollar company, single-handedly in charge of building that capability from the ground up.
Ironically, I was doing a ton of writing at the time. I was writing a lot of news articles and things like that. And I had written, shortly after WannaCry, about a certain insurance company and its relationship with another manufacturing company, and didn't realize that that would then lead to bumping into that CISO at a hockey game in Chicago, who had read my [00:04:00] article and was very intrigued by it. And then ultimately set out to recruit me to leave Abbott and go to Mondelēz International and help them rebuild their security team post-WannaCry incident there. Did a couple of stints at a couple of startups, and
Now I'm hanging out here at Query, doing the thing at Query. I guess I didn't really talk about Cyber Insecurity. For those who do know me from Cyber Insecurity, I'm also the host of the Cyber Insecurity live stream on Twitch and YouTube and X and LinkedIn, but that's the shortest I think I can make my professional
Yeah. Yeah. You're also streaming on TikTok. Correct?
I am. I'm trying out the short-format stuff. It's interesting to dabble your toe into short format when you're doing cybersecurity [00:05:00] content. Arguably the audiences there have a shorter attention span. Obviously that's kind of the point of short-format stuff.
And they're obviously more interested in what Hollywood's depiction of cybersecurity and hacking is than in understanding more of its organic nuances, if you will.
I mean, being a CISO for a small startup isn't constantly in a console watching, like, matrixy stuff run down your
Oh, I absolutely am. I mean, that's one of the things that I absolutely love about being a CISO at a startup: I can be anything from the security analyst to the security architect to the help desk, to accounts receivable, to the chief operations officer [00:06:00] to the resiliency engineer, and eventually I'll get around to doing the CISO work as well on top of that.
But I mean, it's a team of one, it's a team of myself, working really, really closely with the CEO and everybody else there to make sure we're hitting our compliance goals, to make sure that we're secure. And honestly, there's no other IT leader. You'd think in a startup where you've got a ton of really smart people, "Oh, well, you don't really need an IT person."
Well, no, because we still have SaaS systems. You know, I had to build single sign-on from scratch. I had to build out a lot of our overarching organizational infrastructure when it came to things like AWS. And so, yeah, it's one of the things that I have always tried to be cognizant of in my career, and this actually [00:07:00] started back in 2016 when I was working for Abbott. That was really the first job that I had where, because of the role, because of how high profile it was, because I was literally three spots away from the CEO, who made, I think, like 20 million a year, right?
I was three steps away from that, and my days on the keyboard felt very, very numbered. And that was ultimately why I started my own company, did some side work, some side hustle on the side, to keep those technical chops, because I've always had this feeling in myself where I didn't want to migrate too far away from doing that technical work.
One of the reasons I call this show Loops and Lifecycles is a shared understanding that we have of the OODA loop. The Air Force really loves [00:08:00] utilizing the OODA loop wherever possible. When I was introduced to it, it was at the Academy, about air-to-air combat, the traditional use. But your take on the OODA loop: you've utilized it for understanding what our actions should be in the cyberscape, and a little bit in business and a little bit in personal growth as well, which, I'll tell you, kind of led to the whole Lifecycles part here.
The DevSecOps lifecycle being a continual growth, continual improvement, continual development system. How, in your words, how do you utilize that feedback loop, that, you know, "secured IT," can't say that word, that continual growth cycle, in your daily or in the business?
Yeah, [00:09:00] so I think it's important to contextualize this just a little bit. Right. So remember, when we talk about my background, I started out, before I went in the military in 2003, I'd been in the business world, I'd been in the startup world, I'd been traveling to meet with clients.
And I had a team of, I think, 12 at the time when the last startup that I worked for went
Mm-hmm.
And so going into the military for me, I was relatively mature, I was 24 versus 18, and that may not sound mature, but I mean, Josh, you've been exposed to a lot of cadets and younger enlisted folks.
There's still quite a bit of maturity that exists in some of those younger enlisted folks. And so I had a pretty eyes-wide-open moment when I went into the [00:10:00] military and I was able to compare and contrast that to kind of what I had just got done seeing in the business world.
And so I contextualize that because I think what's important to understand is that when I came out of the military in 2013, I realized that, for me, the way that I saw cybersecurity, the way that I saw us operationalize what it is that we do in the outside world versus what we do in the military world, it made way more sense for me to try to adopt and implement a lot of the military cultures and behaviors that I had just spent the last 10 years being exposed to, and one of those very much was the OODA loop.
And when you're doing offensive operations, the OODA loop kind of plays, I'd say, a looser role in pen testing [00:11:00] in the real world than it does in the military. So I want to fast forward to my first real stand-on-the-soapbox moment when it came to OODA loops.
And that was really at Abbott, when I was building my own security operations team, and specifically the incident response team. And I remember the very first incident that I dealt with there. It was a phishing incident. They had phished the CFO. And they were really just trying to get to his retirement account, to steal money out of his retirement account.
So it wasn't even really an attack on Abbott as much as it was just the personal finances of the CFO.
Mm-hmm.
But what I quickly found was, in a large organization like that, where you've got high-profile people, people who are used to leading teams of hundreds, making vast decisions, it was really amazing to me how much of a long lead there was in terms of actually making a [00:12:00] decision. And when you're dealing with an incident, when you're dealing with a cyberattack, time matters, right? The longer the adversary is in your network, the longer the adversary has access to an account, the longer it takes you to initiate those first few critical steps of an incident, can literally make millions of dollars' worth of difference, depending on the scenario you have to deal with.
And so quickly teaching, which was also a very odd concept, was teaching, in the middle of an incident, the concept of an OODA loop: to be able to observe, orient, decide, and act. What I quickly found is that large organizations had a hard time with the deciding and acting part.
They get kind of stuck in business in the observe and orient, and what ends up happening is they almost insert, like, an observe, orient, [00:13:00] create conspiracy scenarios, and then they go back to observing and orienting themselves to the conspiracy scenarios that they just created. So back to my example about the phishing exercise.
Of course.
I won't mention which leader it was, because I don't want people to get called out.
But one of the leaders at the time came in there and said, well, why was the CFO targeted? Is there any information on the CFO on the dark net? How do we get the information about the CFO off the dark net? And who was the one who called, and how do we get law enforcement involved?
And they wanted to kind of go down this personal-attack trail. And so it was observe, orient, follow a rabbit trail of conspiracy before they ever made it to a decide and act piece. And so I quickly started to talk to folks that, really, when we started talking about real-world incident response, [00:14:00] it's real easy, I think, for organizations to observe and orient themselves.
I think they do that very, very well. I think what organizations fail at is the deciding and the acting part. Either everybody's too afraid of business consequences, or they're too afraid of making the wrong decision, or they're too afraid of some type of pushback from a peer or peer organization.
And then when it comes to acting, you've got anything from fear to a lack of support from partner organizations, and so they just avoid the decide and act part, and they just get stuck. And I think that this is where a lot of organizations, a lot of teams get stuck in these endless meetings after meetings after meetings, because it's really easy to do observe and orient, but it's really, really hard to do decide and act.
And so I've always tried to bring security back. Whenever I have conversations, whenever I talk on podcasts, whenever I give talks at conferences and things like that, I always try to bring it back to some of those military principles, where it's like, okay, [00:15:00] what is our observe, orient, decide and act process?
And how do we ensure that we make it from one phase to the next in a clear, concise, decisive manner so that we can actually get to the action part and actually make some real impact in the organization?
I love that. I can't help but think it sounds like there can be issues sometimes at the top with having a strategy and then moving in accordance with that strategy. I know you use it all the time; I love the term "strategy to task." The organization's leadership comes up with a strategy, and with that leadership or commander's intent, and with the leadership or commander's risk acceptance or risk level, then individuals or team leaders at the lower levels can make decisions that [00:16:00] are in line with that strategy. Do you see us doing that enough at companies, or do you feel like there's something that gets in the way of
So I've got a good story for this as well. And this actually happened in 2013, when I first came out and I joined FIS to build their red team out. I introduced strategy to task to the security director that we had at the time. And when I introduced what you had just described as strategy to task to them, they loved it.
And they said, this is exactly what we need in the organization. Can you teach the organization? So I had to find a way to teach strategy to task to a bunch of pen testers. And what's challenging about that, especially in the pen testing world, especially in corporate pen testing, right?
Let's make a [00:17:00] distinction between corporate pen testing versus, like, consultative pen testing. Because I'd argue consultative pen testing is a little easier, because a statement of work gets signed. You have a predetermined scope. You go out, you execute said scope, you produce said report, and you close out the statement of work and you move on to the next one, right?
It's pretty easy, right? I think that's a very compact version of strategy to task. But in a corporate world, when you're working for a large enterprise and you're part of a pen testing team, you're expected to derive your own, if you will, statements of work and your own scopes. And I get a sense when I talk to a lot of up-and-coming pen testers, and even some experienced pen testers, that they're like, sweet, that means that I get to wake up every day and I get to hack whatever I want inside of a corporate network.
And this is very much what the case was at FIS at the time. They had just come out of their 50 million SunTrust breach, and we had a [00:18:00] team of, God, I think it was probably like 12 or 15 pen testers. There were three network pen testers, I was part of the network pen testing side, and the rest were application pen testers.
And all they were doing was they just had a list of all the applications. And we just had a list of all the BUs, business units, in the organization. And the first few months that I was there, it was just like, go forth and hack whatever you will. And there was no strategy to it. And so it was after I briefed the security director on the concept of strategy to task that I got to teach the pen testing organization what strategy to task meant. And the way that I translated that from military speak to civilian speak was, I was like, listen, the CEO has a business strategy.
And it was amazing that I had this wherewithal coming out of the military, because it wasn't something I was natively exposed to in the military. There you didn't have these types of hierarchies. You didn't have a board of [00:19:00] directors and things like this. But what I explained to the team was, you know, the CEO is going to have a certain set of business strategies, and those business strategies are going to get passed down to the CISO, and the CISO is going to take those business strategies and develop a set of goals and objectives that the security team has to achieve. And those security goals and objectives are going to get passed to the security director and ultimately down to us as the testing team.
I said, what we've failed to do as a testing team is we've failed to align our testing methodology and our testing strategy to the goals and objectives of the organization in a true strategy to task fashion. And what we found is, when I taught them strategy to task and when we actually had a concerted effort where we took the business goals and objectives, we filtered them down from CEO to CISO to security director down to the security testing team, and we developed our testing plans, our pen testing plans, our appsec testing plans, and our network testing plans against those goals and objectives.
We ended up driving [00:20:00] far more business value back into the business, because now we were able to align our testing to the strategies of the business. For example, mobile. This was a time where mobile banking was becoming massively huge. But if you'd looked at our testing plan for the three months prior, the mobile testing business unit was the furthest down on the list, because it was the smallest in scope.
And so we had thought that we needed to do the biggest in scope first, because the biggest assets in scope must mean the most risk to the enterprise, when, in fact, that didn't align with the business objectives whatsoever. And so once we started to focus in on the business objectives, in this case mobile, mobile app testing, mobile banking pen testing, things like that, we found that we got a lot more support from the business.
We got a lot more support from organizations. We saw bugs and vulnerabilities and things like that get fixed faster, because they aligned to business [00:21:00] objectives, because we had done a strategy to task exercise.
How can people who maybe aren't schooled in that process, who haven't gone through, you know, the Senior NCO Academy, what's the easiest way for people to dip their foot into that and try to operationalize that in their organization?
I think there's a pre-step that is slightly cynical to whatever advice would be offered from that, right? I think the cynical pre-step is you have to realize that if you're a pen tester, your job isn't to hack things. Right. And I think that pre-step has to happen first, mentally, before you can do the actual step.
Once you've mentally prepared yourself that your job isn't to hack things, [00:22:00] I think you become much more aware that your job is to bring business value. And then it makes it really easy for that first step for you to look at whatever it is you're doing as a pen tester and say, what is it that I'm hacking that brings business value?
And realizing that identifying a vulnerability or identifying an attack vector isn't necessarily bringing business value. Let's talk more broadly around the security organization as a whole. I think if you're sitting at a console watching a bunch of alerts and your perspective on the day is, I'm just here to punch a clock, see the blinky light turn red and put in a ticket in ServiceNow to have some machine wiped, or, you know, run the SOAR playbook to have the phishing email removed from everybody's [00:23:00] mailbox.
I think if that's your perspective on your job, you're very, very far removed from the mentality that you need to understand strategy to task. And it's not to say that everybody who watches blinky lights should have a concept of strategy to task, but you should really be understanding what the strategies of the business are.
And what your day-to-day impacts, at the most tactical level, are to help that strategy. And I think this was something that I didn't realize at the time in the military. And it took me, honestly, working at the 39th, when I was having to write cyber OPORDs with commanders, when I was reviewing cyber OPORDs, operation orders,
Mm-hmm.
When I was having to brief commanders and generals on cyber OPORDs, I don't think it's taught even well enough in the military [00:24:00] at the most junior ranks what the strategy is and why it is that you're doing what you do on a daily basis.
And I've got plenty of examples of this. Like, I remember being a senior airman, being an early staff sergeant, an early E-5, right, in Germany, getting told that I needed to go support a fighter squadron on a 45-day HUMRO in Africa. Right. And I was like, okay, I know I'm supporting a fighter squadron and I know I'm supporting a humanitarian mission,
Mm-hmm.
but why?
Ooh.
Right. And I blame the military a little bit for that, because they try to beat it out of you to ask why.
Uh-huh.
But I think that there was a little bit of failure to understand the why. Not to question orders, but to understand what the strategy was, so that when you're on the ground, when you're standing up [00:25:00] communications, when you've got plane sorties taking off every five minutes, you understand the why.
Now, some whys are easy to understand. When I supported the pirate-hunting missions out of the Seychelles, we knew what the why was. Right. But the whys aren't always that obvious. And I think that translates very well over into a business: when you're tactical, on the ground, watching a console, sometimes the why isn't obvious.
And you just think that your job is just to watch the little blinky red lights and respond to those incidents. And I think it's your responsibility to try to force leadership to explain to you what the business strategy is for what it is you're doing.
Ooh. Then at what point, during onboarding, or should it be an annual thing or a regular thing, should leadership be sharing that strategy with an [00:26:00] organization? I'm in a startup. You're in a startup. Is this something that should happen more often when you're in a big organization? At what level should that get communicated?
Sorry, throwing a lot at you.
Yeah, no, no, it's okay. I think it looks different depending on the size of your organization, right? So let's talk about bigger organizations. And when I talk bigger organizations, remember I was at PwC, I've consulted with a ton of Fortune 1000-plus companies. I've worked at Fortune 100 companies, I've worked at Fortune 10 banking organizations, and, you know, understanding that there is yearly goals planning that happens.
And I think at the tactical level, you get really, really consumed with, like, oh, goals planning just means that if I don't do these goals, I don't get a raise. But understand that goals planning actually is a form of strategy to task, but it gets diluted down pretty significantly the further from the top you are. [00:27:00]
And so once you realize that goals planning is a diluted version of strategy to task, I think when you have that goals conversation with your leadership, understand what the high-level strategies are that are being passed out. I'll give you an example. When I was at Abbott, we did goals planning every year.
Right, and, you know, let's do a calendar year, right? January to December, right? When December ended and January began, we knew that there was going to be a board meeting sometime in January or February, give or take, depending on how things went. We knew that going into that board meeting there were going to be a lot of conversations between the CEO, the CFO, the CIO and the CISO, and then all of us directors that supported the CISO.
And we knew that what was going to come out of there was the CEO was going to say, here are my objectives for the year, [00:28:00] and he's going to say, financially, to the CFO, this is the goal that I want you to carry. CIO, this is the goal I want you to carry. CISO, this is the goal I want you to carry.
Mm-hmm.
In our case, one year, it was manufacturing security, right? Pointed to the CISO and said, CISO, manufacturing security is a goal I want you to carry. That is the commander passing down to a lieutenant commander. Right. Here is your strategy to task. Right. And so what the CISO would do is he'd come back and say, we all have goals.
We all have objectives. But the one goal that is super important for us as a security organization is manufacturing security. So Doug, from security architecture, I need you to come up with a goal that is specific to how you're going to support manufacturing cybersecurity from an architecture perspective. Ron, you're GRC, I need you to go out there and derive a goal that's going to be super important for you to carry around manufacturing security. Neal, security operations,
I need you to develop a goal that's going to be super important for you to understand [00:29:00] for security operations around manufacturing security. So forth, so on down the organization. But then in most organizations, that's where it gets stopped, because then what happens is those directors go forth and say, okay, managers, make your goals, but it's got to be something manufacturing security related. What's missing is,
I don't think there's ever a why asked that's in there. There's never a conversation that says, well, this is what's important to the business. This is why manufacturing security is important to the business. This is how much we make, revenue-wise, based on manufacturing alone. And this is why manufacturing is important.
Here are the plans for the business to expand manufacturing into China, right? Things like that. All they just get told is, hey, go make some goals for you and your team, but also try to make them at least a little bit skewed towards manufacturing security. Right. And it just kind of gets left at that high level.
And I think that that's the failure, regardless [00:30:00] of whether you're working at a big organization or not. What I would argue is, when you work for smaller organizations, you're a lot closer to the making of the bread. And so it's super easy to see. Listen, I work at Query. We work at a startup.
We're 21 people large. Right.
Mm-hmm.
I'd bet you a good amount of money that you could point to anybody on our team and they would be able to tell you what our strategy to task is, right? We are validating our product through ARR, right? We're trying to get customers. We're trying to validate our theory in the marketplace based on recurring revenue.
Right. And everybody knows that. And so I think that the strategy to task conversation is much, much easier in smaller organizations, because you're closer to the making of the bread. What happens is we get so disenchanted with the goals-making process as we get to larger organizations that we just view it as a monetary exercise which our bosses are going to use to decide whether we get paid or [00:31:00] not.
And thus we don't equate it to a strategy conversation, and thus we don't end up taking it seriously. And so I think that's the big problem that most people have when you're looking at larger organizations' interpretation of strategy to task.
I love it. I love it. You mentioning goals, and us just coming out of January, I can't help but think about personal goals, individual goals. And I know that you take making personal goals highly; it's a big part of what you mentor people on, on Cyber Insecurity. It's a big part of what we talk about in the community and what you've talked about on your shows.
For us here, what do you see as the most important thing about building goals for yourself? Why do you do it?
always [00:32:00] have this appreciation for goals. Um, it's, it's super interesting, right? Um, I'm, I'm, I'm, I'm 44 years old and, and I, and I know more than I did 20 years ago. And I still and I'm just now realizing that I'm still so ignorant on so many things. And I think a lot of that really boils down to our self perception of ourselves. And I think that that self perception is what Inhibits a lot of people from making good decisions around goal planning. Um, I can look at myself 20 years ago and be like, Oh yeah, of course I had goals, but my goals were things like, Oh, I'm going to, drive a Ferrari, right? I'm going to, I'm going to live in a multimillion dollar home, right?
I'm going to, you know, [00:33:00] I'm going to, I'm going to do all of these, these things that are all very short sighted and very, and we'll call them materialistic, but they're, they're end products. Of a, of a, of an imaginary intangible. You're measuring the goal based on the reward, not based on the achievement, if that makes sense. Um, and I didn't have that realization. Honestly, I didn't have that realization. Um, I didn't have that realization until I started working for bigger companies after the military. It took me, it took me almost 15 years to realize what real goal making was. And so at first I'd say a lot of my focus on goal making is to try [00:34:00] to try to teach people the failings that I had through a lack of maturity in my younger age, right?
Because I see it in a lot of the folks that we talked to in the community, right? You know, Oh, I, I just want to be a, become a pen tester. Okay. Why? Why? What's so important about that? What is, well, because I saw it on TV. It looks cool. I've always had this, this passion to be a hacker. Also, you've had a passion to be a criminal. That's what you're saying. You've had the passion to be a criminal, right? People don't think about. They don't think about their passions when they think about goals and objectives. What they think about is they think about the emotional reward and think that that the goal has to tie. To, to, to some intangible emotional reward. I had always heard about smart goal planning, um, specific, measurable, actionable, relatable, uh, time bound goal planning, but, but I'll [00:35:00] admit like I didn't take that shit seriously. Um, you know, it was, I thought that was just a fancy acronym that, that big organizations use. And I, and, and I very much look back on, on that mentality now.
And I'm like, yep, that was a maturity thing. It was a lack of maturity thing, right? I didn't have the maturity. The maturity to understand what the goal of smart goal planning was,
mhm,
and And so I think a lot of my teachings around goal planning are to try to break the stigma and to help educate people that goals are key to living a happy life. Because I think that's what everybody wants. When everybody thinks about getting into cyber security, when everybody thinks about getting a job as a pen tester, when everybody thinks about, you know, being a CISO, when everybody thinks about, you know, You know, let's face it, like a lot of people want to get into this industry because the money is good.
And a lot of people want money to be good because they want to provide for their family. I genuinely believe [00:36:00] that the majority of people that want into this industry want it because they want to provide better for their family. It's just, it's, it's Pavlov's hierarchy of needs. It's, it's innate in us and in human nature to provide for our families. Right. Um, but in, instead, we get so focused in on, I just wanna be a pen tester. And that's not smart goal plan, goal planning. We don't have five year plans. We don't have 10 year plans anymore. We don't, we don't focus in on, you know, the fact that, that the world changes around us so quickly. You have to be ready to pivot and I'm guilty of this.
Like I don't sit on the ivory tower and think like this is how it's done. Like I can literally look back on my life and cite examples where I'm guilty of everything that I'm preaching here. And that's why I talk about it is because, like, you know, you know, let let me show you how bad I screwed it up in the past.
Right? [00:37:00] Um,
mhm, mhm, mhm, mhhm,
so I, I, I say all that to say, I encourage goal planning. I encourage people to talk about their goals. I encourage people to celebrate their goals and to celebrate their goals publicly and their achievements publicly. Because I think it's important for you to realize how important your goals are to success.
And I'll tell one story, one personal story, that honestly nothing to do with cyber security, but has everything to do with how important goals are, right? When I got diagnosed with cancer, like for the longest time, let's take a step back, for the longest time when I got out of the Air Force in 2013, the only goal I had was to become a CISO.
You can talk to anybody who, who, who, who knew me back in 2013, like, like, you know, what's your goal, Neal? I want to be a CISO. Like, God, I want to, you know, I have people tell me, I want to be a pen tester the rest of my life, or, you know, God, why would you ever want to be a CISO, blah, blah, blah, blah, [00:38:00] blah, blah.
And, um, and, and so that was the goal for a really long time. And then, and then I got to be a CISO. And then I got diagnosed with cancer. And I needed a goal. And I think this is what people don't realize about goals. Right? And the goal isn't to become a hacker. Right? The goal wasn't to become a CISO. The goal is not to die.
Sitting behind this keyboard slaving away for somebody else. I have an expiration date, like it or not, morbid as it sounds or not. I have an unknown expiration date. I get, I very much feel like a package of meat, right? You know, it's like, it's like, I'm, you know, please sell by, you know, this day. Now I may last a little longer than that day, but there's definitely like a please sell by on, on, on my packaging, right? And I think [00:39:00] that's where goal planning really hit me. It's like, well, holy shit, what is the goal? The goal isn't to become a CISO. The goal isn't to become a hacker. The goal isn't to own a Ferrari. You know, for the longest time, you can talk to the wife about this, right? The only goal I had was to buy a Ferrari after I became a CISO.
After I became a CISO, the only goal I had was to buy a Ferrari.
Not a lambo? Mhmm, mhmm, mhmm,
No, fuck Lambo. Ferrari, man. Lambo's for people who don't want to like, uh, have to be, uh, approved to get a car. But like, you know, when you want to be culturally approved to get a car, you get a Ferrari. Because if Enzo Ferrari doesn't sign off on it, you ain't getting one. Anyway, um, the only goal I had was to get a Ferrari. When I had cancer, do you know the last goal that I thought about? The
a Ferrari? Mhmmm,
Ferrari. That Ferrari went out the window so fucking fast. I haven't thought about a Ferrari [00:40:00] in 18 months other than when I go to the car club, right, to work. Because I realized that that's not the goal.
Yeah.
That's not the goal. The goal is to not die sitting behind this monitor.
Mhm,
The goal is. I want to, I want to do whatever it takes where I'm not sitting behind this monitor. Money stops being important, right? Material things stop being important. All those things stop being important when you realize you have an expiration date.
Yeah.
And so I talk about goal planning in the sense of think bigger, think bigger on your goals,
Mmhmm,
And maybe being a pen tester is a milestone. And when you [00:41:00] realize that those are milestones and you realize how big your goal is, it becomes way easier to see the forest for the trees. And I think that's the key to goal planning.
mhmm, mhmm. That's huge. So, soon, I can't help but think of a country song from, what, 90s, uh, early thousands. Um, did you have this thought process of, you need to go skydiving and mountain climbing and
no, no,
a bowl named Fu Manchu?
no, no. I didn't have that. I didn't have that thought. Um, no, honestly, like, my, my, my biggest thing and for me, like, it was different, right? Because, like, if you look at my grind, like, [00:42:00] I, I dove headfirst into the grind mentality. Like, I was, you remember, I think when you and I first met, You know, I talked extensively like I'd be up till 2, 3, 4 o'clock in the morning, you know, and then I wake up at 6 o'clock in the morning after, you know, 3, 2, you know, 4 hours of sleep at night and I'd, I'd be right back at it.
Right. And, and I was all about like, okay, you know, like the long, the longer I'm awake, the more I get done, the more I get done, the more successful I wait. And because, you know, because my goal was a Ferrari
mhm.
and I, and, and it wasn't until I got cancer that I realized that I The Ferrari being the goal was actually contributing to my demise because of the fact that my goal was so small. It was so materialistic. It was so focused [00:43:00] in on this one little minute thing that can go away in the blink of an eye.
hmm. Mm
It wasn't a big goal. And so being focused, we have a saying in golf, right? Aim small, miss small. Right? And I think that that's what, I think that's what gets missed, right?
Is like, I was, I was aimed at something that forced me to miss something so big in my
hmm.
no, like, like skydiving wasn't, it was never a part of it. Like, like, I have no interest in that. Like, like, there's no, I don't have like a. I don't have a, a, Oh, I need to do this before I die mentality. I have a, I don't want to die doing this mentality.[00:44:00]
I like that. I like that. I The idea of a bucket list of a I have to do this. Um, these far reaching nonspecific goals It doesn't seem to fit your personality. Um, I get that I feel that I'm I'm the same The list is
I, I, I, I'd much rather spend my last few days hitting golf balls on a golf course. Um, not because like I, you know, you know, want to like, you know, retire on a golf course or anything like that, but more along the lines of like, you know, I want to be mobile. I want to be moving. I want to be outside. I want to be competing, right?
I want to be I want to be hungry. Right for something else and has nothing to do with, you know, with like, you [00:45:00] know, being an old guy driving a golf cart around a golf course type of thing. It's that I don't, I don't want to be, I don't want to be slaving away working for somebody else and dying of cancer.
How do you, how do you use that, that energy, that thought process now? I know you're, um, you're, you're training. You've got the sim in your house now. You're, you're, you're prepping up for this season. You just had Um, uh, pretty decent in my opinion, a pretty decent, uh, uh, game the other weekend, um, or a couple of rounds the other weekend.
How are you, uh, yeah, using that? How could others kind of, you know, take from that?
so I'll, I'll tell a little bit of a personal story because this is a conversation the wife and I had, and it, it, it almost made me cry, almost made me cry when she told me, um, [00:46:00] despite outward appearances, I've never been the most level headed person. Patience has definitely been, uh, a hard thing for me to achieve.
Um, the, the Ferrari will go back to the Ferrari conversation, right?
hmm. Mm hmm. Mm hmm. Mm
the only reason that prior to me getting diagnosed with cancer, that there wasn't a Ferrari sitting in the garage was because the wife was the one holding me back. And I don't mean that in a negative way. It was, you know, she was the pragmatic one.
But I'm a, I'm a right now. No patience. Let's go. There is no time like the present. Let's execute on this right now. Um, when I started playing golf, um, let's try to, I'm trying to not to make this a long winded story. Um, I started playing [00:47:00] competitive in April of last year. Now there's, there's a huge difference between competitive golf and, Hey, I'm just going to go out with the guys on the weekend and drive around the golf cart and drink beer and fuck around on the weekend.
Right. Um, You know, there are rules. I think that's one of the biggest things, right? There are rules. Um, and, and, you know, unless you're a cheater, you have to abide by the rules. And then there's standings and there's placings and, and all of a sudden when there's accountability, things matter, right? Um, you know, your bad shots. Um, when you first start competing, Feel pretty miserable, right? You feel like everybody's watching you. You feel like everybody's judging you. You feel like, um, you feel like you're a failure, the imposter syndrome that everybody talks about in cyber comes back full force, right?
Mm hmm.
And between April and [00:48:00] September, when the championship was, I probably thought about quitting golf
Yeah.
at least a dozen times. And the wife bore witness to me coming home from some tournaments where I put up some horrendous numbers. I put up some just monsters on the scorecard. I lost, you know, a box of balls, right? I was putting stuff in the water all the time. I, you know, I had one tournament where it took me six shots to get off the tee box, right?
And I'd practiced for a week, you know, before that tournament. And I came home and I was mad and I was threatening to sell the golf clubs and I was, you know, I was done. I was done. [00:49:00] But I kept at it and I kept finding the discipline to think differently about golf.
hmm. Mm hmm.
And what I thought differently about golf was golf isn't about me and the other 70 competitors.
Even though there's a scoreboard with 70 other, 70 people's names on it, golf isn't about me versus 70 people. Golf is about Me versus me. I'm playing against myself and I'm playing against myself against somebody else's design of a golf course. So for you cyber nuts out there, you walk into a CTF, somebody like Josh or myself or somebody else makes a [00:50:00] challenge in a CTF. You're not competing against other people. You're competing against yourself.
Yourself and your ability to defeat Josh's challenge. And that's what I had to realize about golf was that I wasn't competing against other people. I was competing against myself. And when I realized that I was competing against myself, I realized that every time I got mad, every time I lost my patience, I was sabotaging my own game. Every time I let a bad shot affect me mentally and emotionally, I was destroying the next five shots. And so I think that for me, [00:51:00] golf has helped me grow as a human because I learned something about myself that I hadn't learned in 44 years. And, and it, it really came to a head just here recently with talking with the wife when she confided in me that she was jealous that I had found something, I had found a hobby, it's a little bit more than a hobby but she equated it to a hobby, had found a hobby that allowed me to overcome home.
A personal development that it had literally plagued me for 44 years. so now when I practice golf, my practices are different. My practices have purpose. My practices have meaning. My practices [00:52:00] are about self betterment. My practices are about making me a better human. They're about making me a better CSO.
They're about making me a better streamer. They're about making me a better contributor to the cyber community because I'm becoming a better human because of them. And I think that's been, like, like, I've got a, I've got a pretty massive goal for myself coming out of this golf adventure that I hope to achieve one day. But I will say that even if I threw out my back this weekend playing a tournament and moved so bad I could never play golf again, I'd be sad, sure, but I'd be grateful because I'm a better human for finding a hobby.
That forces me to work on something that was such a huge flaw for me.[00:53:00]
For everyone listening, not a lot of this is news for me, you know, and I talk all the time, but man, it is, it's still always great to hear. For those who want to get, uh, more Neal Bridges in their life. Uh, I know, um, Twitch and YouTube, LinkedIn, Twitter, uh, or X, TikTok and Instagram are all places where they can catch you probably, uh, Wednesday night and Friday mornings,
and Friday mornings. Yeah. Yeah. Wednesday night and Friday mornings are the most consistent for streams.
uh, and then the Cyber Insecurity Discord channel, uh, Cyber Insecurity on all of those, uh, platforms. And then, uh, what if people want to follow your, uh, your golf journey, your PGA journey, your journey to the PGA, where, where should they tune in? [00:54:00]
I mean, I, I, I'm still finding my feet, my footing, if you will, on content when it comes to my PGA stuff, but I appreciate all the support. Um, for, for, for those who are hearing me for the first time, um, Um, when I got diagnosed with cancer, one of the biggest goals that I, I set out for myself, um, you know, surrounding golf, you know, I needed a, I needed a North star to work towards.
And so the North star that I set for myself was, um, to, to play the PGA tour. Um, PGA, unlike any other professional sport, is truly meritocrial. Um, meaning, you know, there, there's no age limit, there's no minimum age, there's no maximum age. Um, you know, there's no, you don't have to like, you know, sign with a minor league club or, you know, go to, to spring training or, you know, have tryouts in a draft or anything like that.
You know, you literally can pay. Um, to show up to a pre qualifier and [00:55:00] if you score well enough in the pre qualifier, you can then go to a Monday qualifier. And if you score well enough in the Monday qualifier, you get a shot to play on Wednesday. Um, for that PGA tour event. And if you score, if you make the cut.
Between, you know, you know, Thursday and Friday, if you make the cut, you can play Saturday and Sunday, and if you make the cut and play Saturday and Sunday, then, you know, there are there are increasing amounts of rewards. And so the bottom line is, it's truly meritocrial. And so literally, the only thing stopping me from this goal is myself. Again, it gets back to realizing that the only person I'm, person I'm competing against for this is myself. Now, I'm not saying I'm going to go out there and win a major and, you know, Rory is still the greatest golfer alive and, you know, and, and stuff like that. I just want to compete on the tour. And so if you want to join me on that adventure, in addition to everything else, um, I talk extensively about, you know, the things that I'm learning on the golf course and how they relate to cybersecurity.
In my career, um, my [00:56:00] personal Instagram, um, you know, I T dot junkie is, you know, definitely the best place to follow that. Um, I've had several people ask me for baseball cards, um, golf cards, golf, baseball cards with golf themes, whatever
golf trading
um, golf trading cards. Thank you. Um, And so we have a set of golf trading cards.
I've, I've, I've, you know, hired a photographer to come out and take pictures. And so we have some golf trading cards, um, you know, to, to kind of support the journey. And, um, you know, I, I appreciate all the support. I mean, it's, it's, you know, uh, it's, it's, it's a long road. It's a hard road.
I don't anticipate to be on the PGA tour next year. There are people who literally spend, you know, a decade trying to get to the tour. Um, You know, I'm trying to do it, um, by the time I'm 50. That's kind of the goal is, is, you know, back to smart goals, it's time bound. I'm going to try to do it by the time I'm 50.
Um, you know, but, but I'm learning a ton about myself. It's [00:57:00] helping me be a better CISO and helping me be a better security practitioner, and I'm, I'm anxious to, to share those learnings with, uh, with everybody else who follows me along on this, this journey as well,
Neal, thank you so much for sharing with us. I'm going to post links to all the socials in the show notes and, uh, hope to see everyone on, uh, one of Neal's live streams soon. Thank you again, my friend. And, uh, this has been Loops and Lifecycles with Neal Bridges. Thank you, sir.