Ep. 020 - The Anthropology of Cybersecurity with George Kamide: Exploring the Intersection of Tech, Culture, and Food Systems

00:15 - Kristin Demoranville (Host)

Welcome back to another episode of the Bites and Bytes podcast. I'm your host, Kristin Demoranville, and today I'm excited to be joined by the extraordinary George Kamidi, co-founder of Mind Over Cyber and co-host of Bare Knuckles and Brass Tacks. George brings a unique combination of expertise in both anthropology and cybersecurity, and today we'll be exploring the human factors, cultural dynamics and complexities of the global food supply chain. A special note before we begin, I want to acknowledge something important. This episode was recorded before the recent updates on the avian flu and listeria outbreak linked to deli meat incidents. I wish to extend my thoughts to those affected and be sensitive to everyone working through these crises. Thank you so much. I hope you enjoy my conversation with George. Let's get started. It's finally happening. I have George K. We'll get into who George K is in a second. I want you to start with your favorite food and your favorite food memory, because it's literally my favorite question. I ask everybody.

01:15 - George Kamide (Guest)

Oh, wow, yes, First, I am very excited to be here. I know we've been talking about it for a while. Favorite food oh, okay, I'm going to go with tacos. There's so many I could pick, but tacos were the key ingredient into getting my kids to try new things. If I could get it into a taco they would eat it, and now they love tacos and they are on the hunt for taco trucks and they have a very discerning palate for their age. So I'm going to say tacos, taco trucks, and they have a very discerning palate for their age. So I'm going to say tacos.

01:51

Favorite food memory my family is from Brazil, and so there is a traditional Brazilian dish called feijoada, which is black beans that is stewed over very low heat for a very long time.

01:57

Like many cultural foods that are used to typify a country let's say the pastas of Italy or the noodles of China, the paella of Spain Feijoada was poor people's food, more specifically, slave food.

02:11

It was basically whatever meat scraps were thrown to the slaves they would put in this pot and, because they're working long hours, somebody was watching it for a long period of time. But I had it a lot growing up. It was delicious and so my favorite food memory is the first time I went back to brazil since we had immigrated to the states, being able to locate this fish water that was being cooked out in this field in a gigantic like the biggest pot I have ever seen in my life, and I located it by smell alone, like I was just sort of like a cartoon, like drifting on the vapor of the pot. So it was just felt like a very full circle moment from growing up with it as a kid and being told stories about Brazil and then finally being able to go back to Brazil for the first time. And it turns out that food was the connector.

02:56 - Kristin Demoranville (Host)

It always is a connector, for sure. I feel like just about every culture has some type of like rice and beans and meat. Yeah, when you think, about paella.

03:04 - George Kamide (Guest)

It's like the farmers were like what do you have? I got these clams. What do you have? I just like throw it in a giant pot. It's a very collaborative food, for sure.

03:12 - Kristin Demoranville (Host)

And I think that is some of the coolest thing, because it's about community at that point right. It's about what you can get in the local community and it binds people together differently. And I've also had something similar, experience-wise, when I was in Puerto Rico. I was there on an outreach trip and rice compoy and beans like it was the most delicious thing I'd ever had in my life because it stewed for I don't know 12 hours. But it was more than that because it was about the people who were serving it to me. You know, I knew that they had given their time and their money, that they didn't have that much to give to do this. I was actually expecting Georgie to say something about Japanese food, or I was not expecting that at all.

03:51 - George Kamide (Guest)

Yeah, that is true. I mean there's a lot, see. That was why it was going to be hard. It was either going to have to be Brazil, latin America or Japan, so I went with the first thing that came to mind. I will say I was an anthropology major and the two cultural modes that are saturated we say saturated with the most meaning are food and sex.

04:11

It is how a people think of reproducing their lineage and all the rituals around that, and also how does it feed itself, how does it nurture itself, how does it continue to survive to the next generation? So you brought up the people who cooked. So I mean, today we have history, you have culture and you can layer in class economics. We'll talk about security. There's just so much that goes into food and it is something that can be a medium to convey all of that almost instantly, like the moment you taste it for the first time. They're like all these cultural layers that you're unaware of, but some part of your human cultural radar is picking them up, and I think that's why it's so fun to share food memories like, oh, I was traveling here and people might talk about the sites, but they almost always talk about the food, also the things that they ate.

05:00 - Kristin Demoranville (Host)

Or what they were eating when they saw the site. I've gotten that quite a few times and I love it how people get so passionate when they talk about food and especially all the guests that I've had. I had someone that I didn't expect, completely nerd out on pizza on air, just so excited about like the whole process of it and like the making of everything and the temperature and the pressure and all the rest of it. You're just thinking, man, I've seen you get a pizza, it doesn't matter, like I don't care about that. But listening to people get so impassioned by the food that they they love makes this more of a joy for me as well. On a personal level, I really, I really love people's stories. So I do have a question about the tacos, though. Like what's the favorite right now in the house with the tacos, since that seems to be the item your children go towards?

05:43 - George Kamide (Guest)

Yeah, so they have always favored soft tacos. I do too, and we have and sort of street style, in other words, much smaller tortilla. Yep, lately they've been favoring the flour tortilla, although there is an outfit here where we live where, in the farmer's market, mom and grandma are personally pressing masa tortillas, like as you're ordering them, and that is incredible. Yeah, and one day I will take them to Mexico and I have this insane taco story there, which was I was in southern Mexico and the family I was staying with was like we're going out for tacos, didn't really know what to expect at that point in my life. Going out for tacos, didn't really know what to expect.

06:24

At that point in my life, I'm pretty sure my experience of tacos was whatever chain Tex-Mex restaurant we had on the East Coast, which is to say, the nadir of Mexican food, and so we go out there and there's like three things you can put on the taco. So that's it. He's giving you choices. It's like cheese, chicken or beans. I was like, oh, and these tortillas were very small, like the size of your palm. Yep, oh, okay, I didn't really understand what was going on. Okay, great, so ordered whatever. And then I turned around and there's this table with this array of like 90 salsas and I was like, oh, I see, this is merely the vehicle to transport the salsa into my face.

07:02 - Kristin Demoranville (Host)

So it's really the salsa. To transport the salsa into my face, it's really the salsa.

07:05 - George Kamide (Guest)

That's the meal. Yes, and I did my best. I did my best to eat every single one. I'm not sure I got there, but the cost of the time was insane. It must have been less than 90 cents per taco. So I really tried to do as much damage as possible, but that was like a peak experience for sure.

07:20 - Kristin Demoranville (Host)

Glad that you had a good experience. I had a similar one in Mexico City, for sure. Glad that you had a good experience. I had a similar one in mexico city. I was on a food street tour, actually, and it was the best thing I could have done for my palate. I did the same thing when I've traveled anywhere, getting my use of textures and flavors. So I don't, you know, make a fool out of myself at a table or couldn't navigate chopsticks or something like that, but I remember thinking authentic mexican food and I mean authentically, not what we do to it here in the states, of course is some of the most amazing food I've ever had hands down. And yes, um and I, there's some stuff I think about daily to this day actually the family we were staying.

07:53 - George Kamide (Guest)

Yeah, the family we were staying with. You know, the day is hot and so we would come back from the university and lunch is the biggest meal of the day and I kid you not the housekeeper who was in charge of preparing the meals my friend Scott and I sit down and there is this like just cartoonishly large stack of tortillas. He and I are like really uncertain as to like whether we are expected to get through this mountain of tortillas. Anyway, we got through as much as we could and it was incredible. But it was also like this is why you have the siesta, because I cannot move right. It was like just it's super hot and a full-on food coma and you're like, yes, I am not moving again until 3 pm, when it gets cooler and I have at least digested some of this exactly, and some of the things I love the most about suit adventures outside of your own comfort zone is when you don't speak the language or you don't speak language alone or you can understand a little bit of it.

08:47 - Kristin Demoranville (Host)

Situational awareness kicks in usually and you're kind of having to guess what's on the menu and then you end up with this like plethora of amazing food that you've never thought of because you couldn't really read the menu. Don't be wrong, it's like an adventure. I did something like that in mexico city. Did not end up with crickets I thought we were going to. I'm glad we didn't. I think I would have been a little weirded out by it.

09:04

I'm just not a bug eater like that's not my thing, but everything that we had was amazing and nobody in front of us any english, nobody around us spoke in english. They didn't have english menus and you just point and like that looks good. You try to use google translate, but it's kind of it's cheesy. You don't really want to do that, you just kind of go with your gut instinct on it. So the same thing when I was in Japan, same thing when I was in Malaysia, like all these places, I just was like that looks great, do that. Or if it's visually in front of you, that looks amazing. I don't know what it is, I want that.

09:29 - George Kamide (Guest)

Yeah, china had more pictures when I was in Japan. I was learning Japanese and I was living near Tokyo, so the lot was in English. But when we traveled out to the countryside, if you got into the place that didn't have it. You're like looking at them and you're like I'm I think that is the kanji for codfish, or it's like umbrella, and I guess we're gonna figure that out. When it comes to the table.

09:51 - Kristin Demoranville (Host)

I think my favorite interaction with that was I was actually standing in a train station in shinagawa in tokyo. Granted, english is a little more prevalent in tokyo and the sushi chef did not speak english and he was very irritated with me, clearly, because I wasn't moving it along because, you have to, it's a fast moment there and I was my last time being in toki when I knew it was, so I was sort of like laid back a little bit more than I probably should have been. You know, taking my time ordering and not getting too excited. They didn't have any scallops, so I was kind of sad about that, but I was. I pointed at you know, I want the fatty salmon, and he was, and he pointed at the wasabi. This is what we do, we just point at things.

10:24 - George Kamide (Guest)

Yes, gesticulate wildly until you get through it Exactly.

10:27 - Kristin Demoranville (Host)

He pointed at the wasabi and I made the like, the little teeny like moment with my hands. Oh, no, no, no. This man like dumped it all on me.

10:35

Love it I was. Every orifice was just steaming. You could tell that he was amused by what he did and I was amused. But I also was amused because I was. You know, I'm gonna give this guy gene the largest pile of wasabi I can muster, yeah.

10:54

But it gave me an opportunity to like cry out that I was leaving and I was really sad and um, and nobody would question it because I just had a really strong wasabi moment as the kind of cultural things that I love, or if someone wants to practice their English while they're serving you a drink or you know those kind of things and they want to know all these things and it's I love that connection, and food and drinks are such a vehicle for that moment and this is why I think that it's so important to protect it and why we need to continue, as cybersecurity professionals, to focus on that human factor of why we're doing it. It's not just because it's data, it's about human lives. So before we jump all onto that, George, I will let you introduce yourself. I will say everyone that it's because of George that you have this podcast, because if it wasn't for his encouragement and sitting down and having lunch one day making a food that this podcast wouldn't have been born. So take it away, George.

11:40 - George Kamide (Guest)

George Comiti. I am head of community and events at the CISO Society, co-founder, executive director of Mind Over Cyber, which is a nonprofit, and co-host of the podcast Bare Knuckles and Brass Tacks, with another George, who is a CISO. And, yeah, lucked into security by way of many side doors and I also had we discovered a food background. I'd written my undergraduate thesis on deforestation in the Amazon frontier, which was the result of large scale soy farming and yeah, I think when I entered undergrad I would not have guessed that I would be writing about, like, industrial agriculture I didn't really have a lot of connection to that, naturally, and I didn't really know a lot about it to that naturally, and I didn't really know a lot about it. But I was an anthropology major and I was interested in how I could get back to Brazil and one of my professors directed me toward this research topic and it was interesting because, from an anthropological perspective, what you're trying to do is learn how different groups see land. I think the debate is obscured, like, oh, it's deforestation, but producers that's what they call themselves, instead of farmers. You know, if they say produce, that's the universe they see and measure everything in, so it's about yield and it was just like a very interesting way to explore how people are thinking about things. And then I had been also in a number of environmental studies classes and that's when I think I really got enamored with the complexity and the precarity of the food supply and I was like, oh, this is very different than what I thought, which I think, like most people, my exposure to the food supply was the grocery store and you know, my dad had an extensive garden, so I wasn't so unaware that, like carrots come from the ground or that stuff has to get dirty and then get washed. But I just didn't see all of the systems. I didn't see it as like a linkage of many chains and you know, should one go down, that's a big deal. And then when I was in Brazil, I mean this was circa 2004. And even then we're talking about farms the likes of which most Americans have never seen in terms of technological advance and size. So Brazil is measuring farms in hectares. I saw farms, hundreds of thousands of acres, like as far as you can see in any direction toward the horizon, a crop cotton, soy, whatever and they rotate, but monoculture. You know, you'd have to drive more than an hour to get to the other side of the farm, and this again 2004. So I want to emphasize where people might think Brazil was at that time. But these farms were run by like five people and they had laser guidance systems on the posts and the harvesters would just follow this grid that was being projected. So that was my introduction to the level of technology in industrial scale farming and also just the amount of software involved in order to get the gains that they wanted. Like you can't farm that much land with human labor. It's just kind of impossible. And so, yeah's just kind of impossible, yeah, and so, yeah, just kind of considering that cycle, like how is it dependent on technology? Why technology is like literally the only way it can be done, and, of course, its role in the economy of Brazil at the time and also its role in the larger world economy.

15:00

So these soy farms were growing soy to feed pigs in China. So you see all of this and I think again as someone who had minimal exposure to this, you think, oh, you are growing this for people Like how much soy could anyone need? And I thought maybe it was soybean oil and stuff that was being used in processed food manufacturing, and it turns out. No, it was like harvest the soy, get it on the boat. Insatiable hunger for it from out. No, it was like harvest the soy, get it on the boat. Insatiable hunger for it from china, as china was growing its middle class. Middle class social demands for meat meant, in china's case, pork. The pigs gotta eat something. It was so it's just like grain. We were just growing food grain, I don't know. That was all very eye-opening to me, uh, and it sat with me ever since get the percentage.

15:43 - Kristin Demoranville (Host)

I'll try to find the statistic and throw it into the show notes, but majority of soy corn Corn Are all for animals and it's kind of on a whole other side and, not to get onto some kind of soapbox, it's kind of crazy to think about that. We do that though, because naturally I don't think pigs and cows and chickens and other things like that beef eat soy and corn. Like, I kind of find that to be a strange thing. We're feeding animals things that they're not normally eating, but we don't have enough grassland or forage land for them anymore because of the way we live on this planet and I'm not and also like that, and also like that number of pigs or chickens.

16:20 - George Kamide (Guest)

Yeah, it just wouldn't like naturally congregate in groups that large.

16:25 - Kristin Demoranville (Host)

Correct chickens. Yeah, it just wouldn't like naturally congregate in groups that large, correct? That would be crazy. If they did, I mean, then you'd have an it would be terrifying.

16:29

Oh, terrifying, for sure with any of this information. I feel like somebody is probably going to make a meme off of that right there, like just the army of like animals coming at us. Are you tired of stuffy cybersecurity events with the same old steakhouse dinners and whiskey tastings? Then buckle up. Brought to you by the irreverent cybersecurity podcast Bare Knuckles and Brass Tacks, on October 9th in Denver this year, we're mixing up the energy of a comedy roast with a freestyle rap battle to create a cybersecurity event like no other. Vendors will have just minutes to pitch their products, without using jargon, in front of a rowdy practitioner audience. This event is designed to break through BS and bust barriers, to build real relationships, for sponsorship opportunities or to participate as a vendor. Email bareknucklespod at gmailcom. Don't miss your chance to be part of this groundbreaking event that's bringing street energy to cybersecurity. Yeah, definitely, I completely understand.

17:51

I think that aha moment, George, is something that I consistently have in this industry, because I am innately curious and talking to people who do this production work. They talk to me, so I learn something new every day and I think it's amazing. And also that aha moment when I was doing my degree in environmental management. It was like the light bulb clicks every couple seconds, like, oh, my goodness, really, we do it like that. That's what that is. Oh, no, like.

18:14

And you just get kind of like super overwhelmed because you start to picture the whole ocean, if you will. And it's a very daunting task because we didn't put cyber security in mind when we put this tech in. It wasn't even a thought, it was just oh, I need to do this because we're going to get higher yields, better production, our, it will be better for everyone all around. And they didn't think oh, nobody's going to hack food because, or tamper with food because we're good human beings, everybody's a human, nobody knows, nobody's going to mess with food. And lo and behold, we're seeing this in real time, with Ukraine as an example and other places.

18:50 - George Kamide (Guest)

Yeah, I also think that that's interesting and worthy of discussion is when the war broke out in Ukraine. Let me rephrase when Russia invaded Ukraine, it destabilized prices in such a way that even these aggressors could come to the table to negotiate, like wheat exports, because while the US does not rely on Ukrainian grain, many millions of people do across the Middle East, like Oman, yemen, which is also suffering from horrific conflict. So, like this, one thing here could create a famine, you know, tens of thousands of miles away.

19:28 - Kristin Demoranville (Host)

Yeah, and I think the other article recently I just ran into because obviously I pay attention to a lot of the farming community news. They've been talking about the quality of the soil because of the wars that are going on, what's going to happen to the topsoil because of it, and of course, people are like that's a stupid thing to worry about. A the earth will just heal itself. Yes, but the earth takes a while to heal itself. It's not like it's a snap of the finger and it's magically healed by some massive technology that us humans have created probably destroy the planet more if we try to create a technology like that. Let's be honest. But I think the fact that people are looking at this in such a systems thinking approach this is what's happening here, it's going to affect here. You know it's all interconnected and it just goes to show you how fragile the food system is ultimately and how fragile the food supply system is. And again, how do we, how do we deal with this? Because I feel like I spent quite a bit of time, George, educating the cyber security community that this is a problem and there's tech there A bit on air.

20:24

I've talked to people who literally thought that POWs were built by hand or that nothing's secret or safe inside the food industry. And I've had to 100% clap back and say your favorite snack recipe is secret. That's just a random example. And then how the machines are made to create your said favorite snack. I worked for a company that they created a machine that suspended eight blueberries in one mix and they had to do it in such a way that gravity was being restricted. It was very, very engineer crazy. But that patent for that machine is secret. They obviously wouldn't want a competitor to know that how to suspend blueberries in a mix.

21:00

So it's just, it's frustrating to me that I have to not only help I'm obviously helping the food industry and that's great and I love that and that's what fills me up but I have to like turn around to my colleagues and be like hey guys, are you thinking about this in a, you know, a holistic manner in which it encompasses everything and what you're doing over here probably is affecting over here and bottom line, you're probably hurting a farmer, I, I. It's one of those moments where I'm constantly having to have that conversation and obviously part of the reason why the podcast is here is to open that space up more and have those conversations and that dialogue between all the different people that are involved in the stakeholders.

21:34 - George Kamide (Guest)

Yeah, it's also so multifaceted. Right left college and I really wasn't working with industrial agriculture, my next touch point with the nexus of technology and farming was like the right to repair or as sick codes work was just being able to hack into systems like remotely controlled Harvard. Like all the technology is there to enable the farm also makes it vulnerable to the food supply stuff, and that was even before I was in cyber. But I understood that software dependency and that vulnerability and also, yeah, I think just the I don't know if transparency is the right word, but like there's so many layers in it and I think many of people who occupy different layers can't see through to the other one, right, so they're operating kind of in an information vacuum and like, oh, they're just going to do with my thing over here and really not consider the implications downstream. But I think if we can get to models where there's more information sharing, you may not have something to do with it today, but there's maybe information in the system that can be used later. So, for example, you know NASA maintains a third-party database where pilots and airlines can anonymously report errors and misconfigurations and problems and accidents and others can learn from that, and every year that data is collated into, like updated guidance for pilots, right? So I just think that is a very powerful idea the ability to basically show your work and your mistakes, because in Cyberland a breach is going to hit a headline, so-and-so lost. All this stuff Turns out an S3 bucket was left open to the internet or so-and-so taken for a ride because of the move at file transfer exploit, okay. And then, like maybe two weeks later, we see in the popular media another thing hit by ransomware. If we dig in as people who work in cyber, we'll see was the same vulnerability or the same exploit.

23:33

But I feel like if people could catch something because they're always near misses in cyber, there's for every headline there are probably 10 instances where there was an oh shit moment and they caught it before it was a problem.

23:46

Either it was a vulnerability or a misconfiguration.

23:48

But there's so much shame in cyber and people are so afraid to talk about those mistakes that withholding that, I think, is keeping us less safe overall, whereas if somebody could feel comfortable enough to report like this happened and we kind of have intelligence sharing through the ISACs, but I don't know of a mechanism where people are publicly sharing and it should be anonymous problematic settings, configurations, mistakes, overlapping, tool sets, whatever was the problem, so that other people can learn from that and that we don't have multiple casualties because of the same issue. And I think, for example, if we had that in the food supply, it would actually not only be a breadth issue, it would be a depth issue, right, you could have people talking about software issues in processing, like OT ICS instances. It could also be, who knows, like just the billing software, right, that's what a lot of ransomware just hits that operational part of the business. Anyway, I just think, because we're operating in opaque layers, it gets harder and harder for us to understand, like where we could do better.

24:51 - Kristin Demoranville (Host)

Essentially exactly I, and it's so great that you brought up that traceability aspect, because the food safety side of the house is that's their big thing now. Traceability because they need to be able to trace it back and what happened in the food. They know that they're going to have to use tech to do this. Basically, they want to track it all the way back down to seed, so that's what they would like to be able to do at some point but that traceability aspect is already very prevalent in the food side, because it's part of their mandate, it's part of the regulations now.

25:18 - George Kamide (Guest)

Yeah, you had pointed out to me or I think you'd said it to me that we have more traceability and information in a barcode, like on the back of a pack of Oreos, than we do in our standard supply chain of software.

25:34 - Kristin Demoranville (Host)

Correct. Yes, it's very much true, and we won't even get into S-bombs, but that starts to get real creepy and scary and people are tackling that and that's not for me. Creepy and scary and people are tackling that and that's not for me. But I appreciate the people that are doing that work because that's definitely a lot of traceability and and ability to be able to communicate what's in something, the software in this case. I do think that we're going to need partnerships and collaboration when it comes to traceability, when it comes to cyber events. We need to normalize feeling like crap when something happens.

26:03

Yes, I was speaking to another colleague who does the the work that I do similar, and they were talking about how there were two ransomware attacks that hit this year. One paid the ransom, one didn't pay the ransom and they they equally both were screwed like it's. It was definitely a bankrupt situation on both sides, just one purpose of the other. But what this person was telling me that they were really saddened by besides that fact because that's horrible in itself was the emotional reaction from both sides. One company was angry and just volatile.

26:36

The other one was remorseful and shameful and crying, like grown men crying, and I said are you okay, because I have a cybersecurity expert going in to help. Are, are you okay? And the response back was yes, but I was not prepared to deal with their emotions. I did not know how to do that and it got me thinking that as cybersecurity experts, we see people literally at their worst, like at their worst moment. You have to have such a high level of emotional intelligence to be here to understand, to either a not absorb it or b take reaction to it. I was just speaking at a meetup group yesterday just with some new newer coming into the world of cyber, and there's part of me that always wants to be like right away.

27:14

No, but not like in a joking way, but uh-huh you would not be the first yeah, I'm sure, but I was talking with this one person who just come out of desktop support and is now in the identity space, which I thought looks great and I was talking to him and he said you know, I really feel like my time in desktop support and IT really taught me how to deal with people. And I said that's great, bingo, hold on to that, because you're going to need it, trust me. I said you're going to need to know how to handle an executive who chucks their laptop at you from across the room you know when they're angry about something. You're going to need to know how to handle a boardroom that's full of people that are upset because they didn't understand what you're trying to say, if they didn't get the research ahead of time and you dropped a bomb and then you're going to have to deal with that fallout.

27:56 - George Kamide (Guest)

Yeah, my co-host is very clear on from his military days. Like the way it worked is if there's a sit rep situation, it's not rank. If you're like the junior analyst who is writing the report, you got to be able to stand and in 30 seconds deliver the news to the commanding officer. And I don't think that we invest as much in those communication skills, which is a miss. Many companies are willing to sponsor their cybersecurity employees for technical training certificates in the technology stack that they're using and we just sort of rely on the communication skills like you either have it or you don't, which I think is unfair because it means if they're not nurtured and you're highly technical, you can kind of get railroaded into like you'll always be the technical lead, but they're never really going to let you into management because you can't interface between the layers.

28:44 - Kristin Demoranville (Host)

It's like you into management because you can't interface between the layers.

28:46 - George Kamide (Guest)

It's like you failed and you didn't fail, yeah, yeah. And so if you do nurture those, I think you get, instead of having that skill set concentrated into the management level. I think broadly we might be able to have better communication, sort of through organizations. Security maybe is not viewed askance, as it often is like oh, those are the IT weirdos. And then also dealing with these situations, like being able to maintain a calm head during an incident and calmly report on like this is how we are responding to it. We remember we had this plan that we walked you through and we are at this stage of the plan and this is how we're adept. I don't know it that we walked you through and we are at this stage of the plan and this is how we're adept. I don't know, it takes a very cool head because reacting emotionally or in a highly fatigued state also often leads to worse decision making.

29:34 - Kristin Demoranville (Host)

And I think specifically in the food industry because it's such an emotionally charged industry and I'm not saying like food people or farmers or ranchers are emotional. I'm not saying that, I'm just saying it's a heart and soul moment. There's a lot of heart that goes into these jobs and to have something that happens that you have no control over or you feel like you have no control over it makes a person kind of half crazy. One of the best trains I ever got, George. Honestly, I've had tons of technical training over my, say, over 25 years now the best training I ever got. Aside from all the leadership training, aside from everything, I was culturally trained how to handle random scenario situations that were emotionally charged inside of different cultural environments and I'm talking about country environments, I'm talking about work environments, I'm talking about industrial environments, and I learned so much and I actually went through two rounds of it. I went through like the advanced level as well and I just remember absorbing this like I was this kid in school again and just really loving it because it resonated so heavily with me because we need to do that kind of work inside of cybersecurity.

30:30

But the problem is and you know there's two. George said if you go to speak about this at a conference or you go to pitch it as an abstract, people were like what does this got to do with anything? This doesn't make any sense. Why would anybody want to talk about this or learn about this? And I feel like the industry is hungry for it. I feel like they want to know and I also think that it's important to be able to serve and protect our communities, because crises, as I've learned recently, are really about the community level. It's not about, like, the big picture, because the community is what's affected. And how do we serve better if we can't even manage our own community? But these are like my little journeys.

31:03 - George Kamide (Guest)

Yeah, I mean, look no further than the recent CrowdStrike and Windows outages For the impact on millions of people who have no idea what those companies like, what CrowdStrike is, household name and cyber. You think my mom knows what CrowdStrike is, what they do and just the ability to clearly communicate. Why can you not get home today? Yeah Right, and you can't just say like supply chain, sdlc, kernel level update, like what is that going to do for the person who is now stranded in the airport?

31:33

They probably like kernel I don't want to talk about popcorn or kick in or something. You know we don't do ourselves any favors by making it harder to communicate the complexity of our systems or our event. I think a lot of it starts with that awareness and then trying to empathize with where other people are coming from. Everything from this is why the food system is fragile, because this and then this is connected to that and then this, to even doing it within orgs, right, usually the front office of like a big, whether it's a food processing plant or food processing conglomerate, you know, like a Tyson's or a ConAgra, like they are operating in a different mode in front of computers than the folks on the floor, than the people who actually have hands on materials, getting the stuff off the truck. And even within the organizations, the language can become obscuring as to like why? What does this piece of machinery do? What is it connected to? If it goes down, what's the plan and what is the impact? Again, I think it comes back to communication, hey everyone.

32:36 - Kristin Demoranville (Host)

Just a quick break to share some exciting news. We've hit a major milestone 5,000 downloads. Thank you so much for your support. Also, the show is still up for the Women in Podcasting Network Awards of 2024 in the technology category, and your vote would mean the world to me. Please don't forget to cast your vote by October 1st. The link is in the show notes. Let's keep bridging that gap between cybersecurity and the food industry together. Now back to my conversation with George.

33:07 - George Kamide (Guest)

I've been on a kick all year trying to rebrand soft skills as vital skills. I think the reason we don't invest in them is because soft relegates it to this thing that, like it's just on you, you go develop your soft skills, whereas these are the things that are also critical to making operations run more smoothly.

33:25 - Kristin Demoranville (Host)

I do think there is an interesting movement in the food industry to focus on some of the softer skills though. I'm thinking about like the regenerative ag farms, like Vital Farms and Muffin Greens and not to call out brands, I usually don't, but two examples of companies that are making the most of tech and also educating consumers on what's going on in their companies, and they're very transparent and open about it. I think that people will be more willing to spend a little bit more if they knew where their food was coming from and how it was prepared and what steps are being taken to protect it around all these different aspects and avenues than if it's just whatever. But I also think about the imbalance of our food supply in general Cheaper to buy a hamburger at McDonald's than it is to buy three apples or whatever it is now.

34:09

I think that we've got that kind of layer of crazy town as well to deal with. There's too many factors in here. And then, if you chuck in the food safety aspect, how we're basically one breath away from some kind of foodborne illness at all times. It's kind of insanity to me.

34:24 - George Kamide (Guest)

Yeah, I've been following that new avian flu very closely because it's weird that it's showing up in cows so it may not be as weird as you think so or sea lions this is my opinion of that and I am not a scientist working on this.

34:37 - Kristin Demoranville (Host)

I want to make this very clear. But it's probably being moved around by humans. So example would be if you walk into one facility and then you walk out and you go to another facility, you're probably taking like a 10 minute with you. Recently I was rereading some food safety training brief because I was curious what they were saying about this particular industry and one of the things that jumped out at me which is like such an aha moment but yeah, that's like a dumb thing. Don't come to work if you're sick and you work in food.

35:02 - George Kamide (Guest)

Yeah, that makes sense to me and I never thought about actually calling out Create the culture that allows people to feel comfortable, to be like I am really sick today and I shouldn't be coming.

35:12 - Kristin Demoranville (Host)

Pay people to be sick as well. It would be really helpful, but that's a whole other conversation.

35:17 - George Kamide (Guest)

Well, I mean, for example, you and I have both spent time in Japan. Japan and the thing about Japan that I think is fetishized in the West is the idea of social harmony. Don't get me wrong. It's amazing that people don't talk loudly into their cell phones on the train. But, pushed into the extreme, that also means people are expected to be at work if they're sick, which is why Japan has always had a culture of wearing face masks, even before COVID.

35:41

You're sick. It is incumbent upon you not to disrupt the social harmony by getting other people sick. Also, people wear face masks because it's flu season. They don't want to get sick. But I mean, I had friends and students in Japan who were like full on feverish and they would show up at work and they were fine if they didn't work, but they had to, like put their head on their desk and they but they physically had to be there, be there. And I was like I don't understand this paradox that to disrupt the social harmony, would you to be absent, but when you go and touch all the hard surfaces in this office and get more people sick, that seems like a productivity nightmare. Right, I would rather you stay home, get well and then come back, but yes, especially to the food supply, for sure, please, for the love of god, stay home yeah, please stay home, we don't.

36:25 - Kristin Demoranville (Host)

We don't. Nobody wants to get sick. I think we all kind of learned that lesson in a really different way because of the pandemic. For sure, regardless of where you sit on the spectrum of conspiracy around it, we all know that germs are passed because humans touch things. We get bad. We're taught that very young anyways. So I think part of it goes into this aspect as well.

36:42

With the contamination of all the food lately, I think everybody keeps asking me like why do we have such listeria poisoning, like all this e coli? What's going on? And I said you have to follow the trail, literally you have to think about it in that you know holistic sense of where does it come from and how is it moving? What are we doing? What are we not doing? And I think this is this is the part that scares me is because if that system's broken, how, how exploitable is that? You know? That's what keeps me up at night is knowing we're a breath away from some type of foodborne illness because somebody, whether it's a nation state or some jerk, just wants to mess with our food. And I have sat in labs, George icsot labs and watched production lines be manipulated and you didn't even know what happened. Literally lights didn't change, it looked like everything was running fine. But yet on the output later on, when you're watching the forensics data, it shows what they did change the ph by blah, blah, blah and and you have an entirely new product in front of you that hit the shelves and you know could hurt people.

37:36

This is what this is, when I feel like and I this is again a little bit conspiracy, so just everybody bear me. I don't think that security as a whole, cybersecurity as a whole, is going to really take up notice on what's going on in the food industry until something really catastrophe happens, because we are definitely the bandwagon group of oh, this is about to happen and everybody all of a sudden has an opinion and is an expert on it, and I don't want that kind of wake up call because that, first of all, that means people might be hurt. But the other part is, I don't want people who don't know talking about it in a manner of I read an article, I read a book, so that's why I'm now an expert people and I'm afraid of that happening in the food industry and the food supply. That's something that really does make me upset and keeps me nervous.

38:18 - George Kamide (Guest)

Yeah, a number of cultural and biological things there. You know, I think as humans we have to continually make our peace with the fact that we are very bad at that kind of long stage planning. Yeah, from an evolutionary standpoint, like for all the tech we have, the hardware between our ears has unchanged for 100,000 years and probably no updates on the patching schedule anytime soon, which means, like we are in these new, more complex systems and we're carrying that evolutionary baggage, which includes survival stuff. Right, I mean, this has been shown repeatedly in like how to teach people how to even save for retirement. It's very hard to hold these things in the future, and so trying to plan for hypotheticals feels very difficult, and so that's often why bad things have to happen before.

39:08

And then everyone's like why, you know, like when the boat slammed into the pylon in Baltimore Harbor and just like took out a bridge instantly, you know. Then there are all these articles about like those weren't made to withstand container ships of that size. It's like, oh right, because when the bridge was built we weren't shipping like that. And I'm sure somebody at some point said, hey, if we're going to renovate the harbor equipment to accept boats of this size, somebody probably raised a red flag. Like you know, structurally a lot of other things aren't made for this, but really hard to plan for that until it happens. And now everyone's like it's so easy to ask in retrospect well, why hadn't it been fortified for whatever? I mean, how many times have we learned this with, like earthquake, architecture right, it took a lot of people getting hurt.

39:57 - Kristin Demoranville (Host)

Hello listeners, it's time for today's breaking news segment, where we'll bring you up-to-date headlines from the food industry and examine how cybersecurity plays a role in these crucial issues.

40:06

First, let's turn our attention to the Boar's Head food safety crisis. Boar's Head, a well-established name in deli meats, is facing a severe public health crisis after the Listeria outbreak linked to their ready-to-eat products. Tragically, nine people have died and 57 others have been hospitalized, many who will suffer from lifelong complications as a result. The recall of these products was issued, but that was only part of a much larger problem. Recently, inspection reports shed light on unsanitary conditions at one of their facilities, including the presence of mold, insect infestations and leftover meat residue which likely contributed to the contamination. In response to this crisis, boar's Head shut down the Virginia facility, discontinuing its liverwurst product, and formed a food safety council composing of top experts to prevent future disasters.

40:53

Next, let's discuss the avian influenza outbreak. Since April of 2024, 14 human cases of highly pathogenic avian influenza, hpa1, or bird flu have been confirmed. These cases primarily affect poultry workers exposed to the infected birds, though human cases remain rare. The virus has caused widespread concern within the poultry industry, leading to the culling of hundreds of thousands of birds to contain the outbreak. In response, the USDA and CDC have heightened their surveillance efforts and reinforced biosecurity measures at poultry facilities nationwide. That's your breaking news update, where food safety and cybersecurity converge. Stay tuned for more insights after the break.

41:36 - George Kamide (Guest)

The other thing is the basically the social media brain. You know we've been living with the last decade of being essentially rewired in our social behaviors to weigh in on everything. I personally find maybe one of the more liberating passages of marcus aurelius's meditations is simply the passage you do not need to have an opinion on that that you is marcus aurelius talking to himself, emperor of rome, arguably most powerful person on the planet at the time. But that is very liberating. You see, stuff here like I don't really need to weigh in there, but there's this reflex to do that, and so this is, I guess, where I try to apply my wares.

42:14

I'm not a technical operator, but I do understand culture, and I think it's something that gets not enough attention because it's the mode through which we operate.

42:22

So cybersecurity as an industry, as a culture, food safety has its own culture, society, and we're sort of operating between these layers at all times, sort of toggling between them. That's just how human society is constructed. But I do think being aware of that is very helpful. You know, I think we would probably not have CISA were it not for Homeland Security. We would not have Homeland Security were it not for 9-11, right. So we had to kind of go through the disaster to think of new systems and ways to mitigate disaster. So I don't know what I'm trying to say, kristen. I'm trying not to say that it's going to take certain disaster for it to happen, but it might take a different reframing To be able to either tell it through a story that's relatable. There's something that has to like pierce the cultural veil to make people think through these complex systems, because just sort of screaming gets you labeled as like chicken little, because it's just not evident to us so it doesn't hit the radar.

43:19 - Kristin Demoranville (Host)

I think the ability to be relatable and to find the ability to find common ground is what's probably the most important. I will say that food safety culture has adopted cybersecurity as part of its culture processes now, because food defense is very similar to what we go through and in cybersecurity. I do appreciate that I have been welcomed by that side of the house in terms of an ambassador for cybersecurity, because that's kind of why I look at myself when I'm an ambassador for cyber, because they don't know enough about it to do anything about it, necessarily, but they need to be informed enough where they won't do harm. And I do think that every cybersecurity professional and this is my opinion has that responsibility to be an ambassador for your sector of security. Whatever that means, you are a representation of what that part of the sign of the house looks like. This is why the hacker in the hoodie is stuck so well and it's become this number of things for what a hacker is is because it's easier. It's easy for people to understand what that is.

44:17

I constantly have to remind people that not all of us are hackers, that we actually some of us are. You know, we talk about risk and we talk about system thinking and we talk about different ways to avoid being vulnerable and be resilient, and I really I want to leave our episode on a positive note, because it's been a little. You know, we've been a little harsh. That's okay, though I feel like you and I sort of especially, are okay with being a little harsh, but we need to really move away from recovery into resilience, and I know that's like a hot button thing and I kind of need that every bell and whistle on the marketing trail, but I actually really do believe that that you're going to get hit with an attack, it's going to happen, but can you survive it?

44:53 - George Kamide (Guest)

Or you're not hit by an attack, but your critical supplier is.

44:56 - Kristin Demoranville (Host)

Exactly what happens when you know counterpart, your partner, gets hit. Is that going to affect you? Are you liable for that attack? There's questions there. I've had a lot of those questions recently of do you have strong security riders? Uh, the beef industry is worried about this because the gbs attack. They're still concerned about it. They know that they need to work on their uh, whole supply chain.

45:15

But because everybody keeps focusing on boiling the ocean and not making that cup of tea, it gets really daunting. And I always say let's start with the basics. Is your door of your house locked? Did you lock your windows? Is your alarm system on? Do you have a guard dog? You know, we go through kind of like the basics of that understanding and then I say do you feel like you have a window open upstairs? It's not locked. Where is that in your facility? Do you have concerns? And then that's where what you mentioned, George, the shame kind of comes in is getting people to realize that it's not a shameful moment to admit that you probably have something wrong or something's not done, because we can just deal with it. It doesn't have to be OK, great Congratulations. Yeah, I like whatever.

45:52 - George Kamide (Guest)

Moving on, because it's also like let's be honest about how complex these systems are. Like, if you're like it's cool, I got it on lock, I did a tabletop exercise, like it's fine, Like the thing that you're dealing with is insane, some vulnerability, is somebody going to ransomware just key suppliers like JBS? And so it's fine to say like I think I have it, but I'm going to, this is my process for making sure. Like, who are you to think? I mean, no other part of the economy has ever been this complex, and that's sort of like the crazy thing about living in the present is it is always, at its most material, complex, and so it should be fine to be like I don't know, I'm not certain it's, you know, let's check that.

46:52 - Kristin Demoranville (Host)

Yeah, and I think that we should start throwing spaghetti at the wall, you know, and start seeing what's going to work and what's not going to work. I think it's not going to work. I think it's not going to be a one size fits all that fixes the supply chain. I think a lot of people are looking for that silver bullet and I'm just like, yeah, no, it's not going to be that, it's going to be little increment fixes here and there, kind of like playing Tetris. You just kind of have to work through it and I wish I had a silver bullet. I wish I can ever come up with Probably be that anyways. But the small little changes, the small adoption, adoptions of different behaviors, because to me it's people in process always. Tech isn't going to break itself. It's people that do all that nonsense. And I think people get confused that because of AI and all kinds of other spinny things around, that they think that machines are causing the problem. No, it's people. It's legitimately people causing the problems, and this is where I say social engineering is really the state of cybersecurity at all times.

47:51

We are constantly trying to figure out how someone could do something. Why would they do it? How would they get their financial motivation to do this or just be disruptive. In general, I often think that adversaries are like angry teenagers, like just chaos, just chaos. And that's how I I see it, and it helps because it's like, if you've ever been to like a punk, like gig right, or a punk concert, or like a rock concert or a metal concert, it's like pure chaos. At times, the pit's going, everybody's freaking out. That's how I see an attack happening, like everybody's just freaking out. It's like the, the attackers, the people are being attacked. It's just this chaos, right, but somehow there's sort of order to it. You just have to kind of work through that moment and like, okay, this is what we're going to do now, we're going to clear this, the stage, we're going to get the person out who got crushed in the pit, you know like, and that's how it kind of would have to go.

48:31

And the fact that, again, we are constantly looking at this global food supply, all this stuff. We really just need to focus on the company, all the suppliers around it and the employees. That's it. It's all you need to think about. And then, don't add new tech without considering cyber, but that's charging the upper wall. You said technology. Cyber should just be right there with it as a friend. It's like salt and pepper. We don't say pepper by itself, we say salt and pepper. You have to say tech and cyber together, and that would be a magical moment for a company if they could do that consistently.

49:03 - George Kamide (Guest)

Yeah, there's a joke to be made about silos. Given that we're talking about farming, I will not make it. But to your point, about people and culture, which is a word I've probably overused, this episode is also creating a culture where people can dissent, where they can argue, where they can raise issues. Right, if we, post 9-11, try to empower literally every citizen of these United States to, if you see, say something, say something. But we do not allow that. I guess, break from the rank and file in our internal teams, like no, who are you junior analysts to like raise this concern? This is an obvious problem, right? So you're not going to tech your way out of it, but you can build processes where people can either review each other's work or they can begin to say and feel comfortable raising their hand. I think that's from, and you know, best case scenario they're wrong, great, and. But you have like, don't use that as a punishment against them. And as long as it's a moment's a moment, yeah, as long as it's good faith and it's not, you know, boy who cried wolf. But like I don't again, especially from a CISO perspective. 90% of the CISO's job is not like hands-on keys, it is negotiating these different processes inside an organization and, again, procuring technology small portion of that pie of responsibility. And so to imagine that, like the upper echelons of a security organization can keep a read on the pulse of everything is sort of delusional. Right, you actually do rely on the people who are they're watching the logs or intercepting the packets or whatever doing that work and then being feeling empowered to stop the presses, push the button, whatever it is, to pause and like let's review what looks to be an anomalous event or whatever. And or, you know, just architecting your teams to have that Cause.

50:46

Right now, I think the way we have built our teams is built around an old fashioned model of how we work. It's like network switches in the basement. We don't longer have that. It's in the cloud, right, code built in-house, yes, but also third-party code repos and I even human specialization right, you are the insider risk manager. You are the SOC analyst. You are the tier two SOC analyst. You are the incident responder. You're the forensic person.

51:12

The volume and complexity that we're dealing with today, I think we need to learn new ways and experiment with new ways to make ourselves a little bit more agile, not in the code, dev sense, but like being able to respond, because, as AI tools get layered into new technologies which they will, because there's just a market pressure to do that I don't think that the teams we have today can ingest that information that fast. I think if you're architected for human specialization and you have machines also specializing, you create enormous bottlenecks in your ability to respond, triage and do whatever else, and so, yeah, I don't know. I think that's interesting. I think it's a hard problem to solve. I would say it's not unique to security.

51:51

Entire businesses have been built around this level of human specialization and I think the best organizations in the world will start to invest in either organizational psychologists or just new ways. You know, like we went from kind of specialists Right, well, we went from like you know, I think the most visible reminder of these changes is going from like cubicle to open office plan Right, that was supposed to be a physical way to get more collaboration, more sharing. I would argue that didn't really work, but that was an idea that, like this is how we should organize teams, or a lot of the tech in the Valley is organized very flat. Again, they were experimenting with how do we foster innovation, how do we? Well, okay, so they're re-architecting things for innovation, delivery of product.

52:33

How are we architecting teams for faster response, faster recovery, greater resilience? Right Again, like you have these teams under budget constraints and you lose one part of your team, either to layoffs or a riff or whatever Like, do you just completely lose all that talent? Or have you kind of cross-trained your team? I mean people get sick, death in the family, serious injury. Are you telling me that if that CTI lead is out for a couple of months, like you just don't have, I don't know. Like, how do we think about resilience within our teams as well?

53:00 - Kristin Demoranville (Host)

It's true, and I think what we need is to nurture and foster more of and I'm going to use the term, it's probably not the right term the disruptors inside of organizations, or they're not, the ones who don't sit in the silos, the ones who can go across the silos right and they can be able to move freely. I'm going to go on a limb and say that's you and I, George, we're very much those people can move across silos without issue, and I will say that we are. I've always been labeled as a problem because I could flow in different spaces and and I definitely could stick to your lane yeah, I got stuck to your lane. Stop being so northeast, you're too aggressive, and I got all being so northeast, that's fun I um, I've gotten, I've gotten the things.

53:41

But I think some of that was probably because I'm a woman as well. But that's a whole other show too. But I will say that the food industry is. They want us to be there, they want help, they recognize the problem, they're big on forecasting. So they do try to plan for three to five years at all times, and I think that that is an opportunity for us to come in and be partners with them and hopefully lean a little bit more on breaking cultural norms and inside of business and becoming just what we are as human beings.

54:09

We're just trying to survive, you know, have kids, have our kids be healthy and safe, live a good, full life the whole thing that we all want, right. So if we can kind of focus back on that and that's always the overarching, especially in the food industry, I see that a lot People go back to we're just trying to create healthy, safe food that people are going to want to eat. That's an easy mantra, right, we all get behind that. I can definitely get behind safe food.

54:32

You know, we definitely could say something like in our industry we just want people to be resilient. Well, that doesn't really ring to a lot of people, because resiliency actually is an action. It's very hard to get to be resilient. It is you have to go through something to become resilient, right? So it's a tough word in itself, and I think the food industry understands that, because they've already been through some stuff. You know they go through stuff all the time. I think, again, moving forward, I think that culture piece is really key, George. So I'm really glad that we talked about this today, because if we don't figure out how to work with that and how to be better even in our own industry, how can we serve others effectively ultimately? Yeah, thanks for being here, George. This has been great. I love rifting with you anyway, so I'm glad we finally got it on air, because it's always been fun, absolutely. Is there anything coming up that I can help promote here for you? Anyone? Tell the listeners.

55:18 - George Kamide (Guest)

Yeah, I mean Bare Knuckles and Breast Hacks will be. Keynoting will be the closing keynote of Secure World Denver October 10th. I think that's very exciting. We are keeping it pretty close to the chest, but the title of our talk is Radical Transparency. I think if anyone knows us, they know that you might need a fire extinguisher after we're done, but that's the way it goes. It's been a very busy year and we'll just keep pushing on the culture front. Really, yeah.

55:43 - Kristin Demoranville (Host)

Thanks.

55:43 - George Kamide (Guest)

George for being here, Absolutely Thanks for having me.

55:52 - Kristin Demoranville (Host)

Thank you for tuning in to this episode of the Bites and Bytes podcast. Remember to like, comment and share this episode. Thank you to our guest, George for his enlightening discussion on the intersections of agriculture and cybersecurity. If you enjoy listening to George, please check out his podcast Bare Knuckles Brass Tacks, which drops weekly. The link will be in the show notes. Also, remember to vote for the show for the Women in Podcasting Awards. The link is also in the show notes. As always, stay safe, stay curious and we'll see you on the next one. Bye for now.