July 26, 2022

Cyber Espionage & Entrepreneurship with Karim Hijazi

by Hacker Valley Studio

Show Notes

Karim Hijazi, Founder & CEO at Prevailion and host of the Introverted Iconoclast podcast, comes to Hacker Valley Studio to discuss his varied experiences in entrepreneurship. With a humble start in bartending, Karim explains how learning about people inspired his exploration into counterespionage and cybersecurity. Armed with stories from the streets of NYC to the hallways of his own companies, this episode is a look into the mind of a successful entrepreneur and founder of 2 incredible businesses.

Timecoded Guide:

[00:00] Bartending in NYC and its overlap with espionage and entrepreneurship

[07:14] Real-life knowledge application in cyber intelligence 

[12:15] Founding Unveillance and being acquired by Mandiant 

[18:22] Karim’s entrepreneurial mindset and his journey with Prevailion 

[24:51] DIY podcasting with Introverted Iconoclast and learning to tell his stories

 

Sponsor Links:

Thank you to our sponsors Axonius and AttackIQ for bringing this episode to life! 

Want to learn more about how Mindbody enhanced their asset visibility and increased their cybersecurity maturity rating with Axonius? Check out axonius.com/mindbody  AttackIQ - better insights, better decisions, and real security outcomes. That's why we partnered with them to create free cybersecurity trainings! Check it out at academy.attackiq.com

 

How do your experiences in bartending and espionage overlap?

The jobs taken as a means to an end just might teach something invaluable. This was the case for Karim, who took a job bartending to make ends meet while he figured out what he wanted to do with his future. At the time, cybersecurity and counterespionage weren’t on Karim’s radar, but bartending taught him about people; how they act when they want something and how to connect with them even in the busiest and most public places. Learning this changed the game for Karim when he got into the espionage world and assisted him even more so when he became an entrepreneur in the industry.

“It's just learning the way to slowly gain a confidence level with someone. It's actually where the word "con man" comes from, confidence man. Ultimately, that is how you get the information you need.” 

 

What are the different aspects that organizations or individuals look at with counterintelligence?

At Karim’s own firm, the shift from competitive intelligence to counterintelligence focused around three security aspects. One, identifying weak spots and vulnerabilities, noticing your points of exploitations and vectors of attack. Two, taking advantage of disinformation, using it to root out moles within an organization and throw off cyber adversaries. Finally, three, finding out where your information is going and noticing where there is weaker security than your own. Karim emphasizes that in this third aspect, it is not so much about an organization’s strategy when the information is still at home. It’s harder to secure information once it goes elsewhere.

“A controlled rumor within an organization can do several things. It can weed out a mole that you may have, a spy within your organization that maybe you don't know about, that's been able to be hired and gotten through the background checks and whatnot.”

 

When you look back to starting your journey as an entrepreneur, what are some of the wrong assumptions you made early on? 

Karim, like many entrepreneurs, was under the impression when he founded his first company, Unveillance, that he should be seeking to hire, not to do anything himself. While hiring is an important part of being a business owner, Karim has realized that it's better to learn how every piece of the machine of a company works before hiring. Trying things out for himself and taking a chance on his own abilities hasn’t been easy, but it’s made him a better leader for his employees. If they drop the ball or need his assistance, he’s able to lead from a place of understanding and call the shots with his own vision in mind and his own knowledge to back him up. 

“As a CEO, it's almost imperative for you to go and try it all, even if you fumble through it and you get by with something that is subpar. It's better to have tried it and understand it, so now you know how to call the shots a little better.” 

 

What prompted you to start your podcast, Introverted Iconoclast?

Ironically enough, Karim’s podcast was a do-it-yourself project born out of having an employee drop the ball on creating it for him. Relying on himself and struggling his way through the beginning, Karim realized that podcasting is not just about the equipment and the idea behind it, it’s about the stories being told. Focusing on the lead up and context around some of his own career stories and professional highlights, Karim was able to discover the rhythm for his podcast and build a solid foundation of content that opened up doors for new topics to be addressed and new guests to welcome onto his show. 

“It's very cathartic for me. Speaking the stories out loud, rather than just sort of regaling people over a dinner or thinking back on them nostalgically, is extremely interesting because you remember things you don't remember when you're casually talking about them.”

---------------

Links:

Keep up with Karim Hijazi on LinkedIn and Twitter

Check out Prevailion on their website

Connect with Ron Eddings on LinkedIn and Twitter

Connect with Chris Cochran on LinkedIn and Twitter

Purchase a HVS t-shirt at our shop

Continue the conversation by joining our Discord

Check out Hacker Valley Media and Hacker Valley Studio



Transcript

Hacker Valley Studio 00:07
Who says tech can't be human?
Karim 00:10
I think in the earliest days, a lot of it has to do with just getting started. That's the number one reason I found people to stifle their own dreams and actually withhold doing things for themselves. They say, "Well, I just can't afford someone, I can't get employees. I can't do it because of this or that," try it.
Hacker Valley Studio 00:30
Welcome to the Hacker Valley Studio podcast.
Ron 00:36
We get it. Another vendor running another podcast ad, trying to get you to check out their product. Instead of explaining to you what our amazing sponsor Axonius does, we've brought in an Axonius customer to fill you in. Take it from Jason Loomis, Chief Information Security Officer at Mindbody.
Jason from Mindbody 00:55
The sheer excitement of my team to have visibility into what's in our environment, and have it all in one location is just— I can't express how important that is for us.
Ron 01:06
Want to learn more about how Mindbody enhanced their asset visibility and increased their
cybersecurity maturity rating with Axonius? Watch the video at Axonius.com/Mindbody.
Chris 01:18
What's going on, everybody? You're in the Hacker Valley Studio with your host Ron and Chris.
Ron 01:30
Yes, sir.
Chris 01:34
Welcome back to the show.
Ron 01:37
Glad to be back again, along with a very special guest today. Our guest this episode is Karim Hijazi. Karim is the founder and CEO at Prevailion. He's also the host of his own podcast called Introverted Iconoclast. Check it out, he's dropping episodes all the time. Karim, we are excited to talk to you because of your experience in intelligence and espionage, but also your experience as an entrepreneur. It's a pleasure. Most importantly, welcome to the show.
Karim 02:08
Ron, Chris, thanks for having me. It's a pleasure to be here.
Chris 02:10
Pleasure to have you on the show. You know, you look at your resume, all the incredible things you've done. Intelligence, starting companies, doing cybersecurity stuff, but I'd have to say looking at that resume, the most interesting out of the bunch has to be you getting your start as a bartender in New York. What in the world? That had to have been such a learning lesson just in life in general, what were some of the big takeaways from that experience?
Karim 02:39
I'll tell you in one fell swoop, it's the best spy training you can possibly get anywhere in the world. You know, social engineering at its best. You're there to pitch drinks and get people to cry in their beer in front of you, or get really happy very quickly and drop their money on the table. It's incredible training, but yeah. Unbelievably, it wasn't linked, that bartending experience didn't necessarily link in any way directly to what I got into with intelligence, but without question to your point, the lessons you learn behind the bar, in New York City especially, are invaluable. You learn a lot about people. The sociology and psychology of people are kind of generally the same no matter where you are, around the world, and you see a lot of that when people are socially inebriated with alcohol. So, it's a very interesting
experience. And I was young, and so I was quite impressionable. I was able to kind of ingest a ton and just take it all in and then absorb it over the next few years going, "You know what? I wonder if this tactic might work." Because a lot of intelligence fundamentally is all about relationships, ultimately. You're out there building connections to people to be able to establish more connections, and they're a third or fourth degree of separation away. That's essentially what you're doing in any kind of social scene like that. So, that's a little bit abstract, but yeah, those stories are abound. I think I dropped a few of them in my podcast, but there's many, many more where those came from.
Ron 04:01
I love that. Chris keeping you on your toes, asking you about your experience bartending. You know, it's very interesting about your background, as you mentioned, the espionage, but also your entry of just working class in general, working at a bar. How do these two things overlap? I would love to hear your definition of espionage, and also tell us a bit about the highlights of working in that type of focus and industry.
Karim 04:30
Certainly, yeah. So, the bartending really was just a means to an end. I moved to New York City with the intention to become a photographer. I had formally been trained as a photographer, I had all these grand delusions that I was going to get to be one. I did indeed get to be an assistant for a pretty prolific photographer in New York, which was wonderful, but that didn't pay the bills. So, that's what led to the bartending. So, it was really just something I fell into it by happenstance. Interestingly enough, that led me down a path with, as I mentioned, getting to know number of people. And then, I decided, just in one day that I had enough of that, my days and nights were blending together, I was young enough to make a change, but I wasn't old enough necessarily to not, the best way to explain it. I moved back
overseas, which is actually where I grew up, we can get into that later in the show if you're interested.
Karim 05:17
I joined a company that was very, very boring, and the company did something very, very boring, but for very big, big companies. They basically helped them win contracts in the oil sector. I sat there, trying to do a job that was somewhat clerical in nature, and one day, there was an ask of the company to find out what a bid might be against a competitive company. I asked the management of the firm, I said, "What do you guys normally do in this case?" And they're like, "Oh, well, we leave it to the vendors to figure it out. They've got these teams, and they'll do their investigations and whatnot." So, to be clear, in order to answer your question regarding espionage, I was in a corporate side of this business, I was the one getting information on behalf of a client so they could win. There are certainly governmental agents
like this, that do a very similar job, but for socio geopolitical reasons and whatnot. We're very similar creatures, we just have a different target and a different audience.
Karim 06:14
Ultimately, I literally went on my own accord to try to get that information for my client within the company I was working for and managed to do it. I'm not telling any details here, but the short version of what it entailed was simply asking the right people the right questions that didn't know any better, and they would tell you, and it is usually that simple. It's just learning the way to slowly gain a confidence level with someone. It's actually where the word "con man" comes from, confidence man. Ultimately, that is how you get the information you need. Now, hacking, which is fast forwarding to where we'll probably get to in the conversation as well. It's no different. It's just the electronic version of the same thing. So, a lot of what I learned during my intelligence days, translated directly into my counterintelligence and then, ultimately, my cybersecurity career. So, all of these things are sort of linked together. All of it again, stemmed from bartending where I learned how people actually worked and how they think and what they do when they're interested or not interested, and how to get them
there.
Chris 07:14
Yeah, 100%. Ron, and I, we got our start in the intelligence community. I was in the Marine Corps, he was a contractor, but I do feel like there's a lot in our lives that we take from those experiences and bring into real life, and vice versa. Obviously, you had some life experiences that you brought in to your intelligence capabilities. Is there any story that you could tell that really personifies real life knowledge or experience that would apply to something like intelligence?
Karim 07:43
Oh, definitely. If you watch any person in a social setting, and one of the stories I talked about in one of my podcasts talks about a strategy we use that we used to affectionately call the trinity. It included using three operatives that worked for my firm, ultimately. One operative would get to know the target fairly well, by happening to run into them after a certain amount of recon and understanding where they may be, and the information that that first operative would gather from that first interaction would be conveyed on to the second operative. Then, that second operative would go meet the same target somewhere else at a predestined idea of where they might be, and this is the part to answer your question. It's amazing when you build any kind of rapport with someone, even if it's something as simple as, "Oh, I'm from the same hometown," or, "I grew up in the same way, I at the same things and I went to the same grocery store." People open up.
Karim 08:35
And then, the social dynamics between men and women. In many cases, I would have women
operators work with me, for the fact that a man is very quickly eager to share information they may know, just to gloat or show off. If they just do the right kinds of things, and we do this, I'm married with kids. So, I don't do this anymore, but when you're in your dating scene, you know exactly what I'm talking about. The amount of information that flows forward by people in an effort to gain the affections, or the validation, of someone is incredible. Real life is the training grounds for this, and I know you guys probably know this from the military as well. It's exactly what they would tell you when you're in a foreign environment, where friendliness, willingness to listen, and just keep your eyes and ears peeled to see what people are doing and how they're being leveraged is the way to get the information you need. Not to mention financial motivation, that's s a huge one as well. So, it's interesting because people think it's a mystic art. I'm sure, as you both know, it's really not. It's just understanding the psychology of how people function. Unfortunately, in the modern world, when it comes to cyber, the lack of education is what people prey on now. Clicking emails that shouldn't be clicked on, telling
people what they want to see or hear, and getting their curiosity piqued to where they'll click something, and that's essentially how these guys do it today.
Chris 09:48
When we're looking at the word espionage, especially providing a service with anything dealing with espionage, you typically hear counter-espionage, trying to stop these bad acts and prevent espionage from occurring. What goes into counter-espionage? I would imagine that, obviously, it's the defensive components, but what are some of the tenants or aspects that organizations or individuals look at?
Karim 10:14
Sure. So, my firm actually shifted from being a competitive intelligence company to being a
counterintelligence firm. The core principles of my firm were to do some very key things. One, identify where your weak spots are, your vulnerabilities, your points of exploitation or vectors of attack, attack surface, what kind of people are more susceptible than others within the organization. Who would be easily manipulated into giving away information? So, looking for, essentially, where someone like myself would be targeting, right? So, I literally would say, "Alright, if I were to do this, this is exactly who I'd go after." You need to fortify these parts of your organization.
Karim 10:54
The other thing that's interesting when it comes to counter, and it's not as well documented or shared as what I just mentioned, is the notion of disinformation. I know it's an extremely inflammatory word these days with everything going on, but it is absolutely a utility and a tool. A controlled rumor within an organization can do several things. It can weed out a mole that you may have, a spy within your organization that maybe you don't know about, that's been able to be hired and gotten through the background checks and whatnot, and is actually siphoning information out unbeknownst to you. That's a very powerful tool, and disinformation can send your adversary off on a wild goose chase and basically cost more money for them to come back on the course than it's worth, and they'll jettison the whole project.
Karim 11:37
Lastly, the whole notion of counterintelligence, basically finding out where your information is going, and what places it might go to that has weaker operational security than what you maybe have, and making sure those defenses carry it all the way through to its intended destination. It's one thing to build a castle moat strategy with your organization, it's an entirely different thing to secure your information in some fashion elsewhere, when it leaves your site. So, those are sort of three core tenants of how you would build out a sort of a system, or countermeasure system collectively. Of course, it's much more involved than that, but at a high level, that's sort of where that lands.
Chris 12:15
These systems that you can get from the military, or the government, or just your classic intelligence tradecraft, that really applies to a lot of different things. That's how I went from doing intelligence to doing more cybersecurity centric things, and I did it through starting my own company. I was at Cyber Command, doing all sorts of intelligence, or if you want to even think about it as threat intelligence., and when we decided that we were no longer going to be doing that for the government, I was like, "You know what? I'm gonna bet on myself and try something new." I decided to start a company, and I would say that that's probably one of the biggest ways I got experience, not only through having to sell threat intelligence, but also: How do I package it? What are my offerings? I really had to bump my head against all these challenges. In one of your podcasts, you talk about fumbling your way through that first startup that you pulled together yourself, because that's where all that learning happens. Can you walk us through a little bit of how you went through that first company and some of the learnings you took away from that?
Karim 13:19
Oh, yeah, that's a great, great point, Chris. So, that first company I'm referring to, where I did all of the competitive and then counter intel, was a consultancy. It was a service-based firm, right? So, I was selling myself by the pound, which, in my younger years, it was great. It fed the ego. It fed my appetite for travel and exotic experiences and locations, and I got to live out the fantasy of being this independent consultant that could flit around and make a lot of money and enjoy myself. At the time, that was a fair bit of money for me and I was happy. The problem with that, which I realized very quickly, is that it's only so scalable. When you're selling yourself as an individual, or you are the brand, there's only so much of that to go around. You do have essentially a limit to your abilities there. That was a hard lesson, because I was very happy with what it was and I realized that I was going to hit a wall very quickly or a ceiling, I should say, with how big it could get.
Karim 14:14
That led me to the building and the founding of my next firm, actually, that sold to a company that I think everyone knows and loves very well, named Mandiant. That company that I founded in 2010, was called Unveillance. That company was the first product company I'd ever really gotten involved with to build and start. Honestly, as a consultant, I had no business building product. Talk about fumbling along the way to build something, oh man, what an experience. But in hindsight, it was the best possible way to learn because when you're starting a company where you're talking about building something that you can divest and pull away from yourself and sell, and eventually sell as a whole organization, to where you can go with it for a period of time, steward it within the acquiring firm and then leave. That's the dream, right? That's when I was like, "Oh, no, that's what I should have been doing all this time." But a lot of my lessons learned as a consultant really went into that product that we built.
Karim 14:15
It was founded on, and Chris, you probably remember it from the days, I think that you probably shared some time in a similar place. We were now chasing and infiltrating command and control infrastructure of the adversaries with that company, not too distant from what I do today at Prevailion. That intelligence that we were able to collect, that telemetry from the victims that we were able to collect was exactly what Mandiant needed as fuel for their capabilities and what they did from an incident response standpoint. So, it was a tremendous opportunity for me to find the right thing at the right time, and that sometimes isn't perfect. There are things that you can control, and there are certainly things that are completely stars aligning, wonderful happenstance that things work out. You can try your damnedest to try to get it all right at the right time, and it's almost impossible. So, there's a little bit of luck here and blessing involved when it comes to having startups work.
Ron 16:00
Security controls fail everywhere, they fail constantly, and worst of all, they fail silently. That's why you need Attack IQ, the leading automated insights platform to continually validate your defenses. Better insights, better decisions, and real security outcomes. Get it all with Attack IQ. Plus, check out the Attack IQ Academy for free cybersecurity training, featuring the good people here at Hacker Valley Studio. Register today at Academy.AttackIQ.com, and let them know Hacker Valley Studio sent you.
Ron 16:40
The other piece I think makes startups work very well is their name. I think you got two unique names for your previous company and for your current company. What went into the naming of both of your companies?
Karim 16:56
That's a good question. So, yeah, it gets harder every day. If you want to get a dot com, I mean, good luck, it's tough. You know, you're seeing a lot more companies going and getting dot ios and dot cos, and all these other ones, all these other TLDs. Unveillance was interesting, because I was meddling around with two different words as it related to what we were doing. What we were actually doing was something between unveiling the adversary, and doing surveillance on them once we were able to identify them. I took those words and essentially smashed them together successfully and found that the dot com existed, and that's what really put the rubber stamp on it for me to get it. When I got the domain, it was like, "That's it, we're going with this."
Karim 17:40
That, for me, it was usually the litmus test of whether it was a good name or not, if we could get the domain to click. Prevailion is similar. In fact, that domain is even older than the Unveillance one. I think I bought that domain sometime in the early 2000s, for some other reason. When I started this company in 2017, I kind of went back to my little account where I keep all these parked domain names of interests and I said, "What's a good one for this?" What's got a preemptive, proactive, almost precognitive, notional idea around this? What's going to help companies prevail? I was like, "Prevailion, I have one here! Perfect." It's not as sexy of a story as the Unveillance one, but it's a good one, nonetheless.
Chris 18:22
You know, when you look at folks that have started companies, and then they sell them, or maybe they just kind of sunset whatever way they do, and then they do it again. There's a specific type of person that really just says, "You know what? I'm going to continue to build and grow and create these things," because it's hard. To have a successful exit is a tough thing, and then to say, "Let's get back on that horse. Let's do it again." I think it's even tougher. What would you say it is about your mindset that really is just like, "You know what? I'm going to continue to build and grow these different things all the way up through content?"
Karim 18:56
Oh, no doubt. I think, with me, in particular, I do have an insatiable desire to keep building and creating things. That's kind of the number one most basic premise of it all, but as it relates to the companies that I built here, where I'm trying to capture lightning in a bottle twice, Prevailion was founded on identification of a real problem. I talked to a lot of entrepreneurs about this, and it's interesting, because usually, when I'll speak to friends that are still trying to get their bearings and they're trying to get started in this, I'll say, alright. This is a very basic question, and you hear it a lot and I certainly didn't invent this, but— Have you created a solution and now are trying to find a problem for it? Or, are you looking at a problem that you found a solution for you, or have a good solution for? Depending on which direction, if you're coming in from the problem side or the solution side, might dictate the success or failure of the whole thing.
Karim 19:42
With Prevailion, in particular, this one was interesting, You guys will both know this, but number one vector of attack these days, unfortunately, is a partner that has weaker operational security. It's supply chain. It's the ultimate vector of attack for anything, whether it's physical, kinetic, or cyber. One of the things that was so inspirational about the Unveillance technology was that if we could somehow leverage that same methodology, but now deliver context about people's partners to them, they could preemptively limit their exposure to a cyber contagious. You're trying to get people to cyber socially distance from each other, and that's what that was.
Karim 20:29
Now, this isn't all rainbows and sunshine. We were a little too early. We were in 2017, trying to pitch this idea that, look, we can tell you that you've got to exposure to an organization that maybe you're working with, that has an infection that could laterally move into your environment, if you don't keep an eye on it, or you don't limit your connectivity to them. People were like, "No, it's okay," nd then when Solar Winds happened, which I think hopefully your audience remembers that. That was a pretty big supply chain attack that happened to this company. I thought, "We're done. We're good. We got it. This is it. This is going to be it." Unbelievably, still no. Still, people were like, "Well, we know it's a problem. We just don't have the team and the talent to address this yet. We understand it's an issue. But we're still trying to get budgetary approval and all that." So, even when it looks like guys like myself have it on
lock and we've nailed it and we got all perfectly timed, we don't. We're still struggling through the hard times, we're still trying to convince one person at a time, every day, to believe in our vision. So, it's tenacity, its resilience, it's a little bit of stubbornness that you need. You need to have a very willing family and spouse that will put up with your entrepreneurial crap. That is a big, big part of it. Whoever you are with has to be understanding of that. So, there's a lot of pieces that go together here, I wish I could claim it was all you, but it just takes a village for a lot of these things to work.
Ron 21:51
It really does. Interestingly, we've created a little village at Hacker Valley Media. Both of our wives work at the company, and it's been really interesting to have that dynamic to have husband, wife, husband, wife, all kind of partnering up to build something. I think there's been a lot of lessons I've learned. A lot of people say, "Never work with your spouse, or a sibling," but I found that to be one of the myths of entrepreneurship. Just like with anything, there's a lot of assumptions that you make. When you look back to starting your journey as entrepreneur, what are some of the assumptions that you made early on? What do you think has been just really dissolved as you got the swing of things with being a multiple time CEO?
Karim 22:34
Yeah, that's a good question. There's a lot of things. I'm trying to think of the one that might be really the most pungent. One of the ones I would say is really, there's zero question to it, is I was under the illusion that there was always a professional that was gonna be able to do something so much better than I could and let me go hire them. They're gonna know more about it than I will. Unbelievably, almost every single time— It's not that I know more, that's not the point. It's not that there's not people that are much more talented than I am at certain things. It's just that the belief that you can't do it and you need someone else to do it is wrong. In fact, as a CEO, it's almost imperative for you to go and try it all, even if you fumble through it and you get by with something that is subpar. Then, you do meet and find someone that can do it better than you can, but it's better to have tried it and understand it, so now you know how to call the shots a little better.
Karim 23:26
Understanding every little piece of the machine, learning how every little gear within the watch works is what makes a precise tuned machine function. When you're not good at the pieces, because we all have our favorite things to do in these companies. I like this part of the job, what we're doing right now. I like talking about things, I like explaining it, I like evangelizing the capabilities and things like that. I absolutely despise the accounting and the financial part of the business. Hate it with a passion. I suck at it, too. So, I certainly can use the help when I get a good CFO, but there are times where you just can't afford one. You can bring someone in that's going to do it justice, or if you bring someone that's junior, they're asking you as many questions as you'd ask yourself. At that point, you might as well just do it yourself. So, I think in the earliest days, a lot of it has to do with just getting started. That's the number one reason I found people to stifle their own dreams and actually withhold doing things for themselves. They say, "Well, I just can't afford someone, I can't get employees. I can't do it because of
this or that." They find all these negs to get themselves out of the mood to do something because they themselves are afraid to try to take it on. Try it, fail at it, do the graphics for yourself, go to Canva, even if it's horrific and it's all stock, at least you started and you're getting going. That helps, too, for every single new one I start. I don't start by hiring the most expensive firms day one. I still do it myself from the very beginning. The logo I did for Prevailion myself, first day started the company, and it's still there on website and business cards today.
Chris 24:51
I think there's an extreme value in doing everything yourself, at least for a little bit. I mean, if you look at something like our podcast, it was just Ron and I in the shop figuring things out, figuring out how to edit and how to market. What makes a good show? What makes a good question? All these things, when we broke it down into their most digestible chunks, in order to get better time after time. It seems like you're not done doing that, you're also doing that with Introverted Iconoclast. Tell us a little bit about that journey. What has that been like? What prompted the show? What are some of the memorable moments that you've had so far?
Karim 25:25
No doubt. So, that podcast was something that was originally intended to be a another channel of marketing for Prevailion. So, I had originally tried to get one of my teammates to start it, things got in the way, and it never got started. I was like, alright. Case in point, like I mentioned just 10 seconds ago, I did that myself. I was like, "Let me get to this, let me see how this all works." What was fascinating about it was that I did the usual, where I bought all these things I didn't really need to do a podcast. I got to mixer and I got this really great mic, and I got some really great headphones, got all the software, got the platform in which I upload my audio for the feeds to be distributed across all the outlets. I did all that. I even came up with the visuals around what I wanted the podcast to be called. I did what everyone does, I sat in front of an empty mic, and I just stared at it. I was like, "What the hell am I gonna say?" This is the guy with all the stories in the world from all these years. I had some incredible things to share, and it took me probably 8 to 10 tries to get the first one done, because I kept hating it. I
finally got to the point where I'm like, "This is just never gonna get better. Let me just get something out because if I don't, I'm just gonna constantly stall." That was the best thing I could do because Perfection is the enemy of progress. It doesn't allow you to move.
Karim 26:50
Then, I would say somewhere around episode three or four, when I started talking about the path of my career, very similar to what we were talking about a few minutes ago, all the way up to the acquisition of Unveillance by Mandiant. I had a very high profile, drop down, drag out battle with Anonymous, or a division of Anonymous, a splinter group in 2011. I thought, "Well, that would make a really good episode, but I can't just jump into that. So, maybe I should do a buildup." I talked about how I got there, talking about the bartending experience, going back to the Middle East for a while, doing this competitive intel work and then, ultimately to counter. I'll build up to this and I did and I got a rhythm.
Karim 27:29
The minute I got that rhythm, I was like, "Okay, now I've got some steam. Now I know what I want to talk about." Every time I would do an episode, I'd think of another thing I'd probably want to talk about and I would jot down as another episode. Before I knew it, I had probably a notebook full of 15 to 16 episodes I could do. I wasn't sitting in front of the blank screen going, "I have no idea what the hell I'm gonna say." I mentioned this before we started recording here. It's very cathartic for me, speaking the stories out loud, rather than just sort of regaling people over a dinner or thinking back on them nostalgically, is extremely interesting. Because you remember things you don't remember, when you're casually talking about them. There are details you remember. I remember meeting Kevin Mandiant, when he wanted to buy Unveillance, and I met him in the lobby of one of the big hotels in Vegas during Blackhat. I never got to the expo floor because we spent the entire Blackhat together in a conference
room with our entire teams doing the due diligence on the acquisition of the company. I forgot we did that, you know? I remember we went to a dinner, and the dinner was so extravagant, I leaned over to Kevin, I was like, "How does this thing cost?" He told me the number and I'm like, "Oh my God, I'm such an idiot. I totally negotiated terribly, I could have asked for so much more for my company." I had all these thoughts that came back and I was like, "This is great. I need to write these down." Wait, no, I don't. I just need to tell them in a story. That's how this has turned out, and slowly but surely, I did get into interviewing folks. That's been a lot of fun.
Chris 28:59
That constant fuel for iteration really makes me understand and believe your skill as a hacker, someone that's able to take technology almost like an alchemist and turn nothing into a lot, ultimately. I have got to ask. You've done so much, you've built businesses, you've worked in counterintelligence, and many other elements of cybersecurity, you are a great marketer, because your podcast is doing so well. You put all these elements together. How do you use this to become a better hacker? Someone that's able to kind of transcend where they've been to somewhere bigger, like where you're at today?
Karim 29:40
Yeah, that's a great question. I appreciate that. Again, I wish I could tell you this was all by design, but I had no idea what I was doing. They all sort of naturally fit together slowly, but surely. I started seeing that I had a brand aesthetic that I liked myself that I'd always do with a lot of the things that I was doing, whether it was my companies or, in this case, the podcasts. There's always a very specific type of font, there's a very high contrast visual associated with it. You know, to your point, I think, especially at my age now, I mean a little bit literally and figuratively—
Karim 30:13
Look, I'm getting to be a bit of an old timer in cyber. There're a lot younger, sharper people out there that know what they're doing. I don't think I trade the experience in for some of the newer stuff, but it's being able to translate this now to another generation of folks that have good ideas. I do think that after Prevailion, I'll probably get into some sort of investing, mentorship, helping people understand how to do some of what we're talking about today. All of these things kind of fit together as the perfect platform, and baseboard, essentially for that. The podcast is fantastic because it does allow me this. We were talking before we started the show, this is an uncensored, somewhat free platform to share a lot of very interesting ideas to people that maybe otherwise wouldn't get it anywhere else. You can't do that in a workshop as easily. You can't have it be as casual as this. I know that casual sounds contrary to something formal, from an educational standpoint, but sometimes it's the best way to learn. What we're doing right now really could be something very inspirational to someone young, that's like, "You know what" I'm gonna finally take that leap and try it." And being able to say, "You know what? He said, I don't need to go hire someone really expensive, I don't need to go and buy the best equipment, let me just give it a shot."
Karim 31:26
Maybe we've inspired a new company today. If I can do that, you know, 10, 15 20, 1000 more times before I'm done, then I have won. That's the professional side of the house. The other side, Ron, which is really interesting is now my interest is hacking my life, rather than my business. There's this old adage that I wish I had created, but I didn't. You work in your business, then you work on your business, and then you work on yourself. I'm at the precipice in-between the on business and on myself piece, rapidly heading toward myself. Things like health, wellness, we forget it a lot as entrepreneurs. We really fall out of line. We put ourselves in a really precarious position when we're older, and we have all this success, quote unquote, financially and monetarily, but then we're unhealthy. It's especially rampant within the cybersecurity and intelligence. Not everyone looks like James Bond here. It's sad, because people completely commit to this destination, and they forget the journey is more important in
many cases.
Chris 32:31
I couldn't agree more. It's really about making yourself better, so that you can be better for everyone else out there. It's been an honor to chat with you, and for the folks out there that want to learn more about you and your show, we're gonna drop all those details down in the show notes, where you are listening to this episode. Again, Karim, it was an honor. I love that you are here. We're gonna have to bring you back on because I know there's tons more stories that you can tell about your experience, but for today, that is it and we will see everyone in the next episode.
Hacker Valley Studio 33:05
If you found value in this content, it would mean the world to us if you shared it on social media, sent it to a friend, or talked about it over coffee

Representation Without Technicalities with Mari Galloway

August 11, 2022 Hacker Valley Studio

00:00:00