TDL 019 | The Psychology Behind a Cyber Breach and the Leaders Who Survive It | Nim Nadarajah
The article explores the evolution of cybersecurity leadership and stresses the importance of avoiding the sense of shame through preparedness rather than perfection. Leaders need to support employees affected by an attack with empathy and to value process over tools. The article also looks ahead to the potential and challenges of AI in security.

2026-4-10 15:34:57 Author: securityboulevard.com

Leading Through the Cyber Abyss

In Episode 019 of The Defender’s Log, host David Redekop sits down with Nim Nadarajah, CISO and Managing Partner of Critical Matrix, to explore the evolving landscape of cybersecurity leadership. From the “annual pilgrimage” of RSAC 2026 to the front lines of incident response, the conversation shifts from technical bits to the human psychology of defense.

Key Takeaways:

  • Breaking the Stigma: Nadarajah highlights that the “shame” of being hacked remains a hurdle. He argues that confidence doesn’t come from being unhackable, but from preparedness. Organizations that practice simulations transition from “victims” to resilient leaders.
  • The Psychology of Response: Security isn’t just about code; it’s about people. Leading with empathy is crucial when a CIO or employee is under the immense stress of a breach.
  • Process Over Tooling: Using a relatable analogy of a kitchen sink, Nim explains that while tools (hot/cold water) are necessary, the process (the plumbing and safety locks) is what actually secures the environment.
  • The “Agentic” Future: The duo discusses the rise of “Agentic AI”—companies run by AI agents with minimal human oversight. While exciting, Nim warns that an AI-driven SOC is only as good as the quality of the signal it receives.

The Bottom Line: As we move into an era where “vibe coding” allows anyone to build software, the value of a leader lies in their ability to stay curious, innovate, and maintain human oversight in a machine-speed world.

Full episode of The Defender’s Log here:

The Psychology Behind a Cyber Breach and the Leaders Who Survive It | Nim Nadarajah | Defender’s Log

  • Mindset Shift: Don’t be ashamed of getting hacked. It’s “when,” not “if.” Focus on being ready, not being perfect.
  • Empathy Matters: Cyberattacks are traumatic. Leaders must use empathy to support “victimized” employees who make mistakes.
  • Plumbing vs. Water: Nim uses a kitchen sink analogy. Tools are the water; processes are the plumbing. If your plumbing (process) is broken, the tool won’t save you.
  • AI Future: We are entering the era of Agentic AI. This means AI agents are starting to manage security with little human help.
  • Signal Quality: An AI security center is only as good as the data it gets. Messy data leads to messy security.
  • Innovation History: Nim shared how he helped crowdsource a gold rush in 2000. He used the internet to help geologists find millions in gold.
  • Final Advice: The power of your ideas hasn’t peaked yet. Stay hungry and keep innovating.

View it on YouTube: https://www.youtube.com/watch?v=_8_NWSayi1E

Listen to the episode on your favourite podcast platform:

Apple
https://podcasts.apple.com/us/podcast/the-psychology-behind-a-cyber-breach-and/id1829031081?i=1000760676160

Spotify
https://open.spotify.com/episode/5CsDd9JMSuVK6OJo1Fgkfd

Amazon Music
https://music.amazon.ca/podcasts/d7aa9a19-d092-42a6-9fe9-9e8d81f68d30/episodes/1cb8d9ec-db1b-43c7-93c7-f4010beb7fe4/the-defender%E2%80%99s-log-podcast-the-psychology-behind-a-cyber-breach-and-the-leaders-who-survive-it

ADAMnetworks
https://adamnet.works


I. Introduction and RSAC Reflections

Narrator: Deep in the digital shadows where threats hide behind any random byte, a fearless crew of cybersecurity warriors guards the line between chaos and order, their epic battles rarely spoken of until today. Welcome to the Defender’s Log, where we crack open the secrets of top security chiefs, CISOs, and architects who faced the abyss and won.

David Redekop: Welcome back to another episode of The Defender’s Log, and I’m really glad to have Nim Nadarajah with us today. And Nim is the CISO and managing partner of Critical Matrix. We have done an incident response project together, and I got to know Nim a little bit. Welcome, Nim. How are you?

Nim Nadarajah: I’m great, David. Thank you for having me. Very excited to be part of the session today.

David Redekop: Yeah, likewise, likewise. Welcome back from RSAC. I ended up missing it this year. How was it?

Nim Nadarajah: It was intense. Fantastic and emotional rollercoaster. Everything in RSAC experience needs to be, I call it our annual cybersecurity pilgrimage, about 50,000 people. They do 30,000 steps a day. We talked about 3000 different sessions and people, and you come back emotionally drained, but, you know, mentally recharged.

David Redekop: Well, I remember meeting you there for the first time a few years ago, and it is a wonderful place where you meet like-minded people. For some people it’s more of a networking function than anything else. So it was unfortunate that I missed it this time around. So anyway, glad to have you back. Hopefully you got your rest in and ready to hit the ground running as I remember going that when you come back, the work back home never stopped. There’s maybe a little bit of a pause because a lot of people in our space are in San Francisco at that time, but for the most part, nothing stopped. So then you all of a sudden you’re behind everything. Is that what happened to you as well?

Nim Nadarajah: That if it doesn’t happen, then you’re not busy enough. That’s exactly how it goes down every year.


II. Overcoming the Stigma of Cyber Incidents

David Redekop: So Nim, I’m gonna jump right in because you stand out as a really good leader in the space of guiding organizations past the shame, let’s just say, of being hacked. And in the world of “not if but when” that is a stigma still, that still persists when someone gets attacked, that it’s better to keep it quiet. Have you seen the needle move at all in the last year or two?

Nim Nadarajah: I’ve seen a little bit of the needle move from kind of the coming out of the wall of shame, but I think there’s still a lot of pride involved in getting injured along with the victimization of a cyber incident that it’s hard for somebody who has taken responsibility to defend the company, to come out and say, wow, what, we got hacked. It’s almost like admitting I failed, like I’m, this is my job and I didn’t do it well enough.

Nim Nadarajah: And coming to the realization that, you know, one person can’t hold all the wires together, can’t hold all the shields up and the inevitable does happen. But what did you have in place that made it a lot better of an experience than it could have been? And that shift in mindset and focusing on, look, it could have been a lot worse had we not have done A, B, C, D previously. That takes some conversation to pull out. And of course there’s also the fear of regulatory consequences and people like, you know what, I’m just not gonna talk about it because I don’t know what the implication is ’cause I didn’t look into it earlier.

David Redekop: Yeah. Right. When I’ve recently spoken to folks that have been compromised, I noticed that the old Tony Robbins quote, you can’t have confidence without competence. And I noticed that those that have been prepared to some degree are a lot more confident in sharing the breach that they’ve experienced because if they’ve applied some competence to the level that was expected of them in their industry, then that gives them the confidence to say, Hey, it still happened even though we had some preparation in items.

Nim Nadarajah: You know, it’s always the three Cs, right? Competence, confidence, and then there’s the capability. How did you perform? Right? And also those who have experience practicing their readiness and doing that preparedness exercises, simulation, tabletop war gaming, kind of cyber incidents. They seem to be a lot more confident coming out of it saying, Hey, you know what, it did go down, but we were ready. And the team, the team did go through and they remembered their last best practice. That’s all you can ask for, right? What did you remember practicing and did you execute against it? That’s your speed to containment.


III. The Psychology and Leadership of Incident Response

David Redekop: Yeah, exactly. And in your case, Nim, I know you have a decent background in psychology. And how does that help you understand the attacker behavior? Or perhaps even more importantly, how does that help you understand what is going on, the mindset of the employee, of the victim? Because that is kind of a different dimension to just being a pure technical CISO.

Nim Nadarajah: I love that question because we always tend to look at what’s happening with the technology, and you’re looking at your time to recovery, but the people doing the work and the people victimized by the work, you know, the perspective of the person that clicked and what they’re going through versus the people in the war room trying to recover the company and the things we say as people recovering the company. We think you’re in a conference room and the door’s closed, right? And we’re like, Hey, you know, wow, how stupid was this? I would never have clicked on this.

Nim Nadarajah: But then you don’t realize the other person who did click on it probably heard that. And you know, I was going, yeah, I know, man. That was really stupid. I don’t know why I did that. The psychology of the breach is very complicated and, you know, there’s a very strong victim perspective that, you know, we do need to take into consideration as part of every incident response. And having a strong leader that can address the team, the company, the group and having that sort of compassion and leading with empathy is really, really important.

Nim Nadarajah: Yes, it’s inconvenient. Yes, it’s bad. Yes, it’s costing us money, but we are here and tomorrow when we’re back up and running, we’re still a team. We’re still a company, and how do we continue operating cohesively together and what can we learn from this together? That’s really, really important. I’ve been in situations where I’ve seen the CIO completely break down as part of an incident response. And it is really difficult being on the incident response side of things, saying, wow, the person that’s supposed to hold it together and lead us through this is also now, you know, succumbed to the stress of the incident.

Nim Nadarajah: But you do need to display strong leadership. We do need to put the personal feelings of the negativity of what’s happened and try to stay positive and find a way out of this while still keeping the team and the employees and the company engaged and your vendors who are helping rescue you through the situation.

David Redekop: Yes. And I was with you on at least one of those occasions when we saw this happen and my heart just went out to that CIO because this was a very personal violation of what was his domain of expertise. The company was counting on him for his processes, which, you know, as far as he knew was rock solid as best as he knew how. So yeah, you definitely demonstrated a great deal of patience and understanding because at that point they basically have no choice but to trust the incident response team to do the right thing. And they’re basically hoping that, you know, for the first while that they made the right choice. And so it is a highly vulnerable situation, but equally rewarding when you come out the other end. So I’ve witnessed you do that and do that quite well.

Nim Nadarajah: David, there’s an awkwardness in dealing with an incident where suddenly you’ve gone from being surrounded by everyone you knew and trusted to now being surrounded only by people you don’t know and also violated by people you don’t know. And to be able to feel confident enough of the established trust. Now, here’s a total stranger saying, Hey, I need your passwords. Like, I understand what you’re saying, but you gotta give me access to everything, all the things, so I can start to bring this back together. And as a victim, you’re still going through that experience of who can I trust? Why should I trust you? How do I know that you’re also not here to take advantage of me? That’s a really complicated situation to be in.

Nim Nadarajah: Right. I’ve been on the other side where we had a physical break and enter into our home and, you know, the door was kicked in and it was physical, not cyber. But now you’re sitting here going, well, where did this, like, this is before we had indoor and outdoor cameras and all the tech, but now you’re sitting here going, well, where did this person go? What did they touch? What have they been in? We have no way of doing reconnaissance or audit in a physical crime. And it’s not like the police are gonna sift their fingerprinting, your underwear drawer to see if the person had been in there.

Nim Nadarajah: And then you’ve got people coming to your home from the insurance company quoting you with doors and locks and, oh, you’ve been a victim. Like, you gotta do this, you gotta do that. Well, how do I know you’re not now taking advantage of me? Because you now know that I need something that I didn’t need before. It’s a very difficult time. And if you link that to cyber, at least they understand what a door does. At least I understand how a door works. Here we’re dealing with people and we’re starting to talk about DNS. We’re talking about firewalls, we’re talking about network technology, software licenses, all concepts that they were not thinking of before, but we’re having to implement from a containment strategy perspective. And they’re like, I never had this. Like, do I need it? Should I spend on it? What do I do? It’s overwhelming and it will break a person.

David Redekop: Right, and there are so many technology elements in the stack that had just always been working, right? When there is a component that was a set it and forget it, it’s easy to do the forgetting part, and then all of a sudden when you actually have to peel back the layers and get down to first principles, it gets to be a little bit tricky.


IV. Nim’s Background: From High School Prodigy to Gold Rush

David Redekop: Nim, I’m very used to working with peak performers like yourself. And what I notice is that they all have a story, and the story is about the collective of life experiences that got them to the place. It seems to me that you really have a life story that I would want others to know about as well. That got you to the point where you are an active entrepreneur, a managing partner, while also being technically strong, while also being able to communicate in normal speak to not overwhelm the client. Take us back to how you got started. What were the original life experiences that prepared you for this role?

Nim Nadarajah: I started in tech when I was 16 years old. Actually I was in my high school and there was a library network being implemented. We had a vendor in there trying to do it and they were taking forever. And this was back in the days of, you know, Apple MacJANET Network. And, you know, it wasn’t your traditional sort of PC-based Trumpet Winsock deployment. But we have to set up a network on a Mac, and these guys were struggling. And I went back to the librarian and I said, look, I could do this, but you know, young and stupid, you don’t wanna share what’s in your head. You want, you think you know it all, right?

Nim Nadarajah: So I said I’ll do it, but I won’t, I don’t want anyone looking over my shoulders. I’ll just get it working, but I won’t tell you how I did it. And the librarian was like, okay, pretty confident. But they were also frustrated that it was three weeks late and they said, why don’t we give ’em a chance? Right? So that night they, after school they called my parents, they sat down. I stayed behind for a special project and I got it up and running in two hours. Connected the MacJANET network. It was up, it was with the Herb Carnegie Foundation connecting our network at school to a satellite that then connected to a school in Africa. So we can look inside their microscope camera to camera.

Nim Nadarajah: Kind of cool. 14.4 baud so 300 baud modem connection. That, and I remember also upgrading that to 56.6 later on. That, that’s kind of where it started. And a week later, the consulting firm that was doing that offered me a job in high school to say, Hey, this summer, why don’t you come work, work with us? So I started, I started training teaching Windows 95, Office 95 to, you know, transforming companies like TD Bank, Toronto Star, General Motors in Canada from Lotus 1-2-3 over into the Microsoft platform. And kind of that made the basis of my career.

Nim Nadarajah: And while I was in university you know, my dad had a cardiac event and had to switch from part-time school to full-time work and, sorry, full-time school to part-time school and full-time work so that I could do sort of get extra money into the house and I was lucky to start working with Rob McEwen and Goldcorp Inc. as my sort of first debut into corporate and was responsible for the Goldcorp Challenge, the first ever internet gold rush.

Nim Nadarajah: So we put all our geological data onto the internet with CD-R website and with CD-ROMs, you could order the CD, we would ship it to you, and we said, help us find the next 6 million ounces of gold. And we’ve got a million dollars in cash to take home. We crowdsourced the opening of the Red Lake mine and its high grade zone with the 3D model that was submitted by geologists all around the world and helped put Goldcorp back on the map.

Nim Nadarajah: So that was the beginning of it, and put into an operating mine and moved on from there to RBC capital markets and then working with CIBC to launch PC Financial and doing a whole bunch of projects there. I went to work at Baxter Healthcare as, you know, sort of their plan build director in Canada globally. Transforming, helping transform the company into using Salesforce, Microsoft Cloud, various security and transformation projects. And at that time we decided why do this for somebody else? And you can do it for yourself. And in 2007, my wife actually launched Critical Matrix. I joined the company later on in 2009 and it’s been a fantastic ride ever since.


V. Innovation and Crowdsourcing Firsts

David Redekop: Wow, that just way too fast of a story. I want to go back. I want to go back to the crowdsourcing. I wanna go back to the crowdsourcing part because that today the idea of crowdsourcing to anybody listening or watching is so obvious there, there are so many use cases where crowdsourcing makes sense. But you have to remember back when for everyone else you remember, this is year 2000. The idea of crowdsourcing did not exist. The term probably did not even exist. I haven’t checked to see when it came about, but I’m sure. So what led you to think out, out of the box for that to be crowdsourcing or talk through that thinking process that got you to realize that wisdom from the crowd in this case makes a lot of sense.

Nim Nadarajah: You know, our, we had an amazing CEO, Robin McEwen, you know, visionary leader at that time. And he had an article in his hand. I remember when I was talking to him, it was the Harvard viral marketing study that said the example of a person standing on the rooftop of a corner of a building and then one person looks up and then everybody starts looking up and now you’ve got their focus. And that was a Pepsi ad back in the day. He said, well, how can we use this? How do we use this to scale our company and get attention?

Nim Nadarajah: And you know, there was a lot of talk and brainstorming when the idea was born to say, well, can we get all our data with a 3D viewer that we can give somebody a free 3D viewer back then was a big deal. So we like, yeah, we can put all our data on a CD, we can stamp it on. We partner with a company called Gem com to give us a viewer license. And you basically go to a website and you log in, you sign up.

Nim Nadarajah: And we actually won Business Week top 50 websites of the year, that year because it was a basic website, but it had a registration process and it would show you information about what we were doing. It had some 3D animations of, of what we were thinking of achieving and video clips. And so when everyone was downloading it, we obviously, there was a lot of marketing hype that were behind it.

Nim Nadarajah: It allowed us to sort of get all these submissions to come into our contest to say, Hey, this is, why just employ the geologists we have access to. Let’s employ the world in the form of a contest. We had submissions from Australia, Japan, all over US, Europe, Africa and some amazing thought leaders, some wonderful submissions. And we had experts go through them, find the gold, and then the next task was setting up the infrastructure needed to move ahead with operationalizing, going and discovering and exploring and finding that gold.

David Redekop: That is brilliant. I remember you telling that story the first time. I’m like, okay, if this guy’s behind that thinking process, we’re gonna be friends. Because there’s so many times when we are just forced to think outside the box. ’cause that’s the only spot there’s a solution, right? Oh. Yeah.


VI. Process vs. Tooling in Cybersecurity

David Redekop: So you’re talking about scaling there and because clearly that was at the front of your mind is how do we do this so that it can scale all the way through? And that’s the position that a lot of managed service providers find themselves in today. Because in order to offer a significant economic exchange, a value exchange you have to be able to scale, right? You have to be able to do more with less.

David Redekop: And so traditionally there’s been this focus on either a tech stack to standardize and groups like service leadership focus on the tech stack, needing to be absolutely consistent, needs to be the best. And then there’s process, discipline, and maybe it’s both. How do you, in your experience, how is the best way to balance those two principles between choosing the right tech stack versus having the right process discipline?

Nim Nadarajah: You know, to be a good author, it doesn’t matter if you’ve got Microsoft Word, if you’ve, or you’ve got the WordPerfect 6.1 on MS-DOS. Right? And we fall into this trap as business owners, MSPs, and security companies, where we think it’s the tool that’s gonna make us good. But, you know, quality, disciplined action, which is driven by a good process often gets overlooked.

Nim Nadarajah: And then the question becomes, well maybe the tool is gonna tell us the process. Like, let’s just buy a tool and we’ll follow a process. And yet when you open Microsoft Word, just like you open WordPerfect, you end up with a blank white page instead of a blank blue screen, and it comes down to how are you going to articulate what you want to on the inside this application.

Nim Nadarajah: So when it comes to practices, it doesn’t matter whether you’re using Dynamics or Salesforce or HubSpot for CRM or if you’re using CrowdStrike or Defender or Trend Micro for your EDR XDR, the tool is less relevant than having the right processes enabled and policies enabled and then the tool becomes a discussion. Yes. Tools will make a difference once you have a good process, because now you can pick and choose what aspects of what tool you want to use the most, but it comes down to getting your processes right first.

David Redekop: Yeah, that makes sense. I do have to argue with you though about tools because you’re the guy that I used to fight back in the day. I have, I may have shared this anecdote before, but I had so much invested in my Lotus 123 programming and I had written macros that took 25 minutes to run, and now you’re asking me to switch to Excel. And Excel, you know, does not have the elegant approach of stern.

Nim Nadarajah: Hey man, I had my 60 line chart command in Lotus Chart as well, so I feel you. I get it. Yeah.

David Redekop: But then when we were forced to standardize to Excel, there was a lot of automation that had to be redone and rebuilt, and eventually you’re just like, okay, we’re just gonna forget our personal preferences. This is like learning another language, right? So eventually you just go to where the speakers are. And that’s how we ended up speaking English. Because the internet is in English, North America is English, so you know, I gotta bring it back to the two letters that I wasn’t planning on using today, but I will. It’s A and I.


VII. The AI Era and Data Crown Jewels

David Redekop: So, you know, it’s, we’re on the advent of AI, and I shouldn’t say I, we are in the middle of AI and everything is AI, AI, AI, but it’s only as, it’s only ever as good as what you give it. It literally is a garbage in, garbage out scenario. And if you’re gonna adopt new tools, but you don’t have the correct processes to create the necessary inputs to enable those tools, your outcome will always be flawed. And until you come to that realization, it’s also a fallacy to think whatever I put into AI is gonna get better and AI is gonna make it nicer for me and it’s gonna come out a hundred percent better. And I’m seeing a lot of that.

David Redekop: You weren’t gonna bring up those two letters, but I was gonna bring them up anyway. So now that we’re on that train, I’m, yeah, because how could you how could you be at RSAC and not see that the world’s being taken over by agentic AI and all the security that it implies. But before we go to the security side of AI, talk to me about how you feel about this double-edged sword about AI, especially when it comes to intellectual property, because you and I are working a lot with organizations that have intellectual property to protect. What is sort of your overarching view on the perspective that decision makers should be thinking through when it comes to AI or agentic AI deployment in their organizations?

Nim Nadarajah: Well, intellectual capital or intellectual property, or as I call them, the crown jewels data that you do need to make sure is protected at all costs. The consensus from most people I’ve talked to is they’re all generally not aware of what all the crown jewels are or within their organization, their definition and understanding of what a crown jewel is not consistent yet. And that sort of flows down into their records management, data governance, data guardrail processes, or a lack thereof before they’ve enabled AI.

Nim Nadarajah: And in many cases it’s been a free for all because it’s become the shadow IT of the organization. The amount of AI tools and the proliferation of use of AI tools has already happened and now security and technology are in a position of saying, well, I gotta pull some of this back. I don’t know. We, you know, there’s too many here, which is one extreme, which, you know, I’m seeing happen.

Nim Nadarajah: And then there’s the other extreme where somebody saw this coming and they’ve got 800 rules in the firewall explicitly blocking all the known AIs, and they download a list every now and then and they’re re-uploading it. But they didn’t realize that within HubSpot there’s an AI, within Salesforce there’s an AI, like there’s all these individuals that like inbuilt app AIs that people are using that are not being blocked by these same rules.

Nim Nadarajah: To your point, the enablement of your own company, LLM, within certain guardrails and everyone working towards training something which is beneficial to the company is not a bad idea. It’s probably something we should all be exploring today, but there’s a lot of pre-work that goes into that. More so than, Hey, can you turn on Copilot so I can write my emails better? Like, that’s not really AI at all. That’s, you know, for those of you who remember Clippit, that’s basically Clippit after it came out of the gym. It’s just a little more pumped.

Nim Nadarajah: The, where we are today is we do need to take a step back and really look at what are the data guardrails? Where’s the patient being stored? What do you have? Where is it being processed? Who has access to it? Who should not have access to it? And more importantly, cleanse and remove your PII and have retention policies. There’s people with data in their mailbox from 1991, and I don’t know when last you opened it and why it’s relevant.

David Redekop: A lot of the very basic elemental work is just downright boring, right? And so it’s obvious that very often it doesn’t get done when you are operating in small business or even a small medium enterprise, and the drive is towards, you know, top line and bottom line. These boring behind the scenes cleanup tasks very often get delegated unless there’s someone in the role of, you know, we need to worry about future liability if we take care of this. So I could see very easily how in organizations of any size that takes the backseat, especially if you, you’re having a difficult quarter and you haven’t quite, you know, hit your target for this quarter and you really want to just focus on some productivity. It’s easy to say, okay, let’s delay that.

David Redekop: So, but it sounds like it’s really something that we have no choice but to address on a proactive basis.

Nim Nadarajah: If you’re not exploring it, someone’s already doing it.


VIII. Favorite Analogies: From Sinks to Garden Hoses

David Redekop: You are known for, because you sit on several boards, I know. And you’re known for having really good pictorial analogies. And how, what is your favorite way of describing zero trust security, DNS security, AI, LLM access security, all of these topics that everyone at some point has heard these terms, is aware that they should be paying attention to. What are some of your favorite pictorial experiences that communicated the need for this to be prioritized successfully?

Nim Nadarajah: Wow. There’s so many so many different analogies. I’ve used the house and lately I’m using the under the kitchen sink. ’cause we used to have these locks to prevent my daughter from opening the cupboards. But, you know, nowadays she’s figured out where the magnet goes and so she opened a cupboard herself. Right.

Nim Nadarajah: But, you know, as a user in the house, and from her perspective all these days, the kitchen sink was just a place where water went and it went down this hole and it disappeared. But when you get access to that cupboard magnet, now you open the bottom, you notice that there’s hot water, there’s cold water, there’s a drain pipe, there’s this funny looking U that prevents you from losing things. And then on the shelf, there’s chemicals, there’s bad stuff in there that if you don’t know how to use it, and if you don’t close the lid properly and secure it, it can cause some pretty bad damage to everything around you if it spills, if you breathe it, and so on.

Nim Nadarajah: This is kind of the underlying premise of technology that the business forgets that watching a five-year-old experience the underneath of the sink was kind of cool. You know, like, wow, all of this is here. What does that do? What does that do right? To us, it’s a sink. It’s just cold water, hot water, dishwasher drain, right? But to somebody understanding this for the first time, it makes you sit back and go, huh? All of this happens just to be water up there into this tub, huh? It’s kind of neat.

Nim Nadarajah: And when it comes to zero trust, when it comes to, you know, what we call DNS and all the different security configurations, that really puts it into perspective because you’ve got, you know, your IP traffic, you’ve got your, you know, approved IP traffic, internet traffic, which is cold water approved as hot water. You’ve got the drain where all the information’s going, and you’ve got all the controls on top, which is, you know, how do you balance it so you don’t get burned? So that’s something that hit home recently because I watched the experience happen after this, after my daughter opened the kitchen sink drawer.

David Redekop: That’s really awesome because the more we can analogize the tech stack, the more we humanize the interaction and the understanding of what needs to happen when. And it turns out that actually the water analogy works really well in a number of spaces. I asked for my youngest son to understand how energy works. He has an uncle, my brother, who is a high voltage specialist at a steel factory.

David Redekop: And I thought, oh, I wonder if AI can teach my son the difference between amps and voltage and watts, and sure enough, it used the water analogy to talk about the thickness of your garden hose and the amount of pressure and how much water is coming out. And so when that happens, all of a sudden you can just see light bulb click in someone understanding it, and then they’re satisfied after that, never needing to get technical, but by the same token, now they’re prepared to understand that when we say we need to make sure that there’s no leakage in the water hose, that is an important element because what if that leakage happens in a place where it’s gonna cause long term damage? Right? So these analogies that I’ve seen you use really do have like a long tail of value over the long term.

Nim Nadarajah: Yeah, tell, yeah, absolutely.


IX. SIEM Optimization and Financial Risk

David Redekop: I’m curious if you have any stories that you wanna share about your most successful technology transformation project that you’ve been a part of, or that you’ve overseen where you’ve seen the net result actually bring about better productivity that was measurable, better profitability that was measurable. Obviously profit always is, but that you could correlate it back to a transformation.

Nim Nadarajah: I’m gonna use a security example. It’s a security transformation project where we went into a large global customer who was spending millions and millions of dollars a year in getting their SIEM solution working. And it started with improper log management, improper use case configuration, improper alerting, like it just, everything. There was so much noise, you couldn’t discern an actual signal that needed an action. Right. And it was an expensive endeavor for them to continue paying for this every month.

Nim Nadarajah: And they were like, oh, let’s just switch solutions. It should get better. Maybe we’re just using the wrong one ’cause this one comes from Microsoft. That one comes from so and so, and maybe this is better. And that’s not, but that wasn’t the case. ’Cause coming back to the question, what is your process? Let’s not talk about the tool.

Nim Nadarajah: So we used a couple different processes within our company. One is FinOps optimization and one is our SIEM solutioning and solution design processes. And we were able to save them a few million dollars a month. Brought them down from over 700 random use cases to 130, which mattered the most. Also was able to deploy a SOAR solution alongside that to remediate any of the certain percentage of the alerts that are coming through the system and from the savings, be able to justify several other optimization projects for them so that they could continue to send the correct logs into their SIEM and have the right events notified on. It was a nine or 10 month project.

Nim Nadarajah: And to this day we hear thanks from the CISO of that particular customer saying, wow, this is amazing. This transformation helped us significantly. We weren’t even expecting this. And here’s the cool thing, the cost of doing that work was not even 10% of the millions that they saved. So it paid for itself within the first month of us rationalizing some of these logs and

Nim Nadarajah: This comes back to the, one of the other feedback I was getting from RSA. Leaders are tired of being inundated with so many dashboards on so many different screens from so many different aggregated logs that it’s time to take a step back and say, you know, what are the indicators that really matter to our business? And let’s build those metrics based on, you know, financial risk, manufacturing risk, distribution risk, supply chain risk, and focus our signals on things that affect these 5, 7, 9 items.

Nim Nadarajah: What are the 10 to 12 use cases that map back to this? And let’s focus on that because now you’re taking an approach or focusing alerts on what matters while still securing everything else. But the inundation of dashboards and the rush to create a board story at the end of every quarter, it’s becoming a lot of work because there’s tool fatigue. There’s way too many tools. Each tool tells a different story.

Nim Nadarajah: And when you ask someone, Hey, what’s your biggest risk? They show you one version that matters to them from their vantage point. But then that same CVE that they’re showing you as risk number one, it affects their OT network, it affects their, you know, other systems. And the one that matters the most is not even on the top of the list. Right? So correlation and understanding that layering of IT, OT, biz apps, SaaS apps, and creating that risk profile based on a consolidative view is gonna be a huge differentiator to understanding the true exposure of the company.

David Redekop: I can see stakeholders very shortly expecting to be able to walk up to their smartphone and basically say, Hey, I am the subject matter expert in my particular vertical. I know, and I don’t want to know anything about security, but I need to know every one of these kinds of risks that you’ve just described. Tell me where I need the most urgent short-term attention and where I need to start preparing for longer term attention and help me prioritize that. Because at the end of the day, if the stakeholder knows their subject matter well, and they are clear and articulate about what their goals are, we are at that point or very close to it, where the security posture is not an element of mystery anymore. And so it’s both exciting and scary at the same time for our entire industry. Right. Are you more excited or more fearful?


X. Agentic SOCs and the Future of AI Coding

Nim Nadarajah: I’m fearfully excited. You know, an agentic SOC is only as effective as the quality of the signal the agentic SOC receives. Everyone is of the opinion, oh, I have such a noisy environment. Let me put it in an agentic SOC. Well, it may help you rationalize a little bit, but it’s not gonna, it’s not gonna clean up the mess that it’s receiving. Right. And that’s where kinda a lot of the leg work’s gonna come in to make sure that agentic SOCs are becoming more and more effective.

David Redekop: Just this morning for one of our exercises, Nim, I had to write a quick little routine for a Windows virtual machine to launch the browser, go to a URL, grab a screenshot and close the browser. So what do I do? Of course, I’m not gonna write this PowerShell script by hand anymore. Why would I? I’m going to try with a couple of different choices on how to write this. Turns out that in this case, Gemini was pretty good at the first go, except that it immediately ended up opening up the task and that it stayed running.

David Redekop: So then I respond back and say, okay, I’ve got the browser running, but it’s not closing yet, and the past day is running, so it’s not gonna repeat like it’s supposed to every five minutes. So immediately it spots the problem, like, why didn’t you spot it in the first kit? In the first place. So unless we are used to the iteration, whether it’s agentic iteration, which we are now seeing alarmingly amazing, or the human in the loop does the iteration, that is going to be an important skillset for people that run security is to constantly be, I feel like we need to be even more alert than ever before because now in addition to having sloppy configuration or sloppy apps that we have to supervise, now we have to be super alert on the brand new stuff that we just wrote this morning because it’s gonna go rogue. It’s, it keeps you on your toes. It seems to like today more than ever I was very close to saying, Nim, we need to reschedule.

Nim Nadarajah: Yeah. No, it’s true. I met a very interesting company in one of the startup forums at RSAC, and this is an organization where I asked him, well, how many employees do you have? He goes, I’ve got 29 employees. I’m like, oh, what do you think at startup? He goes, I’m like, so I looked at his company name and I said, well, how many human employees do you have? And he goes, oh, it’s just me. We’re a pure agentic-driven company. We’ve got 29 agents and you know, this is Sue and Bob and Joe and Jane, and this is what they do, blah, blah. I’m like pretty neat.

Nim Nadarajah: And, you know, they’ve implemented some creative supervisory controls to manage scenarios like prompt injection or drift. And you know, this hallucination, right? They’ve put some controls in place, but I’m not sure I’m ready to say that we can have a pure non-human involved agentic security platform that is just agents supervising agents, assigning work to other agents and agents testing other agents’ work. Like I was just like, I don’t know if I was mentally ready for that, but it does exist and vibe coding has allowed it to happen.

David Redekop: That’s exactly right. We, my wife and I are blessed with a number of sons and one of them just sent me a short video, and he’s not in the technical stack. Like he’s never actively been involved in writing code of any kind. But he writes me or sends me a short video and says, dad, why don’t you do this? And I’m like, wow. So we really are at the place now where someone with zero coding experience can produce something that is pretty compelling. So as long as they have the agency to think through the entire process of what could possibly go wrong.

Nim Nadarajah: Well, we have real life example, right David? Our mutual friend who created an event app was a software salesperson in cyber security industry, and he’s launched a privacy first application purely based on coding with AI and doing all this security cross checks with AI. Here’s a salesperson who’s never written a code in their life.

David Redekop: Yeah, times really are exciting and for me personally, it is really exciting because my love for actuating code is really in the past, my love for seeing the result of what code can do is a much more emotionally engaging prospect. I’m much more excited to see how this will make someone’s life better, make my life more efficient, more secure, more private. And so from that part, I am definitely more excited than I am afraid. But if we don’t have enough people that are staying at the leading edge, then I’m afraid, then we’re gonna have physical security as a concern pretty soon.

Nim Nadarajah: So true, but you’re absolutely right. We have shrunk the gratification side of software development so significantly to the point where, you know, it’s not quite at like that TikTok level, but damn, it’s pretty close. Like it’s impressive. Like the delayed gratification on writing code and seeing your app run was months, sometimes years. Now, it’s like, Hey, are you done yet? I would like to see my code work. And a minute later you’re looking at it like it’s

David Redekop: I have such a long list of projects that I want to do, that it occurred to me this past week. Do you remember when BB-8 first came out? And I don’t even remember which episode or which movie it was, but I was so tickled pink along with our sons about this robot that was able to just speak in tones, right? And so I thought, you know, wouldn’t it be cool to write an app where you can have your friends download the BB-8 app and then when you type something, the actual transmission goes out over the tones.

David Redekop: So then at the other end it plays the tone, but we interpret it. So we started this process, me and some of our sons, so we had to transpose every tone back to the exact frequency, right? And then basically map a frequency to a character, a letter. And that’s where we got stuck, is just getting further and figuring out, well, how large is our alphabet going to be? Are we going to do English language only? Right? And so before, you know, you got this scope creep, just in thinking about this book today, I realize, wait a minute, you could do it right now.

David Redekop: You could literally just modify the scope as you go and get your Claude bot to rewrite it from scratch. So, and we are at the point now where ideas no longer have much value, meaning that all future ideas are approaching zero because once execution is so inexpensive, then it means that the volume of ideas will be so large that the price and the value will effectively be zero. The only thing that will have value is the actual net good execution. There are so many different lenses with which to look at all of our dynamics.

Nim Nadarajah: Oh, true. Yeah.


XI. Conclusion: Words for the Next Generation

David Redekop: Nim, if you had to write one sentence in my defender’s log logbook for the next generation that they will read 10 years from now, what would it be?

Nim Nadarajah: One sentence for the next generation to read 10 years from now. Does it have to be a sentence? Can I show ’em a picture of a cassette or an 8-track and say, you guess what this is?

David Redekop: Do it. Yeah, that’s what I would do.

Nim Nadarajah: I’d be like, Hey, you know what? This is maybe even CD, be like, you know what this is? If I had to write a sentence though, the power of your ideas haven’t been created yet. Stay innovating. Anything is possible. ’Cause when I was in high school, I never once imagined that there would be self-driving cars, that there would be a solution to write code without knowing, you know, Turing or, you know, Fortran or any of these languages. It really is the era of anything is possible, and according to Moore’s Law, if we can do what we just did in a period of 18 months with AI, what they can do 10 years from now with the power of computing is gonna be mind blasting. So anything’s possible. Keep innovating.

David Redekop: That is so true, and I’m with you 100%. So that’s only gonna happen if they stay hungry. So we gotta find a way to keep them hungry. You and I are both dads and we are deeply concerned about the future generation. We want them to have it as good as we did in terms of having the exciting opportunity for a bright future.

Nim Nadarajah: That’s right.

David Redekop: Nim, I really appreciate your time today and I’m really going to enjoy sharing this with our sons as well. Thank you for coming on the podcast today.

Nim Nadarajah: Hey, thank you for having me, David. It was a real pleasure.

David Redekop: Yeah. We’ll do it again. Bye for now.

Nim Nadarajah: Absolutely. We should.

Narrator: The Defender’s Law requires more than a conversation. It takes action, research, and collective wisdom. If today’s episode resonated with you, we’d love to hear your insights, join the conversation, and help us shape the future together. We will be back with more stories, strategies, and real world solutions that are making a difference for everyone. In the meantime, be sure to subscribe, rate, write a review, and share it with someone you think would benefit from it too. Thanks for listening, and we’ll see you on the next episode.

*** This is a Security Bloggers Network syndicated blog from The ADAM Blog - ADAMnetworks authored by Carly_Engelbrecht. Read the original post at: https://support.adamnet.works/t/tdl-019-the-psychology-behind-a-cyber-breach-and-the-leaders-who-survive-it-nim-nadarajah/1537


Article source: https://securityboulevard.com/2026/04/tdl-019-the-psychology-behind-a-cyber-breach-and-the-leaders-who-survive-it-nim-nadarajah/