Smashing Security podcast #439: A breach, a burnout, and a bit of Fleetwood Mac

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

A critical infrastructure hack hits the headlines – involving default passwords, boasts on Telegram, and a finale that will make a few cyber-crooks wish the ground would swallow them whole.

Meanwhile we dig into the bit we don’t talk about enough: the human cost of defending companies from hackers – stress, burnout, and how better leadership culture can help make security teams safer and saner.

Plus we say a heartfelt “la di dah” to Diane Keaton, and tune in to a freshly re-released slice of pre-Fleetwood Mac history for the music-obsessed amongst us.

All this and more is discussed in episode 439 of “Smashing Security” podcast with cybersecurity veteran and keynote speaker Graham Cluley, and his special guest Annabel Berry.

Transcript
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
ANNABEL BERRY
It's effectively like a knockout blow, isn't it, by some professional boxer, only to find out that the opponent was a scarecrow.
Unknown
Smashing Security, episode 439: A breach, a burnout, and a bit of Fleetwood Mac with Graham Cluley. Hello, hello, and welcome to Smashing Security episode 439.

My name's Graham Cluley.
ANNABEL BERRY
And I'm Annabel Berry.
GRAHAM CLULEY
Annabel Berry, welcome to Smashing Security. It's your first time here.
ANNABEL BERRY
It is. And how the devil are you?
GRAHAM CLULEY
I am absolutely gorgeous, and I hope you're gorgeous as well.

Now, for our listeners who may not be aware of the Annabel Berry experience, which makes you sound like a Jimi Hendrix tribute act.
ANNABEL BERRY
Or a theme park, yeah.
GRAHAM CLULEY
Yeah. Tell us how you've arrived at Smashing Security.
ANNABEL BERRY
So, I'm Annabel Berry.

I run an organization called Leading Cyber, and that means I get to work with cyber leaders and teams, looking at team performance, looking at leadership development and stuff like that.

And I run Ladies Hacking Society in the industry. And I'm involved in lots of other stuff outside the day job, all the stuff that makes this industry great to work in.
GRAHAM CLULEY
Fantastic. Well, before we kick off, let's thank this week's wonderful sponsors, Vanta, SecAlerts, and Anon. We'll be hearing more about them later on in the podcast.

This week on Smashing Security.

We're not going to talk about how the UK's National Cybersecurity Centre says attacks in the country have surged by 50% over the past year, with it now handling a highly significant incident, roughly every other day.

You'll hear no discussion of how Microsoft has cut off support for Windows 10, even though many millions of people are still using it and may now be at risk.

And we won't even mention how as many as half of all geostationary satellites in Earth orbit are carrying unencrypted sensitive information, leaving it open to eavesdropping.

Annabel, what are you going to be talking about this week?
ANNABEL BERRY
So this week, Graham, I'm gonna talk a little bit about some of the work that I do at Leading Cyber, but also I'm part of the Mental Health in Cybersecurity Foundation.

So I'm gonna talk a little bit about professional wellbeing and stress and why we need to be talking about this more in the industry.
GRAHAM CLULEY
And I'm gonna be describing how hackers infiltrated a water treatment plant, disabled its alarms, changed critical settings, and then bragged about it on social media, only to then suddenly disappear.

Why? Well, that's where things get interesting. All this and much more coming up on this episode of Smashing Security. This episode of Smashing Security is supported by Anon.

Know that feeling when you Google yourself and find, well, more than you'd like?

Old forum posts, data broker listings, photos you forgot about, maybe even some dodgy things you now regret. Well, that's your life on the internet.

And that's where today's sponsor, Anon, comes in. Think of it as your personal privacy cleanup crew, powered by AI that actually does something useful for once. Here's how it works.

Anon scans the web, yes, including the dark corners you don't want to think about, and it finds all the data tied to you.

But here's the clever bit: it doesn't just show you a complete horror show of your digital past and wish you luck.

It actually identifies which links might contain sensitive information and, with one button press, fires off removal requests to get them delisted from search results.

Plus, it keeps monitoring for new data breaches and alerts you if your information turns up somewhere it shouldn't. It's your security researcher working for you 24/7.

You don't need to keep it fed with pizza and coffee. Want to take back some control? Head to becomeanon.com and use promo code SMASHING for 25% off. That's becomeanon.com.

Find, monitor, and remove your data online with ease because your privacy matters. And thanks to Anon for supporting the show. So Annabel, I need to tell you about a security breach.

One that recently happened. It's not just any old breach. This was one involving critical infrastructure.
ANNABEL BERRY
That doesn't sound good.
GRAHAM CLULEY
It doesn't sound good, does it, when critical infrastructure gets hacked? Specifically, this was a water treatment plant, which obviously is pretty important, right?

We all love water. We need water. And we need water to be treated properly, otherwise, well, nasty things are going to happen if your water gets messed with.
ANNABEL BERRY
Right.
GRAHAM CLULEY
So we don't want hackers mucking around with water. And this particular attack began at 8:22 one morning last month.

A pro-Russian hacktivist group called TwoNet, not to be confused with tuna or Skynet, broke into a water treatment plant to cause mischief.

They got their little fingers all over the controls. And you're wondering, well, how, how did they break in?

What highly sophisticated technique did they use to waltz past the high security in place at a piece of critical infrastructure, a water treatment plant, right? That's what you're thinking.

How did they do it?
ANNABEL BERRY
I am thinking that.
GRAHAM CLULEY
Well, it was really simple. Default credentials, specifically username admin and password. Hey, Annabel, look, I don't know if you're a mentalist.

I don't know whether you can read minds, but if a username is admin and you were a hacker, what would you imagine? Just think of a password.

What possible password could this person have used to protect this piece of critical infrastructure? Username admin, password admin. Absolutely correct. There you go.

ESP really is possible. It's like having a mat outside your front door that, rather than saying welcome, says "keys are under the mat", and then putting the keys under the mat.

So the damage is done, the hackers get in. You know, mistakes happen, people goof up, we get it. And the hackers, once they're inside, they go to work.

They're running SQL queries, they're enumerating databases, they're establishing persistence.

So they can get in again, even if you do decide to remove the key from under the doormat.

And these hackers created a new user account at this water treatment plant, and then they started causing chaos.

They defaced the login screen with a popup that said, "Hacked by Barlatti," followed by a rather rude 4-letter word.

And they deleted the connected PLCs, the programmable logic controllers, that actually monitor and control the water treatment process. This is pretty bad stuff, Annabel.
ANNABEL BERRY
Yeah, that's not good.
GRAHAM CLULEY
They disabled logs and alarms so no one could track what they were doing. Within 26 hours, the attackers had broken into this organisation and were tampering with key systems.

Not good.
ANNABEL BERRY
Absolutely not good at all. That's not what you want. No.
GRAHAM CLULEY
I would say on the thermometer of badness, this isn't just bad. This is, you better boil your water bad.

This is, perhaps you should go down the shops and buy some San Pellegrino rather than drinking anything from the tap. That kind of bad.

It's not so bad that you'd buy a bottle of Badoit. I have a very low opinion of Badoit.
ANNABEL BERRY
Oh, do you? I think it's superior to San Pellegrino, but okay.
GRAHAM CLULEY
Annabel Berry, what on earth are you talking about? Badoit, it has the wrong-shaped bubbles.

If you're a water connoisseur, and there are such, there are water sommeliers now, aren't there?
ANNABEL BERRY
There are.
GRAHAM CLULEY
Who will actually advise you on what kind of mineral water to have. But anyway, it's that level of badness.

And then of course, the hackers, well, they've got to brag about what they've done, haven't they?

So they go to their Telegram channel, and they're posting screenshots of the admin systems they've hacked into. The technical details.

They're saying, look at us, we're cyber warriors, we've struck a blow against the enemy. Fear TwoNet, fear TwoNet. The usual kind of juvenile behavior you'd expect of hackers.

And everyone's freaking out because water treatment facilities are critical infrastructure. These systems control chemicals and filtration, everything that keeps our water safe.

We've seen these kind of organizations hacked in the past. And if you can mess with these systems and disable alarms, I mean, you could cause some real harm.

And everyone's asking, you know, how does this happen? How does a water treatment plant in 2025, how come it's still using admin and admin as a password?

What other facilities may be vulnerable? If this one is, are others vulnerable as well? These hackers, meanwhile, TwoNet, they're feeling great.

They start crowing about what they can do. This is us. We're amazing. They're up on their Telegram channel. They start advertising their other services.

They say, oh, by the way, if you're impressed by that, we've got a ransomware as a service operation. To you, just $830 plus a 50% cut of any ransom payments you manage to extort.

They're boasting and advertising their hacker-for-hire service. They're offering for sale credentials for a SCADA system in Poland, all kinds of things.

They're Uber, but with possibly even less ethics.

And within a few weeks, they are all over the various hacker Telegram channels, forming alliances, networking with other criminal gangs.

It's LinkedIn for hackers, going on over Telegram. And then, Annabel, something funny happens.
ANNABEL BERRY
Okay.
GRAHAM CLULEY
Because at the end of September, just weeks after their triumphant attack at the water plant, TwoNet's Telegram channel shuts down. Just disappears. No warning. It's just gone.

It's weird, right?
ANNABEL BERRY
Very.
GRAHAM CLULEY
I mean, they were on top of the world.
ANNABEL BERRY
Mm-hmm. Yeah.
GRAHAM CLULEY
Have you got any thoughts as to why they would have shut down?
ANNABEL BERRY
No idea.
GRAHAM CLULEY
Maybe they had their collars felt?
ANNABEL BERRY
Internal differences?
GRAHAM CLULEY
Internal, yes, yes, musical differences, something like that, yes. Well, here's the thing. That water treatment plant that they hacked wasn't real. It didn't exist.

The truth is that it was a honeypot set up by a cybersecurity company called Forescout.
ANNABEL BERRY
Wow, okay.
GRAHAM CLULEY
And the guys at Forescout created it specifically to look like critical infrastructure, to lure in hackers and study their tactics.

And TwoNet, the hacking gang, spent 26 hours meticulously hacking and defacing and disrupting what was, in effect, a trap. So they ran their SQL queries against a fake database.

They disabled alarms that weren't protecting anything. They changed systems that didn't control any actual water.

And then, and this is the best part, they went on Telegram and bragged about it to the entire internet, saying, look at our sophisticated attack. We are elite hackers.

We compromise critical infrastructure.

And the researchers at Forescout were sitting there with their morning coffee, watching this all unfold in real time and chortling away at the stupidity of these hackers.
ANNABEL BERRY
It's effectively a knockout blow, isn't it, by some professional boxer, only to find out that the opponent was a scarecrow.
GRAHAM CLULEY
Yes!
ANNABEL BERRY
Or something like that, isn't it, basically? I mean, you're bragging around the ring, you're holding your belt up, and then— Ah, okay.
GRAHAM CLULEY
Yes, exactly. At some point, TwoNet realised their goof, and they basically just died of embarrassment.

And they decided, this is too embarrassing that we've been caught out in this way, and they shut down their Telegram channel.

They packed up their hoodies, they wiped their hard drives.

They presumably did the equivalent of going on witness protection so no one would know about the errors they've made in their past. And I think this is brilliant.

I think we need more of this.

I think we need more of the security researchers creating fake organizations for the hackers to waste their time breaking into in order to occupy them rather than hitting real targets.

And it turns out this isn't the first time Forescout have done this. In May 2024—
ANNABEL BERRY
Oh, really?
GRAHAM CLULEY
Yeah, they disguised one of their honeypots as a healthcare clinic with the intention of attacking ransomware gangs.

And they used generative AI to populate the clinic's website with doctors who didn't exist.

And they said in future they would use AI to generate messages between non-existent employees and social media profiles, and litter the honeypot servers with documents like salary databases, to make attackers believe that they'd compromised real organizations.

So here's a good use for AI creating fake companies who the hackers can then try and break into and occupy the time.

And during some of these cases, the hackers actually end up trying to negotiate the ransomware extortion with the security researchers who know completely and fully well that it's not a real company which has been hit.
ANNABEL BERRY
Wow.
GRAHAM CLULEY
So, I really rather like this. I always love a story where the hackers get their comeuppance. I love it when they're caught with their trousers down.

Of course, if this hack by TwoNet against a water plant had been real, maybe their systems were protected with an admin/admin password, or maybe there are systems out there which haven't yet been patched against vulnerabilities that are years old.

You know, what's happened here is TwoNet has taught people, hopefully, a valuable lesson. One is: stop trusting default passwords.

Obviously, we know admin and admin are really dumb passwords, but there's hundreds of other really awful password combinations and choices.

So get some proper best practice when it comes to choosing your passwords and credentials and multifactor authentication and so forth.

But also, if you are a criminal hacker listening to Smashing Security, maybe wait before posting your victory selfie up on the social media, because are you absolutely certain you didn't just deface a website built specifically to make you look a bit of an idiot?

So well done to the security researchers for outfoxing the bad guys, and bad guys, well, maybe find a new career. Do you think we should try and see more of this going on, Annabel?
ANNABEL BERRY
I think absolutely, but I think there's two things here, isn't there?

First of all, it didn't seem suspicious at all to TwoNet that a really critical system could be secured by admin/admin. That's the first thing.
GRAHAM CLULEY
Yes, which is alarming, isn't it? Yes.
ANNABEL BERRY
I mean, it is quite alarming that they didn't find it alarming and think, hang on a minute, there's something a bit dodgy here. This might be a honeypot, possibly.

The second thing is, it also might do us a service longer term, because actually, if they do, from now on, think that actually, this looks like it's too easy to hack into, maybe this is a honeypot, they might decide not to in the first place.

I don't know, but—
GRAHAM CLULEY
Hang on a minute. Are you proposing that organizations deliberately have really weak security so they look like a honeypot? So the hackers think, oh, we're not going in here.
ANNABEL BERRY
No, I'm just saying for those organizations who are, there may be a reverse play.

But yeah, I think the biggest thing here is they didn't for a moment think that this might not be dodgy from their side of things. And that speaks volumes, doesn't it?
GRAHAM CLULEY
It does, it does. Well, it's great to share a story for once about poor security actually working to somebody's advantage in this case. For the security researchers.
ANNABEL BERRY
Yeah, brilliant. Well done, them.
GRAHAM CLULEY
Right. Quick word about one of our sponsors today, Vanta. Now, I know what you're thinking. Oh, good. Another bit of software promising to make my security easier.

But honestly, Vanta is actually pretty handy. Here's the deal.

If you're spending half your week chasing down evidence for audits or updating endless spreadsheets or trying to prove that, yes, you do take security seriously, Vanta automates all of that.

It pulls everything together, keeps an eye on your systems, and basically makes sure you're ready for an audit at any time.

No panic, no last-minute scavenger hunts for screenshots or policies you forgot to upload 6 months ago.

It also plugs into the tools you're already using and uses a bit of AI magic to flag up issues before they become a proper mess.

So if that sounds like something that might save you from a few sleepless nights, check them out at vanta.com/smashing. That way they'll know that you heard about them on this show.

And if you use that link, you'll get $1,000 off, which is nice as well, isn't it? So thanks to Vanta for sponsoring this week's episode. And let's crack on with the show.

So Annabel, what are you going to talk to us about today?
ANNABEL BERRY
So I'm going to talk a little bit about the work that I do both in Leading Cyber, but also in the Mental Health in Cybersecurity Foundation.
GRAHAM CLULEY
Yeah.
ANNABEL BERRY
Looking at our professional wellbeing really in the industry. So, there's been loads and loads of stories. People will have seen stuff on LinkedIn.

There are loads of reports that have been released about why we think the scale of the problem is increasing for the brilliant people who work in the industry.

And the story you've just talked about, Graham, kind of highlights the really great work that people are doing out there to—
GRAHAM CLULEY
Yes.
ANNABEL BERRY
Keep us safe, keep on the front foot and things like that.

But it's coming at a cost for some of the people who are working in the industry and the statistics and the research that's coming out saying that that's kind of heading in one direction at the moment and it's not a positive direction.

So, the work of the Mental Health in Cybersecurity Foundation is really to raise awareness of this, to talk a little bit about this, to get this aired a little bit more, 'cause there's still a bit of stigma about talking about mental health and stress and burnout.

So we're talking about this a little bit more just to get it raised, air it a little bit more, and that's only got to be a good thing, hasn't it?
GRAHAM CLULEY
I think so. I think so. It does feel to me like more people in the industry are feeling comfortable to open up about some of the challenges which they're facing.

It can be such a hard job securing a company and working in this field and the pressure which you're under— it's not uncommon these days to see on LinkedIn, as you say, people talking about some of the challenges that they face.
ANNABEL BERRY
It is getting better. I definitely don't think we are anywhere near a position where people are talking about it openly.

I think overwhelmingly people still feel embarrassed about it. And I think that they don't really know what they can do about it, because it feels insurmountable.

Feels like, you know, a lot of the work that we do, we are, in essence, digital first responders.
GRAHAM CLULEY
Yes.
ANNABEL BERRY
Definitely, if you're working in SecOps and things like that.

And so, a lot of people feel, well, it's the nature of the job, job's never done, it's 24/7, we don't know where the next attack is going to come from or when it's going to be.

And so, the nature of the work is that actually, there's nothing much we can do about it.

And I think the good news that we have really within the Foundation, the work the Foundation are doing, and we're in the process of putting together a framework, which will be a good blueprint for the industry to follow in terms of the things that you can look at, the real practical stuff that you can do.

And this feeds a lot into the work that I do at Leading Cyber, so working with cyber leaders and teams about things that you can do, because there's quite a lot that you can do, even though obviously the environment that we're working in is adversarial in nature.

There's quite a bit that you can do in terms of how we improve, and then as a byproduct, resilience and performance of the industry, which is what we want, right?

Bunch of really great people doing really good work. We want to make sure that those people carry on doing that amazing work that they're doing and not leaving the industry.

Splunk released a report last year to say 70% have considered leaving the industry. 64% of people are saying that their productivity's affected.

CySec, their State of the Profession survey, is saying, you know, that 55% of security professionals are kept awake at night by the stress of the job. We can't go on like that.

We've got to find ways of creating better environments for people.

So that's the work that the Foundation are doing, both in research and some of the real practical stuff that you can do in terms of interventions, and looking at things like culture and work practices.

And the good news is there is a whole bunch of stuff that you can do around this. There's some stuff we definitely can't do anything about, right?

But there's a whole bunch of stuff that we can do, which is looking at our own daily workload, how we manage that. And there's a direct correlation.

For example, some of the research that's come out of the Flowguard Institute, and we have an amazing guy who heads up our research group called Cash, and they've done some research about being in a flow state.

So, Graham, have you ever been in a state of flow in work?
GRAHAM CLULEY
I think you've seen me on the dance floor, haven't you? I mean, I am quite—
ANNABEL BERRY
I don't know if we could describe that as flow, Graham.
GRAHAM CLULEY
You don't?
ANNABEL BERRY
I mean, there's a whole bunch of words I could describe that as. I'm not sure flow would be one of them.
GRAHAM CLULEY
Okay. So a flow state. Tell me what flow state is.
ANNABEL BERRY
Well, a flow state is when you are in the zone. You're being stretched a little bit, but that's where your performance is at its highest.

So, it's when you know the work that you're doing, you get very engrossed in it. You know very clearly what you're doing and why you're doing it.

There's usually gonna be some immediate feedback about that. So, you know, when you hear people talking about being in the zone, so that's basically that kind of flow state.

And people who achieve that in their work every day, the research shows that they have much less instances of stress and burnout than other people, for example.

So how you balance your stress versus performance on an ongoing basis every day, these are things that we can look at.

So being in stretch, what we call the stretch zone, for short periods of time is really good.

But being in that for too long on an ongoing basis every day is likely to lead you into strain.

And when you enter the strain zone, then that's where you're on the road to burnout, and your productivity and performance drops off a cliff.
GRAHAM CLULEY
So, yeah.
ANNABEL BERRY
So it's looking at those types of things.
GRAHAM CLULEY
Yeah.
ANNABEL BERRY
How you can manage your own work. So I'm not saying you could do anything about the level of work perhaps, but it's how you can take short breaks.

Every 25 minutes, you should have a 5-minute break, for example.
GRAHAM CLULEY
Yes.
ANNABEL BERRY
And then every couple of hours, you should have a longer break.
GRAHAM CLULEY
Okay.
ANNABEL BERRY
And by all means, Graham, you could go and have a dance in the kitchen for that 5 minutes if you wanted to.
GRAHAM CLULEY
I did do that the other day and I twisted my ankle, so I'm not sure that would be— I was demonstrating to my wife my talent at the flamenco.
ANNABEL BERRY
Right.
GRAHAM CLULEY
And maybe it just all got a bit too passionate. I'm not sure. So there are things we can do as individuals, obviously, but it also has to be part of the work culture, doesn't it?
ANNABEL BERRY
Really critical. Yeah, that's it. So, a lot of the work that I do at Leading Cyber is around working with cyber leaders about how you set that leadership culture.

So, we hear a lot about creating a culture of trust, a culture of safety, and that's really, really important if you want highly performing, thriving teams, because teams have got to be able to flag when they've not done something, or something's happened, or there's a mistake that's been made, because of course, that's it, we all make mistakes.

To err is to be human, and that's it.

But we sometimes aren't very good at creating cultures where those things can be flagged up and people feel they're gonna be punished in some way for making a mistake.

And at the end of the day, we've got to work with our teams to make sure that we know what happens when we lose as a team, because we're not always gonna win.

No high-performing team is gonna win all of the time. That's just not the nature of things. So, we have to build environments for that.

And those environments, they don't happen by chance.

You have to design them, you have to be intentional about it, and you have to be able to bring in better quality of leadership and perhaps more people-focused, value-focused leadership as well.

Because actually, one of the other things that's come out of the research is that people who feel they're doing meaning-orientated work, which I think is actually quite a lot of people in cybersecurity.

I don't know about you, Graham. I think this is a real mission purpose-led career. People do this, they feel extraordinarily passionate about it.
GRAHAM CLULEY
Absolutely.
ANNABEL BERRY
And they're doing this for good reason. They're doing this to keep people safe, to keep organizations safe, to help thwart the baddies we were talking about earlier.

And I don't think that's acknowledged enough. And I think the byproduct of that is I think when you're really passionate about something, you will go above and beyond.

And I think we have to watch out for those things. So, those are brilliant things. Those are things that make us, I think, quite unique as a sector.

But also, those are the things that are most likely to mean that we are going to work above and beyond, we are going to work over the hours, we are going to check things when we're on holiday, we're not going to take the breaks that we need.

If anything, we need to make sure that we are in the position to perform really well if we want to do the really good work that we're doing.

And actually, some of the research suggests that having purpose-centered leadership in those teams, making sure that people understand the meaning that they're bringing, can make a big difference to how people feel at work.

And at the end of the day, that's it, isn't it? We spend most of our life at work, so we need to get better at looking at this, I think.

If we want to be better as an industry, and I think collectively we do, we've got to start looking at and talking about the impact of the people who work in that industry.

And I don't just mean CISOs. There's loads and loads and loads of research and narrative about CISOs and the pressure. And yes, they are under huge amounts of pressure.

The tenure of a CISO is much lower than a CIO, for example, and much less than a chief exec.

And there's a reason for that, because quite often they are working in very difficult environments.

But the research suggests that actually all roles across the whole cybersecurity domain really are experiencing higher levels of stress and burnout and mental health issues and leaving the industry.

And that's definitely not what we need. So we need to talk about this more, basically. And that's what the Foundation is there for.
GRAHAM CLULEY
So Annabel, I've worked for a fair number of companies over my time, and I've worked alongside CEOs, the bosses of these organizations.

Some of them give the impression that they don't really care that much about this stuff. There's bad bosses as well as good bosses, aren't there?

So I think everything you've said is really worthwhile. I'm fully behind that.

But I also recognize there are people who will be working for companies where maybe the boss doesn't appreciate the staff quite so much and doesn't see the benefits of this kind of thing actually occurring inside the organization to improve the welfare of staff.

I would imagine that there is an argument to be made that, well, keep your staff happy and they will do a better job and they will save you money and they will work more effectively and they won't have to take time off and they won't be one of the 70% or whatever it was you said who are considering leaving the industry due to the stress which they're under.

So this actually, if you have some kind of psycho boss who only cares about the money, this actually is a way for them to help themselves save money rather than spending money on re-recruitment and all the other problems which can be associated with mental health within the workspace.
ANNABEL BERRY
That's it. And you've just created the soundbite for my company, Graham. So that's brilliant. So if I could have that snippet and I'm just going to play that out there.

That's basically, that's exactly it. Even if you don't care about people, and I think if you don't care about people, then you shouldn't be leading people at the end of the day.

And too many people have ended up, as a byproduct, in a role of leadership because it just was a way to advance and get more authority and more money.

But then there are loads of really amazing leaders out there as well who want to make a difference. And sometimes they don't know how to necessarily.

So, I think for me, all roads lead back to leadership, which is why I ended up starting this company.

And I've been in the industry for 27, 28 years now. It's to help with that, really, because there are so many things that you can do which elevate the performance.

So, if that's all you care about is the performance, then you still have to care about this stuff.
GRAHAM CLULEY
Yes.
ANNABEL BERRY
Because there is a real link between these two things of making sure that the people you work with are well looked after, they're supported, they're happy, they have what they need, they know how to develop, then that is going to create a much happier, much more successful, much more productive team.

And that's what everyone is after now. People say, well, people are less engaged, people are less productive. I think the UK has the lowest productivity rates of all the G7 nations.

And there is a reason for that. But this is all stuff we can do things about.

It's just that because of how the sector's evolved, we are so technology focused that we started to look at people, obviously, when the breaches started to basically sail through all the VPN controls to the person at the end of the device.

But we haven't expanded that out quite enough yet to look at actually the people who are involved: the people who are looking at these controls, who are monitoring in the SOCs, who are putting in these technical controls or looking at compliance. We have to look at who those people are, how they are doing, and what their professional wellbeing is.

And as leaders, that's our job, or it should be our job.
GRAHAM CLULEY
Okay.

So, whether you are leading the company, whether you're leading a team, or whether you're just a professional inside a company who feels that you could benefit from some sort of development in this area in order to handle these situations better or change the culture inside your organisation:

We'll put a link in the show notes where people can learn more about some of the work that you are doing and some other resources that you can go and check out.

Anything else you want to say on that, Annabel?
ANNABEL BERRY
I think that's it.

Exactly as you've said, even if you're working in a team where the boss doesn't feel like this is something that they care about, there's still stuff that you can do either as an individual or with the rest of your team that will make things better for you.

So, there's loads of practical stuff that's available, and I know that the work that the Foundation is doing is for that, and there's also the work I'm doing in Leading Cyber, which is some really practical stuff.

So, don't lose hope is what I'm saying.
GRAHAM CLULEY
So, chums listening, if anything we've discussed today has resonated with you, or if you're going through a tough time, please know you're not alone.

There's always someone ready to listen without judgment. And for that reason, we're going to share a few resources that are available.

These are all UK-based numbers, but similar resources are available for other parts of the world. You can contact Shout 24/7. Just text 85258.

You can also call the Samaritans 24/7 on 116123. And between 6 PM and 3:30 AM, you can call the Suicide Prevention Helpline. Their number is 0800 689 5652.

And there's also SANEline, which is available from 4:30 in the afternoon till 10:30 at night UK, and that is 0300 304 7000.

For any more info about the research that Annabel's mentioned, please contact the Mental Health in Cybersecurity Foundation on LinkedIn. Links in the show notes.

Let me tell you about SecAlerts, who are sponsoring today's show.

Look, if you're drowning in vulnerability alerts and spending way too much time figuring out which ones actually matter to you and your software, SecAlerts solves that problem.

They monitor over 100 sources and automatically match vulnerabilities to your specific software versions. But here's the clever bit.

You can build custom queries that filter out all the noise. Want to see only critical Microsoft vulnerabilities with a CVSS of 8 to 10 that have been actively exploited this week?

Done. No more wading through irrelevant alerts.

You can push those alerts directly to the people who need them via email, Slack, Teams, whatever works for you, and set the frequency yourself. One of their clients said it best.

They said, SecAlerts has been an absolute game changer. We've strengthened our security posture, and improved response times significantly.

They've got plans for businesses of all sizes, and right now you can try SecAlerts for free for 30 days. Use the code SMASHING and you'll get 50% off a yearly subscription.

Check them out at secalerts.co. That's secalerts.co. And thanks to SecAlerts for supporting the show.

And welcome back, and you join us for our favourite part of the show, the part of the show that we like to call Pick of the Week.

Annabel, say Pick of the Week.
ANNABEL BERRY
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.

It doesn't have to be security related necessarily. Now, my pick of the week this week.

Well, there was some sad news in the last week, which is that Diane Keaton has died at the age of 79.
ANNABEL BERRY
I know, it's so sad, isn't it? I love her.
GRAHAM CLULEY
I've been in love with Diane Keaton for so many years. I was quite besotted with her. Was besotted with her. I'm still besotted with her.

I think it all happened for me the first time I saw her in one of my favourite movies, Play It Again, Sam, opposite Woody Allen. Woody Allen plays a recently divorced character.

He's urged to begin dating again by his best friend's wife, only to realise that he's fallen in love with her.

But being utterly inept, he seeks advice from the ghost of Humphrey Bogart on how to woo Diane Keaton. And I love it.

And I love lots of other movies she's been in, including Annie Hall, of course, Manhattan, Love and Death. And she was also in The Godfather movies, wasn't she?

In that movie with Jack Nicholson, Something's Gotta Give. I think she was lovely and an individual and charming and stylish and genuinely cool.

So as tribute to her and my teenage self, which fell in love with Diane Keaton all those years ago, my pick of the week this week is the movie Play It Again, Sam.

Go and check it out. It's very funny and she is utterly, utterly adorable and will be much, much missed as well, I think.
ANNABEL BERRY
Yeah, definitely. I saw something just after the announcement. I think it was a summary about her life, and they were saying, you know, we know her better for her earlier films.

But I think some of the films that you've talked about, it's like Something's Gotta Give, I think they're great, great films.

I think it does her a disservice to say, you know, it's just the early films and that's what people will remember.

And of course, Annie Hall is iconic, but I think she's been a constant, hasn't she, her whole career? And yeah, she'll be missed enormously.
GRAHAM CLULEY
I was just really shocked, actually, to hear that she'd died. Great shame.

But yes, so many movies to choose from, but my pick of the week this week is going to be the movie Play It Again, Sam. Annabel, what's your pick of the week?
ANNABEL BERRY
So, my pick of the week, and it had to be music-based because I have a slight music obsession.
GRAHAM CLULEY
Oh, right.
ANNABEL BERRY
And when I say I have a slight music obsession, according to Spotify in 2024, I had 68,875 minutes of listening.

According to Spotify, that puts me in their top 3% of listeners worldwide, apparently.

So obviously, haven't had the stats in for 2025 yet, but yeah, that's 68,875 minutes of listening, apparently.

I've converted that into days, it's almost 48 days of listening to music. And given that you're asleep for a third of the year, I mean, it's a big chunk.
GRAHAM CLULEY
Wow.
ANNABEL BERRY
So when I say slight music obsession.
GRAHAM CLULEY
You're probably keeping some musicians afloat actually. I mean, I know Spotify pay very badly.
ANNABEL BERRY
Yes. You know, they do that nifty end-of-year thing.
GRAHAM CLULEY
Oh yes, Spotify Wrapped.
ANNABEL BERRY
Yeah, yeah. So that's how I know.

I like to imagine that there is a team within Spotify that is the algorithm team, where just when they think they've got the algorithm nailed, then I play something that just sends the whole team— the dashboard will go red.
GRAHAM CLULEY
Hang on, hang on, she started listening to her Guatemalan nose flute music. Where's this come from?
ANNABEL BERRY
Exactly. So my— I digress. My pick of the week then had to be music related.

So I've gone with the newly re-released 1973 album Buckingham Nicks, obviously by the lovely Lindsey Buckingham and Stevie Nicks.

It's been out of print and unavailable for decades and has just been released a couple of weeks ago, and I've been wallowing in that for the past couple of weeks.

So for anyone who's obviously had a fascination about rock's most legendary exes— they are fascinating though, they are fascinating, yeah.
GRAHAM CLULEY
Yeah, so Stevie Nicks and Lindsey Buckingham, they joined Fleetwood Mac, didn't they? Just before Fleetwood Mac became utterly enormous.
ANNABEL BERRY
Yes.
GRAHAM CLULEY
In the mid-'70s.
ANNABEL BERRY
Well, this is the reason why. It's this album. It was recorded back in 1973. And apparently, they recorded it at Sound City Studios, I think.

And the engineer who obviously worked on the album for them was there when, I think the following year, Mick Fleetwood, who had an exodus from the band at that time, visited the studios and was looking for a guitarist.

And the engineer basically played him the track Frozen Love, which is the last one on this album.

And on the basis of that, Buckingham and Nicks obviously joined Fleetwood Mac and then went on to, you know, superstardom. So yeah, so basically I've been listening to that.

So it's Buckingham Nicks, which was the very first album they did. It tanked. The record company dropped them like a lead balloon straight afterwards.
GRAHAM CLULEY
Annabel, I've just looked it up and the cover of this album is a curious thing.
ANNABEL BERRY
It is, isn't it? I know, yeah.
GRAHAM CLULEY
It's of its time, I think. Would you like to describe it or shall I?
ANNABEL BERRY
I mean, it's very '70s. And when I say '70s, I mainly mean the hairdos and the facial hair. And that's obviously going to be not '70s. And the lack of clothing, yeah.

Yeah, so yes, it's very captivating, isn't it, the album cover? But yeah, it's quite something.

But basically, I've been listening to it because I'd not heard it before, obviously, because it hasn't been available.

And I love Fleetwood Mac, and listening to it, you can definitely hear, obviously, the influences that they took into Fleetwood Mac.

For me, if you're a Fleetwood Mac fan, it's definitely worth the listen. So my Pick of the week this week is the album Buckingham Nicks.
GRAHAM CLULEY
Fantastic stuff. How extraordinary, it hasn't been available for decades, and you would think something like that would have been available.

I mean, it's such an important part of rock history, isn't it?
ANNABEL BERRY
Well, I'm guessing it must be something to do with the two of them giving their permission jointly for it, and obviously that's been the big kind of to and fro, hasn't it, for the last few decades.
GRAHAM CLULEY
They haven't agreed on anything for a while.
ANNABEL BERRY
No, well, that's it. So definitely worth a listen.
GRAHAM CLULEY
Fantastic stuff. And that just about wraps up the show for this week. Thank you so much, Annabel, for joining us.

I'm sure lots of our listeners would love to find out more about the work that you are doing, follow you online. What's the best way for people to do that?
ANNABEL BERRY
So people can find me on LinkedIn, just look up Annabel Berry, find me on there. Or if you go to the website, which is www.leadingandtransforming.com, lastpass-cyber.com.

And if you want to find the Mental Health and Cybersecurity Foundation, we also have a page on LinkedIn that you can follow, and that'll tell you all the news on there about what we're up to and stuff about the framework, and we're looking for volunteers.

So let us know if you're interested.
GRAHAM CLULEY
And of course, Smashing Security is up on social media as well. You can follow Smashing Security on BlueSky, and you can find me, Graham Cluley, on LinkedIn.

And don't forget to ensure you never miss another episode. Follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.

For episode show notes, sponsorship info, guest lists, and the entire back catalogue of, oh, about 439 episodes, check out smashingsecurity.com. Until next time, cheerio, bye-bye.

Toodaloo. You've been listening to Smashing Security with me, Graham Cluley.

Thanks so much to Annabel Berry for joining us this week, and of course to this episode's sponsors, Vanta, SecAlerts, and ANON, and to the chums who've signed up for Smashing Security Plus over on Patreon.

They include Justin Dale, Stephen Castle, Mark Luxman, Steve B, Michael Crumb, Peter Carter, Matt, David Cash, Sven Janssen, Colja Nathie, Amy Kwan, Brandon, Iain Flynn, Rob Ainscough, Paul Cummins, and Robert Cheek.

So, would you like to have your name read out at the end of the show every now and then? If so, you should sign up for Smashing Security Plus because it's one of the perks.

You can become a member of our happy little tribe for as little as $5 per month.

And you'll not only get your name mentioned occasionally at the end of the show, you'll also get the episodes without any of the ads. Can't say fairer than that.

So just go to smashingsecurity.com/plus for more details, and thanks to everyone who supports us that way. Now don't feel bad if you can't support Smashing Security that way.

There's other things which you can do.

For instance, you can support the podcast just by liking, and subscribing, giving 5-star reviews, telling people to give it a listen, spreading the word that way. All of that helps.

And some people have recently even been wearing Smashing Security t-shirts. And you can go visit our online store if you want to grab a t-shirt.

That's a great way of spreading the word as well. But please don't think that you have to support the show financially. I really appreciate it just if you're listening.

So thanks again for tuning in. And I look forward to chatting to you again next week. Toodaloo. Bye-bye.
ANNABEL BERRY
Oh well. La di da, la di da, la la.

Host: Graham Cluley

Guest: Annabel Berry

Episode links:

If anything we’ve discussed today has resonated with you, or if you’re going through a tough time, please know you are not alone. There is always someone ready to listen, without judgment. Here are a few of the available resources:

  • Shout – text 85258 (24×7)
  • Samaritans – tel 116123 (24×7)
  • Suicide prevention – tel 0800 689 5652 (6pm – 3.30am)
  • SANEline – tel 0300 304 7000 (4.30pm – 10.30pm)

Sponsored by:

  • SecAlerts – SecAlerts makes your job easier by matching vulnerabilities to your software, using information as soon as it’s released. Use code SMASHING for 50% off a year subscription.
  • ANON – Find, monitor and remove data about yourself online. Manage your digital footprint with ease. Use code SMASHING for a 25% discount.
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
