Crisis fighting: How to plan a successful security incident

August 2, 2024

It seems a new security crisis is emerging at a weekly pace. The emergence of critical security breaches, data exposures and digital infrastructure failures has vastly accelerated in the last five years. What happens when your job is to operate in a crisis? 

Join us in this episode of Secure Talk, where we sit down with Vice Admiral Mike LeFever, the CEO of Concentric Security, and Roderick Jones, ex-Scotland Yard and Executive Chairman of Concentric, as they share their deep experience in crisis management.

Their insights were gleaned while Mike LeFever served as commander, Office of the Defense Representative to Pakistan, during the killing of Osama Bin Laden, and while Roderick Jones served in Scotland Yard’s Special Branch, focused on international terrorism. They delve into four key phases of crisis management (911 moments, second and third-order effects, steady state, and the road to normalcy) while underscoring the importance of leadership, preparation, and external relationships. They also highlight the critical need for cyber risk management in today's evolving threat landscape. This episode also covers their book, 'End Game First: A Leadership Strategy for Navigating a Crisis,' which serves as a guide for cybersecurity leaders.

Transcription - Mike LeFever and Roderick Jones


Justin Beals: Hello, and welcome to Secure Talk, a podcast where we explore the critical world of information security innovation and compliance. I'm your host, Justin Beals, founder and CEO of StrikeGraph. Together with our expert guests, we'll provide you with tools and tips to help your business thrive in the rapidly evolving cybersecurity environment.

Hello everyone. And welcome to Secure Talk. I'm very glad to have you back with us on the podcast today. We have two exceptional guests to chat with. Our first guest is Roderick Jones. He is the executive chairman of Concentric, one of the most influential privately held security firms in the country. He began his career with Scotland Yard Special Branch, focusing on international terrorism and has worked with a number of high-growth Silicon Valley companies.

We also have Vice Admiral Mike LeFever, U.S. Navy, who is Concentric's CEO. After four decades of service, he completed his military career as the Director of Strategic Operational Planning at the National Counterterrorism Center. He's renowned for navigating cross-cultural environments and building high-performance teams.

Thank you both, Mike and Roderick, for joining the podcast today. We're very lucky to have you.

Mike LeFever: Yeah, thanks for having me. Thanks, Justin. 

Justin Beals: Excellent. So first, I'd like to ask you a little bit about your career, your background. Both of you had very extensive careers in counterterrorism. Mike, from the perspective of the U.S. Navy. And Roderick, from an intelligence perspective at Scotland Yard, I'm curious how these different experiences have shaped your perspectives on national security or security broadly. 

Roderick Jones: I think if I look at my, my time doing it, I mean, I actually grew up in Birmingham in the seventies in the UK. And there were lots of bombs going off from, you know, Britain was being attacked by Irish Republican terrorism.

Then it was actually my mother evacuated me out of a department store when I was 2 when a bomb went off. So it, terrorism formed a backdrop to my life as I was growing up and I became very interested in it, I think, you know, sort of around 16. So it wasn't really my career that started that. It was, it was part of life in Britain, which is sort of thankfully forgotten now, and not, not really part of it.

And then career-wise, you know, I got interested in it in two ways: academically, and obviously, I did it for a living for the government. And you know that it changed from Irish Republican terrorism being the biggest threat to the UK to Islamic or Islamist-based terrorism being our biggest threat during the period I was there.

I was very fortunate or unfortunate depending on how you view it to work in, you know, from essentially 96 to 2004. So a very compressed period of time. And it's just every sort of terrorism going on all the time. And so I think the basis I have there is just really a deep understanding, almost instinctive understanding of kind of what those groups seek to do and how they use asymmetric pressure against large nation states or companies for anything else.

So in terms of how that informs going forward, that actually informs how you think about digital risk, how you think about, uh, information risk, how we're thinking about it, it's all about essentially asymmetric challenge. You know, when you have a very large organization with lots of power, lots of money, lots of actually connected power in terms of a country. How is a smaller group? Do you create asymmetric change there for them? Whatever reason, you know? So, I think I've used those patterns on ideas throughout my entire career. Obviously, then moving, uh, to America, very different national security setup and then creating private security companies.

You still sort of sitting in that space around asymmetry, you know, large corporations tend to face threats from small activist groups or individuals, actually, so you sort of still solving similar problems is a little difference in terms of how you diplomatically engage with national federal resources and things.

If you're a private company or enterprise. So, yeah, I would say, you know, that arc of history has had one constant, which is fundamentally understanding how you manage people who are very adept at using asymmetric means to create threats to large entities.

Justin Beals: Yeah, it certainly stands out that you had a childhood experience of dealing with, let's say, a conflict, right? And, how that's got to drive some interest in the space or resolution of conflict or understanding what's happening in the conflict.

Roderick Jones: And, you, one can have opinions, uh, either way on those things and tend to have them either way on those things.

But as someone, an American actually said to me last year, he said, fundamentally 300. Um, to people, you know, bogged the British state down in Northern Ireland for 30 years. It was very successful, I was like, yeah, I mean, it's not that many people were in the provisional IRA, you know, and you're like, yeah, it's that, that is, that is the effect of those things.

You know, they can, they can be very effective and I know Mike's had similar experiences with, you know, insurgent groups and such, uh, can bog lots of things down, but yeah. 

Mike LeFever: Come at it from an interesting perspective from a Navy perspective, I had the luxury of working with the SEALs quite a bit in different operations in the Middle East, but it really came to the fore during the earthquake experience and then later, when I was a senior mil rep in Pakistan, and then later at NCTC.

And I think from my perspective, what it taught me from national security aspect in the, in the threat environment, that was really networking, how they use, how they syndicate it was how much a team sport. It was how much, uh, interagency and all the assets blended together to be able to be effective in the fight, whether it was treasury department following the money, whether it was the other intelligence community agencies, the one, you know, what we normally call the F3EA process, which was find, fix, finish, exploit, and analyze. And so, you know, in that finding and exploiting was really the intelligence community and how much it had, as well as understanding all the different authorities that we have with Title 10, Title 50, Title 22, and other things, and how effective that is to be able to counter the, the terrorist threat that we're facing, you know, from simple things, you know, the non-kinetic stuff that had a quite a bit of impact.

I saw that from the earthquake. Our highest approval rating in Pakistan was from the winning hearts and minds during the earthquake, in a lot of ways was a lot more effective with the people and potentially some of the kinetic. Yet you needed some of the kinetic to take some folks off the battlefield, like Bin Laden and others, when I was there in Pakistan.

Justin Beals: Yeah, it's a whole different scale to the word security that both of you guys had dealt with. And I, you know, I imagine that in an intelligent situation, it's very subtle and quiet. But a lot of breadth and from a more overt, you know, nation relationship perspective, Mike, um, there's, there's just a lot of scrutiny.

Actually, you're getting watched a lot, aren't you?

Mike LeFever: Correct. Oh, very much so.

Justin Beals: I have been reading on the Concentric website a little bit and, but would love a description from y'all about what Concentric does and, and you're both entrepreneurs now in life, so we can share a little bit of business. How has building a business been? Maybe Mike, you can kick off for us as a CEO.

Mike LeFever: Well, it can touch me. It's just a really unique opportunity. I joined the organization about five years ago, and a lot of it was from my experience with national security and background, and I had an opportunity to join this great company that does a lot in the premium security and risk business, ultra-high net worth, high net worth individuals, in supporting them across the full spectrum from being able to remove personal data online with our clips to be able to pull that offline because we go to about a couple hundred different aggregate sites and are able to pull that information down because nowadays with so much digital dust out there, it becomes a threat.

You know, kind of a threat spectrum that people can attack. They can find out personal information about themselves, their assets, and so forth, to all the way through armed security and, and the like. And then also providing embedded support to family offices or large corporations, both intelligence and security aspects as well.

And that's probably from the, you know, from the tactical side, working with partners, you know, across the world to be able to do that. I'll give it over to Roderick who really formed the company probably 16 years ago and took it over and had the vision for it. 

Roderick Jones: I actually think, 

Mike LeFever: yeah, Justin, that 

Roderick Jones: I think the private security industry is really changing.

It's about to go through quite an evolution or maybe even a revolution here. As Mike said, we operate in some of the digital space through to very physical security globally, 24 hours a day. So, you know, we have a lot of reach and capability, but I think what I'm seeing particularly this year is because your nation-state-level threats are very high against leading industries.

Now in the West, the capabilities required of a private security company, a hundred times what they used to be. So our job has become, and I think Mike does this very humanly and I do it more technically is to make sure that we have the right human and technical assets to be able to support our clients.

I think we're pretty unique in that being able to do that, but I think, you know, if I can just, just do a straw man example. If you look at the growth in artificial intelligence, obviously, and that's the next boom, Microsoft spent a couple of dollars in that space in the last couple of years.

This, their threats are from nation states, you know, they have a, they have massive nation state threat in that space. And if you are now going to consult to those organizations like that, you have to have fluency in, in national state, uh, on national security in order to be able to translate that to your customers and bring relevant and legal capabilities to those customers.

And I think, uh, I would say that we're, we have a strong lead in that space, given the kinds of people that work for us who have worked in those spaces, and also, you marry that with a pretty strong history and in private security, I think, you know, we're able to do both, but I actually think this really is pointing to an enormous revolution in the kinds of companies that are able to operate in private security, there will always be a large behemoth.

You know, the three big sort of security companies in physical and the three or four big security companies in cyber, but increasingly that, you know, in order to be a new operator, I think you need those capabilities. And if customers aren't asking for those, they're asking for the wrong things. I would say, 

Justin Beals: Yeah, there's certainly like a lot of technical solutions to security, but I do think that at the end of the day, this is about feeling confident as a human being, being able to trust the relationships that you have, the tools that you're using. It's the asymmetry thing is interesting to me in this modality because a family office might have a high net worth, but the threat actors that want to go after them can be much better financed than they are. You may be shifting that asymmetry in some of these situations that you're dealing with. 

Roderick Jones: I think that's really, I mean, I would say from our experiences with family offices, here's, they have excellent capabilities in terms of financial analysis, deal-making network and be able to sort of, you know, deploy philanthropically as well.

So some public policy expertise in my experience, very, very shallow experience in national security by definition. The founders often are not former generals, but the founders who made the money are not, you know, with some exceptions, I mean, you know, obviously some people got rich doing cybersecurity, but they're a very small group of people.

I mean, everyone else has made money in social networking or, you know, services or mining or whatever. It's not the core expertise of that group of people. They're going to help you in that family office and then the family office industry, as they should be a set-up to manage the wealth and the, and the legal parts of that trust in the States. And they're not set up to think about actually what could stop the party. Which is security.

Justin Beals: Excellent. You guys have written a book. I had the great chance to read it. Thank you very much. I did really enjoy reading it. It was topical for, I think, myself and our listeners, where we deal a lot of times in crisis situations, especially as a cybersecurity leader or security leader at a company, you're going to have one, it's going to happen.

As a matter of fact, I had a conversation where I said, It's amazing to me that we actually don't give CISOs a little more space because in any situation where you have an adversarial opponent, you're going to not win some days, you're going to lose. And that's going to be more common than you imagine.

The title of your book is “End Game First, A Leadership Strategy for Navigating a Crisis”. And my first question from the book is that I'm going to quote, you say a crisis follows a predictable, if dynamic path, and you can learn to navigate it. Are you sure? Because it never feels like that when we're in the moment.

Maybe Mike or Roderick, you guys might like to lean into maybe how you realize that there's a method to this madness some days. 

Mike LeFever: Uh, it was interesting. You know, from the story here, I was at a strike group of 5 500 Marines and sailors committed the, and then I got pulled in to lead the earthquake relief. So doing it throughout the earthquake, and kind of looking at it and watching how this unfolded. Fast forward, I was sent back to Pakistan again as a senior middle guy.

And then again, it was this horrific floods that if you mapped it out in, uh, on a map of the United States, the flood stretched to basically from Maine to Florida, um, tens of millions of people displaced. But what I found fascinating throughout that, there was actually a sequence that formed. And so the idea, those initial moments when the incident occurs, as you mentioned, it's kind of a 911 moment.

You're just triaging, you're trying to figure out how to save lives, you're, and it's just, you just grab it, just, you know, getting out there and being able to do, do a lot of things from the, from the reporting you're getting and, and being able to try to stabilize it. The second part came because, when we realized that when we started moving a little bit and getting some of the things settled in this, you know, horrific, the earthquake killed over 80,000 people, 178,000 injured, 3.5 million homeless, Himalayas, winter coming, you know, very tragic. The flood started way up north, and then it was like this tidal wave that flooded through Pakistan, and knowing what was going to anticipate. But then it was the idea that, jeez, in these environments, if you didn't get the, understand the second and third-order effects that you had the spacing for sanitation.

You had clean water to be able to ride people. You were gonna have a tragedy inside the crisis already because of dysentery or cholera and all the other diseases that occur. And so it was anticipating what those things might be so that some of the decisions you're making could prevent those from ensuing.

And then, in any disaster, you want to try to get to normalcy as soon as possible. People wanted to feel that. In the earthquake and the floods, it was getting people back to schools, work being, you know, things that were normal, although it was a new normal that we all talk about. But the normalcy was big.

And then, you eventually got to the rebuild reconstruction phase. And what I noticed in these incidents and tragedies is that, you know, they followed a kind of pattern, and the pattern can overlap. You might have sections of the country that were in Phase 1 and others in Phase 2 or 3 and vice versa.

Or even lapsed in some cases, depending on what occurred. And so on that large scale, that's kind of what it presided. And then Roderick, you know, got a call from one of his friends who was going through a crisis and he, he kind of on a personal crisis or, you know, then with the Rubica, the company that we had as well kind of following a similar, when things happen, it followed almost a sequence, and it helped shape how you were going to make decisions and how you went about business.

Justin Beals: Yeah, you know, one of the things it's in the title of the book, but I found really interesting. You know, when I have had to deal with a crisis situation, maybe it's a business, maybe it's a security issue, maybe it's a personal issue.

There's a lot of adrenaline in the first couple of moments, I think. And you're grasping at, you know, how quickly can I solve this? And I felt like your first piece of advice was to define the end game. Can you help me? I think examples are helpful here. What's an example of an end game? Putting together a good one?

Roderick Jones: Well, I mean, I can give you two, one probably. But I mean, I'll start with the startup one. I mean, if you don't understand how you want that company to end at the beginning, you're going to make some serious planning decisions. And I think a lot of people, me included, fall in love with an idea, fall in love with the company and just think you're gone forever.

Very unusual for that to happen, right? It's acquired, or something's got to happen that ends it. Right. And I think that when Mike told me that actually the story of, of, you know, the crisis management, I thought it was, well, actually running a startup venture-backed startup very much felt like just an ongoing crisis.

And we hadn't got a very clearly defined end game for the company. And I think, you know, you, if I'd have known, had a better idea at the end, at the beginning, we'd have made better decisions. So, that one, and I think just right now, I can't help but think about the war in Israel, because clearly the Israeli government doesn't have a clearly defined end game. They did not.

Justin Beals: Yeah. 

Roderick Jones: I mean, and this isn't, shouldn't be a controversial opinion. It's just a military one that, you know, invading a country or a territory and not having a plan on how you're going to leave and how it ends really does, you can see create these cascading issues. And I think, you know, we were fortunate enough, a former colleague of Mike's who's on the, our advisory board was sort of outlining this to us recently.

He'd been over to Israel and talking to the IDF and, yeah, I mean, tactically, okay, they're doing what they're doing, but strategically, they're losing because they have no clear end. So I think, you know, the idea, and I use those two examples, one incredibly macro, one quite small, because I do think the idea around crisis, the ideas around crisis management do translate into such different areas and, you know, running a startup or actually something Mike and I have just recently done.

We acquired a company that was, you know, had some financial difficulties and bring that in, but that very much relied on, okay, where do we want to be at the end of the year? What's the end state for this? And it just calms everyone down. It calms you down, but it also calms everyone. This is very recognizable.

We know what this is like. Oh, we got locked out the email, whatever it is. You know, that's the crisis of the day, right? Fix it, move on, next thing, because we know by January 2025, this is going to look this way. This is the end state for this. So I think it's a really interesting idea because it translates into so many different spaces.

And I think that's, that's really why we wanted to write the book because when Mike was telling me about his very intense macro experiences, I was translating them into our very micro business world and just being like, Oh, there's a lot of value here. Yeah. You know, because there is actually an anatomy of a crisis.

There is actually a set way these things happen. People are human, and it's almost like the reason why Shakespeare has resonance today, it's based on a set of human emotions. The stories are the same. They just look like Die Hard in 1980, you know, it's just changes, but that's why crisis, you know, human crisis is generally human.

So they, there are translatable things. 

Justin Beals: In that vein. And Mike, I think as you projected end games. I like what Roderick said about being calm. You know, it, it's easy, especially if you're a leader to soak up that adrenaline and start, punching out the paper bag, but I've found, especially in working with a team that's in a Would you agree?

Mike LeFever: Yeah. Whenever you go in, and you go into environments where you see op centers or whatever, if you see a lot of chaos or noise, it's kind of like, ooh, this probably isn't good. And, you know, as a leader, you have to create the environment, and people look to you as kind of that guiding light that be able to be calm and be focused on, on what you're on, what you're able to do and helping set the stage as Roderick mentioned, you know.

Focusing on an end game, it calms everything down, it helps shape your decisions, it helps shape that there is a path forward and we can get on board and there'll be a series of setbacks, ups and downs and, but at the end, you're still focused on that strategic end state of where you want to be at the end of it. And it provides that vision or that common purpose that everybody can focus on,

Justin Beals: You know, especially in a cyber security incident, information is difficult that you're, you've got, you know, this moment where you realize there's been a breach, you're trying to respond with your team and I was a little curious because y'all have dealt with the deluge of data. And trying to make decisions, understanding that time is sensitive, you know, for the outcome you want, how, how do you kind of evaluate with the stress with the deluge of information and perhaps adjusting your end game as you're receiving new information? I'm just a little curious if you have any experience in dealing with that.

Roderick Jones: Yeah, I think, I think, you know, your end state obviously changes if new information comes in. I think, I think it's almost, I guess, I think the idea is just to have the practice of having the end game. I mean, I don't think you set it and forget it. I don't think it's anything like that. I think particularly with the cyber breach, one of the biggest issues there is you are desperate to understand very quickly what the limit of the damage is because the cyber has got a different effect to a physical effect, where with a physical security incident, you can understand relatively quickly what the limits of that are, you know, if someone's died or if there's a building's collapsed or, you know, there's, there's this, you can get your arms around.

Problem with the cyber incident is that you actually don't know what the limit of the liability is or where all the data's gone. It's very hard to actually get that, get that marker put down quickly. So I think, you know, whereas you're probably going to set a plan and have an end game in mind for a physical incident, a cyber incident, that's going to be a bit more adaptable, depending on what Mike would say, like some of these second or third order effects of where the data's gone, reputational impact, legal impact, you know, there's just, there are just the serious set of cascading efforts, you know, effects in a cyber incident.

So I think necessarily as that data comes in around what has been breached, where it's gone, what you're doing to remediate, I think your, your end state is probably going to change depending on that. You know, it might be that, you know, we're trying to limit reputational damage versus legal damage versus whatever.

You're just going to want to try and cap it at some point. And that's obviously going to be quite fluid. So I think, yeah, it does change. 

Mike LeFever: Yeah, what, what supports that is, you know, kind of most of the strategic planning aspect of that, you know, and knowing full well, we've done a couple tabletop exercises and red teaming to kind of go through what, what is it you can't, you can't do everything.

And of course, you know, the famous story is, you know, plan survives first contact, but at the same time, part of the strategic planning allows you to set, you know, kind of some examples and, you know, it's not always going to go like that. But, you know, at the end of the day, some of the things that could happen to all the branches and sequels, but to have that vision of where you want to be and solve for that from a company's perspective is, is, is quite impactful and, you know, highly recommend that portion of it to be able to do it.

And there's enough examples out there that you can look at from after-action reviews or whatever, and, and try to adopt or apply those principles. Because when it happens, it can be pretty dynamic. 

Justin Beals: When you guys do tabletop exercises or your own red teaming, do you break your exercises down to the four phases?

We're going to talk about the four phases of a crisis here in just a second. Do you use it as a part of the architecture of the crisis? 

Roderick Jones: Yeah, I mean, I think it's, it's really interesting, uh, to see things that way, you know, and, and, um, but we're both kind of, we both like the idea of red teaming. I mean, like as a broad principle of security anyway, I think it's one of the more valid things you can do, you know, uh, to kind of break, try and break things, see what's there and see how people respond to that.

It's obviously very difficult in an exercise because you don't get the true panic. People know it's an exercise, but you know, yeah, absolutely. We, you know, the ones we've done, we, you know, we'll sit back, see how people respond. Like, Oh, well, you know, this is the communication phase. I'm sure it irritates people, but

Mike LeFever: It, but it does. It's kind of, cause it helps shape your, your initial responses, you know, when everybody's on the same sheet of music to have that, to kind of take a look and empower people and know what people's roles and missions are to be able to decide that, you know, kind of how quickly that interruption to break that connection from the cyber attack or ransomware attack and how does that happen and then, and then knowing those steps to be able to take those initial triage, man, let's see, you know, okay, what, what else can we save? And what do we know? And then to be able to proceed and get to the next phases.

Justin Beals: I'm on a little bit of a tangent here, but I also think it's critical to communication, right? Like if my team is practice, there are four phases to this, and we can say to each other, what phase we're in, we're just a lot more efficient in the moment about our teamwork, right?

Mike LeFever: And also help shape your decision-making because there are some things in the beginning, you're not going to have perfect information, and you know, a lot of the things for those learned was maybe the first report isn't always the most accurate or most responsive and how do you respond to that and how do you understand that and through time how you can take more information to get better decision making. 

Justin Beals: Yeah, well, that leads us to the 1st phase here in the book. It's called the 911 moment. It's that just realize there is a cry. That email came in the inbox, I got the phone call. Something is amiss. Someone raise something in our system. Slack security channel. And so maybe just one of y'all might like to briefly describe in your words, a 911 moment. But the other thing that I think is interesting, Mike, that you brought up is situational awareness in that nine one.

Mike LeFever: Roderick, if you want that one or… Okay. Uh, 911 is just that it, man, it's the initial crisis. It's triage at its finest, you know, for the earthquake and floods. It was about saving lives. It was getting people stabilized. There is millions of people cut off from roads and infrastructure. So how do you handle that with the cyber incidents?

It's, and just someone took over your system. What do you need to do? And immediately, you know, break that, you know, it's, you know, it's not a matter of, if it's when it's going to happen, a lot of, you know, a lot of things that we know about where, where folks are and where they are on the network. And so, how do you isolate it to minimize the impact and be able to immediately get into those next phases to be the continuity of business and so forth.

And so it was kind of the rapid decisions that kind of, and that's in some of the most preplanned responses is, okay, let's stop. Let's figure out where we are, what's happening. Let's try to get that situational awareness or common operating picture. What do we know? And try to validate that across the team so that they can execute and take different actions from the communication internally and externally to what you do on the system itself technically.

Justin Beals: Yeah, I think the pre-planning is really interesting, right? Because in the 911 moment, that's the information is so random that really, you need to have a process that you're going to execute.

Mike LeFever: Very much so.

Justin Beals: Roderick, you know, phase two is the second and third-order effects. And certainly, during a major data breach or cybersecurity incident, I often describe it like, uh, you're wrestling an octopus, you know, there's a lot of tangles to the thing. Tell me about your thoughts about the process of navigating this phase.

Roderick Jones: I think I, I mean, I know Mike has probably some more practical examples, but my. I'm going to make a comment here or a sort of a call out. I think this is where you need actually where the leadership calmness really comes in because okay, 911 you're running around, you obviously presence is really important there.

But while people are doing whatever it is to remediate their crisis, somebody needs to be sitting back and thinking, okay, what's the knock-on effect here? What else is this going to impact? How do I get ahead of that? So, how do I actually start like trying to create a more steady situation? So I think my, my call out here would be like, this is actually where the leadership of organizations comes very strongly to actually somebody needs to be thinking about those and be able to, and to be able to start acting on those.

Otherwise, you're going to have a set of, you know, worse crisis than you needed to. So I would say this is where the calmness, the slight detachment comes in and the sort of, okay, right, well, if we take that action over here, like a cyber breach being the example, the jaw, but like, if we, if we take this action over here, let's make sure that doesn't trip over a set of legal requirements that we have over here that are going to give us a worse headache and set up, you know, lawsuits down the line, you know, so we're trying to do the right thing to solve this thing, but we can actually make things worse if we don't understand knock on future effects of some of the actions we're taking.

So, I mean, that's from my business perspective, but I know Mike had some real world, more examples from the, from the earthquakes and such.

Mike LeFever: Yeah, I think what Roderick points out is, is key, having done some command and control experience in the background and watching things during the moment, that idea of someone sitting above the fray, so to speak, you know, because people can get very drawn into the tactical, but get very myopic about what they're trying to solve and forget about the bigger picture that you're trying to solve.

And so having someone in the organization that can kind of, kind of oversee it all. And, and be confident on what's going on to be able to gather information, get the intelligence that you need to be able to build that common operating picture, to be able to see and map and look at, you know, what's next and what do we need to do?

But that is such a key figure in any organization that during a crisis about someone, as Robert mentioned, almost a detached that sits above it and is watching the entire team play. And have that overall view to be able to bring things together. 

Roderick Jones: Yeah, absolutely. Interesting. One, just talking about it as a really practical example, as a young man, going back to counter-terrorism, you know, what's the IRA provisional IRA were very good at when they were attacking British targets, either on the mainland or in Ireland was to plant a bomb, but they'd always put a plant, a secondary device where they thought we would set up our rendezvous point.

So if you were the first on the scene, you had to set. You have to be very mindful of setting your rendezvous point for ambulances and everybody else knowing that likely the attackers had already figured, you know, that you might run over there. And so you'd have two or three, and also not to communicate those over radio because they would blow those as well.

I mean, it's a really like, almost a macabre example, but you know, we were trained in that and you know, for that period of time, if you were the first one there, you were in charge, right? Until somebody else comes in a higher rank. So I just, as we were talking, I just thought of that. It's that kind of, you can make the thing a whole lot worse by not just having these procedures or just thinking through just that moment of calm when everything's going nuts just to think, well, okay, this could go worse if I don't make some good decisions here.

Justin Beals: I think it's a prescient example, Roderick, and certainly Mike, I've made things worse in a crisis, you know, and to your point, Roderick, like having someone that's a little pulled back and that is watching the forest for the trees can help us, you know, make sure that we're not going to make the situation a lot worse than it already is over communicating perhaps before we have true information that we can share or or being led on a little bit of a wild goose chase or exposing a flank that was secure, but you're trying to solve a problem quickly and you create a worse situation. And we've seen that in some breaches. Uh, where a small breach led to enough intelligence to create a much larger data breach later on.

Yeah. Excellent. So let's talk about phase three here. I, I don't, you know, it seemed a little bit magical, honestly, as I was reading, but the steady state. Maybe Mike, you'd like to lead us talking about the steady state. 

Mike LeFever: Yeah. You know, as you, you know, kind of, depending on how big the crisis is and then working the phase 1 and phase 2, and you've kind of get to a point, like I mentioned earlier, getting back to normalcy is so key to stabilize.

Also, the folks that are being attacked, you know, are affected by the casualty or crisis to give them that sense that things are getting back to normal. You know, things are starting to operate, you know, whether it was even like for COVID, you know, everybody was shut down and, you know, locked in and unsure what was going on.

You know, and then be able to give them the stability, this is where we're headed. And so that normalcy then allows you more time to absorb and to make adjustments, and that's when you make adjustments maybe to how you're making decisions that all support that end game. What that strategic end state was. For me, during the earthquake, it was, it started getting routine to be delivering supplies and medicines and shelters and food, getting folks back, having medical facility set up in a field and triage and they needed to come back, but that idea of, okay, we need to get schools. We need to get people back to work.

We had an opportunity to train some of the women in different skills, because now there are these internally displaced camps. So how do you educate so that when the time's right to get back to the village or get back to the testle that, you know, things are, things are more, you know, or even you get advantaged by that because and prevent that crisis in a crisis.

And then the B starts preparing as how you're going to rebuild and reconstruct to get back from that, from that casualty that was so devastating or crisis. 

Justin Beals: The steady state can be a little dangerous. It can start to feel like the new normal, but that's not it. There is a phase four, right? So you're driving inevitably at a reestablishing of normalcy.

Roderick Jones: Yeah. What we thought was interesting about this was that, I mean, this is sort of our own expert, but obviously some of Mike's. And then just again, why we think that these are somewhat universal principles is that somebody has to decide the end of the crisis. You know, it's kind of interesting.

I mean, and I think, you know, I'm going to probably misspeak, but I think California maybe declared an end to the COVID crisis, like sometime in 20, at the end of 2023, you know, it's been over years, you know, it was just like, well, you know, but I mean, so they were a little behind, whereas, you know, we realized that for the company, we just had to say it's over, you know, now we were like one financial quarter off that we sort of said at the start of 2022, it's over now, we're going back to work and we're gonna have a big party and all this, but then, you know, there was like another surge caught that first quarter and we had to adjust plans.

But I think us saying that just was really important because, you know, there's always lingering reasons why the crisis can continue, but you just have to call it. And I think what was interesting about that is there's no magic kind of like power that does that. It's just, we're calling it, you know, so we were operating pretty normally at the start of 2022 and then we were going overseas, and still there were a lot of restrictions travelling back into the United States with, you know, COVID testing.

And so, you know, the world didn't agree with us, but it was 2022 and you just had to call it, you know, I think, you know, Mike has that great story about the kind of medical things people were asking for in Pakistan and you're like, yeah, okay, I think we're going to call this. 

Mike LeFever: We had a kind of a Marine Navy Marine Corps hospital up in one area of the FATAD and we had the MASH unit and others.

And so we were watching, you know, what type of disease or maladies and treatments and when we were no longer in very intense surgeries and rebuilding and so forth, when they started coming in for, well, we know you're an American hospital. Can I get a facelift or can I get, it's like, okay, we're not, this is a match.

We've reached our end game. Close it down. 

Justin Beals: No, that's awesome. Well, that's exceptional. The book does a great job of laying out the four phases, but then I think one of the things that maybe is not explicitly stated in the book but seemed to me to be a really important lesson throughout the book was how critical preparation is in dealing with a crisis.

I mean, is it 80 percent prep to be an effective crisis manager, or 20 percent in the moment? Where would you put the dial? 

Roderick Jones: That's a good question. I think preparation is really important. You know, what we find, I think it's, I'm going to say again, it's very people orientated. So, I mean, it is, it's one of those areas that experience really counts, you know, it's people that have been in the room, I've seen it before, you know, you just, if it's your first time in a crowd, I think you're having a mentor there or somebody you can lean on or just somebody I was seeing, I think is really important.

And, you know, it just is. And it's not necessarily, you know, no crisis is alike. Things are always going to be different. So you're not going to draw on the same expertise each time. But it's just that knowledge that this will end, we will get through it. You know, it's, there's lasting effects potentially, but like, it's not going to. You know, we'll get through it. I think actually very human experience really helps. And I think some training really helps organizationally and individually. Those are, those are always good things, but yeah, it's, I would lean heavily on experience really, really helps you.

Mike LeFever: Yeah. I think that mindset of, you know, preparing briefing, what to expect, how it's going to happen, whether it's tabletop exercise or planning.

And then when the event occurs, and then, you know, needless to say afterwards, the, what lessons did we learn from them? 

Justin Beals: Yeah. And it's not just internal preparation, like the team we have internally, you guys highlight external preparation. And Mike, I'd like to highlight an experience you had, and you describe in the book, you know, you served as a joint task force commander in Pakistan when the news broke of the Navy SEAL mission to capture or kill Osama Bin Laden.

And in your book, you highlight this as a crisis where these external relationships were critical to your success. And you specifically call out checking your ego as one of the methods of building those relationships. And I'd like to highlight it because I don't think we do very often in positions of power.

Whether I, as a CEO, you as a critical leader in the military, you know, how do you, how do you step away from yourself a little bit in that heart, heartwarm way? 

Mike LeFever: Yeah, that's a great point. You know, that idea, cause in a lot of ways, it's, it's our abilities and ego get got us probably in a position.

And now in the, the moment though, it was really about the mission, what you needed to do and what was best for the cause. What was best for your company? What was best for the interests in this particular case? And so there was a lot of, you know, competing priorities and institutions and organizations in the military and across government when these occurred and, you know, taking the limelight for what was going on.

But, you know, in the Bin Laden raid, what was fascinating is if you look back at the Desert One incident and Iran to where we've developed joint special operations to where we were today, that I think people can be extremely proud of how these incredible organizations, powerful organizations across the U.S. came together to be able to be supported. And we talk about it a little bit in the book, kind of this almost not a command and control relationship where I'm in tactical control and I can order you where to go or operational control and affect your money and whatever it was about, who's the supported individual or in this particular thing or supported organization.

And then how did the rest of the units provide that. So it's a supported supporting relationship. And so when I, you know, from the earthquake or even from the military perspective, for the bin Laden raid, you know, of course, the joint special operations and all the capabilities that had, and it was under control of the Title 50, you know, CIA run, but, you know, as even though we had kind of the force, the talent, the goods, you know, I talk about, I had all the toys, all, all the people, all the assets, it was easily to say, excuse me, I'm in charge.

But when you sat back and looked at what was the mission, what was it we were trying to accomplish, it was about how do we go about this and solve that for the earthquake? It was how do we present, you know, the U.S. support for a friend in time of need that supported us after the 9/11 attacks to be able to sponsor and to move stuff through. And we were still doing quite a bit of that in the same way that bin Laden thing, is that even though it's like, you know, we still needed to carry on the attack against Al Qaeda and the terrorist groups. And so we needed to be able to do that. But how do you do that as a whole? It was about the US government, not about an individual.

Well, you know, it was, if it wasn't for me, it wouldn't have gotten done. And so that checking that ego at the door to be able to do that for the mission was I think quite critical, how you viewed it and how do you provide that supportive, supportive relationship? 

Justin Beals: I'm not sure if you've seen this, Roderick, I certainly have in building companies that if I step away, personally, in a way, but to Mike's point, make the goal of our combined entrepreneurship, our company that we're building, the thing that we're focusing on, it's not about me being the CEO. I'm actually here in service of building that business, just as much as a junior dev might be on the team. Right, Roger. 

Roderick Jones: Yeah, I think, and I actually said this to someone the other day. I think I fired myself twice as CEO because I wasn't the best person for the job. And I mean, I think that's really important. I think, you know, you, 'cause you're not, I mean, because if you are forever, it just means that the thing hasn't grown, you know, I mean, the company and the organizations generally the different things at different stages and you, you know, you have to kind of change on this. I certainly think I'm good. Probably like you, I just said like that very, that initial stage, get things going, like the rubbing the two sticks together and creating fire, I can do that, but you know, after a couple of years of going, it's probably, it's probably not, I'm not, not your guy.

So I think it's important that, yeah, as Mike says, you build its focus on, yeah, you might be the CEO, but you're actually doing a job in the organization that you can clearly define, and probably someone else is better to do it, you know, as you go on. So it's yeah, I would say that's true. But you don't see that. And it's actually a red flag. It should be a red flag as an investor. If people don't. I'm able to articulate that, you know, I was, maybe, maybe it could be like one of those crap questions that VCs ask founders, like, when do you anticipate firing yourself for this kind of thing? You know, maybe, you know, maybe they should add it to their barricade.

Justin Beals: Well, if any of my board members are listening, just let me down easy. I'm open-minded. Mike and Roderick, what a joy to have this discussion with you today. I'm really grateful for your book, and I actually highly recommend it, especially for teammates that are moving from a security researcher position or working in cybersecurity into a leadership role.

Uh, I think there's, this is a great roadmap for how to go from dealing with the tactical problems and actually leading a team through a crisis. I thought it was brilliant. So pleasure having you both on the podcast today. Thank you for joining us. 

About our guest

Mike LeFever & Roderick Jones Concentric

Vice Admiral Mike LeFever, USN, is Concentric’s CEO. After four decades of service, he completed his military career as the Director of Strategic Operational Planning at the National Counterterrorism Center. Renowned for navigating cross-cultural environments and building high-performance teams, Mike has been responsible for significant achievements in US national security and private sector growth and profitability.

Roderick Jones is the Executive Chairman of Concentric, one of the most influential privately held security firms in the country. He began his career with Scotland Yard’s Special Branch, focusing on international terrorism, and has worked with several high-growth Silicon Valley companies.
