Pressure Zone a podcast by Hack The Box
Pressure Zone is a game-driven cybersecurity podcast where CISOs and executives are placed inside escalating, realistic risk scenarios that mirror the complexity of today's cyber leadership. Each rung requires the guest to make a decision under pressure, explain the rationale, and translate the impact into business terms, just as they would with a board, CEO, or executive team. The episode unfolds as a structured game, creating an engaging format that reveals authentic leadership judgment, tradeoffs, and security insight without feeling like a traditional interview or sales pitch.
Each episode is built around escalating rounds: connected, sequential scenarios that move from early warning signs to high-stakes incidents, where every decision shapes the context and pressure of what comes next. Guests must assess the risk, make a clear call, and defend it in business terms. If they dodge a question or avoid a decision, they trigger a Confession Card penalty, prompting an honest, insight-revealing response such as a hard lesson learned or an unpopular opinion. This keeps the tension high while preserving the realism, pace, and authenticity of the game.
The Glass Room
A breakthrough patent forty-eight hours from launch. An industry gala celebration. A hidden corporate espionage operation extracting core proprietary secrets over a glass of bubbly champagne.
In this second episode of Pressure Zone, host Christine Bartlett puts veteran security leader Brian Markham straight into a fast-moving cybersecurity scenario where every decision raises the stakes. What begins as an uneasy discovery about an overshared conversation quickly spirals into a board-level risk crisis involving a multi-million dollar extortion demand, legally hazardous commands for offensive warfare, internal corporate panic, and a ticking countdown to public exposure.
As the pressure builds, Brian must decide how to balance corporate compliance, legal boundaries, stakeholder anxiety, employee empathy, and strategic communication, all while explaining each high-stakes call in business terms. Should the security team launch an immediate forensic lockdown? Should offensive "hacking back" operations be authorized against an unknown infrastructure? Should the organization scapegoat the compromised researcher, contain the incident quietly, or aggressively shift their entire communication timeline to strip the attacker's leverage?
Welcome to the Pressure Zone, the HTV podcast where we take one security scenario and watch it spiral out of control. Today we aren't talking about hardware firewalls. We're talking about the human firewall. And we're joined here today by Brian Markham. You spent millions on encryption and you forgot about the guy in a tuxedo with a glass of bubbly champagne. Here comes the storyline. Your company is 48 hours away from announcing a breakthrough patent that will double your market cap. While your engineers are celebrating at an industry gala, a journalist from a prestigious tech publication approaches your head of research. Through a masterful 20-minute conversation using classic elicitation techniques like giving a little to get a little, the journalist convinces your researcher to clarify a few technical rumors. By the time the gala ends, the journalist has enough clues to reconstruct the patent's secret sauce. The catch: the journalist doesn't exist. It was a sophisticated corporate espionage operation, and now they are threatening to publish the leak unless you pay an exclusivity fee to keep the story dead. Let's see if you can protect the secret when the leak happens in person. Are you ready to step into the zone?
SPEAKER_00: I'm ready.
SPEAKER_01: Okay. There's a total of five questions. Question number one: the hacker gut discovery. The morning after the gala, your head of research comes to you, visibly uneasy. He realized he overshared with a stranger. You check the guest list. The name was fake. You now know your most valuable intellectual property has been partially compromised through human means. What is your move? A, the internal lockdown: immediately suspend the head of research's access and start a forensic audit of his devices and communications. B, the counter spin: instruct public relations to leak a fake version of the patent details to muddy the waters. C, the CEO liaison: inform the CEO immediately that the high-value patent is at risk, even if the full extent is unclear. Last, D, the stealth tail: hire a private investigator firm to identify the journalists using uh the gala foot security footage and other leads.
SPEAKER_00: I think I would go with C to let the CEO let leadership know what we're dealing with because you want to try to address problems as a team, not to try to keep it to myself and start trying to make decisions on my own. This is a larger issue. It's one that would involve the CEO, it's one that would involve marketing and public relations, it's one that would involve technology. And so I think the sooner you kind of let leadership know what's going on, the better chance you'll have at a good team-based approach where people can bring all of their various talents and experiences to the table. So I think I'd go with C.
SPEAKER_01: Okay. Not a bad, not a bad choice, but here comes a little bit of the roast. You're sharing the pain early, but you've just turned a developing situation into a potential boardroom panic with incomplete information. The CEO's first question is going to be brutal: "We spent millions on cybersecurity. How did a guy with a fake press pass walk away with clues to our future?" How do you answer that question?
SPEAKER_00: So the first thing that comes to mind comes to mind is that there is a difference between the money that we spend on cyber and what just happened, right? Now, the CEO's not really going to be interested in that distinction. They just want an answer to the question.
SPEAKER_01: Right.
SPEAKER_00: But I think immediately that's my that's my first thought. Um, I think if you're telling good stories about security on an ongoing basis, I think people know, your leadership should know that this is never an exercise in perfection, that um human risk is always there, it always has to be dealt with, you can do everything the right way, and a very smart, very qualified, very knowledgeable human can still make a mistake. And I think that that's what we're dealing with right now is that a very smart, very capable human was social engineered.
SPEAKER_01: All right, question number two, uh, the regulatory trap. The attacker sends proof now of the stolen clues and demands $5 million. They warn that if the information becomes public, it could destroy your ability to secure patent protection and trigger a material event for investors. Do you report this incident involving potential loss of intellectual property to regulators right now? Here are your choices. A, the post-closed cleanup: pay the fee quietly, secure the researcher, and assess disclosure later once the patent is safely filed, in consultation with legal counsel, of course. B, immediately uh immediate disclosure: report the incident properly by potent as potentially material to the to stay compliant, even if it damages the announcement momentum. C, the indemnity demand: pursue legal action against the gala organizers for inadequate security vetting to create a record that may support delayed disclosure. D, the hacker hunt: task your team with legal approval to investigate the attacker's identity, escalate it to the FBI if indicators point to a national a nation-state actor.
SPEAKER_00: Unlike the last question, I feel like there's like multiple good, there's multiple good options here.
SPEAKER_01: Okay.
SPEAKER_00: Whereas the first one, I was like, oh, I definitely would not do those other three. Um, I think if I can just ask a clarifying question, we were going to go public with this in 48 hours.
SPEAKER_01: Correct.
SPEAKER_00: And so what this what this person is doing is threatening to go public with it sooner to basically take the take the wind out of our sails, essentially, and screw up our rollout.
SPEAKER_01: Correct.
SPEAKER_00: But they've got a problem in that they've only got 48 hours before their their information becomes stale and it's out in the public domain anyway. So I definitely would not advise that we pay because this person is trying to extort us. Um, I would not do that. I think I would um I really I like I like D. I like doing an investigation to try to understand who this person is. With 48 hours to go, I have no interest in pursuing legal action against like an event coordinator. You know what I mean? Like that's like chasing my tail. So yeah, I I think I would go with D because I like the law enforcement angle. At this point, I'm being extorted. Um, we're we're we're the victims of a of a crime essentially. So I probably would want to involve um law enforcement. Um, but actually, if I'm being specific, um general counsel makes that call, honestly. Like cyber cyber can can weigh in and certainly offer an opinion, but generally the way that I approached my job is that um it is not my job to engage law enforcement, it would be it would be legal's, it would be counsel, but you make that you make that decision together. Um, I think so. I think I would go with D.
SPEAKER_01: But I like your approach. I like the teaming aspect, leaning on your legal counsel and and coming together. I think that's uh an important move in any of these types of scenarios for sure. Okay, question three, the board's ultimatum. Now we've reached the boardroom. The chairman says, "I don't care about the ethics, use whatever means necessary to neutralize the attacker's copies of our information and stop the publication." How do you respond? A, the technical deep dive: explain clearly why deleting data you don't control is extremely difficult and legally uh out of scope while recommending lawful options such as law enforcement involvement. B, the conditional fix: agree to explore aggressive defensive measures only if the board provides explicit written authorization and a significant legal defense budget. C, the resignation threat: state firmly that unauthorized offensive action, hacking back, is illegal under laws like the CFAA, and you will not participate or allow your team to do so. D, the risk taker gamble: authorize a limited technical operation to disrupt the attacker's known infrastructure.
SPEAKER_00: Right now, all I know is that someone went to a party and basically extracted human intelligence from a human. Right? Like, for me, like the cyber component of it, like, are there electronic files somewhere? Like, yeah, maybe, but could there be some articles sitting in a draft box somewhere? Like, possibly. But I don't know that. So I think at this point I'm not gonna try to take on any sort of offensive cyber operation against that person because I don't even know who I'm dealing with, right? Like, I could be inviting something way worse. So I think the answer I'm going for is A. Like, look, you've got other items of value uh, you know, online, right? Like, yeah, you've got a business to run, you've got employees, you don't need to risk, you know, pissing off someone that is you don't even know who they are. Um, you know, I just wouldn't go there at this point, and maybe that's just my personality, but um I can be vindictive when I have to be, I guess, but I don't think right now is the time when you don't know who you're dealing with, what their motivations are, uh, what their capabilities are, especially when there is nothing about their infrastructure right now that you even see as special. You know, it's not like they're hosting a site that's like all my company secrets.com, you know, and and because once they once they do that, there's legal channels for getting websites taken down. They don't even have them.
unknown: Right.
SPEAKER_00: You know, I don't need to start like DDoSing things that I don't that I don't know about, you know what I mean?
SPEAKER_01: So so it continues. Now we're on to the internal leak. The attacker leaks a short audio clip of your researcher sounding careless after a few drinks, because that's what they were doing. It's over champagne. Employees are furious that years of work were lost over champagne. Morale is collapsing. What's your move? A, the CEO keynote: release a video focused on human resilience and learning from the incident. B, the targeted fire: publicly remove the researcher to send a strong zero tolerance message. C, the counter narrative: push a story framing the researcher as possibly manipulated or compromised. D, full transparency: hold an all-hands meeting, admitting this was a human vulnerability, not a technical failure, and outline improvements to come.
SPEAKER_00: Yeah, so many interesting options there. I well, first off, let's before I give you an answer, let's kind of talk about dealing with an employee who may have made a mistake or been a victim of a crime. I am not HR. Um, right. So while we care about insider threat, the the people that really make those decisions about what to do with an employee that's kind of acted out of step with with company policies, that's an HR decision. So I think at this point, I'm working with them and what they want to do, there's there's precedent to it, there's laws, there's norms, um, risk tolerance, and and that really kind of would fall under them. But I would not move to publicly shame the researcher because I don't think that is sending the right message to the rest of our employees. So but I think if morale is getting hit, I think if there's a lot of information out there, um, the best thing to do would be to come up with something internal. So I think that I think that's D. Um, to have some sort of all hands, some sort of um singular communication to employees so they know, hey, this is what you may have read, this is what's actually going on. If you're contacted by the media, this is how you handle that, you know, because we don't want people talking to the media. We want it going through marketing and communications, right? And so here's that point of contact. We just kind of want everybody to be on the same page and to let them know, like, look, like this was a targeted um instance. They specifically went to this event for the purposes of gaining information, non-public information. Um, this person was a victim of that. Um, and now we're dealing with the cleanup, right? We're dealing with now how do we how do we represent the company? How do we represent everyone's work in a manner that is um you know the way we the way we want to go public with it while being empathetic to all the all the concerns. So I think I would I think I would go with D. Um, mostly because it's not what happens to the employee from like do you put him on leave, do you fire him? Do you I don't know. That's someone else's.
SPEAKER_01: It's not your call.
SPEAKER_00: Yeah, and it's like just in general in security, like you you're hired to protect your employees. They're an important constituency for you. So I think when you start talking as a CISO about like, well, let's just kind of throw that person overboard, it's kind of like the oh the moment that they need you the most, you get rid of them. You know, it's like that that's not something that I would necessarily advocate for, but if HR made that decision, like, sure, that's their call. And I was lucky that my previous institution, my previous job where I worked, we had really capable people in those business areas where you knew exactly where to go to, you knew exactly who the decision makers were. Um, and so despite the fact that higher ed does tend to run a little slower because you know you can't make a lot of people happy. I think someone said this week they were like, yeah, higher ed is the only the only place where you can um where a vote of 99 to 1 can be a tie. Like um, so I think that that that really uh that really is accurate. Um, but I think it could, I think you gotta keep that in mind that you're not just doing this alone and that you do have a team, and and in fact, you protect yourself as the CISO by leaning on that team rather than trying to be a hero and kind of be all things to all people. I'm certainly not a lawyer, and and cosplaying a lawyer can be incredibly dangerous, cosplaying other uh members of your executive team can be can be very career-limiting, we'll just put it that way.
SPEAKER_01: Yeah, that's true. Those are not the decisions you want to be making. Let the master uh take hold of that one. All right, so we're down to the last question. The day zero choice. It's hours before the planned announcements. Now we're back to your planned announcement. The attacker is about to publish. You have a zero-day capability that could disrupt the attacker's server, but it carries significant risk of unintended collateral damage and clear legal exposure. What is your command? A, do it live: deploy the capability despite the risks. B, the manual backup: allow the information to surface and prepare for a lengthy legal battle to protect whatever remains of the patent trade secret rights. Remember, we still don't know exactly what this person has outside of the conversation. C, the ransomware play: pay the five million to buy time in silence. Or D, the hacker moment: attempt to stall or socially engineer the attackers person uh personally for a few more hours to stall them.
SPEAKER_00: Well, um based on those options, I'm I'm gonna go with D again because I think time is not really in their favor. But um, I think the real answer that I was kind of waiting for is this is a this is a comms strategy issue at this point. Like, I don't know if you remember back a long long time ago, like maybe 16 years ago, when someone stole the iPhone 4 from like an Apple tester, like they like left it at a bar.
SPEAKER_01: Oh yes.
SPEAKER_00: And they like basically like went public with the design. And the way that Apple responded was very aggressive. Um, they went aggressively after the the quote leaker, the people that like took the photos and put it out there, and no one loves Apple more than I do. And I remember thinking in that moment, like, who cares, man?
SPEAKER_01: Right. Like you were gonna get that out anyways, right? You were gonna share that in a couple days' time.
SPEAKER_00: Of course you're working on something cool. Of course you have like a great new antenna technology, right? Like you brought more attention to it by the way you reacted to it than you know, you you you put more like put more juice into it. Um, so the real, like, yeah, so D, I would try to stall because again, time is not on their side either. And certainly the more you squeeze them, they could do more desperate things, and that's a risk that you take. But for me, it's like, how do I come up with a strategic communication strategy where I actually still own the message that I can frame this however I want, and that I can basically make this unfortunate um social engineering instance, this unfortunate unauthorized disclosure? How can I just drive its value to zero? And I can do that with good strategic communications, I think. And so that's probably what I would advise. Like, let's just own the message and hey, we were gonna go public in 48 hours, how do we do it in 36 instead? Um, and then how do we, you know, how do we lean into like what happened? Because I think most people would would would if the story would resonate with them to say, like, hey, look, we had like someone try to steal this from us and extra that makes the the story more interesting, honestly. So we had to go public with it earlier than we thought. But leaving that aside, look at this cool stuff that we did that we're that we're announcing.
SPEAKER_01: It almost allows you to hype it up even more to some degree if you can tailor it that way, right? It's so interesting that somebody had to try to socially engineer their way in and get it out before we could, which it's like we we were already ready to tell that story.
SPEAKER_00: Look at what happened a few weeks ago with Anthropic. Like there was there were those leaks in their CMS, so people got access to like what I believe was the Mythos rollout blog post and other items. And the way that they reacted to it was really just by going live with the announcement.
SPEAKER_01: Right.
SPEAKER_00: And like, okay, like who cares? Like, yeah, it was it was drafts. They were drafts, right? But they're not drafts anymore, they're final because we we say so. Right. So they like really kind of owned it, I think. Um, and now no one no one's talking about the CMS, you know, data being left unfortunately.
SPEAKER_01: It's kind of old news. Yeah, to your point, they just kind of washed it away and made it. Yeah.
SPEAKER_00: Yeah.
SPEAKER_01: No big deal. To close off on that uh question, uh you went with D, more of the the hacker moment to stall them. Uh, you're looking to stall the professional attacker while the clock runs out. If you pull it off, you're a legend in the shadows. If you fail, or worse, make things escalate, you're the executive who played pretend spy while the company's future evaporate evaporated. No pressure. Although, as you just said, like you can kind of tailor the story with how you'd like to. Um, okay, so now we're down to the verdict, closing the pressure zone. Uh, just a quick instant replay uh replay on what has happened. The clock has stopped. The patent is either safely filed, or your secret sauce is currently being served as an appetizer on the dark web. You've just watched a hundred million breakthrough hang by a glass of champagne. Campaign. Brian, you face a social engineering nightmare, a regulatory landmine, and a boardroom demand for digital warfare and a final choice between being a law-abiding executive or a cyber vigilante. Before we reveal your final resilience score, I have to ask: at any point in the last 20 minutes, did you miss being the guy just writing firewall rules where the only thing that could betray you was a line of code, not a researcher with a loose tongue?
SPEAKER_00: No. No, I haven't. I mean, I think you choose the um you get to make choices in your life as far as like what you're gonna do from a career perspective. And I never like, yeah, the job can be can be certainly stressful, and I I'd like to actually believe that some people have had it, a lot of people have had it way worse than me. Um, but no, you don't um you do the job, you get the paycheck, it's your responsibility now to to earn it, and sometimes you gotta earn it when when the pressure's on. So no, I'm not. It's what you do, right? And they they trust you. They they expect you when things get um when things get crazy to be the uh to be the voice of reason and to be a subject matter expert and to be part of the solution and not part of the problem. So I think I try to do all those things every day anyway. So it's just a just another day.
SPEAKER_01: Nice. Okay, well, based on your answers, which uh were a little, you know, kind of you weren't consistent with choosing A's all the way or B's all the way or C's all the way or D's all the way, which is good.
SPEAKER_00: That'd be terribly boring, right? If I just A every time, like it was the last 30 seconds of an exam.
unknown: Right, yeah, there you go.
SPEAKER_00: Yeah. Just pick C. It's right there.
SPEAKER_01: Just fill it out. Yeah. Um, no, I love that. Um, okay, so we're gonna go with, based on your answers, the strategic architect. You were balancing risk and also leaning more on the corporate side. The verdict: you played the board like a grandmaster, you leveraged the crisis for a legal defense budget and treated the attacker like a business negotiation rather than a movie script. Uh, you moved from root to suite without losing your cool or your conscience. Um, the other thing I would add in is you're also a team player and a collaborator because you brought other folks to the board or other folks to the scenario. And then your final resilience score is 88. You protected the asset and the reputation, stable, calculated, and professional.
SPEAKER_00: Cool. Sounds like I did all right.
SPEAKER_01: Yes, you did.
SPEAKER_00: I was nervous to be like, well, you ate shit on every front.
SPEAKER_01: So no, no, no. Okay, and final, final question. Uh, before we let you out of the zone, uh, we ask every leader who survives uh this challenge, uh, if you could send a one-sentence encrypted message to your 22-year-old self starting out in security today, about trust or any anything that comes top of mind from this uh this pressure zone, what would it say?
SPEAKER_00: Hmm. My 22-year-old self. I think uh just a little bit of setup. I think if I only have one regret, it's that I wasn't more focused earlier. Um, and so I think maybe I would say to myself, like, my 22-year-old self, like, don't don't waste time or energy on things that you don't care about, people that don't care about you, and on pursuits that are not aligned with who you are. Um, and I think I'd probably try to find a more eloquent way of saying it, but I was just talking to a friend I was just talking to a friend yesterday, and I said, I wonder what my life would have been like if I had just gone to DEF CON when I was 16 instead of when I was much older. Because that that's who my my people were, but I was not focused enough to kind of recognize that that's who my people were, and that's what my scene was, and I was spending time with other people in other scenes that were probably a little less um less aligned with who I knew I was or who I ultimately became. So yeah, I try to find a little more eloquent way of saying don't waste your time on dumb stuff.
unknown: Okay.
SPEAKER_01: Maybe you wouldn't have gotten your minor in PR.
SPEAKER_00: Yeah, I don't know. Maybe just kidding, although you have bad talk time. We could probably have another conversation about that, but I don't know, like learning how to speak, learning how to write, like understanding that the the way you do it and the way approach it, the way you approach it actually matters and it's a skill and not just like a you know, just like a you're not just winging it. Like, I think that actually served me quite well. And although I figured out pretty early on that I did not want to work in PR, um I think it, I think it actually, um the fact that everything I do as a CISO comes with a communication and a rollout plan, I don't think that that's um, I don't think that that's an accident. I think I understand like if things matter and there's a constituency, there's an audience part of it, like you have to consider the audience, you have to consider the messaging, you have to be able to tell that story. And yes, some people won't read it, but like the people that will will get it and they'll be your allies.
SPEAKER_01: So uh and that's a wrap on the HTV pressure zone to our listeners. Remember that your encryption is only as strong as the person holding the key, and sometimes they'll give that away for a nice glass of bubbly. Join us next time when we call another leader and put them in the hot seat. Until then, trust the math, trust the math, but watch the room. I'm your host, Christine, and this was the HTV pressure zone.