
728: Lower Your Risk of Being Hacked, with Qasim Ijaz

It’s not the user that is the weakest link.
https://media.blubrry.com/coaching_for_leaders/content.blubrry.com/coaching_for_leaders/CFL728.mp3


Qasim Ijaz

Qasim Ijaz is the director of cybersecurity at a leading healthcare organization, overseeing detection, incident response, vulnerability management, purple teaming, and cybersecurity engineering. With a strong background in offensive security and risk management, he has helped organizations strengthen their defenses against evolving threats. He is also a dedicated educator, mentoring professionals and sharing his expertise at conferences such as BSides and Black Hat.

You don’t need to go far in the news these days to find out that another organization was hacked. Data breaches are a nightmare scenario for both leaders and the people they support. In this episode, Qasim and I explore what you and your team can do to be a bit more prepared.

Key Points

  • Use multi-factor authentication, passphrases, and a password manager.
  • Freeze your personal credit reports. Do this for free directly with Experian, Equifax, and TransUnion.
  • Leaders in bigger roles (executives, CEOs, board members) are larger targets for hackers due to their access and also their ability to occasionally side-step organizational guidelines.
  • It’s the non-technical pieces of a cyber response that organizations are least prepared for.
  • Conduct incident response and disaster recovery tabletop exercises to uncover vulnerabilities before an attack.
  • Regardless of organizational policy, employees will use AI. The best prevention assumes the inevitability of human behavior and works with it to improve systems.

Resources Mentioned

  • Recommended password managers: 1Password, Apple password app, Proton Pass
  • Critical Security Controls by the Center for Internet Security
  • Resources for Small and Medium Businesses by the Cybersecurity & Infrastructure Security Agency
  • 2024 Data Breach Investigations Report by Verizon Business

Related Episodes

  • Dumb Things Smart People Do With Money, with Jill Schlesinger (episode 396)
  • Where to Start When Inheriting a Team in Crisis, with Lynn Perry Wooten (episode 603)
  • How to Use AI to Think Better, with José Antonio Bowen (episode 689)


Lower Your Risk of Being Hacked, with Qasim Ijaz


Dave Stachowiak [00:00:00]:
You don’t need to go far in the news these days to find out that another organization was hacked. Data breaches are a nightmare scenario for both leaders and the people they support. In this episode, what you and your team can do to be a bit more prepared. This is Coaching for Leaders episode 728. Production Credit: Produced by Innovate Learning, maximizing human potential.

Dave Stachowiak [00:00:39]:
Greetings to you from Orange County, California. This is Coaching for Leaders, and I’m your host, Dave Stachowiak. Leaders aren’t born, they’re made. And this weekly show helps you discover leadership wisdom through insightful conversations. So often on this show, we are talking about the people aspects of leadership that is critical to the work of leaders. And, of course, we live in a world where so much is driven by the technology around us. Having a foundational understanding of technology, security, and what we need to do to prevent the worst case situations is essential for leaders of all kinds, whether you’re a professional in this space or as many of us are not, being able to understand some of the foundational concepts. And by the way, so much of it comes back to the people practices too as we’re gonna talk about in this conversation. I am so pleased to welcome Qasim Ijaz. He is the director of cybersecurity at a leading health care organization, overseeing detection, incident response, vulnerability management, purple teaming, and cybersecurity engineering. With a strong background in offensive security and risk management, he has helped organizations strengthen their defenses against evolving threats.

Dave Stachowiak [00:01:43]:
He’s also a dedicated educator, mentoring professionals, and sharing his expertise at conferences such as BSides and Black Hat. Qasim’s also an alum of our academy. Qasim, so good to have you here.

Qasim Ijaz [00:01:55]:
So glad to be here, Dave.

Dave Stachowiak [00:01:57]:
I’ve been looking forward to this conversation for a while because this is something that I think we all know is a huge issue of how do I keep from getting hacked personally, but also what are the organizational and team implications of this. We’ve all certainly heard about this. We’ve seen it in the media. We’ve seen the practices from organizations. But today, I think it would be helpful just to kind of what are the foundational things that we should know? And before we get into that, I’d love to just talk a bit about a term I think a lot of people have heard of, I’ve certainly heard of, is ethical hacking. Could you tell us a bit about that term and just your background and what it is?

Qasim Ijaz [00:02:37]:
Yes. Definitely. I remember the first time I used the word ethical hacking, there was a laughter in the room. And now we have come to the time in our lives where it has started to become more and more common and important. Ethical hacking or offensive security, as it’s also called, is you are hiring a cybersecurity professional to attack your organization, its people, its users, its applications, networks to identify and exploit weaknesses. And the objective there always ends up being and as it should be is to help you understand the impact a threat actor will have and then help you prioritize what you need to fix.

Dave Stachowiak [00:03:25]:
So if this is a Star Wars episode, you are wielding a blue or green light saber and not a red one. Right?

Qasim Ijaz [00:03:32]:
That is correct. And I think with that analogy, you are going to attract a lot of offensive security engineers to your podcast.

Dave Stachowiak [00:03:41]:
Indeed. Well, we we’re gonna look through a few lenses of this conversation, and let’s start with just some personal practices because we’re gonna get to the team and organizational lenses of looking at this. All of us can benefit from better personal practices and also just being aware of what’s happening in the world right now on this. And you are in the midst of this every day. And one of the things I know you’re big on recommending to folks is good password hygiene and passphrases and password managers. And I know some people in our audience use those as you and I do. Some people don’t. When you are talking with someone about this and just beginning on the foundational levels, where do you invite folks to begin?

Qasim Ijaz [00:04:26]:
My first recommendation to folks with that is start with multifactor authentication. I always fight over should I recommend better passwords or something else. And what it comes down to is if you are using multifactor authentication, that’s where the website, for example, your bank will send you a text message or you have an application on your phone or you have a token like YubiKey that gives you another code that you have to put into the website in addition to your password to log in. So you, one, you are proving that you are who you say. You are using something you know, and secondly, something you have, your password and maybe that phone, that code. So by using that MFA, that multifactor authentication, we have often been stopped, us ethical hackers, performing that engagement with the client. We figured out somebody’s password by either just guessing. Quite often, you would have company name one two three, welcome one two three.

Qasim Ijaz [00:05:29]:
You have your dog’s name as your password, or you’re using that same password with multiple websites. You had this password with your work account. You also used it on Adobe, on MyFitnessPal, on Facebook, on LinkedIn, and they all had data breaches at some point. When we go in and try to get into an organization or when the threat actors try to get into a personal account, they are looking for those publicly available data breaches. One of the more common ones I end up using is from Myspace from 2008, and those passwords still work.

Dave Stachowiak [00:06:07]:
Oh, wow.

Qasim Ijaz [00:06:08]:
And with that, what you end up with is even if I found a password of yours and tried to log in, because you had MFA, I was stopped. And now you know somebody started to get into your account. Secondly, I highly, highly recommend passphrases over passwords. Instead of trying to come up with an eight character randomly generated password with uppercase, lowercase, special characters, maybe, you know, a blood sample, try to instead use a long passphrase. Look around the room, pick four to six different objects, put them together. That is going to be an exponentially better credential than your randomly generated eight character password.

Dave Stachowiak [00:06:56]:
What is it that makes that better?

Qasim Ijaz [00:06:58]:
It’s the length because when the computers are trying to guess or humans are trying to guess, we are always running up against the exponential difficulty that every single character adds. So you’ve got a number of alphabets. There’s a possibility the person had it in a different order. Maybe they added a space in the middle. Maybe they used a word that I know. Maybe they didn’t. Right? If I’m trying to get into your account, for example, I may use something like coaching for leaders one two three. Maybe that’s a password.

Qasim Ijaz [00:07:30]:
But if you had used a passphrase by looking around the room, picking four objects, by thinking of your favorite song, something like that, it would make it much harder for me to get in because the length would be much longer too, and so would be the pool from where I have to pick that password from, guess that from.

Dave Stachowiak [00:07:48]:
So many of us have so many different passwords, and I know that’s one of the reasons you also recommend using a password manager to keep track of things. And I think you said something really big a moment ago that I think a lot of times people don’t think of when they think of security. They say, okay. I’ve got my password. Maybe I’ve got my favorite password, and I use it a lot of services. And I’m really careful about it, and I keep it safe, and I never tell anyone the password. And it’s long, and it’s 20 characters, whatever. The thing I think sometimes people don’t think about is that that organization that you’re using the password with may themselves get hacked.

Dave Stachowiak [00:08:27]:
And as you point out, then the hackers have that information, and then they try that password with your credentials on all the other services, banks, places. That’s how a lot of these hacks happen, isn’t it?

Qasim Ijaz [00:08:40]:
That is correct. That is one of the most common ways this happens. And if you go to Telegram channels or dark web forums, you’re seeing a lot of the stolen credentials like that being sold. Quite often, you can get millions of them for free. Quite a few of us in offensive security, ethical hacking field have copies of LinkedIn data breaches, MyFitnessPal data breaches that we just choose from every time. So, yeah, use a password manager that will create a new password for every website you use, and your phone may already have one built in. Your computer may already have one built in. Use it.

Qasim Ijaz [00:09:20]:
That may be the easiest one. There are some third parties you can use. In fact, I would go as far as saying you could also and I’m giving you this permission as an ethical hacker, as a cybersecurity professional. You can use a notebook as long as you protect it just like you protect your wallet.

Dave Stachowiak [00:09:39]:
How would you use a notebook?

Qasim Ijaz [00:09:41]:
I’ve had a lot of folks I’ve seen use notebooks with write down the username and password in there. I mean, it’s not the most secure way of doing this. But if I’m trying to help my grandma with password managers, it is such a difficult thing to do for myself as a cybersecurity professional. Imagine how my grandma would feel, how she would have trouble using it. But she already knows how to use a notebook. She can write things down so she could write down her usernames and passwords and protect it. Now as I’m talking about it, I can feel my fellow cybersecurity professionals just furious. But when it comes down to it, Dave, if the solution is not usable, if it is not user friendly, the users are not going to adopt it.

Qasim Ijaz [00:10:30]:
So I would rather have a somewhat secure solution that folks, the typical users can utilize than a solution that people just don’t want to adopt even though it’s very secure. Now somebody in our age bracket, very well works with phones. Yes, definitely. Use your Apple, your Samsung, your Google’s password manager or use the ones that your organization may recommend.

Dave Stachowiak [00:10:57]:
You also suggest thinking about freezing credit. And I don’t know actually as I’m saying that, like, if this is just a thing in The States or if it’s worldwide. Do you know as far as credit freezes how that works?

Qasim Ijaz [00:11:11]:
I actually do not know how that works outside of The States.

Dave Stachowiak [00:11:15]:
Yeah. I don’t either.

Qasim Ijaz [00:11:16]:
In The States though, definitely recommend freezing your credit because there have been so many data breaches of not just passwords. We talked about the passwords earlier, but also your Social Security number, your home address, your favorite child’s name, and their date of birth. All of that information can be very easily obtained thanks to data breaches from Equifax, Office of Personnel Management, Target, Home Depot. Many brands that you shop at have had data breaches. And many companies you have worked with in the past, maybe they have your HR profiles, well, they may have had data breaches. Lastly, because of the lack of cybersecurity and privacy laws that we have in The States, there are a lot of data brokers that are obtaining information from places you shop, from your credit reports, from many other places to build a profile on you. Cybercriminals can utilize that to build new identities. They can use that to shop on your behalf, apply for credit on your behalf.

Qasim Ijaz [00:12:27]:
So organizations like TransUnion, Experian, Equifax, they allow you to freeze your credit report for free. It’s a very quick process. I recently had to do it myself where I was applying for a loan, and the creditor asked for me to unfreeze my report. I was able to do that instantaneously using Equifax app, and they were able to run my credit. I went back and froze it right away. So if the threat actor tries to apply for credit on your behalf using your stolen information, they will not be able to because your report is frozen.

Dave Stachowiak [00:13:03]:
And you said something really big there that how simple and easy it is to freeze and unfreeze if you’re the person who’s doing it these days. I think I had first heard the good advice to freeze credit reports, I don’t know, ten or fifteen years ago. And I hesitated initially because I’d also heard the stories of, like, okay. If you do need credit, like, all the hoops you had to go through to unfreeze it again and then refreeze it. And I don’t know if that was true back then, but it’s certainly not true now. It is so easy. It just takes a few minutes to unfreeze, refreeze it through all the digital tools that all the credit agencies have. And it’s such a simple thing to set up.

Dave Stachowiak [00:13:39]:
I mean, it does take a few minutes to do it the first time, but, boy, for you and your family to set up, it is, it’s just a best practice for everyone to be doing these days.

Qasim Ijaz [00:13:47]:
Definitely. And as we’re talking about this, see my ethical hacker brain, my offensive security brain comes into play. When you go and Google search how to freeze your credit report, remember, you do not need third party tools to do it for you. You can go to Equifax, TransUnion, and Experian’s website. Don’t fall for any sort of scams online where they will tell you they will do it for you, but they’re stealing your information.

Dave Stachowiak [00:14:15]:
Yeah. I’d say a good flag for that would be if someone’s asking you to pay money, you’re not going through the agencies, right, because the agencies allow you to do it for free.

Qasim Ijaz [00:14:23]:
Exactly. That is a really good flag to keep an eye on.

Dave Stachowiak [00:14:26]:
Nice. Okay. Alright. So some personal practices there. One of the things that really is eye opening to me, and you have shared this with me and a few folks in our community, you’ve actually screen shared and walked through the practice you and your colleagues use of pulling up databases of Gmail accounts and passwords.

Dave Stachowiak [00:14:44]:
And, like, how many of these databases there’s just so much information. And I’m wondering if maybe you could walk us through when you’re targeting an organization to, like, they’ve hired you to come in. How do you do that? What’s available out there that you can use to try to get access?

Qasim Ijaz [00:15:05]:
That is maybe a course or a podcast in itself, but I’ll try to summarize it. And it’s such an amazing topic because the first time I came across that data that is available about myself, about my family and my friends on the Internet, it was mind boggling. And the way we would utilize this in our engagements is I’m trying to go after ABC Inc. I’m going to Google their name, try to find out where they’re located, look at LinkedIn. LinkedIn will have all of their employee names because everybody is signed up on LinkedIn. For your personal safety, maybe I will take a look at Facebook, Instagram, Snapchat. Snapchat now has a feature, and it may have had that for a while, where you can share your location with your friends or you can make it public.

Qasim Ijaz [00:15:55]:
That sort of feature, I see a lot of safety problems with. So I will take a look at information like that. If I’m trying to break in publicly into an organization, let’s take a look at their Facebook. Maybe somebody posted pictures from a holiday party, and I can see what their badges look like that I may have to clone to get into the building. Maybe I can see what sort of dress code people wear. Are they wearing very business casual? Are they wearing suits and ties? That kind of info. I will also, as I have built the list of employees on LinkedIn, take that to data brokers that are gathering data from places you shop, from your credit reports, from many other data sources available. This will include your name, your date of birth, your home address, the history of addresses you have lived at.

Qasim Ijaz [00:16:49]:
Last time I looked for myself, I found last 10 addresses going all the way back to school times.

Dave Stachowiak [00:16:55]:
Wow.

Qasim Ijaz [00:16:56]:
And then from there, you can also start to build who their neighbors were, who are they related to, what email addresses have they used. Put that email address into data breaches I was talking about earlier, you know, from Myspace, from MyFitnessPal, Adobe, LinkedIn. You start to get their passwords. Now I know what kind of car this person drives, what their home addresses are, who else lives at that home address, what their phone number is, where they work, and what their password is. All of this information can be obtained for free, and to this day it scares me every time I think about it.

Dave Stachowiak [00:17:34]:
Yeah. And it’s really shocking, like, when you first see it, like, how much is publicly available and accessible or for a very small investment of someone who’s doing this nefariously, how they can access so much information. And one of the things that’s, like, really interesting and a bit scary with this too is when you and your team go in and you’re thinking about, like, alright. How do we get access to an organization either physically or digitally? Is you tend to target board members, CEOs, people who have power in the organization. What’s the reason you target those folks, and how does that play out?

Qasim Ijaz [00:18:18]:
One of the reasons we’ll target those folks is because of the access they will have to employee records, to financial records, then also the information we can glean from those employees, those C-suite inboxes, can help us build a sort of a reputation profile. Imagine if I went to the CEO’s Twitter account and saw that the CEO is following a very certain industry of people, or they’re following a very specific political party quite often. That in itself could have an impact on the organization’s reputation. Imagine if we found how much the CEO makes for maybe a privately held company where the information is not public. Now share that info with the employees, share that publicly, and that can have an impact on employee morale, or it can have an impact on just the reputation of the company. I remember we were delivering an offensive security report to a manufacturing plant a few years ago, and we were doing this remotely where the client was sitting in a conference room looking at the front wall that we could see. Basically, they were looking at a monitor there with a camera. And all of a sudden, I see the CFO get up, walk towards the screen, and you could see his face in the camera.

Qasim Ijaz [00:19:42]:
That’s how close he was to it because that’s right where the monitor was. And he goes, that is our CEO’s passport. How did you get his passport? And turns out that passport was very easily publicly available to any employee of the company. Imagine if a disgruntled employee can get access to it. They could probably use that to impersonate them for quite a few different things.

Dave Stachowiak [00:20:07]:
There’s a power dynamic here at play too, I’m guessing, that if you’re the CEO or have a position of significance in your organization, you might be the person who has decided either consciously or unconsciously that, like, oh, maybe I don’t need to follow this security practice. And maybe IT or whoever’s pushed back on you, but because you’re a person with power, maybe you get to not do some of the things that other people need to do in the organization. Do you run into that?

Qasim Ijaz [00:20:43]:
Oh my god. So often. So often, Dave. I remember one of my favorite clients, and I call them favorite because they really were very good at their cybersecurity. They were always following their recommendations very quickly, except they never could get their CEO to change their password. And the CEO’s password was the company’s name, all lowercase.

Dave Stachowiak [00:21:09]:
Oh, no.

Qasim Ijaz [00:21:10]:
And it took us getting into the CEO’s inbox and emailing a few board members with it. The email content was basically, hey. This is us. We are doing a penetration test. Nothing to worry about. But what we are trying to portray there is, look, if somebody had gained access to your inbox and they had sent something derogatory to your board, they had sent something negative to the employees or to local media, how bad that could be.

Dave Stachowiak [00:21:38]:
Okay. This is a good transition then to the organizational, like, big piece of this, thinking about some of the strategy behind this. And you mentioned to me one of the key principles, which there’s been elements of this we’ve already hit in our conversation is it’s the nontechnical pieces of cyber response that organizations aren’t prepared for. That usually people have the technology down better than the nontechnical stuff. Tell me about that distinction.

Qasim Ijaz [00:22:10]:
I’ll start with an example. There’s this practice we like to do, and I’ll recommend it, is incident response tabletop exercises or disaster recovery tabletop exercises. You are testing out how resilient you are to attacks, how resilient you are to maybe a tornado hitting your headquarters and everybody has to go home. Or COVID or another pandemic hits, and now everybody all of a sudden is working remotely. How prepared are you for that? And we were doing something similar a while back with a hospital, and the scenario we were using was a ransomware strain attacks the organization. A threat actor has attacked, deployed ransomware, and now the electronic medical record system where all the patient records are has shut down. Your nurses, your clinicians, your doctors are unable to access patient records. The IT lead for the organization stood up and said, well, our response to that is we will just shut down all network access.

Qasim Ijaz [00:23:13]:
All Internet access coming in or leaving the organization will be shut down. And then we will start to investigate what caused the incident, how can we eradicate it. And that on its face value seemed like a really good idea, except the physical security director stands up and goes, well, problem with this is all of our badge readers and doors and any sort of physical security mechanisms are going to also shut down when you shut down any sort of network access. We will have no cameras. All the doors to the hospital will be left open, and we’ll have no way of knowing who came and left. So when we think about that nontechnical piece to it, it’s understanding what your organization’s capabilities are, what its responsibilities are. If that hospital’s patient records were stolen, for example, do they know what their responsibility is for notifying those patients, what their responsibility is to notify the regulatory authorities? Do they need to call FBI? If they need to call FBI, are they going to call some 1-800 number they got from Google, or do they have a contact at FBI? So the way to really test that and understand it is you need to perform periodic, and I would say at least annual, although my recommendation would be quarterly, tabletop exercises. Just get together.

Qasim Ijaz [00:24:35]:
Somebody from the C-suite, somebody from IT, somebody from HR, somebody from public relations, marketing, sales, and just talk about your disasters that could occur in your area or a cybersecurity incident happens and how you will respond to it. There is a really good agency, CISA, that releases a lot of good material for tabletop exercises, and they already have slide decks prepared that you could use to perform these exercises.

Dave Stachowiak [00:25:07]:
So even if you don’t hire a firm to come in and do this, you could, as a starting point, if you’ve never done this before, use the CISA materials, begin there, start asking the questions. And this all comes to, like, the principle, like, for so many things, but for cybersecurity too, of you don’t wanna formulate a plan mid crisis. You wanna think through in advance. Yes. Every situation is gonna be different. But if you’ve got a plan going into it, you’re way more likely to respond in a proactive way.

Qasim Ijaz [00:25:34]:
Definitely. And I think as we’re talking about this, there may be some organizations thinking we have cyber risk insurance. We will be fine. However, cyber risk insurance is starting to realize that they are having to pay a lot more, and they’re starting to make business decisions around, did you actually try to protect yourself? And as you are in the midst of an incident, your cyber risk insurance may have their own requirements. Maybe they want to bring their own incident responders. So talk to your cyber risk insurance if you have one. If you don’t have one, maybe go and get one because that is going to help you a lot.

Dave Stachowiak [00:26:16]:
Cool. Alright. Two other things I wanna ask you on just what’s happening in the world right now, AI. AI is huge. Every organization has different rules and processes for how they’re using AI or not. When you’re seeing this through the lens of people staying safe themselves, their organizations, preventing from getting hacked, how does AI play a role in that?

Qasim Ijaz [00:26:41]:
I think it’s important for leaders in organizations to realize that AI is already here. Your users are already utilizing it. Your third party applications like your HR portal may already have an AI. Your email provider already has an AI. Your users with iPhones already have AI in them. So as a leader, work with your policy departments, with your cybersecurity department to build a strategy, a policy around how you will enable your users to use AI at work. If you’re not doing that, if you are just going to pretend that your users are not using AI, you’re going to just tell them not to use it. They’ll just use their personal devices, and they will dump your organizational data into ChatGPT, for example, and ask it to give them some solutions.

Qasim Ijaz [00:27:40]:
It happened at Samsung a couple years ago. I think it was 2023. Samsung engineers, they uploaded some source code and intellectual property to ChatGPT to ask it for help. I think they were just trying to solve this computer engineering problem, trying to help it write code. And it’s really good at that. It has helped me write a lot of really good code. It has helped me write a lot of good documentation because my organization enables me to use AI, and they have used, I believe we utilize Copilot. It has an enterprise model where your data governance policies can be applied.

Qasim Ijaz [00:28:18]:
I work with a zoo, and they have ChatGPT enterprise model, which also allows them to apply their data governance policies. So train your users to be careful, to be good with their AI usage, train them on your organization’s policies around AI hygiene, and enable them. It’s going to make you a better organization. It’s going to help you with innovation while also staying secure and keeping your intellectual property confidential.

Dave Stachowiak [00:28:48]:
Boy, the key point for me there is people are gonna use it regardless. Like, whatever you say or do and, like, the assumption that, like, okay. We’ve locked it down and people don’t have access. They’re just gonna go to their personal devices. Just like you were saying earlier. Okay. We have to be real with this stuff, talking about passwords earlier and thinking about the notebook. You’ve gotta have the reality of, like, how people are gonna behave in a real situation.

Dave Stachowiak [00:29:09]:
So accepting that reality and then working within it is so key. And speaking of reality, we didn’t talk about the word backups yet. And I know folks who work for large enterprises, they have a team that’s probably figured this out, hopefully. But small, medium sized organizations, personal practices, that’s key in this too. If something does happen, you’ve got something you can go back to. Right?

Qasim Ijaz [00:29:30]:
Definitely. And that backup has to have some sort of strategy behind it. Now, don’t just copy-paste files into a backup and call it good. You need to make sure that you’re able to recover those files. There are two terms that we utilize whenever we talk about backups in the cybersecurity industry and in the IT industry. That is your recovery time objective and your recovery point objective. How far back can you go and how quickly can you go that far back? Quite often, when we have cyber attacks happening, the ransomware strains and other threat actors are also going after backups and trying to delete them. So that way, you just have no way of recovering, and they can force you to pay, which, by the way, even if you paid a ransomware actor, there’s really no guarantee they’re going to help you recover.

Qasim Ijaz [00:30:20]:
They’ll likely just let other threat actors know that you pay so they can target you too. So back to backups. Ensure that you have solid backups that go as far back as your business needs are and that they’re not sitting next to each other. There was one time I was doing an assessment against a hospital, and I saw their backup server sitting on top of a fridge in a kitchen. I was not happy with that, and I think that very much was the case with their IT director too. So ensure your backup servers are maybe in a different region. Maybe utilize backup possibilities that the cloud offers nowadays with OneDrive, SharePoint, AWS from Amazon Web Services. Those kinds of solutions are a bad idea.

Qasim Ijaz [00:31:12]:
Just know where you’re backing up, how far you need to back up, and how quickly you can recover before your business no longer exists.

Dave Stachowiak [00:31:21]:
And it is the reality that a lot of organizations, when they experience an attack, it takes down operations for a while, and sometimes it takes down an organization, unfortunately. And so, like, just doing some of these practices can be a good starting point. And we’re gonna put notes and resources in the episode notes, and some of the places that folks may use as starting points for this. If you’re hearing this and thinking, oh, gosh, you know, I’m hearing some things that we haven’t thought about as an organization, or maybe I haven’t thought about doing personally. As a good starting point for that, we’ll have a few recommendations of some of the more popular services out there. Qasim, before I let you go, you’ve listened to the show for a while. You’ve been part of our community.

Dave Stachowiak [00:32:01]:
I know you know I ask people a lot, like, what they’ve changed their minds on. As you think about navigating this world today, helping protect your clients, helping protect your organization, advising people on the best practices, I’m curious, like, what, if anything, have you changed your mind on in the recent past?

Qasim Ijaz [00:32:18]:
Dave, when I was starting out as a cybersecurity professional, the training material, instructors, other professionals, people much more senior than me, instilled in my mind that the user is your weakest link. Whenever a breach is going to occur, it’s going to be because a user clicked something, because a user used a bad password. And after this many years of working in cybersecurity and helping organizations, what I’ve come to realize is it’s not the user that is the weakest link. It’s our processes, our policies, our bad cybersecurity culture in the organization that is the weakest link. An example of that would be our cybersecurity awareness training that we give to our employees every year, that we force them to go through, is extremely boring. I will admit on this podcast, I just clicked through it really quickly to get through that because it’s just boring. The computer configurations that we deploy in organizations, usually, we just leave the default configurations that Microsoft and Apple and other organizations build for a wider array of organizations who may have some needs that may not be fully secure, but we are not doing enough to ensure our systems are securely hardened before we deploy them. We are not sending our IT teams to security training, security seminars, to security conferences, and we’re deploying things like our cameras and printers with default passwords.

Qasim Ijaz [00:33:54]:
But all of those problems exist. When we are using software that is ten, fifteen years old, I don’t think it’s the user’s problem. I don’t think the user is to blame. I would like to start seeing the change occur with how we hold security in our organizational culture, how we adapt that into our organizational culture, and maybe make the user training much more fun.

Dave Stachowiak [00:34:21]:
Qasim Ijaz is a director of cybersecurity at a leading healthcare organization and a longtime member of our community. Qasim, thank you so much for sharing your expertise with us. I so appreciate it.

Qasim Ijaz [00:34:32]:
Thanks, Dave. Thank you for having me.

Dave Stachowiak [00:34:40]:
If this conversation was helpful to you, three related episodes I’d recommend. One of them is episode 396, Dumb Things Smart People Do with Their Money. Jill Schlesinger was my guest on that episode. Jill, the host of the Jill on Money podcast that I’ve been following for many years, has been so gracious to come on the show a couple of times over the years and teach us a topic that I think leaders do need to know about, not only for their own finances, but also to be able to have context for conversations around compensation and so many of the personal finance topics that do come up in organizations and in leading people. In that episode, Jill walked through some of the common mistakes she sees really smart people make with their personal finances. We talked about credit reports in this conversation; there’s more on that in that episode. Again, that’s episode 396. Also recommended, episode 603, Where to Start When Inheriting a Team in Crisis.

Dave Stachowiak [00:35:32]:
Lynn Perry Wooten was my guest on that episode. We talked about her process of working through COVID, leading a university, and also all of the research that she has done around crisis management and then needing to walk that talk and actually put her research into practice in real time during COVID. We looked at some of the key tenets of that and where to begin if you are inheriting a situation like that. I hope that’s not you, but if it is, episode 603 is a starting point for you. And then we mentioned AI a little bit in this conversation. I’d recommend episode 689 as well, How to Use AI to Think Better. Jose Antonio Bowen was my guest on that episode, and he furthers the point that Qasim made today that your employees are gonna be using AI whether you are or not, whether there’s a policy to use it or not.

Dave Stachowiak [00:36:21]:
And so understanding all of the aspects, or at least some of the aspects, on where to begin with AI, how people are using it, and how you might use it as a tool to think better even if you’re not doing that yourself. Episode 689 is an important conversation for you. All of those episodes you can find on the coachingforleaders.com website. I’m inviting you today to set up your free membership at coachingforleaders.com because when you do, you’re gonna get access to the entire library of podcasts available since 2011. All the episodes there, searchable by topic. You can find exactly what you’re looking for. In addition, a bunch of things that aren’t on the podcast apps or on the public feeds: the audio courses. There are about a dozen audio courses that I have produced over the years that I think will really help you to drill down on some really key aspects of leadership. They’re all available for free.

Dave Stachowiak [00:37:11]:
They’re all part of the free membership. If you set up your free membership at coachingforleaders.com, you’ll get full access to all of that. And just the other day, I was listening and talking with one of our members who was telling me that he’s working on trying to get better at a specific leadership skill, and he’s finding he’s running into lots of obstacles and lots of headwinds in his organization, with tons happening and not being able to dedicate the time to try and improve a skill. I know I’ve run into that so many times in my career, and I know virtually everyone listening has as well. When you’re trying to get traction on something and you can’t, what do you do? Well, a lot of times our first thought is I need to do more. I need to work harder. I need to make more commitments. I need to set more goals.

Dave Stachowiak [00:37:55]:
I need to put more on my task list. My invitation to him was actually the exact opposite: how, by doing less, he can actually get a little bit more traction. So that’s the topic of one of my recent journal entries on Coaching for Leaders Plus. Every single week, I’m sitting down. I am spending a few hours writing up a journal entry that I think will be really helpful for you and your leadership, related to one of the topics we’ve talked about on the show, one of the guest experts, and also many of the topics I’m hearing regularly from our listeners and members, the things they’re struggling with, and what the next steps are on that. It’s all part of Coaching for Leaders Plus. To find out more, go over to coachingforleaders.plus.

Dave Stachowiak [00:38:37]:
Coaching for Leaders is edited by Andrew Kroeger. Production support is provided by Sierra Priest. Next week, we’re taking a tiny detour from our normal core leadership topics on a topic that I think is also really important for many leaders: how to lead well at home, specifically, how to lead well with kids. Many of us have kids in our lives, and we’re always looking for the best ways to be great leaders, not just professionally, but also personally too. I’m so pleased next week to welcome John Fogel. We’re gonna be having a conversation about how to raise kids without raising your voice. Join me for that conversation with John, and see you back on Monday.

Topic Areas: Technology

Coaching for Leaders Podcast

This Monday show helps you discover leadership wisdom through insightful conversations. Independently produced weekly since 2011, Dave Stachowiak brings perspective from a thriving, global leadership academy of managers, executives, and business owners, plus more than 15 years of leadership at Dale Carnegie.

Copyright © 2025 · Innovate Learning, LLC