WE'RE IN!

Robert M. Lee on Hacking Industrial Systems, Pay Transparency and Oysters

Episode Summary

Dragos CEO and founder Robert M. Lee has been talking about cybersecurity risks to critical infrastructure long before threats to utility operators and water plants were making headlines. In this episode of WE'RE IN!, he discusses the ongoing dangers to the grid from nation-state hackers and ransomware gangs, but also the progress the U.S. is making to better secure its most vulnerable assets. And there's also a great conversation about pay transparency that anyone working in infosec will want to hear.

Episode Notes


A few more reasons to listen:

* It's a candid and sobering interview with one of the world's leading experts on industrial cybersecurity.

* You might be surprised how Dragos approaches pay transparency, hiring and job interviews.

* Better understand how critical infrastructure operators should approach cybersecurity differently from enterprise technology.

Key quotes:

* "If you are an oil and gas pipeline or a manufacturing company, and you haven't had ransomware scenarios at a board level with an understanding of what you're doing specifically in OT, your liability and your lawsuit is going to be bad."

* "One hundred percent of our engineers are in the United States. We don't outsource anything where they're related to our product, because if we're deploying software into nuclear power plants and similar, I'd like control of the supply chain."

* "We've been talking about cyber at a presidential, international leader, board level for a long time. But they never knew they needed to differentiate between IT and OT. And now they're realizing all the resources have been spent on the non-revenue generating side of the business and they're going, 'Holy crap! What's our OT cybersecurity strategy?'"

Links:

* https://www.dragos.com/

* https://www.synack.com/

* https://readme.security/

Episode Transcription

[00:00:00]

Jeremiah Roe: Thank you so much for joining our show. Um, I've personally been following you for quite a while, as well as

Robert Lee: Oh, I'm so

Jeremiah Roe: your company. Um, I think, I think it's a fantastic organization to begin with. And, and one of the things, uh, I was originally looking at initially was, uh, was that you as well are also a former service member.

Uh, is that, is that correct?

Robert Lee: Yup. Yup. But I was in the Air Force. Where were you? I was

Jeremiah Roe: Yeah. So I was in the Marine Corps. Um,

Robert Lee: Yes. Mine

Jeremiah Roe: but no, I mean, it does, it does, right? Like, I've got, uh, I've got plenty of friends who are currently still serving in the Air Force. It's just a

Robert Lee: Yeah, I was, I was, I was military curious, you know?

Jeremiah Roe: I just signed up for the tested out phase. That's great. and so thank you for your service. I wanted to make sure I said that and, um, uh, again, it's a pleasure to have you on the show, so thank you.

Robert Lee: Yeah.

Bella DeShantz-Cook: Yeah, we're very excited to get to, [00:01:00] uh, to chat with you today. Um, I want to start out with a pretty simple question. Uh, could you clarify for us exactly how you pronounce the name of your company? Please

Robert Lee: It's Dragos, like it's the long A. Drago's sells oysters in New Orleans. Dragos sells hot takes and ICS security.

Jeremiah Roe: Funny you mentioned the Drago's and the folks that sell oysters because, uh, I've seen that video of the gentleman.

Robert Lee: It's good. They're good oysters. Like they're really good. They're not like Maryland fresh, like oysters, but char-broiled, they're, they're pretty good. You know,

Bella DeShantz-Cook: Do a lot of people get the pronunciation wrong or confuse you with the...

Robert Lee: uh, the confusion of the oysters only comes on Google reviews and we'll get it every now and then. Super nice service, just didn't really like the oysters or something, you know, like there'll be like on our, like, HQ page, uh, which is hilarious to me. We've had a number of oyster calls on our incident response call line.

That's always fun. [00:02:00] Um, the pronunciation, I don't care, you know, there's a ton of people pronounce it Drago. So my thing is, if there's not expletives, you know, around that, I don't really care how you put it.

Bella DeShantz-Cook: Nice. Totally fair. Um, so getting into the, you know, actual more interesting questions, I suppose. Um, so I want to talk a little bit more about you, your background. Uh, you started focusing on industrial control systems while working for the National Security Agency, uh, kind of a while before a lot of others were really paying attention to cyber in this area.

Uh, and I thought it would be pretty useful to start by talking about, uh, some of the unique challenges facing critical infrastructure providers, uh, and maybe like the key differences for security when you're considering a utility company versus a company like Facebook or Bank of America, for example,

Robert Lee: Yeah, sure. So it's been really interesting to see it evolve for sure. So I started my career, um, as mentioned, the Air Force side of the house, but I was tasked over to the NSA pretty early on and they [00:03:00] didn't, you know, ask me to focus on ICS. What they asked me to do was go find the unknown unknowns.

And I was like, um, what is that? And they're like, we don't know, but Rumsfeld's really big into it. I was like, oh, okay. You know? And so it was like, go find the state actors. We're not tracking today. And I was like, yeah, no problem. And so I had a background in building controls since I'm not an engineer by trade or anything, but.

I spent a short time doing my humanitarian projects in Cameroon and other places building like water filtration units and wind turbines and things like that. And, and so I really liked control systems. Like, so what do we, what are we doing on control systems? They're like, what are control systems like, oh God, you know, they're everywhere.

You know that the stinky things that you want to say stunk those, those submarines, that that's them, the floating things you want to keep floating. That's that's on there too. Like, you know, it's, it's everything. Um, and so they just kind of wish me to just ask her or whatever, you know, dumb Lieutenant and go forward and have fun.

And, uh, and, uh, you know, what I found was we had this view in the government. I think this transcended to the private sector as well of, [00:04:00] well, there's not really industrial. Yeah, that's why I focused on, and we're not seeing any attacks. Um, but when I dug in what the reality was is we weren't collecting data out of industrial environments.

We were collecting in the enterprise IT networks expecting to find industrial attacks and that doesn't make any sense. Um, it's like the old intelligence parable where the drunk guy's underneath the light and he's looking for his keys and a cop comes by and says, Hey, what are you doing? He's like, I'm looking for my keys.

He's like, okay, well, you know, I'll help you. And there after 15 minutes or so he was getting pretty frustrated in this dark alley. He was like, what's going on, man? Where'd you lose your keys? He's like, oh, over there. Well, why the hell are we looking in here? Well, this is where I can see, you know, and that's, that's kind of the problem that has existed.

So we adapted our collection, started getting into industrial networks and we started finding everybody, not only the, the state actors that you expected to find, but state actors we didn't even expect to have cyber programs at that time were already going after industrial environments. So that's pretty interesting from there.

Um, when you, when you talk about the, kind of the key differences. Um, I'm sure there's plenty. And there's plenty of skillsets that you have in IT [00:05:00] security that'll help, you know, OT security, don't get me wrong, but, um, but there's a real necessity to understand the mission. It's probably the first thing I would say: know what's this plant in the business of. Is it a water filtration plant?

Is it a, uh, a rail switching yard? Is it power generation? Like what, what are we trying to do here? So a lot of IT security folks, I don't mean this the wrong way, but a lot of IT security folks have our biases, right? Everybody does. You, you know what works, you've done it for 20 years. Hey, I'm gonna come into this place.

And of course, I want to ask about a patch management system and you're like, no, no, no, no, stop. Like, what are we trying to solve here first, then figure out what actually makes sense based on your skills and what brings in and the unique ways you need to do it. And, and in a big-hand way, I'll say that IT security in the enterprise writ large is data security and system security.

And those are very hard and they're very important, but it's how do I protect the data, encryption at rest and in transit and DLP, whatever else, how do I protect my systems, [00:06:00] patch it, product security, endpoint protection systems, whatever else, how do I make sure I keep my assets off the internet?

So, you know, attack surface and all that kind of stuff, but basically how do I protect the system? How do I protect the data? And that drives a lot of what we've seen in product security and so forth. When you get into industrial security, whether you call it OT for operations technology, or ICS, industrial control systems, it doesn't really matter.

Industrial security, when you're dealing with that, what we care about is systems-of-systems security and physics. Everything that the adversary wants to be able to do is bound by the world of physics. Like I'm going to open up this valve and kill 30 people. Well, no, the valve doesn't open that far, so that's not possible.

So I don't care. Or, Hey, actually, if you mix those two ingredients together, you're going to create an explosion. That matters a lot. Um, and then you care about system of systems. I don't care that the control system itself, like the little controller, I don't care that it has a vulnerability that lets you have a password on or whatever.

I don't know. Okay. What are you gonna do with that? But can I get on an engineering workstation and change the logic on a controller in such a way [00:07:00] that's going to impact a valve that impacts the physics? Okay. That system one plus system two plus system three, that matters. And whether you do it with a vulnerability and malware or native functionality that's resident in the environment,

it doesn't matter. If you understand the operations and the engineering and the mission of that environment, and you can then learn the systems, navigate around that system, that system security, you can hurt some people. And so that, that, that's, to me, the key difference: what are we trying to accomplish?

And break away from the system and data security and understand the systems of systems.

Jeremiah Roe: So in an operational technology perspective or, or ICS systems attack, right? Um, what's one of the early compromises that come to mind for you that really took advantage of these kinds of devices?

Robert Lee: Yeah, probably the, I mean, there's so many like stories and so I'm going to give you answers and there's gonna be someone online. It's like, well, what about the Trans-Siberian pipeline? No, that's completely BS. So there there's, there's a lot of stories out there that are fake. Um, but the, probably one of the earliest ones that was real was an insider [00:08:00] and it was the Maroochy, um, water services plant down in Australia.

Uh, it was essentially a contractor or an employee. I don't know if it was an employee or a contractor, but he, he got fired and he was very ... about that. And, uh, he got some equipment, basically, you know, the equivalency of RadioShack, going and getting some like, uh, RF type equipment to be able to access the control systems of the water plant, the sewage treatment plant.

And he was able to manipulate the control environment to reverse the flow of sewage, to empty it out into the, the rivers. Um, and the town and that to me is a classic. He knew the inside knowledge. He had an understanding the operations and engineering. And so then it was about access and manipulation of systems of systems to be able to impact the physical environment.

And that was, I don't know, that was the, either late eighties, early nineties, probably early nineties. Um, and so then from then on, there was a lot of cases, but never really anything public. It was very hush, hush stuff of, Hey, we have something going on here with a logic change [00:09:00] across 20 substations. Can you come in and investigate?

And it was, it was stuff that didn't really get talked about. And there was some of that reason that they didn't get talked about was quite honestly just the media would overreact to everything. A phishing email is sent to a power company, they're going to take down the grid, and it's like, there's not one grid and that's not how that works.

Um, and so there wasn't really an environment to have those conversations. It wasn't, there was no benefit to doing it. Um, the, probably the next, you know, there was compromises and espionage, there was a lot of espionage. If you go back to even the old Night Dragon cases or Operation Aurora, and so like that with the RSA breach and similar.

Well, the companies that got hit and publicly named, like Dow Chemical and these others, the, the APT1 story from Mandiant, you'll, you'll read those reports and there's not a whole lot of mention of industrial and SCADA and DCS and all that stuff. But if you look at what they were taking and why they were targeting those companies in the first place, they were getting into those areas.

But the people may have not had the skills to go into those [00:10:00] sites, but also there's big cultural divides of they weren't welcome into the plant side of the house. So there's a lot of historical espionage cases that had an industrial flavor that just wasn't properly explored. But the, the, the, the case that everybody says, and of course we can't get through any discussion of ICS without dropping the S word, but, you know, Stuxnet comes up in the 2009, 2010 timeframe,

Jeremiah Roe: the one that I was thinking of initially. That's what drew my attention.

Robert Lee: It had a net benefit in some ways of getting people interested in industrial. So that's good. Um, and, but there was also this sort of like, all that, of course the United States and Israel could do this, and of course they do it to somebody else, but nobody could do it to us. So, so nothing really changed after that.

Um, there was interest, but nothing really, I don't think anything was massively changed. The one that really changed things in, uh, uh, the next, probably pretty big, it was 2014, it was an attack on a German steel facility. It caused massive physical damage across the plant. Um, but the one that really changed the discussion [00:11:00] was the 2015, um, attack on the electric system in Ukraine.

That was the, yeah, that was the one that I got to, um, be involved in. And that was cool. Um, but that one changed the discussion for very simple. And it was at the national policy leader level. It was always an expectation that critical infrastructure was a red line and yeah. You know, okay. A nuclear enrichment facility, but it's really a military facility that county, you know, that uncovering thing, but civilian electric power.

What? And so it was sort of this head fake moment for a lot of the community. And when it happened originally, I remember, and I don't, again, I'm not trying to put anybody down here, but I remember the us government's original response was don't worry, that can happen here. And there's a lot of downplaying of it.

And Mike , Tim Conway and myself. Did kind of a road show out in the community of, oh yes, it can. And this is exactly the way that it would look. And some elements may be different in the recovery may be harder to do on the front [00:12:00] end, but like manipulating control of a distributed control system or at distribution management system.

Of course, again. And, you know, a lot of credit to the power companies. Cause it was the power companies and their CEOs that originally came out and said, Hey, Congress, White House, we hear you. But, um, yes, you can, like, you could absolutely do that here. And they're the ones that got to get the narrative changed, then it just accelerated. 2016, you see it again, 2017, you see the first ever cyber attack that targeted human life take place in Saudi Arabia, 2018, '19, '20, you see, uh, near dozens of compromises across the infrastructure in the way that would not be espionage, but would actually be pre-positioning. 2020, you have SolarWinds. Everybody's talking about the IT side of it.

But actually that was, you know, there was OEMs, original equipment manufacturers, getting compromised. You had an adversary have remote bi-directional access to gas turbine software systems across the planet. And it's just, it, so it's kind of just blown up in the sense that people are realizing like, oh, we haven't done all the things we thought.

At a time that [00:13:00] the adversaries are going, oh, well, there's not a whole lot of reasons not to do this. You know, there's no, you know, warheads on foreheads coming from compromising an electric system, all this bluster that's been done over the years. No, no, no. I think, uh, I think this is a completely viable target for geopolitical concern as well as intellectual property.

And so that that's, that's kind of where we are

Jeremiah Roe: So I think, um, to your point that there've been a lot of misconceptions around how this affects, uh, whether it be IT or OT and how it implements together. Um, we're seeing an incremental shift in how individuals ultimately think about this, right? With MITRE developing the industrial control system, uh, sort of, uh, implementation that can be utilized for testing these devices.

And then of course, uh, with, with, with you founding the company Dragos, and, and then with SANS creating courses that you, by the way, happen to be teaching on some of them, um, what do we do, right? How do we prevent this [00:14:00] stuff? Uh, from an industry perspective? As an executive, how do I, how do I focus more on these things?

If these things are in mind?

Robert Lee: Yeah. The first thing that must happen is there's gotta be a board level conversation and you can, you can get your C-suite aligned first. That's fine. But, but trying to solve it by buy a product, build a process, hire a person, you got to get aligned on the risk first and that's going to be inherently a board conversation.

And the mistake I see most companies make is they think the boards are stupid. Quite honestly, they think, oh, they don't get cybersecurity. And we've got a, we got to put it into a FICO score or something. And you're like, guys, like they deal not only with risk scenarios all the time, they deal with like GAAP accounting of revenue.

Like you tell me GAAP accounting is not complex. Okay. Like they, they're smart people and you just can't use your jargon. Um, and, and so I don't like when I see folks get in front of boards and be like, there's 300,000 [00:15:00] scans on the firewall and we say, here's our phishing protection and here's what we're doing on VPNs.

It's like, stop. What's the scenario? Are we a power company? Should we be prepared for a Ukraine-like scenario? Are we a manufacturing company? We should be prepared for an espionage scenario as well as a ransomware scenario. Like what are the scenarios that we want to build in, get aligned on the risk, then your C-suite and your CSO can come up with what are the protection, detection and response mechanisms that we want to put around that. Maybe we choose a framework like the NIST Cybersecurity Framework to be able to ground the conversation, whatever it might be, then we can figure out what, what the actual mechanisms are.

Probably the biggest mistake I see beyond that is right now. And this is actually what's driving a lot of the shift right now at the board level. They're getting views on cybersecurity. There's no critical infrastructure company that hasn't been talking about cybersecurity for the last 20 years. That's not new, but they're used to getting the here's our patch rates, here's our detection rate.

Here's our NIST Cybersecurity Framework rates, like [00:16:00] in a good company, they're getting all those things and they go, oh, okay. Yeah, yeah, yeah, no. Why are we talking about more investment? And I had this experience recently in a Fortune 50 board. I got invited in to come brief on the threat landscape, kind of stuff. CEO, super smart guy, great board, CSO, great CSO, briefed that exact view. Here's the, all these things and this and all this and look how great and wonderful we are. And it's like, Hey, there's a greatness. The CEO turns to me like, see Rob, you know, it's kind of like showing off, like, what do you think about this?

And I was like, I think your team needs to be lauded. They've done a lot of amazing work and they're in, they're absolutely doing the right things. Um, I would have told them if they weren't. I was like, they are, however. Um, I called on the CFO and I was like, are you thinking enterprise? Like the enterprise?

Are you thinking enterprise, like enterprise IT? Let me internalize it. And the CEO is like, eyes just opened. I was like, wait, hold on. Do you mean that doesn't cover our plants? And he was like, yeah, no, no, no, that's the enterprise IT. And it just like, the board erupted. And, and so [00:17:00] there is an expectation at most companies that all of these things are being done.

So why are board members, why is, why is the president of the United States last year coming out with an ICS-specific national security memorandum? Because they never thought they needed to, but it turns out they had to. So we've been talking cyber at a presidential, international leader, board level for a long time, but they never knew they needed to differentiate between IT and OT.

And now they're realizing all the resources have been spent on the non-revenue generating side of the business and they're going, holy crap. Um, what's our OT cybersecurity strategy? So the first thing is to make that awareness available, then get aligned on what the risk scenarios are. Then you dig in and go, okay, what are those controls?

Understanding that most of the standards, frameworks, regulations, whatever, have a strong prevention bias. Um, we did the, we did some work on this where we looked at every single regulation and framework out there and found that about 90% of all the controls were preventative in nature: patch, [00:18:00] passwords, AV, you know, that kind of stuff.

So there's a lot of prevention in these standards that you never get to controls around detecting and responding, which means then you don't even have the visibility of what's happening in the environment, which means you don't even know what's in your environment, which means you're not applying prevention appropriately or watching it, and it atrophies over time.

Anyways. So, so for the CSOs, it's not only understand that OT is different, but understanding that a lot of the frameworks we might be using are pushing us towards a very IT-centric approach that even in the IT environment is probably pretty late.

Jeremiah Roe: Yeah, I think that's pretty scary, right? From an executive's perspective, especially when you are running a company, you're dealing with a lot of the business aspect. And when you deal with these things, you have an expectation of, like you said, of, of the enterprise being taken care of by the divisions that should be controlling those things.

Um, and to your point, uh, when you first got started in this from the Air Force, you know, it's find what you don't know that you don't know. And, and that's a scary [00:19:00] aspect when it comes to, um, executives, because they're relying on the individuals that are running the organization to inform them, to, um, to help them to understand where the gaps are.

And, and in a lot of cases with this not being such a hugely, uh, uh, focused-on area within cyber or within the industry as a whole, um, it's left this weird gap and, and, and I think that's one of the reasons why you initially started Dragos, what, in 2016. Right. Um, and

Robert Lee: It's exactly why I came back from Ukraine. And I don't mean this against your company or any other company. We all love each other, but I have generally never in my life been like, I want to start a software vendor. You know, I always remember being on the client side and being like, here's what's coming in the roadmap.

I'm like, no, it's not. This is how we use AI. I'm like, it's snake oil, you know, like I've never wanted to be a software vendor, but I came back from Ukraine and did all these briefings and then started talking to the companies' CSOs. It was like, aw, that happened because they didn't have a patch management program and didn't have [00:20:00] AV on the SCADA system.

I'm like, what are you talking about? And so it was out of a very, like, strong desire for my son to have lights and water when he grows up. It was like, oh, we need to make a software company to, like, codify knowledge on this. And we're also going to go have smart people on staff to do, like, response and things like that to inform that.

And so, yeah, you're, you're spot on of, of, of where that came from.

Bella DeShantz-Cook: You mentioned something that I wanted to, like, just kind of get more information about. You said something about how, um, like in, particularly in industrial security, there's this focus on, like, proactive or preventative? Like if there's a focus on security, there's an emphasis on this proactive, preventative approach, but a lack of emphasis on detection and response.

Um, and so I have a background in, uh, mostly application security. Industrial security is something that I still have a lot to learn on. And when you said that it got me really interested and curious, like, why is that? Why is there this [00:21:00] disconnect? Because it does seem like in a lot of other areas of security,

there's plenty of, uh, of, of focus on detection recently.

Robert Lee: Yeah. I think if you look in the, like, the 1% of the community, if you look at the larger companies out there, um, you will find that they are doing prevention, detection. And there is a lot of discussion. We get, we all get involved in the infosec circles. We talk about detection, response, some of the sexier stuff you get into, right?

It's fun. And it's exciting, even though prevention, there's a lot of the hard work you got to do. But if you actually look at the standards in the broader community, not even IT or OT right now, it is extraordinarily prevention-biased, whether, you know, it's from the NIST Cybersecurity Framework, the top 20 critical controls that come out of CIS, you look at NERC CIP on the electric power regulation side of the house, whatever it is.

It's all preventative or heavily preventative. And there's a couple of reasons for that one. Sometimes we've talked ourselves into like a pound up prevention as well, you know, it's like, okay, whatever, there's some like anecdotal crap that's got thrown in there. Some of it has been [00:22:00] well-intentioned of, Hey, look at all these attacks, how do we stop the attack?

And I was like, oh, you should have used multi-factor authentication, which is an awesome control. Um, but people don't have the larger discussion of, like, that, and I hate to use the buzzword, but like that kill chain kind of view of, regardless of the stopping, yet what all places did we have an opportunity to disrupt it, to collect data and understand it and to respond to it?

And so I don't know that outside of, like, leading companies in general, that people are actually all that focused on detection and response, IT or OT. In OT though, it's been magnified by the belief for a long time that those environments were disconnected. That, that fuzzy word air gap has been thrown out time and time again.

Yeah. And it gets defined a million different ways by people. Um, but it's not real, regardless. If you're not operating a nuclear power generation site, you don't have an air gap. Um, but either way they did exist at one point. And, and you know, not to go on too long of a diatribe here, but if you go back to the 1998 Presidential [00:23:00] Directive 63, it came out of the Clinton administration and said, you need to protect critical infrastructure.

And they said, Hey, asset owners. Our critical infrastructure is vulnerable to cyber attack. You know, that doesn't seem like a sexy statement, but that's a big statement, especially in 98. And it's a big statement for a country, a leading super power to say, we know we're vulnerable to cyber attack. That's a big message to our adversaries.

And they said, look, as an asset owner in the private sector, you operate our electric, water, oil and gas, manufacturing infrastructure. It's not government owned. We can't do anything about it. Therefore, if you want to go reduce cyber risks from a business impact, you do as much or as little as ... But you can't skirt your responsibilities from a national security perspective.

You got to do enough on the national security front. And when that happened, there's not a CEO or board out there that said, screw them. You know, they all said, oh, let's do it. Let's, let's invest in cybersecurity. And they turned to their staffs, which were generally at that time, CIO, they didn't have a whole lot of CSOs that were running around the companies.

At that point, there was some, but not, not as many as today. And the, and it was all [00:24:00] well-intentioned. None of it was malicious. The CIOs went to the security staffs, which were just, you know, sort of spinning up. And they went to their VP of operations and plant managers and so forth. And well-intentioned, really, the plant side of the house largely said, what are you talking about?

Like, we're, we're not connected to the internet. We're not using the applications you're talking about. Like you've got a limited budget and a whole lot of work in front of you. Why don't y'all focus on that. We're, we're disconnected. The risk isn't really here for us. And so immediately everything got started spending on the website, the domain controller, the enterprise side of the house, the PCs, et cetera.

And they never revisited that. And in 1998, that was probably, by 2006, 2007, a lot of those environments are getting connected up. By 2015, we, it's a buzzword, but we had that whole digital transformation thing starting to happen. And that was where these plant environments really were taking advantage of hyper-connectivity, cloud resources, interactions directly to the, uh, the vendors and the supply chain for optimization, predictive maintenance, turbine [00:25:00] monitoring systems, et cetera, et cetera, et cetera.

So at one point in time, it was, well, just disconnected, and keep it disconnected, and we're okay. And that's a prevention thing. The reality of the business is you can't do it. So some people look at an air gap and go, yeah, that's stupid. No, actually an air gap is a great security control if you could actually maintain one and have one, but if you were running a modern business, it's impossible.

So let's get it off to the side and go, well, now that we have all this, what else do we do? Some of those preventative controls make sense in OT. If you can roll out multifactor authentication for remote access, you should be doing it. But then what are we going to do to get network visibility and monitoring, to see system-to-system interactions and communications, and how do we respond to this?

And more importantly, I got to be aligned from board level on down on what those response scenarios need to be. What are the questions we're going to need to ask from a compliance and legal and regulatory, business risk, national security risk, et cetera? What are the questions we're going to ask? And the response, which is going to determine what kind of response scenarios we need [00:26:00] to plan for, which is going to determine what collection we need in the first place, which is going to set our detection strategy, which then should inform what we need to make sure we prevent, that we don't have to deal with.

A lot of people: let me roll in my prevention, then I'll get to detection and then I'll get to response. And by the end, it's all misaligned.

Bella DeShantz-Cook: Right. It reminds me of, like, I think there's been, uh, some shift, at least. I, I feel like something that I've started to see a little bit more in the last few years, from my perspective in cybersecurity, is this emphasis on, like, threat modeling and risk, risk-based testing and just security in general, right?

Like this risk-informed perspective. And it sounds like, you know, that's even like it's important in every industry. Like, it's, it's really so important to know, like, you've talked about, like, okay, we can do all of this, but, like, why? What's the most important? What's the, what's, what are we actually securing?

But it sounds like that's just so much more important when we're talking about industrial security.

Robert Lee: Especially because many of these companies are [00:27:00] very mature companies, but they haven't gone down that OT security journey yet; they're new to it. And we don't have time to reinvent the last 20 years of... It's gotta be more targeted, more tailored. Hey, I don't care about your 20 controls, where are the five that are gonna be most impactful that we can get rolled out quickly?

And so taking a risk-based approach and having an understanding of the threat model is incredibly important to that. You know, I, I remember going out a couple years ago doing an assessment at a facility, back when my teams would still let me do an assessment. Now they'd give me the elevator eyes and I'm like, you can go sit down, stick to the powerful where you guys, maybe I was, back when I was irrelevant.

Um, I went into this assessment at a, at a hydroelectric facility in the middle... No CCTV, nothing else. Gate guards, everything was there, but it was in the middle of nowhere. And we go in and there's a sticky note with a password on the human machine interface that allows somebody to interact with the, um, the turbine piece of the hydroelectric facility, and the IT security person from the company I was with

It was like, oh my gosh, this is a write-up. I can't [00:28:00] believe they'd done this. I'm like, why, why do you care? Like what? It's a password, the sticky note. I'm like, like, well, somebody walks in here, they get access to this. I'm like, who's walking in here? And like, oh, we have pen tests to do that. I'm like, well, hold on.

Now, are you developing your threat model on pen testers? Or are you worried that Russians are paratrooping into the substation and, like, bypassing your gate guards and getting in to, like, a sticky note? We got it like it, the biggest risk here is that operator who needs to be on top of a safety-critical device

that, if he's not monitoring, it could have a life impact, can't access the system. So he's either going to not put a password on it, put a crappy password on it, or write the complex password down. And in these scenarios, I want him to write the complex password down. And so it, it, you know, sometimes we, we get trained

by the wrong inputs, instead of thinking about what is the risk, what is the point and what is the threat model? If you're a power company and you haven't planned at a tabletop exercise at a board level and already [00:29:00] implemented your controls on the two different Ukraine scenarios, your testimony in front of Congress, when you,

uh, get called up, is going to be bad. If you are an oil and gas pipeline or a manufacturing company, and you haven't had ransomware scenarios at a board level with an understanding of what you're doing specifically in OT, your liability and your lawsuit is going to be bad. Like, there's certain ones that are obvious.

Do I care that there was new research at DEF CON released about hacking Bluetooth to spin up a wind turbine, and then it caught on? Don't care at all. Like, I care that those other scenarios have literally happened and now you're in trouble if you're not covered. You're behind if you haven't done those. But have you not rolled out SBOM discussions yet?

Cause it's now interesting and emerging. That's okay. You got time. Is it interesting? Go for it. Yes. If you haven't done it, your testimony in front of Congress will be okay. Don't.

Jeremiah Roe: To those points that you just made. And there was something you mentioned a moment ago, which was, uh, discussing national security. And have you done enough? Are you doing [00:30:00] enough, right, with, with regard to national security? And so I just kind of want to pose that question to you based off of your vast experience as well as, you know, uh, the many operations your company has conducted since then and continues to perform for the industry.

Um, are we doing enough from a national security perspective?

Robert Lee: Yeah, the answer is no. Um, however, there's lots of nuance there, right? And I think what normally happens is when somebody like me gets over to Congress or the press or whatever else and is able to say no, that's the thing that gets captured. I'm going to, um, I don't know if you hear the dogs in the background, it's going to disrupt everything.

As things walk by, we can keep going. Then congratulations, all the listeners in the world, I have dogs. Um, but, uh, when you, when I say no, people sort of capture it there and go, oh my gosh, these companies are not doing enough, and that's not the right takeaway. The answer is still no, but sometimes there's economic drivers, regulatory reasons, all sorts of [00:31:00] reasons that it's not. As an example,

uh, investor-owned utility. So you're one of the largest 60 to 70 utilities in the country and you're, you've got the budget and you've got the resources and FERC has come out and said, hey, you can do rate recovery and all these things, you better be doing a lot. But are you one of the 55,000 water treatment facilities or water, water plants in general?

It's not just treatment, but water plants in general that, you know, your Oldsmar, Florida. So Oldsmar, Florida got called out when an attacker tried to get in and, um, the citizens in Oldsmar, Florida, through an attack on the OT side. They're a small site. They probably don't even have an IT staff, let alone a security staff, probably sharing an IT person with three or four other water utilities.

That's pretty normal. Why? Because they're not able to increase the rate of the water bill. And if you're trying to explain to a small town, well, Russia could do X or China could do Y or Iran, it's not going to have them increase the water bill by a cent, let alone [00:32:00] 10 cents. And they're literally not able to. You want to complain about pipelines?

Okay. Well, pipelines in certain regions, um, because they have a monopoly in certain areas, are rate regulated. They're not allowed to charge more than a certain set price for that gas. Well, guess what comes out of that? Security. And so there are some companies that are negligent that we come across.

They're rare though. And there are some that should be doing a heck of a lot more, but there's a lot more that want to do more, but the system isn't allowing them to do more. And that's where we need to have conversations about roles and responsibility of government and how, you know, how do we message this?

Do you know every single utility, gas, water and electric, has a public utilities commission inside that state that regulates how much they spend, what they spend it on, how much the rates are, et cetera? Does every single company have to go to every single PUC in every single state to have this conversation, or couldn't the federal government lean in and go, hey, we're not trying to, you know, disrupt your state autonomy, but let's have an inter-, like, let's have a [00:33:00] national discussion about how we want to think about the cybersecurity investments for OT that manifest anything into safety and reliability of the services and goods?

Bella DeShantz-Cook: So, uh, speaking about testifying in front of Congress and, and ransomware, uh, I actually wanted to talk to you about this. Uh, so last year you testified in front of Congress about the ransomware problem, uh, and specifically how it's growing. It's a growing threat for critical infrastructure. Um, and you said at the time that Dragos responded to numerous ransomware incidents in OT that have gone unreported, uh, which is really interesting to hear.

Considering that, is the general problem of ransomware, uh, and the risk that it poses to the public, is that a lot worse than, you know, we realize?

Robert Lee: A lot worse. Yeah. Um, and so we've had a lot of close calls on some pretty important critical infrastructure as well. And, uh, look, so again, without, I never like to be the fear guy. There's, there's a lot of good stuff happening. And again, you know, hug a lineman and, uh, uh, [00:34:00] you know, say thanks to the IT security teams that are usually at these sites. They work, and they're, they're understaffed and they're, they're keeping the lights and water on.

Um, but when you look at these companies and we take some of the things we've already talked about here in this discussion today, a heavy reliance on prevention, a misalignment sometimes with the board, a heavy belief that environments are disconnected. Well, ransomware is just doubling down on those beliefs versus the reality.

And so it's not anything different half the time, but it's, oh, this environment, nobody has an understanding of what's in it, nobody's monitoring it. Nobody knew what was in the environment, in their inventory. I know there's rogue access devices and, hey, that VPN that got stood up for that connectivity that we didn't even think about.

All these things now taken advantage of by ransomware actors. And the next thing you know, you've got ransomware across your operating, operations environment. And sometimes it's not all that impactful. And sometimes it's a close call and we're lucky the infrastructure stayed up. Sometimes the infrastructure didn't stay up, but [00:35:00] those companies were able to move things around to have the production line, the manufacturing, whatever else, still produce what was supposed to be produced.

But somewhere else. Sometimes it didn't happen. And there's some interesting SEC filings out there around, you know, shareholder, uh, value and so forth. It could be tied back to, you know, hundreds of millions of dollars in damages related to ransomware cases that aren't all that public. And to me, the initial response I get from a lot of people is why.

And I think we've covered that pretty well. The second response I usually get, and this one from Congress as well, is, well, then they need to report those things. And, and there was this whole discussion in Congress, bipartisan support for, uh, an incident response reporting bill, um, last year that didn't pass, and I'm glad it didn't pass.

And I'm probably one of the few that's saying that publicly. There's a lot privately, but I'm saying it publicly, because it did have bipartisan support and there's some really good and smart people out there at CISA and others who I like and respect that were really advocating for this. But I had two fundamental problems with the reporting bill. [00:36:00]

Uh, number one, it wasn't scoped very well, because we were telling people to report an incident and then it gets into what's an incident and what's this and what's that. And people tried to play the tech game of, well, if it hits this type of system, or if it's ransomware, if it's a state actor, and there's perverse incentives that can happen, then there's things like,

do I identify if it's a state actor or not, because then we might have to report this? Or should I report every scan on the system, or just, only exploitation, should I only report exploitation of critical systems? And it gets into all these fundamental questions, which I think we could have bypassed by saying, hey, you're a critical infrastructure because of the goods and services you provide, not the types of systems you have.

If there's an incident that can impact the services and goods you provide, you've got to report that. So, like, scoping it differently, it could have been very easy. There's already precedents for that in regulations like NERC CIP that we could have just copied and pasted. The other problem I have, though, is what's the value? And people are like, wait, what do you mean?

Like, okay, we reported it. Now what? What, what intrinsic good is there to come to the public or that company [00:37:00] from reporting an incident to the... What's the value back? Because there's resources getting dedicated. That's going to manifest in your light bill or your cost to your manufactured good. What's the

Jeremiah Roe: I know there are some organizations who also have an adverse view of the government for whatever reason. Right. And they feel like, look, if I'm going to report this stuff, I'm going to get fined. I'm going to get, you know, maybe, maybe charged with something. I'm going to get looked at as being negligent or something worse.

And then there are other companies who say, look, I want to partner with the government. I want to share my information. I want to collaborate. And I want to build a better infrastructure across the board. How do you bridge the gap, right, between individuals or companies, organizations who are just afraid to share information

For fear of retribution, uh, to the companies who are buying.

Robert Lee: Yeah, you have to actually listen. And this is the problem for the government. And by the way, when you say the government, as you well know, with your prior [00:38:00] service, what we tell them at the post office, we talked about FERC, we would not get it right. That all government. When we talk about the government, there's a lot of different agencies and a lot of different organizations, a lot of different priorities.

And there are some who have consistently been useful and helpful, and there are some who've consistently gone and tried to find those fines and retribution and so forth. And so a lot of the companies out there that are, uh, not trying to partner with the government and keep them at arm's length have real documented experience on why it was bad for them in doing that.

And I've been a part of a number of incidents where they contacted the government and it was bad. And it, it went very poorly and there was no value to anybody in bringing them in. And I've been part of some where it was a wonderful experience, but it's hit and miss. And when it's your... and your shareholders and your community, hit and miss is probably not the time to have that discussion, during an incident.

And so there's a lot of apprehension. So to me, bringing people together and listening on what are your actual concerns, let's [00:39:00] have a closed-door, real understanding of the problem and trying to get through that would be helpful. Um, and I look at, I think a lot of times it's pleasantries, and we talked to the CEO and they really wanna do okay.

Well, what does the stock analyst think? They have to deal with this. You know, not just go talk to the exec. And, you know, and I think if you were to ask me, and as Congress did, does DHS, as an example CISA, and the big fancy NSA writ large, but does CISA, DOE, DOD, et cetera, have roles and responsibilities to the private sector in critical infrastructure and value

add? My answer is yes, but my immediate question is what are those roles and responsibilities? Because they haven't... There's a bubble chart. And I remember all that crap too, but there's not a real good, clear understanding of when do they get involved? When do they not? What goods and services do they provide that aren't competitive with the private sector?

Like sometimes it's, it's Nemo or, uh, you know, Finding Nemo, like the little seagull. Mine, mine, mine. Mine is this

Jeremiah Roe: And everybody's [00:40:00] doing that too, right?

Robert Lee: And everybody, FBI can come in and do your incident response. Why aren't you calling a Dragos, CrowdStrike, Mandiant? Why, why is taxpayer money getting used to compete with tax-paying entities? That doesn't make any sense.

And also they're not skilled up across every field unit to do that. There's some field offices that are phenomenal. There's some field

Jeremiah Roe: from an agile perspective, like a Dragos or others can as well. Right.

Robert Lee: Yeah. I remember, you know, I, again, I'm actually much more pro-government than I ever come off, but because I give any sort of critiques, that's the first thing that people, oh, Rob said something bad about the government.

I'm like, yeah, I said 15 nice things and you're focusing on the one critique I levied. But the, the one good example of the critique, I remember, it was RSA one year and, uh, one of the DHS leads got up on stage and said, well, we're, we're really here for when the private sector can't scale to the incident. So when you have an, a, an attack on an electric company, it's actually national security. You should be calling us and not one of these private sector companies.

And so when she got off stage, I just nicely went up to her and I was like, cool. How many incident responders do you have in your organization that know [00:41:00] OT? Well, you know, and I was like, how many? She said, why, four? And I was like, cool, I've got 40. So why don't you get back on stage and say, I'm here for when the United States government can't scale to the problem, you know?

And so there's a, if you clearly go out and communicate to the asset owners and operators of, here is a lane for me, and this is what I can do, and you can depend on me to do those things, and we're going to put protections in place to not have these bad things, the government would find that there is an overt desire to partner with the government and prepare for those types of things.

But when you don't really know, and you don't have SLAs and you don't have identification documents, you don't have anything. You don't have any

Jeremiah Roe: you don't have legislation

Robert Lee: this going to go? Yeah, absolutely. You don't know if they're going to be there when you need them and what their role and responsibility is and who does what and who does, then of course you're not going to leverage that.

And it has nothing, it's not anti-government. It's just, you wouldn't depend on somebody undependable in a critical national infrastructure emergency. And so that's, yeah, my advice on bridging it is clearly, Congress should help clearly [00:42:00] define, because this is where CISA gets the short end of the stick. And I feel so bad for them, is everything is a CISA thing.

If there's any issue that Congress wants to talk about with cybersecurity, CISA, why aren't you doing this? Why aren't you on election security? Why aren't you on misinformation? Why aren't you doing this? And then they held, they had some cybersecurity people that deployed down to the border wall discussion in the last administration, and like, oh, they're doing that now, too.

It's like they're the bullwhip for anything related to security and cyber; CISA is supposed to have an answer. And that's not fair to them. They're wonderful people, but they don't have an infinite budget and resources. What do we want them to do? Let's carve that out and whatever it is, it's theirs, but whatever it's not, now we have clarification that there should be markets that form and go do those other things.

Jeremiah Roe: To shift gears slightly. Um, I know we've been discussing a little bit about some of the things that have gone wrong and what could be better inside of, um, this whole systematic approach to addressing OT issues. Right. Specifically [00:43:00] speaking about operational technology and malware these days, right? Uh, previously you're going to be seeing tons and tons of malware specifically being developed for, say, Windows or for, say, those traditional, um, information technology systems.

Um, when you're seeing a huge uptick in operational technology and focus around that, are you in addition, seeing a huge uptick in the malware that's being purposely created for.

Robert Lee: No. And so are there ICS-specific malware families? Yep. Right. So Stuxnet, Havex, BlackEnergy 2, CRASHOVERRIDE, TRISIS and EKANS were, were six families of ICS malware, and two or three of those could be repurposed and used in large ways, other places. Um, and so does it exist? Sure. But it's not necessary for most of the things. If you're going to cause physical disruption,

long-term impacts, things like that, you probably want a tool to help you and that's going to be malware. And, you know, it can help you in those cases. [00:44:00] By and large, whether it's espionage, short-term disruptions, maybe even some smaller destruction that's not, um, sustained, you don't need it. It's that functionality we were talking about.

So I could use IT malware to get in. And then it's kind of living off the land with that native functionality, moving across the environments. Most of the cases we respond to, the malware is the least interesting piece of it, but that's where a lot of InfoSec wants to focus, is vulnerabilities, exploits, malware, and it's, it's...

So it's like, patching, not that patching is not useful, but it's one of the least important security controls in ICS, but it's one of the first things that people get hit over the head with. Oh, you have a vulnerable Windows system. Like, okay, now make the lights blink. I don't know, like what, wait, what am I doing that?

And so, you know, w we've got to have some maturity conversations here and I think we will see more of it in the

Jeremiah Roe: Like what's the real world impact here,

Robert Lee: Yeah. And like, and where we've seen, like, EKANS as an example, using ransomware cases where it was tuning in on various ICS Windows [00:45:00] processes. And that's interesting, but there could be some really interesting use cases of bricking certain types of controllers, mass, you know, issues down to the control level that, you know, there, there's all stuff you could do.

I don't think many of us want to get out publicly and be like, well, here's exactly what you do to take all this down, but, but there are some scenarios where malware has a place. By and large, though, it's get access and then have people that understand industrial environments get into those and you can achieve your opera...

Bella DeShantz-Cook: Um, we've been talking a lot about the threat to critical infrastructure, um, and particularly like what that looks like in the United States, how we are prepared for it or not, and, and who's involved. Um, but we also talked a little bit earlier about how some of the major, or like most well-known attacks on utilities, uh, happened [00:46:00] overseas, like Stuxnet, uh, the Ukrainian power grid, uh, Saudi Aramco in Saudi Arabia.

Um, those are all happening overseas. Uh, are you seeing more growth, um, you know, with your company, but also with this field in general? Um, overseas, uh, or, or maybe not just growth, but urgency as well in protecting critical infrastructure, um, compared to the.

Robert Lee: Yeah, absolutely. And so there's, there's different reasons. Um, differences. And we can talk about those, but, um, by and large, the awareness is there. And in some places, the awareness is more, but like, I, I also sit on the World Economic Forum, and they stood up a World Economic Forum CEO-level buy-in committee explicitly on electric and oil and gas.

And it was focused almost entirely on OT cybersecurity. And so when the World Economic Forum, with CEOs and state leaders around the world, is taking on the issue, you know, it's got some awareness. So it's, it's there and we're seeing some urgency. However, [00:47:00] I would say maturity, and this is where I don't wanna put any customers and companies and countries down, but just to have an honest, candid, transparent conversation, the awareness generally gets informed by two places.

One, you either have really close ties with an intelligence community and government that historically have been really good about informing the private sector about what they see. So where do you see a lot of maturity? The Five Eyes countries: UK, Australia and New Zealand, Canada, the United States.

They're there, and private sector have been collaborating; forget the services and the goods and stuff we were talking about earlier, awareness briefings at a board level, sharing the insights they see, that's been phenomenal. It's been there and it's helped raise the profile of it. The second place is you got attacked and you see those attacks.

You, ah, that's a big... So all across the Gulf Cooperation Council, or the GCC, the Middle East, you won't find a company that doesn't, isn't, you know, they're, they can point to their threat actors on a map. They [00:48:00] know where they are, you know, they're, they're, they're well aware that they're coming after them. The, the problem then is the maturity and the culture in those organizations to have this discussion. I was able to get in front of that, fortunately,

and say, hey CEO, your whole expectations is off. And when they left the room, they were still proud of that CSO for all the work they've been doing. And now they're reading. How many companies around the world, they have that level of maturity that they don't turn around and be like, oh, you misled us, and so on and so on?

And now there's a culture of almost hiding things and, hey, let's not surface this up to the board level, and well, let's fix this first and then we'll show it, and it never gets done or resourced appropriately. So I would say the United States, and I hope this isn't just a Western bias, but I would say the United States infrastructure companies I work with on the whole are much more mature than anywhere else in the...

for those reasons and the culture that gets built there. Um, I would say there are other regions, Australia, New Zealand, you know, Saudi Arabia, UAE, UK, Germany, other places, that they're coming up really quickly. Um, but I am very [00:49:00] worried in some of those places about the copy-and-paste-from-IT mindset. I don't see it as much in the GCC.

I see it a whole lot in Europe of, well, here's these ISO standards and here's this and here's that, and we should just apply these standards and copy and paste over OT. And it's like, ah, no, no, no, no, no. I'd rather you do

Jeremiah Roe: Did you

Robert Lee: than take your... More, absolutely more power sites have been taken down by well-intentioned IT people

than Iran, China and Russia combined. You know, please don't do the bad stuff. You either do it right, or don't.

Jeremiah Roe: So a question around taking things down, right. When attackers are nation-states or malicious entities, whatever you want to refer to them as, right, obviously nation-states have a lot of backing and a lot of resources and a lot of time at their disposal to focus towards these things. That being said, I'm curious around the specific types of TTPs, or tactics or techniques, that you, uh, your company's identifying and how that directly relates to what MITRE is putting out with regard to the OT space.

Are they [00:50:00] relevant? Are they different? And how does that tie.

Robert Lee: Absolutely. So MITRE, they're different. MITRE had their enterprise ATT&CK, right? And, uh, it was really good and I was really glad to see that come out. And yeah, I think, not speaking out of school here to say a lot of that originated in the NSA early in the days. And then MITRE did a really good job of picking it up and making it really good and then got community buy-in and published it out.

And a lot of wonderful people really took it and ran with it. And it was a good resource, but it's a lexicon. It's an ability to have conversations between people and analysts. If you do this, whatever, you know, we're done. Now, there's analytical breadth and analytical depth. Analytical breadth is, do you have coverage across the tactics?

Analytical depth is how many different ways can you prevent, detect, respond to those different tactics and the different ways they manifest. And so MITRE did a great job of launching MITRE ATT&CK for ICS. And they engaged us and I'm sure others. And we contributed all of our public knowledge and others contributed theirs, and what came out is 70 or 80 tactics and [00:51:00] techniques specific to ICS.

And on the surface, I've seen some pushback from people going, that's lateral movement. Like, yes, we also have lateral movement in ICS. Well, I could just do that with my IT stuff. Like, no, um, in your environment you might do lateral movement over these protocols; in our environment we might use lateral movement over OPC between two controllers.

And so the, the high-level language in many ways can overlap, but the way that you actually implement the detections and the prevention, response of those things changes drastically. And so I would say that there is some overlap; otherwise, it is fairly unique. And, and you know, what was fun for us, because we are biased,

we like ICS. We think ICS is special. You know, my Intel team stood, uh, sat down when MITRE reached out about this, and we tried to disprove it at first. We said, can we take all the incidents and threats we have, fit them into enterprise ATT&CK? Do we really need yet another thing? Cause [00:52:00] you know, people are tired of yet another framework or standard.

Do you really need something? And we proved to ourselves, you had to have something different and it was these 70 or 80 unique tactics and techniques you needed articulated as well. And it's going to grow over time as we get more visibility in these attacks, because you know, to one of the earlier comments, we see a lot when the attacks are taking down an electric system in Ukraine, we don't see a lot when it's preparation and espionage and so forth.

And we hear a lot about compromises in electric utilities, because they're pretty mature and they're looking. We don't hear a lot about that in mining companies. Is it that the adversaries aren't interested in mining, or is it that most of those companies haven't started their OT security programs yet? And so we're not seeing that.

And so I usually joke with people, we have the equivalency of, like, Schrödinger's ICS. There's a lot of us that need to start opening up the box and figure out what school.

Bella DeShantz-Cook: So I want to talk a little bit about something that I think we often end up talking about on this podcast is like, uh, working in tech and cybersecurity, just like what that's [00:53:00] like. And, um, I saw something interesting, uh, on, I think I thought, I think I saw it on your Twitter, uh, that you've really emphasized compensation, transparency at Dragos.

And I wanted to know why that's important for you and how compensation transparency affects employees or future employees, or, like, you know, the

Jeremiah Roe: Which is a huge topic right now, by the way, interestingly.

Robert Lee: Yeah. I love doing stuff that everyone says you shouldn't do. If that's not a theme in my life. Everyone's like, ah, you shouldn't do ICS. No, the market won't move, and people don't care, and blah, blah. I was like, well, let's do it anyway. Then everyone's like, oh, ICS is big. And then we do pay transparency, like, oh, you can't do that.

People will poach your people, whatever. Like, they're not my people. What are you talking about? And it's like, of course we should. And so, anyway, there's a lot of stuff at Dragos that we do that's different. And some of it's smart; I'm sure some of it's probably not. You know, back in the day, we don't have capture forms, whether it's a white paper or webinar or whatever else.

I always hated putting in my email for people. I was like, screw it, we're not gonna do it. If they like what we [00:54:00] do, thank you for taking the time to go read it, they'll come back and contact us. All my marketing people originally: oh, you can't do that, we'll sacrifice leads. And I'm like, we won't do it. And the next thing I know, I turned around and other companies started copying it, because people were tweeting angrily at these other companies, well, Dragos doesn't do it. And I'm like, okay, it's working.

But to your point, a couple of the things we do. Number one, we have complete pay transparency. On our applications, on the job website, we list exactly what the salary is. And then we tell you, in addition, here's how we value the equity and the benefits and everything else.

And that's the total compensation package. So you get to make an informed choice, and there's no negotiation; it is that package. If that package works for you, great. If it doesn't, don't. And what that's done, besides the obvious of helping some people self-select out, which has its pros and cons, is it also sort of avoids some of the classic abuses.

Now, we still have to monitor everything else as well. You don't get out of sexism, [00:55:00] racism, biases, et cetera, in one fell swoop. But it helps put a dent in it, to say, you know what, historically, by any research we can find, white men tend to be more aggressive in negotiating compensation packages than people that are at some level underrepresented.

And we remove that and say, screw it. You know, if you can do that position, then you should be getting that. Let's take the negotiation out of it. And another thing we do is that pay is the same as what that person makes internally. And if you're in that career path, so let's say you're one of our engineers or one of our service analysts or whatever else, you have full pay transparency, even up to the VP of

Here's what everybody in my career path makes. And what that allows is more informed choices. So you can sit there and go, hey, if I got promoted three times, what would I be making? And now you can make a choice about whether it's worthwhile to stick around, and you can have an informed choice, and then you're not bitter about it.

You may leave sooner, you may stay longer, but you're not upset about it, because you had all the information to make a good choice. But if we [00:56:00] decide, and we do this all the time, we might find that the market's changed, and it's changing a lot in, like, engineering. A hundred percent of our engineers are in the United States.

We don't outsource anything where it's related to our product, because if we're deploying software into, like, nuclear power plants and similar, I'd like control of the supply chain. It's not that I have anything against other countries' teams, but I'd like to have full control over it. So a hundred percent of our developers are in the United States, and the United States engineering market is intense.

And so every now and then we have to adjust, but if we adjust to go get someone, everybody internally at that level also gets that same adjustment. So then nobody ever feels that they got screwed over or whatever else. And routinely people are getting pay bumps that they weren't even, you know, articulating or negotiating for, because that's what the market said.

And we never take it down either. If the market changes downward, it only benefits you. So I feel that, wow, we may not always be the highest paying compared to everybody. Like, somebody came along and said, hey, Amazon's offering this person 60K more. I was like, yeah, they're a little bit [00:57:00] bigger than us.

It's okay. You know, I hope the intangibles, the value of our equity and the work-from-home aspect that we've always had, the culture, everything else, is enough. But if it's not, that's fine. Good. Thank you for being a Dragos alumni, have fun. You know, we wanted this to be a step in your career. We don't expect you to stick around for 20 years.

And so I just believe in letting people have all the information to make informed choices, and if they do that, then they're going to be happier, more productive. You know, they're going to be better team members, and when it's their time to leave, they're going to do it on their terms and it's going to be a good discussion.

And so, a level of transparency: pay transparency, job descriptions for everything. No more than three interviews; we don't waste your time. You know, we do a number of things just to try to make this easier. And we did it because we felt it was the right thing to do, but on the back side it also turns out we now start having data to go, oh, it's actually also beneficial to them.

Jeremiah Roe: I think that's a huge step in the right direction. So first off, for what it's worth, I'd like to commend you on that. I think it's hugely mature of you and your organization, and I [00:58:00] appreciate that. So, a little bit of a switch, because we're coming up a little bit, I wanted to ask you lastly a question that we ask all of our guests, which is also something that we ask new personnel here as well.

What's something that we couldn't tell about you by looking at your LinkedIn profile or company?

Robert Lee: No. It's going to be a cliché thing, I'm sure, but I'm massively introverted. And, like, people see me author SANS classes, get up on stage, places and whatever else, and do all this stuff, and I think they assume that I like the limelight or whatever else. My happy place is sweatpants at home with my wife and my three-year-old. We don't talk.

We just sit in a room, drink some tea, enjoy life. Like, I can't stand talking to people, hanging out, doing anything like that. And so I enjoy these types of things because it's value to the community and people can learn things and all that, but it's not that I dislike anybody when they're like, oh, let's [00:59:00] meet up sometime.

Let's go to the bar and do whatever. I don't think I've ever accepted one of those. It's not that I don't like the person. I just really don't. I get my energy from being alone, not from any of this. It's, again, I want my kid to have lights and water, so I'm willing to do it.

Jeremiah Roe: Thank you so much for your time. I've got a three-year-old as well. I'm actually doing dad duty right now, as I'm babysitting while she's sleeping. So yeah, man, a three-year-old daughter. That's really awesome. Again, I'm really stoked that you even came on the show.

Thank you so much for your time.

Bella DeShantz-Cook: Yeah, this was a great conversation.