Episode 45

Published on:

1st May 2024

Hacking Cybersecurity Training: Escape Rooms & Entrepreneurial Thinking with Amy Stokes-Waters

On this week's edition of the Razorwire podcast, Jim sits down with Amy Stokes-Waters, CEO of The Cyber Escape Room Co. Amy brings her unique entrepreneurial perspective from a non-traditional background, transitioning into cybersecurity.

The conversation provides valuable insights for security leaders as Amy candidly discusses her innovative approach to security awareness training through immersive, gamified escape room experiences. She shares her views on critical issues facing the industry today, such as combating AI-enabled disinformation campaigns, addressing the cybersecurity workforce shortage driven by unrealistic job requirements and improving strategic communication between security teams and business executives.

Amy's experiences building her company and developing engaging training programmes make for a compelling discussion. Security professionals will gain new insights into creative methods for better educating end users and elevating cybersecurity's importance across the organisation. Her frank opinions and fresh mindset provide a thought provoking perspective for security leaders navigating the evolving threat landscape.

Key Talking Points

1. Innovative Security Training: Discover how Amy's company uses escape room experiences to teach important cybersecurity concepts, from phishing to insider threats, making learning engaging and memorable.

2. Changing Threat Landscapes: Hear about the impact of ransomware on businesses big and small, the evolution of insider risks and how AI is shaping the future of information security.

3. The Human Element in Cybersecurity: Gain insight into the importance of strategic leadership in cybersecurity roles and how businesses can navigate the challenges of educating teams and customers about the growing complexity of threats.

Tune in for a fascinating discussion that sheds light on new methods of strengthening cybersecurity awareness and the vital role human factors play in protecting our digital worlds.



"I don't know many people that proactively undertake security awareness training, you know, sitting watching videos and animations and all that kind of thing. I genuinely don't know anyone that does that as a hobby, but I think it's something that's super important."

Amy Stokes-Waters


Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen


In this episode, we covered the following topics:


- Cybersecurity Awareness via Escape Rooms: How immersive escape room experiences can be more beneficial than traditional methods utilised in cybersecurity education.

- Insider Risk Management: Overcoming the challenges businesses face from internal threats and the risks of employees being exploited by ransomware attackers.

- Impact of Cloud Migration on Security: How the shift to cloud computing during the lockdown affected the security of supply chains.

- Artificial Intelligence and Disinformation: The dangers of AI in creating and spreading disinformation in geopolitical contexts and its potential risks in cybersecurity.

- Cybersecurity in Small Businesses: We discuss the vulnerability of small businesses as integral parts of larger supply chains and the specific security challenges they face.

- Career Reflections and Advice: Insights on personal growth in the cybersecurity field and the importance of reflecting on one’s mistakes and learning from them.

- Evolving Role of CISOs: How the role of Chief Information Security Officers is changing.

- Legal and Regulatory Aspects in Cybersecurity: Discussion on the emergence of cyber law, the importance of effective communication during security breaches and the evolving landscape of cybersecurity regulations.

- Challenges in Cybersecurity Hiring Practices: We talk about the issues with unrealistic job descriptions and the unethical behaviours of recruiters in the cybersecurity job market.

- Future of AI in Cybersecurity: A sceptical perspective on relying solely on AI for cybersecurity, stressing the essential need for human supervision and interpretation of AI-generated outputs.



Guest Bios


Amy Stokes-Waters

CEO, Esc - The Cyber Escape Room Co

Amy has a decade of experience in sales and marketing and now acts as CEO at The Cyber Escape Room Co and CCO at Yellowstone Security. She is a founding member of RINA's Maritime Cyber Security Task Force and an active advocate for gender diversity in the industry.

As a regular guest on podcasts and panels, Amy talks on a variety of topics, including security culture and awareness, personal branding and women in tech.





Resources Mentioned

- Cyber Escape Room company

- Microsoft security stack

- LinkedIn

- Cyber Sentinels Handbook




Other episodes you'll enjoy


Preventing Burnout in Cyber Security

https://www.razorthorn.com/cyber-security-professionals-shortage-burnout-how-to-protect-against-it-razorwire-podcast/


SolarWinds’ CISO Under SEC Scrutiny: The Impact On The Infosec Community

https://www.razorthorn.com/solarwinds-ciso-under-sec-scrutiny-the-impact-on-the-infosec-community/


Connect with your host James Rees


Hello, I am James Rees, the host of the Razorwire podcast. This podcast brings you insights from leading cyber security professionals who dedicate their careers to making a hacker’s life that much more difficult.


Our guests bring you experience and expertise from a range of disciplines and from different career stages. We give you various viewpoints for improving your cyber security – from seasoned professionals with years of experience, triumphs and lessons learned under their belt, to those in relatively early stages of their careers offering fresh eyes and new insights.

With new episodes every other Wednesday, Razorwire is a podcast for cyber security enthusiasts and professionals providing insights, news and fresh ideas on protecting your organisation from hackers.

For more information about us or if you have any questions you would like us to discuss email podcast@razorthorn.com.

If you need consultation, visit www.razorthorn.com. We give our clients a personalised, integrated approach to information security, driven by our belief in quality and discretion.


Linkedin: Razorthorn Security

Youtube: Razorthorn Security

Twitter: @RazorThornLTD

Website: www.razorthorn.com


Loved this episode? Leave us a review and rating here


All rights reserved. © Razorthorn Security LTD 2023



This podcast uses the following third-party services for analysis:

Chartable - https://chartable.com/privacy
Transcript
Jim [:

Hello and welcome to another edition of Razorwire. Today we have Amy Stokes-Waters, the CEO of the escape room. She's all over LinkedIn. You have to be hiding under a rock to not have seen some of the content that she delivers. She's a very honest individual. I've spoken with her a few times. Obviously you're precursor. She's going to be fantastic.

Jim [:

Welcome to the Razorwire podcast, where we discuss all things in the information security and cybersecurity world, from current events and trends through to commentary from experts in the field, providing vital advisory on what it is to work in the information security and cybersecurity space.

Jim [:

Amy, do you want to introduce yourself to the listeners?

Amy Stokes-Waters [:

Hi, everyone, and hi, Jim. Yes, my name is Amy Stokes-Waters. I am the CEO at the cyber escape room company. So we provide cyber security awareness training in the form of immersive, interactive escape room experiences.

Jim [:

Fantastic. It's been interesting to see your kind of journey from when you really kind of started out because, I mean, I've been seeing your content for quite a while now and I've been definitely very, very intrigued. But before we go into that, just by, tell us a bit about your history. I mean, tell us, you know, how did you get into infosec? What was your journey like?

Amy Stokes-Waters [:

Yeah, so I think probably like a lot of people who've been in the industry, I've been in it five or six years now. I think most people I know kind of fell into it and that is definitely the same story for me. So I've started out as a project manager like twelve years ago. I think I am horrendous at project managing. So I was living not going down that well, but I quickly switched to sales where I found my forte, I think ended up selling the Microsoft security stack and moving to kind of the enterprise space, which is when I started using LinkedIn a lot more as well, then moved into selling pen testing and then, yeah, started my own business. So we started off selling pen tester training. So I had a business partner who we won't mention, yeah, we were doing Pentester training for some quite prestigious companies and then one of our friends kind of said to us, we want to do something a bit different with the teams, like team building kind of thing. And we came up with the escape room idea.

Amy Stokes-Waters [:

So when my business partner left and I had clearly no experience in Pentester training, being from a sales and marketing background, I went, shit, what can I, what can I sell now? And I thought, well, escape rooms, I can definitely, I can build them. I can come up with a concept for them and I'm pretty good at marketing them. So, yeah, that's kind of how I've got to where I am.

Jim [:

Tell us a bit about the escape room stuff that you're doing at the moment.

Amy Stokes-Waters [:

I mean, I decided to kind of push it as a business. Cause when we looked at security awareness training, I always think, oh my God, could it be more dull? I don't know many people that proactively undertake security awareness training, you know, sitting watching videos and animations and all that kind of thing. I genuinely don't know anyone that does that as a hobby, but I think it's something that's super important. So we always sit there and say, you know, the users are the weakest link. Well, why are we giving them boring stuff to try and help them along that journey then? So if we want them to be not the weakest link, surely we need to give them something that they're interested in that's engaging for them. So, yeah, that's kind of where. Where we kind of started pushing that idea from. So you've got three scenarios now, building a fourth.

Amy Stokes-Waters [:

Got ideas for about six more that kind of teach about not just about phishing, because I think a lot of security awareness training just focus on just phishing as well. A lot of the scenarios that we've got will focus on password security because you might, as you might guess, escape rooms inherently lend themselves quite nicely to password security. But we've got other themes that are in there as well. So we've got stuff around like access control or disinformation is one that we're, that we're looking at building soon. And then the next one that's coming out is going to be about insider risk, which I don't think end users ever seem to kind of get told about that much. It does seem to be really heavily phishing focused, which is fine because I think that is one of, you know, that is one of the biggest threat areas. But I think there's also other things that we can be doing to kind of equip our people as well.

Jim [:

No, you're absolutely right. I mean, you know, it's almost a bit of a dirty word in infosec. A lot of people don't like to talk about that kind of insider risk and go back many, many years now, when I have started having some of those discussions with organizations and they'd be like, but we trust our people, it's like, well, that's great.

Amy Stokes-Waters [:

I'll tell you a story. So when I used to sell pen testing, we used to sell obviously internal pen tests. I can probably tell you about 80, 80 90% of the customers, when you presented them with the pen test report would go, yeah, you got to be on the network for that though. Yeah, one guy had 3000 users and I said, you've got 3000 people that you're freely giving access to your network to. And he went, yeah, well they're all nice. I was like, have you, have you, have you interviewed all of them? I mean that would take, I'm sure you've got better things to do with your time than go around 3000 people and vet them. I said it's not just about whether, it's not even just inside, it's not even just, you know, the people over employed by you because if they're getting phished or if they're unhappy in the business, they're the targets for ransomware gangs.

Jim [:

This is one of the big thing with access brokers at the moment. They're actively saying, you know, if you're an internal user who doesn't like the fact you didn't get rise or you didn't get the promotion that you wanted, then please feel free to get in contact with us and I'll actually offer a percentage of the ransomware bounty.

Amy Stokes-Waters [:

I saw something the other week in the news where someone like, I think it was at Tesla. Some guy had walked out of Tesla and there was a guy stood outside with like a briefcase full of cash saying, just give us your username and password. Yeah, for a million quid worth of cash or whatever. And the guy obviously said no, which is why we've heard about it. But yeah, I don't think it's an uncommon practice.

Jim [:

Well, it's a strange one as well because it's like I've got to be careful what I say here, but the crowdsource kind of hacking people where they're getting cheap labor from parts of the world where there's relatively cheap labor and they're getting them to pen test organizations. And I've always said, well hang on a minute, you're paying these guys, people to do this kind of Thing, but they're living in countries where 20,000 pounds, 30,000 pounds in our money is significant. And if somebody approaches them and says, oh, we know you work for these guys, if you could give us the in on the vulnerabilities within some of their big clients, you know, just let us know and what we'll do is we'll pay you.

Amy Stokes-Waters [:

I wrote a blog about it probably last year about bug bounty as a crowdsourcing you pen testing. And I said, well, how are you ever guaranteeing that they're telling you all of the information? So they're sitting there and pen testing the bit of the network that you said or the application or whatever it is that you said is fine to go have a go at. How do you know they're giving you all the information? They might just be giving you the low level vulnerabilities or ones that are more difficult to exploit and not telling you about the easier ones or different.

Jim [:

Ones and then selling them off to LockBit, you know, or exploiting them themselves. Yeah.

Amy Stokes-Waters [:

You never know who the person is that's doing the bug bounty, do you?

Jim [:

Well, this is it. And I think, you know, the industry is waking up quite significantly or the business world is waking up quite significantly to the security threats to them. And ransomware has been a really big. How best to describe this? A bit of a kick in the butt for a lot of people who realize that they could be a target because, I mean, you used to hear all the time when I was a lot younger in my trade, you know, why would anyone go for us? You know, we're a hospital, we're an insert random company here. And I'm like, well, no, you will be. Because if they can see they can make money off of you, then they will do. And lo and behold, you know, I think last week yet another hospital was attacked over in the US and they're really getting found it hard. And it's frightening to see.

Jim [:

I mean, I've been in this game for 27 years and the change in view and the change in the way people perceive as security, especially in the last five years, has been a massive, massive change. We still don't get the budgets that we need in many respects. I mean, I was pulling up some stats for a talk I've got in a couple of weeks time and I think it was like 450 billion is being spent at the moment on information security, yet it's about 9.5 trillion in criminal damage. Not damage, but criminal activity. It's worth 9.5 trillion. So, yeah, we've still got a little bit of a catch up there to go.

Amy Stokes-Waters [:

I think all the small businesses who say that they're not going to be a target as well, well, they're the easiest. Well, they're kidding themselves because I think all you have to do is look, big businesses buy a lot of stuff off small businesses. So if you're in that supply chain and you've got access to systems. When you look at, what was it? Kaseya? Yeah. When you look at that, well, I mean, they're quite big business, but the access that they have to all other.

Jim [:

Businesses and the supply chain. And again, you and I are firing from the same cannon here. The supply chain has since all the lockdowns and everybody going the forcible move to the cloud. I mean, obviously it'd been moving for a while, but it was real kind of right now we need to outsource everything because we don't know where people are going to be working and so on and so forth. It's opened up that problem with the supply chain. And we've seen some of these from some big names who utilize, as you say, small companies for services. And then those smaller companies get compromised. And it's not just kind of them that are compromised.

Jim [:

All of the clients of any other customers that they have are also compromised. And it can go down quite a significant chain.

Amy Stokes-Waters [:

Marriott done by, wasn't that like some web company that Marriott moved? Yeah, it was something like that. It wasn't actual Marriott systems that got compromised initially that had jumped from a supplier to Marriott.

Jim [:

This just kind of goes into it. We put a lot of info put and security into our own systems, my system, my laptop, our servers and so on and so forth. We're not looking down that supply chain as much as I think we need to do. I'm sure you've also got customers where you see they get sent the form. Do you have an infosec policy? Do you have some endpoint security? And I'm looking at these forms and going, okay, so we've touched the smallest possible base of infosec we feasibly can. And that's meant to be what, proof that they're secure.

Amy Stokes-Waters [:

I was talking to a guy this week who said when he was in the police, the police, it was something like to join the public, what's it called? The public sector network. They had to have a SIEM in place. So they put a SIEM in.

Jim [:

Didn't have to do anything with it.

Amy Stokes-Waters [:

They didn't have to do anything with it. No one had to monitor it. There weren't rules on which logs you had to be looking at or that you had to submit somewhere. It was just, you have to have.

Jim [:

A SIEM. I mean, don't I? Oh God, I've got so many stories down this route. I mean, I've been, I've been a QSA for years, for my sins. I've just recently retired from auditing. So, you know, I've given up the ghost now and gone on to kind of running the business. But the amount of times, especially in the early days, where you'd have like. So do you have any IDS? IPS? Yes, we got that. Okay. Right, open up the dashboard.

Jim [:

Let's have a look. And you look. They open it up. As you see, it's in learning mode. It's not actually doing anything. It's just kind of, you know, delivering information on what could be dodgy and what couldn't be dodgy. It's not actually stopping anything because they're too frightened to turn it on in case it starts stopping legitimate traffic. And it's like, well, we're going to get through your PCI certification if you haven't actually turned the damn thing on.

Jim [:

The amount of times I've seen firewalls where, you know, there's an any, any rule sitting in the middle of it, and it's like, it's a router at this point. You've basically built a very expensive router. What have you done? I would be too frightened to take the rule out in case something breaks. And the mindset towards security has definitely changed, as I said, in the last five years. And I think it's only for the better. I mean, are you seeing a lot more engagement when it comes to business owners, rather than just kind of like CISOs? Because, I mean, we all know what the message is in the infosec setting, but are you seeing a lot more engagement with what you're doing with the escape rooms? What have you from CEOs, CIOs, CFOs?

Amy Stokes-Waters [:

Yeah, I mean, a lot of the people. So, I mean, most of the people I talk to are probably in that CISO kind of head of role, but I think a lot of them are looking at the stuff that I'm doing and saying, let's engage the board with it. So I'm flying to Miami in June because one of my customers over there is doing a tabletop exercise kind of thing with their C suite, and he wanted something that was a bit more engaging. So, yeah, I think they are trying to include them more in those kind of discussions because I think. Well, I think you have to, because otherwise what do you do? Sit there and say that security is the CISO's problem?

Jim [:

Well, I think.

Amy Stokes-Waters [:

I know that's a whole kind of worms.

Jim [:

I think the SEC, that whole SEC problem at the moment with the SolarWinds CISO, I mean, that's something that we've discussed on this channel a number of times. And I think a lot of us in the infosec community are really kind of interested to see how that one goes because I think that that's going to set some serious precedent. And then we've got DORA obviously, coming in next year, which, you know, in Europe is going to be quite significantly changing the way that people are looking at security. And I think the landscape of where security is going to be over the next five years. I mean, what are your opinions on where do you think it's going? Do you think we're going to maintain this trajectory? I mean, bearing in mind we do have this kind of brewing economic issue starting over in the States that sees lots of people getting ditched, AI is obviously being looked at as the next kind of big thing. I mean, what are your predictions?

Amy Stokes-Waters [:

Yeah, I mean, I think we all think that AI is going to be the savior, don't we? But I don't see how, how that's possible. I think we need some, some humans on the ground checking what the fuck it's what the fuck the AI is coming out with and trading it in the right ways. Yeah, I mean, I think. I think companies are taking it a lot more seriously. So I'm hoping that we do kind of continue down that kind of route where it's not just thrown to the side. And then I always think, what's the kind of first, what's the first teams that end up going when there's mass redundancies, usually marketing, they just get binned off, but it ends up being like all the junior people that are in teams. And I think if we start binning off the junior people in these security teams, well, we're going to be, we're going to screw ourselves over for the future because they're not getting the experience that they need.

Jim [:

Well, yeah, I mean, again, I kind of ran a load of masterclasses. I mean, the original reason we started doing this podcast was to educate young infosec professionals into this game. I mean, again, you know, you look at cybersecurity ventures, they're saying there's like 3.5 million roles going on, you know, unfilled.

Amy Stokes-Waters [:

Well, I can talk, I can wax lyrical about the reasons behind that.

Jim [:

Go on then.

Amy Stokes-Waters [:

Well, have you seen some job, have you seen the job descriptions for some of these roles?

Jim [:

I haven't gone for a role in Infosec for a long time, but I.

Amy Stokes-Waters [:

Saw a job description the other week where you have to be expert in SOC and also an expert pen tester.

Jim [:

Cool. That's that's, that's gonna drive up that price.

Amy Stokes-Waters [:

Yeah, but they were paying crap. They were paying nothing for it either. So it's like 60 grand. But they want you to have experience in everything and I mean everything. So that's the issue that we've got. The job specs that are coming out are just dreamt up by someone who. Well, the people don't exist. So the job, we're saying they've got this 3.5 million jobs going.

Amy Stokes-Waters [:

There's probably more jobs needed. Actually, there's probably more people needed because the job specs that we've got out there are ludicrous. There's no way that we're not going to fill them because no one person could.

Jim [:

That's quite a diverse range of skillset to really have. I mean, you know, with a SOC and a pen tester, normally a pen tester ends up doing lots of pen testing because let's face it, lots of people want pen testing. They're not going to cross over the road into SOC or not very many of them. I suppose some people do change careers, I get that, but.

Amy Stokes-Waters [:

Yeah, but you're not going to be an expert in both. It's unlikely that you're going to be an expert in both fields. I'm able to do forensics, I'm able to look at GRC on Poland and be able to do the communication with the wider team as well. A when the hell are you going to have time in the day to do all of those things? Because each of those things is a job in itself. But then having someone who's got all those technical skills and the communication skills as well, like, no, they don't exist.

Jim [:

Have you seen the raft of cyber lawyers that have started coming into the, into the game? We've got a whole ream of like people coming out of law school and getting into cyber law. And I've been having a chat with a few of them. I'm hoping to have some of them on the channel to be interviewed similar to this. And it's a really interesting field.

Amy Stokes-Waters [:

I probably got a guy who'd be interested in that, actually, because I went over to a law firm in Manchester the other week to go meet a guy that specializes in kind of cyber security law and around incident response and that kind of thing.

Jim [:

Yeah, there's a few companies that marry that up quite well now and they'll bring in the lawyer to help you with the legal aspect and then they'll bring in the, the guys to kind of help you recover from the ransomware. And I did say to one guy, so who are you going to sue here? Because let's face it, the guys that have done this, they're not in a place where you've got reach. Look at LockBit. I mean, they got taken down one day and what was it? Five days later, boom, they're back up and running, no problems at all.

Amy Stokes-Waters [:

I don't think it's an issue of who you're going to sue. I think it's around the legal ramifications for the organization, isn't it? Who are they liable to and what does the company need to pay out and how can they protect themselves in the future and that kind of thing? So I don't think it's necessarily about, you know, bringing a law case against ransomware gangs because, like you say, you know, that's never going to happen, is it?

Jim [:

I have seen a few people who've tried.

Amy Stokes-Waters [:

And were they successful?

Jim [:

Obviously not. I mean, you know, I do find the infosec space pretty funny, to be totally honest, because people who are in it, like myself, yourself and various other guests that we have on, got this kind of very pragmatic view of infosec and how it works. And we always have a good laugh over when politicians and what have you, start legislating in this space. Because it's like, guys, did you actually speak to any infosec people when you were drafting this stuff up?

Amy Stokes-Waters [:

It's like that guy in Missouri, I think it was Missouri where he said that if you push F12, you're hacking into a website and you're like, really?

Jim [:

What are your thoughts on this kind of, I mean, obviously you've mentioned, like, AI before. I mean, it's become a massive buzzword now, isn't it? Everybody's got AI and everything.

Amy Stokes-Waters [:

Everyone says they've got AI and everything.

Jim [:

I mean, I see AI as a positive benefit if it's used in the right way. But I kind of agree with the statement you made earlier on whereby you have to have like, a human being who's like, in control there. I mean, they're great for disseminating large amounts of information. I mean, I am that poor sod who at some point has had the massive stack of logs downloaded from various different SIEMs and firewalls. And I'm trying desperately to find this very, very small, tiny pin in the middle of this massive haystack of information. And I think that's where AI works very well. Could you find me what's going on in here, please? And off it toddles and goes and tells you what's going on. But I mean, having it in control of networks and systems, I think that's something that we're a long time away from, unless we want to go down the whole kind of Skynet route.

Amy Stokes-Waters [:

Yeah, I don't know, you know, so I was at a meet up with a load of insurance CISOs the other week, and Rick Ferguson was talking at it around AI, but he said that, you know, it's not necessarily that we're using it for that kind of thing. It's the use of. He was talking specifically about the use of it for disinformation. So how it's affecting, well, geopolitics and all that, literally every. Well, when the Brexit thing happened, a lot of that was disinformation, which was, you know, disseminated via AI. So I think from a threat perspective, just from a, I guess a political point of view, it's already in use in a way that probably a lot of people, if you've not thought about it or if no one's kind of pointed out to you, probably don't really realize it. But a lot of the stuff that we see on social media, that's all. There's a lot of AI.

Amy Stokes-Waters [:

And that said to you earlier, I was in Africa the other week, and I was talking to some people over there, and they were saying that the elections that they've got over there are all heavily influenced with disinformation, disseminated via AI. So I do think AI is in use from a very real threat perspective, and I don't think that we're using it potentially in the right way to kind of combat the threats. I think, like you said, we're using it for. Let's have a look at some logs. I think it is a much more powerful tool. I just don't think we've worked out kind of how to wield it in the right way, whereas I think some of the bad guys have probably got a bit of a better handle on it.

Jim [:

Well, they've got less ethics, you know. I mean, I'll tell you what really scares me recently, that Sora video. You've seen the Sora videos, the AI generated video that ChatGPT is currently just about to release, and they're fantastic.

Amy Stokes-Waters [:

Yeah, I think Rick show does it. So there was some. I think there was an election in, I want to say, Asia, somewhere where they kind of brought back to life an ex leader of the country and had him saying stuff about one of the new political parties that was coming out, but he looked like, I watched the video and I was like, this looks fairly realistic.

Jim [:

People are probably sitting there thinking, what's this got to do with information security? It's very much got to do with information security, I think, because what we're seeing is an evolution in the tactics being used by the people we're at war with. You know, they will use deepfakes. I mean, if you've got a big CEO, you know, let's say somebody in charge of a particularly large social network that not everybody necessarily likes for various different reasons, and they can do a deepfake of him really wearing lots of white sheets and saying things that, you know, would be considered particularly inflammatory. You know what the Internet is like, boom, all of a sudden, you know, it's, it's, it's obviously true because we've got the video.

Amy Stokes-Waters [:

Yeah, yeah, that's the issue, isn't it? People believe what's put in front of them. And people don't tend to question reality because, because AI came along so quickly. I mean, when did ChatGPT come out? Was it two years? Two years ago?

Jim [:

There's been a couple of iterations of it, but yeah, I mean, the explosion of popularity has been definitely in the last couple of years.

Amy Stokes-Waters [:

Yeah. And I think of people as the common person who's not kind of looking at this stuff because, I mean, we hear about it every day, right? Because we're in second. It's constantly like, it's a topic of conversation in several thousand group chats that I'm in. But I think if you're not sat listening to that kind of discourse and understanding, these are the things that you can actually do with AI because, you know, most people aren't fucking interested in technology. The amount of times that I have to explain to techies, stop waxing lyrical about firewalls and shit like that, because most people who aren't in IT don't care about it. They care about getting the job done and going to the pub. They're not really bothered about it. So if you're not investigating all the AI stuff, you don't know that this stuff is even, that it even exists.

Amy Stokes-Waters [:

So like the Sora thing, people will be looking at videos and they won't realize that it's AI generated because there's no education piece around that.

Jim [:

Well, this is it. And again, you know, education is one of our key, key factors here. I mean, I think one of the most insidious things that I spoke with the company actually, that this happened to, when the ransomware guys realized they won't get their bounty, get their money, ransom rather, they actually turned around and said, okay, so here's all the addresses of all your C suite, the names of their kids, where they live, everybody. We know everything about you guys. So what do you feel now about paying the ransom? And it's like, wow, have we really got to that level? I mean, us infosec people pride ourselves in being very adaptable in any situation. You never know when you go into this role what you're going to meet. Might be a bit of malware. You know, that was the worry back when I first got in.

Jim [:

Christ, we didn't even have firewalls at one point. I mean, that's how old I am. But now we're looking at all kinds of threats from all kinds of different levels, having to include PR people, for instance, in incident response from the word go, you know, just. Just in case something breaks. You need to have that PR piece within that incident response team. You go back about 20 years. The only times you ever really brought them in is if you're a big company. And something obviously went horribly, horribly bandy.

Jim [:

But now we're having to have this multidiscipline approach of, right, so we've got our defense in depth, but it's not enough anymore. We need more intelligence, we need more idea of what's going on, and we need to be able to adapt quickly, which takes money. And of course, you know, they expect us to do our job quite often with five pound and a pickled egg and possibly a packet of crisps, if you're really, really lucky.

Amy Stokes-Waters [:

I think there's legislation that's coming as well. It's kind of talked about how you have to communicate breaches to customers as well. So that's why I think that PR piece is important from a compliance perspective, because the amount of times where I've seen companies get breached, like, companies have got breached and they've done a disclosure to the customers. But I've seen infosec people who are customers of these companies that have got breached going, this is a shit disclosure. And, like, posted about it on LinkedIn or whatever, and I'm like, yeah, because the messages probably weren't the best, but I thought that doing that as a tick box compliance exercise, because they know they have to talk to the customer. But then some of the wording is like, it was an illegal hacker gang that came in. It's like, well, who else was? It was their illegal one, and it was still. And it's stuff like that, where I think they're not got, they've not kind of understood, I don't think, well, a lot of companies probably don't understand infosec, do they?

Jim [:

No. I think it's changing a bit now. I think they're realizing how much they don't know. And that's why there's a lot of, it seems to be a lot of CISO positions coming up and a lot more people moving into that role, but we don't have that level. I mean, I was talking about it a number of times.

Amy Stokes-Waters [:

I'm seeing the opposite of that. I've seen lots of CISOs leaving. So I think CISO positions are coming up because I know probably, I probably know in the last, since Christmas, probably six CISOs that have voluntarily left their position and said, fuck this, I'm going to go start my own thing.

Jim [:

A lot of this started out, kind of weirdly enough, around the lockdown era. I saw a lot of QSAs, I saw a lot of auditors, I saw a lot of people who, high pressure jobs where customers pushing for you to do stuff, and a lot of CISOs as well. And they realized what it was like to sit in the garden and watch the flowers and sit in the sun and have an iced tea or a cold glass of beer and not get shouted at and not get endless emails, and not constantly under pressure to kind of justify their position and justify the budgets, the small budgets that they had and why they wanted to get this particular upgrade to this whole network security piece that was going to basically fry their budget for the entire year, or even, God forbid, a GRC tool that would fry their budget for a year. And I think a lot of them went, well, I'm getting on a bit. It's definitely the older bunch, like, I'm 50 years old, 60 years old, I've got my retirement, I've been well paid, I'm just going to stay here. I'm not going to go back or I might do a bit of freelance stuff. And I think that's migrated on because all of a sudden people started desperately getting CISOs 'cause the ransomware was going nuts and everybody was concerned. So all the really good CISOs who were the next level down just got snatched up straight away.

Jim [:

And highly paid jobs. I mean, cripes, have you seen the, have you seen what some of these are getting over in like New York and Silicon Valley and stuff like that?

Amy Stokes-Waters [:

The salaries over there are insanely made.

Jim [:

Me give up Razorthorn to go over there. At one point I'm like, I'll get paid more over there. So they all got snapped up, and then what was left was the people who could feasibly fill that role. But because they didn't have the experience, I think a lot of people went into that role going, oh, look at the money, it's great. But then they realized some of the stuff that comes with that role and the pressure, and they just went, you know what? No, maybe they saw what some of their consulting buddies were getting and said, oh, let's go start our own consultancy. But then they don't know how difficult it is. I mean, obviously we've talked about this offline. Running a business is a massively different skill set from doing any other career path that you may have done, even if you're doing it in that career.

Jim [:

What are your thoughts on that? Do you think that's a thing? Do you think that's where we are at the moment?

Amy Stokes-Waters [:

Yeah, I mean, some of the CISOs that I've been talking to who are saying they just want to fuck it all off and go do their own thing. Well, the CISO. But are they the CISO? Because they're the only person in infosec in that company? So they've got the job title of CISO. Fine. I mean, I've got the job title of CEO. Brilliant. Everyone likes a nice job title, but if you're not being. You're not actually being a CISO, you've just been the only infosec person there, which is fine, as long as the company's doing something around cyber security.

Amy Stokes-Waters [:

But they're not actually getting to do that true CISO role because they're firefighting. Like, I don't know, they're looking at SIEM solutions and that kind of shit, which is not the job of the CISO. The CISO is to kind of oversee the strategy. Well, in my opinion, this is to kind of oversee, oversee the strategic security, the strategy for the company, and kind of point them in the right direction and move them up that maturity curve and communicate that with the board and be there to discuss security issues with the board. But if you're not, if you're constantly doing, like, technical stuff and firefighting and looking after incidents and all that kind of thing, you're not getting to do that kind of true CISO role.

Amy Stokes-Waters [:

Also, I think we've seen a lot of CISOs that I know are in that kind of position.

Jim [:

I did post on LinkedIn the other day. I think you commented, actually, it's like, I've seen so many CISOs moving positions. It's like a game of Tetris. They're all dropping from the sky and kind of fitting into different roles and then disappearing and then dropping from the sky again and landing in other roles. It's like, I've joined this company. I've joined this company. I'm like, God, what's going on?

Amy Stokes-Waters [:

I did see something the other day on LinkedIn, though, about recruiters, which is a very bad practice from recruiters, where they're dropping people in, getting paid, and then moving them to another role so they get paid again.

Jim [:

Oh, that doesn't surprise me at all. Not that.

Amy Stokes-Waters [:

Yeah. I mean, I know. I mean, my background, sales and marketing, and I kind of class recruitment and sales, and I'm like, come on, guys, we could do better than that.

Jim [:

So many things I could say, but I'm not going to because you're a busy, busy woman, and we're reaching the end. So I need to ask you my question that I ask everybody. The secret question, which isn't so much a secret if you've ever seen any of the interviews that I've. I've given before. I don't know if you've preempted it by looking at any of those interviews.

Amy Stokes-Waters [:

I did not. I thought I'd keep the surprise.

Jim [:

Right. There you are, Amy. You've just gotten into infosec. You've just gotten that first role, that first role that you had where you were an actual infosec person, maybe in that sales role or whatever that you mentioned before. You're in the bar after you get the news, and you're like, fantastic. I've done it. I've gotten into it, and I'm going to build my career in this space. Then all of a sudden, you, as you are now, walk through and see yourself at the bar as you were back when you first got in.

Jim [:

What would you do if you sat down next to yourself and were able to give yourself a few pieces of poignant pointers to help you back then?

Amy Stokes-Waters [:

Yeah. Do you know what I'd say? Just, you've got it. You know, you know what you're doing. You'll work it out. If I'd not made all the mistakes that I've made in my career, and there's fucking lots of them, if I'd not made all those mistakes and taken all those risks and done all those things and got told off by several, I mean, I wrote on LinkedIn this morning, my. My MO at work is ask for forgiveness, not permission. Much to the disappointment of several of my managers, I'm sure. So, yeah, I probably.

Amy Stokes-Waters [:

I think. I think I'd probably just say, you've got a. You've got to do it. You've got to do it your way. There's no, I wouldn't. Well, I hate giving unsolicited advice anyway, but I. Yeah, I don't think. I don't genuinely think I would.

Amy Stokes-Waters [:

Well, I know myself. I wouldn't listen to any advice. So you could tell me everything you wanted and I'd still go. So, yeah, I think, yeah, I genuinely don't think I'd do anything differently, because if I'd done it differently, I wouldn't have made the mistakes that got me to where I am now.

Jim [:

Fair enough. Fair enough. It's always interesting to ask that question because you see a lot of people say something similar. It's either, I wouldn't give myself any advice because then I wouldn't be where I am now. But then you do get a few say things like, I'd say to myself, don't worry about it.

Amy Stokes-Waters [:

Yeah.

Jim [:

All the aggravation that you're going to sit through where you sat there in a boardroom and someone's shouting at you because you didn't meet a target, or you, you know, you need to do more with less, or, you know, we're making you redundant because we. We see it as being able to manage security. Just. Just don't worry about it.

Amy Stokes-Waters [:

Yeah, I think I'd probably tell myself to be less hard on myself because I do spend a lot of time beating myself up about, oh, you fucked up here and you need to. You should have done better there. A, right. And then, you know, I remember that, a, other people have probably fucked up a lot more monumentally than I have, and b, it happens. So all the time you've got. I think. I think I need to remember that sometimes.

Jim [:

This is it. And it's hard to. It's hard to remember that as well, because when sometimes you look on LinkedIn and you look down the posts, you know, you only ever see the good things that people put out there. You never see the terrible stuff that the CISOs have to deal with, you know, and the mistakes that they make.

Amy Stokes-Waters [:

I screwed up monumentally either last week or the week before, but I wrote about it on LinkedIn and said, you know what?

Jim [:

Yeah, I noticed that. That was quite refreshing, actually.

Amy Stokes-Waters [:

I did balls up somewhere and I did apologize to the customer, and, you know, it happens, and I've got a call with them at some point to go through some feedback about it as well, because I'm totally open if I've done something wrong or if something's not gone right. I want to hear what I could have done better. I mean, I know exactly what I could have done better, which was send the right fucking instructions for the escaping. But, yeah, I think. I think it's really important that, a, if you've upset someone or you've upset a customer, that you go to them and go, okay, tell me. Tell me what you need to tell me. Tell me, vent at me.

Amy Stokes-Waters [:

Tell me where I fucked up, because, a, it makes them feel better, because they've got to tell you about it, but b, that's the only way you learn, that's the only way you can improve. If you. You know, if someone just sat there blowing smoke up your ass all the time, telling you how fantastic you are, well, all that's going to happen is your head's going to get really big, isn't it?

Jim [:

Amy, I have really enjoyed this interview. You're a breath of fresh air in this. In this rather stuffy space. I mean, it's gotten a lot better now. You know, there's a lot of people who have a lot of fun, but I think you're doing fantastically with your escape rooms. You're doing fantastically on LinkedIn and all the marketing stuff that you're doing and what have you. And, I mean, it's been an absolute pleasure to have you here on the podcast. I mean, is there anything you kind of want to let people know about? Obviously, you've got your escape room stuff just to kind of get out there, let people know where they can find you.

Amy Stokes-Waters [:

Well, I mean, find me on LinkedIn because that is where I hang out most of the time. So, yeah, there usually, you can go on the website and look at cyberescaperoom.co. Not .co.uk. I massively regret calling it .co because everyone goes, is it .com? No. Is it .co.uk? No, just .co. It's fine. It's a new TLD.

Amy Stokes-Waters [:

Go for it. But, yeah, just look at the website. You can see kind of what we do. There's videos on there. There's testimonials from some very nice customers. Oh, yeah. Follow me on LinkedIn.

Jim [:

Well, fantastic. Well, you look after yourself, Amy. And if you ever need anything from us here on Razorwire or you want to come on any. Or if any of you out there would like to ask Amy questions or like to see her debate something with us on the podcast, I'll see if I can convince her to come back because I think she's definitely got some fantastic stuff to say. So, Amy, thank you ever so much for being here and telling us a little bit about how you kind of got in and what your thoughts are on the industry.

Amy Stokes-Waters [:

Thank you very much.

Jim [:

Just want to thank everybody out there who regularly listens. Without you guys, I don't know why we'd be doing this. So thank you ever so much and.

Jim [:

Thank you for listening to the latest edition of Razorwire. It's always good to get feedback. Please feel free to reach out to us. You can reach out to us via LinkedIn or through our website, www.razorthorn.com. If you feel that there's something that we should cover, maybe a little bit more in depth, a new topic or something of interest to you or the community at large. Got any recommendations or you want us to interview people, we'll reach out to those individuals. So it'd be great to see what your feedback is.

Jim [:

In addition, I do have a book that recently came out, the Cyber Sentinels Handbook, a primer for information security professionals. Now, this book is very much geared up towards professionals at all levels of their career, be they starters, be they newcomers, be they people in it for a little while and maybe looking for a little bit more direction, or be they the older ones looking to maybe reground themselves in some of the more important aspects of the trade that maybe they've forgotten over time. I've had lots of good feedback from a lot of different readers of lots of different levels, so please feel free to get yourselves a copy. We've got the e copy. We've also got the paperback copy. And if you don't want to spend any money, you can go on Kindle Unlimited and read the book for free there as well. Thank you ever so much again. Look after yourselves and we'll be seeing you again soon.

About the Podcast

Razorwire Cyber Security
The Podcast For Cyber Security Professionals
Welcome to the Razorwire podcast where we share information, best practices and up to date news in cyber security and infosec.

Our mission is to help you become a better cyber security professional and support our vision of creating an agile community of cyber professionals who are stronger than ever before.

This show is first and foremost about sharing knowledge and benefiting from collaboration. We bring you the advice and wisdom of both your host, James Rees, and his guests to build on the strength and depth of your own knowledge and experience.

Your host James Rees is an information security veteran with over 25 years of industry experience and is the founder of Razorthorn Security, delivering expert security consultancy and testing services on a day to day basis to some of the largest and most influential organisations in the world, including many in the Fortune 500.

The Razorwire podcast is for cyber security professionals looking for new ideas and the drive to improve their response to cyber security events. Through collaboration, we can strengthen our defences.

For more information about us or if you have any questions you would like us to discuss on the podcast email podcast@razorthorn.com or head to www.razorthorn.com

About your host

Matt Cheney

Matt is a podcast & content creation coach with over 17 years of professional experience. He has delivered content for global media platforms, brands, broadcasters, and apps, producing EMMY award-winning music features, BAFTA nominated animations, and iTunes chart-topping podcasts, among other projects. He has edited & mixed over 650 hrs of TV, recorded 10,000 hrs of narration and podcasts, and produced 10,000's of media assets for brands such as BBC, SKY, Nike, O2, Audi, RCA, Amazon, Google.
As the former Head of Audio for Vice Media UK and Rapid Pictures Post Production in London, Matt is well-versed in media and technology, as well as in leading and training creative teams.