Ryan Rambo: 26-Year Counterintelligence Veteran on How to Prevent Corporate Espionage — Insider Threats, Spy Recruitment & Protective Intelligence | Be Yourself Podcast

Be Yourself Podcast

RyanRambo

26-Year Army Counterintelligence Veteran & Founder of IXN Solutions — on How to Prevent Corporate Espionage, Spotting a Recruited Spy, Insider Threats, Elicitation Tactics & Building a Culture of Trust

44 minutes

Counterintelligence В· Corporate Espionage В· Insider Threats В· Elicitation В· Protective Intelligence В· Trust & Culture

Watch on YouTube IXN Solutions

Listen to this Episode

About This Episode

Inside the Cat-and-Mouse World of Corporate Espionage: A 26-Year Counterintelligence Veteran on How Spies Are Recruited, Why Insider Threats Start with Culture, and How Companies Can Actually Protect Themselves

Most people think of espionage as something that happens in embassies and government basements — not in the cubicle next to theirs. Ryan Rambo spent 26 years proving otherwise. As an Army counterintelligence veteran who went on to build an insider threat program inside a $43 billion global corporation with 28,000 employees across 165 locations, he has seen, firsthand, how foreign intelligence officers identify, approach, and slowly recruit ordinary employees — and how counterintelligence professionals do the very same thing in reverse: identify, exploit, neutralize.

In this episode of the Be Yourself Podcast, Ryan walks through a real case — a corporate director of cybersecurity who came onto the radar simply because he planned a strange trip to Belarus to meet a "pen pal" from the Russian Embassy — and uses it to unpack how slowly and subtly espionage actually unfolds. From there, the conversation moves into the practical: why happy employees don't steal from their companies, why data classification has to come before personnel security, why the Tesla self-driving-technology theft case should worry every founder, and why the single best elicitation technique in American culture is simply making a wrong statement and letting people correct you.

It's a masterclass not just in protective intelligence, but in understanding people — their motivations, their vulnerabilities, and the quiet signals that, if you know how to look for them, can save a company from losing everything it's built.

What counterintelligence actually is — "protecting against adversaries outside your walls while catching the enemies inside"

Ryan explains counterintelligence through the definition he loves most, from author Robert Baer, and why it's best understood as the cat-and-mouse game between human intelligence officers who try to recruit spies and counterintelligence officers who try to stop them.

The Belarus case — how a "pen pal" from the Russian Embassy turned a director of cybersecurity into a potential recruited asset

A real corporate case Ryan investigated: an employee with access to "the keys to the kingdom" planned a trip to Belarus to meet a pen pal he'd known since the 1980s. Ryan unpacks how this looked like the early stages of espionage — and how his team intervened within days.

Identify, exploit, neutralize — the three-step process behind IXN Solutions and modern counterintelligence work

Ryan breaks down the literal meaning behind his company's name and how counterintelligence professionals identify a foreign intelligence officer trying to recruit their people, then either turn the relationship to their advantage or shut it down entirely — sometimes within 17 days of first contact.

"Happy employees don't commit espionage" — why culture and trust are a company's first line of defense

Quoting his friend and fellow author Jim Lawler, Ryan explains why he asks for organizational surveys and turnover data before anything else: toxic leaders and high turnover are the clearest predictors of where a company's next insider threat will come from.

Data classification and personnel security — the two-pronged framework every growing company needs from day one

Ryan lays out his core advice for founders: first classify what data and IP would actually end your company if lost, then map out who you trust most to least — and only then decide who gets the keys to the kingdom, including the cautionary tale of the Tesla self-driving-technology theft.

Elicitation — the art of getting people to reveal secrets without ever asking a direct question

Ryan reveals one of the most effective elicitation techniques in American culture: deliberately making a wrong statement and letting the other person correct you. People — especially experts — can't help but show off what they know, and that's exactly how secrets get extracted.

About the Guest

Ryan Rambo — 26-Year Army Counterintelligence Veteran & Founder of IXN Solutions

Ryan Rambo spent 26 years as an Army counterintelligence professional, working operations and investigations on the defensive side of one of the world's oldest disciplines — espionage, which he describes as "the second oldest profession known to man," with a history stretching back roughly 7,000 years. From government assignments overseas to building a counterintelligence program from scratch inside a $43 billion corporation with 28,000 employees in 165 locations, Ryan has spent his career identifying the people trying to steal information — and teaching others how to spot them too.

Today he runs IXN Solutions — a name that stands for the core of his philosophy: Identify, Exploit, Neutralize. The company works on both the government side, training the next generation of counterintelligence professionals, and the commercial side, where it offers training and awareness programs, fractional insider threat and counterintelligence support, a case-management technology called 351X, and a thought-leadership arm built around the CI Press podcast, where Ryan and his colleagues demystify counterintelligence and share the stories of the "legends" who shaped the field.

Ryan is also a close friend and frequent collaborator of Jim Lawler — a former CIA officer turned spy-recruiter-turned-novelist who appeared on a previous episode of the Be Yourself Podcast. As Ryan puts it, the two of them are "two sides of the same coin": one spent a career trying to recruit spies, the other spent a career trying to stop them.

What He Built

IXN Solutions — Identify, Exploit, Neutralize. A counterintelligence and insider threat consultancy offering training and awareness, fractional insider threat programs, the 351X case-management technology, and the CI Press podcast, which has published over 100 episodes featuring counterintelligence veterans.

The Belarus Case

a director of cybersecurity with access to "the keys to the kingdom" came onto Ryan's radar over a planned trip to Belarus — to meet a pen pal from the Russian Embassy he'd corresponded with since the 1980s. Ryan's team identified it as the early stages of a possible recruitment and intervened to protect both the employee and sensitive company information.

On Culture & Insider Threats

happy employees don't steal your stuff and commit espionage... if I can identify a toxic leader, I can almost guarantee you where your next insider threat's going to come from. I would also take a look at teams and figure out who has the highest turnover rate.

On Elicitation

one of the best elicitation techniques that anybody can use is to make a wrong statement... an American must correct you... other people that are like that are educators, professors, academics, scientists — they can't help but correct you.

Key Quotes

he defined counterintelligence as the discipline of protecting against adversaries outside your walls while catching the enemies inside. So, it's the cat and mouse game of the intelligence community.

Ryan Rambo

happy employees don't steal your stuff. They don't sell it for money. They don't take it to a competitor... if I can identify a toxic leader, I can almost guarantee you where your next insider threat's going to come from.

Ryan Rambo

one of the the best elicitation techniques that anybody can use is to make a wrong statement... an American must correct you... they can't wait to give you all of the information and show you how smart they are.

Ryan Rambo

Episode Chapters

0:00 Episode Intro 1:42 What is Counterintelligence? 3:20 What is so Intoxicating about Espionage 4:30 Counterintelligence Stories 8:59 Building Counterintelligence Programs 11:44 How NOT to Become a Spy 15:25 Identifying and Exploiting Threats 19:28 Preventing Corporate Espionage 22:03 Counterintelligence Services 25:25 What Makes a Great Counterintelligence Specialist 28:33 Cybersecurity and Data Breach 31:30 Advice to Business Owners 37:45 How to Hire Trustworthy Employees 39:40 Best Elicitation Method 41:43 Contact Ryan

Full Transcript

BTW: This episode of the Be Yourself Podcast is produced by Beverly Media. Also on the show:
Bradley Orford-Hall — From Burnout to Purpose: Reflecting on Why, Building Belief Systems, and Finding What Truly Matters →

0:00 Episode Intro

Ryan We had this one individual um and he was a director of cyber security. So he had access to the keys to the kingdom. He came up onto our radar screen because of foreign travel. He wanted to take uh a trip to Bellarus, which is odd, you know, and most Americans don't take a weekend trip to Barus uh just for fun.

Sergey You're coming from the other side. I had James Lawler who actually was recruiting spies. He also gave me these uh main motivators for people to betray their countries. I'm curious, do you have some antidote?

Ryan Jim and I were two sides of the same coin. He was on the human intelligence side, I'm on the counter intelligence side. He's trying to recruit spies and we're trying to, you know, prevent that. And so what we try to do from an education standpoint is teach them what an approach will look like. It's very subtle. Uh there's a lot of elicitation that happens.

Sergey Who are more prone to giving up uh intellectual property secrets?

Ryan In American culture. Um uh one of the the best elicitation techniques that anybody can use.

Sergey Welcome to the Be Yourself podcast, the podcast on expressing our true selves. Today, my guest is Ryan Rambo, who's a 26-year Army counter intelligence veteran who runs a corporate space with IXN Solutions. He's also a host of CI Press podcast that talks all things counter intelligence. Ryan, welcome to the show.

Ryan Sergey, thank you so much for having me.

Sergey My honor, I'm very, very interested in knowing more. So, can you tell me what have you done for the most part. What was the mission of your work as a counter intelligence officer?

1:42 What is Counterintelligence?

Ryan Yeah. So, there's a lot to counter intelligence. Actually, there's five primary functions of counter intelligence. I'm not going to name them this morning because I haven't had all of my coffee yet. Uh but the one that I was most uh involved in really were operations and investigations on the defensive counter intelligence side. So what does counter intelligence mean? Uh because people have this, you know, mystical thought process of counter intelligence. And it's scary to a lot of people, but honestly, uh the best definition I've ever seen was by an author named Robert Bear. And he's and he defined counter intelligence as the discipline of protecting against adversaries outside your walls while catching the enemies inside. And so really, if you're taking a look at intelligence disciplines, there's the human intelligence who are trying to use people to steal information. And from a counter intelligence side, we're trying to protect that information so it doesn't get stolen. So it's the cat-and-mouse game of the intelligence community. But what a fascinating career. I love talking about it. that I've been involved in counter intelligence now for over 25 years and it's just as exciting today as the first day that I became a counter intelligence professional.

Sergey What is the most exciting thing about counter intelligence?

3:20 What is so Intoxicating about Espionage

Ryan Well, I I love the history of it. I mean, espionage has is the second oldest profession known to man. I mean, it's been happening for 7,000 years. And uh so there's a lot of similarities in the way that espionage has historically been done, but each new addition of technology uh like AI and the internet back in you know 20 30 years ago. So every new iteration of technology just changes it just a little bit. But fundamentally it's about people and so counter intelligence to me um is fascinating because of the people that are involved with it. And I guess as I've gotten older, uh, Sergey, yeah, I start to appreciate people and the uniqueness of people more every day. And, uh, it just fascinating to me, the psychology of it, uh, the the intrigue of it and the history of it. I've just become I've fallen in love with counter intelligence as a discipline.

Sergey Okay. So, 26 years. Can you tell us a story that maybe stands out the most and that you tell your buddies that impress people the most?

4:30 Counterintelligence Stories

Ryan Well, I won't talk about my government time because some of that's still hidden behind a secrecy bell and I don't want to get in trouble. Uh but in the in the corporate space, the the closest thing that I can relate counter intelligence to is there's two different disciplines actually. Protective intelligence is what some people call it. And then the other one is insider threat programs. And so I was working for a major corporation. I was about a 43 billion dollar corporation with 28,000 employees and 165 locations worldwide. And so I would start in the morning and since we were a global company, my mornings would start with uh dealing with Middle East uh issues, you know, the Persian Gulf, Iran, Saudi Arabia, Kuwait, UAE. Then in the afternoon or late morning, I would deal with European issues. Uh then during the uh like afternoon time, I would deal with the United States and then in the evening I would be working India and Pacific region issues. So, a great great job. I had to be well-rounded and well versed on all of the geopolitical activities that were taking place at the time. So, it was fascinating. I mean, it was never a dull moment, but we had this one individual um and he was a director of cyber security. So, he had access to the keys to the kingdom. And one of the things that uh we discovered through the course of our investigation uh and he and he popped he came up onto our radar screen because of foreign travel. He wanted to take uh a trip to Bellarus which is odd you know and most Americans don't take a weekend trip to Barus uh just for fun. And through the course of having this conversation with him as he's telling me about this trip that he's about to take, uh he's he says, "Yes, I I had a pen pal uh who worked at the Russian embassy during the 1980s, which again people typical Americans don't have Russian pen pals." Um and so you know as he's telling me this story and he's and you know finally 20 25 years after he met this pen pal he's finally going to go meet me her and Minsk Beller roots. Well that sounds a lot like espionage to me or at least the beginnings of espionage. Um and and so of course I alerted the community and said hey I think this is a problem. I think this guy is either one a recruited asset and he doesn't know it or he's about to become a recruited asset and may be kidnapped whenever he travels overseas. And so just an example of understanding how espionage unfolds over time, understanding the psychology of this person at that moment. I mean, he was just going to meet a girlfriend in his mind. He didn't see any danger in this at all. Um but then putting all the pieces together and then involving the right government agencies to make sure that one we prevent him from getting kidnapped or even worse and then also protecting sensitive information the American citizen uh from those who may wish to do them harm. So that that's one of the most interesting cases I've run um in the corporate space. Now, there's been some great ones in the government space, but like I said, each case is different. Each case unfolds differently, and it's just fun to to be involved in in this business.

Sergey So, I'm curious, you were a part of the organization or you were like a contracted specialist? you were like so you were a full-time uh employee who was responsible for uh the counter intelligence support. Right.

Ryan Yeah. And it was very unique at the time. Uh it was around the 27 2017 time frame. So counter intelligence in corporate America hadn't really evolved yet. I mean everybody was still focused on cyber security. There was a lot of focus on counterterrorism. I mean because we were just coming out of the global war on terrorism at 911 and you know we're starting to transition from counterterrorism to counter espionage

8:59 Building Counterintelligence Programs

Ryan and so it I was in a unique position where I had the opportunity to build this counter intelligence program inside you know a $43 billion company uh which was unique at the time and boy I'll tell you our HR uh professionals were very nervous about it our legal team was very nervous about it cyber our security, physical security, our culture teams, believe it or not, were very very nervous about having a organic in-house counter intelligence until we we went around and had these conversations to say, "Look guys, I'm here to protect you for from the bad things happening, and that's my only role."

Sergey But you were using things like Polygraph, which wasn't pleasant, I assume, right?

Ryan Not in the corporate space. um we we really didn't do that in the corporate space. Uh I think that would probably be a little bit too far to to take a program. Now, of course, it's available to to companies these days. Uh however, in in my situation, we didn't do that. So, we leveraged more um one of the primary things that we did is training and awareness. you know, making sure that everybody understood the threat that we were facing and also what it looks like when somebody makes the approach to try to collect and gather information from you. And then there was a a whole liaison campaign that I did with each one of the different elements and leaders within inside the corporate environment to make sure that one they they could trust me. You know, I wasn't going to go tell stories behind people's back. I wasn't trying to be sneaky or or anything like that. So, they had to get a level of comfort with me. Uh, and so it spent I it took me about six months to really build those really trusting relationships. And then the the next key was was to set up oversight and control of the program. And to accomplish that, I I gave oversight and control to HR and legal and said, "Hey, I'm not going to do anything involving an employee unless you approve me doing it" and they immediately got buy in and they started to see the way that we went about our business. And they absolutely loved it. And what they found out was that it actually strengthen culture because now we have a security team that's down at the individual level. Hey, making sure this employee is safe. It's hard to do for 28,000 employees, you know, but I mean that that's kind of the the approach that you have to take with it and and you have to be a real person. You have to be authentic. You have to care for people um while at the same time protecting a high level organization.

Sergey You know, it's interesting because you're coming from the other side. I had James Lawler who actually was recruiting spies. So that he was interested in people associated with the government uh with from other countries that the United States were interested in. So uh and he named he listed like 10 qualities uh of uh highly efficient case officers. He also gave me these uh motivators for people to betray their countries. I'm curious, do you have some antidote? How do you prepare a person? How do you train uh an HR team to you know to train the people or whoever to not give away sensitive stuff? Do you have any mechanisms that can Yeah. can can can defend the the organization and its culture?

11:44 How NOT to Become a Spy

Ryan Yeah, 100%. So, first Jim Lawler, who I love and I consider a really good friend. Yeah. And a great author. And so Jim and I were two sides of the same coin. He was on the human intelligence side. I'm on the counter intelligence side. So there's this cat and mouse game uh that these two intelligence disciplines play. And I love it. He actually came to my hometown and we we gave a joint kind of presentation together. I just love that guy. He's so brilliant and such a talented person and a wonderful friend. So, uh, but you know, from a different perspective, I mean, he's trying to recruit spies and we're trying to, you know, prevent that. And so, what we tried to do from an education standpoint is teach them what an approach will look like. You know, it it and it's not uh it's very subtle. Uh there's a lot of elicitation that happens. Uh it's almost like a business transaction. It looks like a salesperson coming up to you and they're asking you different questions to identify those personality traits, motivations, vulnerabilities. And so through the course of our education process, we say, "Okay, look, this is what it looks like when somebody like Jim Lawler approaches you and starts asking you questions." And in Jim's world, what he's always trying to do is get to that second date and third date and fourth date. So, so whenever he makes the approach, I mean, after he talks to you for a few minutes, if he ever gets to the point it's like, "Would you like to go have dinner or coffee or something like that," a person should automatically associate that with, "I'm on the road to becoming a spy." And so, uh, so casual conversations usually are just casual conversations, but if it if it feels like you're being dated or hit on, you probably are. And so, uh, we teach employees to be non-committal. You know, it's not, it's like, yeah, coffee sounds great, you know, but can we maybe do that in a couple of weeks, three weeks, next month or something like that, uh, so that they have time to come back and report it to counter intelligence professionals so that we could kind of craft the scenario to put people like Jim in a bind. And it that's the whole point of that that process the counter intelligence process is to identify that human case officer and then identify exploit and neutralize which funny enough our company's name is IXN Solutions. Identify exploit neutralize that's what it all stands for. But you want to identify someone who's already converted in a way, right?

Sergey So you're looking for uh rats. Sorry for like this strong word, but in a in a way.

15:25 Identifying and Exploiting Threats

Ryan Well, it's not just that. We want to identify the person that's trying to recruit our people.

Sergey So you're trying to identify and find people like Jim. Exactly. Wow.

Ryan Yes, exactly right. We want to identify that person as a foreign human intelligence officer. He's trying to to cause harm either to our people, our technology, our companies, or our country. So, we want to identify him and then either exploit him. You know, it's like, oh, okay. So, you you're looking for let's exploit that.

Sergey Game within a game.

Ryan Yeah. Right. Or or neutralize, you know, is shut it down. Like nope this is you're not going to get this information. So I mean from a counter intelligence perspective once we identify somebody trying to collect information now we have all kinds of options available to us. Uh but it really starts with identifying and that's what we train uh our employees to to be very mindful of. It's like, okay, there are people out there that are trying to collect information on you, and as counter intelligence professionals, we see the world through your eyes, and we're looking to identify those people that are, you know, nefarious or trying to collect information.

Sergey Have you ever had instances where you successfully identify a case officer and your employee was working with you to exploit them?

Ryan Yeah. So, um it happens. Absolutely. I mean, that's the whole point of the game. And, uh I was in an overseas location, not going to name it. Um, and we had, you know, a foreign government official who was assigned to, uh, one of their consulates, uh, who had approached one of our employees. And that employee, uh, believe it or not, was properly trained, knew how to react to it, knew who to report it to, and within 17 days of that approach by a foreign national to one of our employees, um, we were able to neutralize them. So, we identified that that person was uh not who they said they were. Uh that they posed a threat uh to the United States government and to one of our employees. And working with, you know, the the host nation, the country that we were in, their their security and intelligence services, we were able to get that person kicked out of the country. Um which is a win for us. I mean, so there was no there was no opportunity to exploit the relationship, but neutralizing is just as effective. Uh because when you when you're a foreign country and one of your human case officers uh gets PNG'd as what we called it persona non grata and kicked out of the country. It sends ripple effects through that organization. Now they have to look at every operation that they run. You know, are they compromised? or you know is anybody has anybody penetrated our our office building? I mean so now they have to really do their due diligence and assessment to see if they're operating in a secure manner and so from a counter intelligence perspective it was a huge win and that those are the types of things that we're constantly trying to do and I don't know you probably read in the newspaper every day there's a spy or there's you know somebody being caught across the globe perhaps happens in Europe all the time. Uh it happens in the United States all the time. Uh and yeah, like I said, it's the second oldest profession in the world. I mean, people commit espionage daily.

Sergey Yeah, this is fascinating because the temptation to earn a money or as Jim told me a lot of people want to pay vengeance to to you know like a lot of people are not feeling that they are treated fairly or something and they just want to snap back. So, and it's interesting how there are people like you who uh on a human level and on a legal level, let them understand that it's not the best that's the best idea.

19:28 Preventing Corporate Espionage

Ryan Yeah. Well, Jim said it best. Uh I was having a conversation with him uh and he said it best. He said, "Happy employees don't steal your and commit espionage." Well, and he's very right. And so when if we go into an organization, we talk about culture a lot because happy employees don't leave the company. They don't steal your stuff. Uh they don't sell it for, you know, money and and all of that. They don't take it to a competitor. And so whenever we go in from a counter intelligence perspective, one of the things I like to do is give me your organizational uh surveys, show me where the bad leaders are, the toxic leaders are. Because if I can identify a toxic leader, I can almost guarantee you where your next insider threat is going to come from. Uh I would also take a look at teams and uh figure out who has the highest turnover rate in a team. Um I I was having a conversation with a client the other day and he said, "Well, what are the statistics for insider threats?" And we we gave him the standard Gallup poll, you know, 30% here, 30% there, 20%. And I just looked at him. I said, "What's your what's your turnover rate?" He said, "Well, you know, in our management and executive team, it's about 10%." He said, "But from our individual contributors to our middle management, it's about 25% annually." I said, "Well, there's your insider threat statistics that are very specific to your company." Those are the people that are going to leave your organization or unhappy and they're going to steal your information either give it to a competitor, start their own company or sell it on the open market to the highest bidder. And so it's a way of from an HR standpoint to really drill down and and take a look at your organization and assess do I have an insider threat program or a problem or not.

Sergey Let's talk more about your company, IXN Solutions. Who are your customers right now and uh what are the types of requests that you help uh right now? What is the prevailing one right now?

22:03 Counterintelligence Services

Ryan So we have we have two different sides to the company. Um, we have our government side where we provide uh training and awareness and services to the United States government, which is fun. I mean, it's our opportunity as a bunch of old, you know, gray beard guys to go and give back and teach from our experiences to the next generation and help build them up. Uh, which is something that we're totally committed to do and and we love doing that. And then on the commercial side, we actually have four different pillars that we offer as our offerings. The first one is training and awareness. Again, from a counter intelligence standpoint, that's our bread and butter. We want to get in front and train as many people as we can about threats and risk, how to react or recognize, react, and report it. R3 is what we call it. Uh and so that's that's number one, training and awareness. The second one is our fractional insider threat program or fractional counter intelligence offering. And so what I found in the corporate space once you build the program uh and it takes about a year to 18 months to fully build out a relevant functioning insider threat program or counter intelligence program. After that 12 months to 18 months, you're in maintenance mode and you probably don't need a full-time employee. And so what we do from a fractional insider threat program is to go and build it and then you call us when you need us. Uh and we teach people how to monitor it. So it saves the company money and it saves them from having a full-time employee that over time it's not going to have that much to do. The third thing that we do uh is we have a technology that we call 351X. Uh what what I experienced whenever I was in the commercial space is that we were managing these security programs through spreadsheets, share drives, emails and it was horrible and counter intelligence uh incidents and insider threat incidents aren't, you know, immediate red flag moments. It's not like a cyber security thing. It builds over time and you start to see indicators and patterns and that sort of stuff over time and then you piece that together to identify an insider threat. So, uh, 351X is that case management tool that allows us to to document and store information to tell that story over time. And then the fourth thing that we do is our thought leadership pillar and that's where we have the CI Press podcast. And so that's part of that thing. It's where we're trying to demystify counter intelligence to share the stories of the legends that were in counter intelligence and then also do special topic discussions where, you know, if new relevant news events come out or case studies, we dive deep into that to educate the next generation on hey this is what you should be looking at from a counter intelligence perspective.

Sergey Well, I'm curious to know because you mentioned that you had a unique chance to build the entire branch or division from ground up in that big company and um what makes a great counterintelligence leader? So, what do you pass on to the next generation of people who want to get into this space?

25:25 What Makes a Great Counterintelligence Specialist

Ryan Well, I will tell you um you know with technologies you if you're going to advance a technology a car, an airplane, what you just layer on more technology, you know, you add a better radar, you add full self-driving mode and stuff like that. for a counter intelligence professional, a human, uh the best way to to get better is through training, through reading, that sort of thing. So, uh I if I was to pass on some knowledge to a next generation counter intelligence professional, I would say read. And it doesn't have to be non-fiction books, which sometimes can be a little bit dry. It can be fiction books. We mentioned Jim Lawler. Jim's written three books and they're all fiction, but they tell a great story. And the reason why he writes fiction because if he told the true story, he'd probably get put in jail for violating security law or secrecy law. So, read your fiction, read your non-fiction, and really go and seek that training and awareness um to to get better. Now, within an organization, when you're building a program, it's the same thing. I mean, it's going out and having the ability to communicate with people, uh, to build trusting and lasting relationships, giving up control where needed so that people can, you know, actually look over your shoulder and see what it is that you're trying to do, and uh, have a clear understanding of what it is that you're trying to accomplish. So, if you have all of those things, one, you could be a well-rounded counter intelligence professional or insider threat professional. Uh, and then you'll build a program that people trust, that they can't wait to have a conversation with you. They think you're the most interesting guy in the room, and normally you're not, but you fake it to the point that you are. Uh, and then you make it fun for everybody. And I think that's the key to success from a counter intelligence standpoint. And I think one of the things that's really hurt the counter intelligence community is that we become too secretive. That we hide behind our vault doors in a building with no windows and so people are like they have no idea what you're doing and so they don't trust you. Uh and we have to change that mindset, that culture of counter intelligence to where yes, come and talk to us. You know, we're here to help you. Help us, help you, protect you. You know what I mean?

Sergey So, hackers become more and more, let's put it, creative. And with AI, I'm guessing things can really become difficult. Um, but I think this is a different topic. It's a topic of protecting data. Is this an adjacent kind of thing? How are you guys, you know, balancing this out?

28:33 Cybersecurity and Data Breach

Ryan Yeah, wonderful. Great question. And there was a recent statistic that came out that said all of 60% of all cyber security intrusions and data breaches actually involved a human somewhere. uh so there was somebody on the inside who compromised their credentials or allowed access. So what we're finding today in the corporate world especially and probably in the government as well is that cyber security tooling has become so advanced uh because they're leveraging AI too and they're really the firewalls the security that's in place that most adversaries can't do like a blunt force penetration of a network. And so I have to give it to the cyber security community, they have done most of the hard work to build that perimeter defensive approach and a layered approach to make sure that they stop most breaches. What we do find though is that uh like I said 60% of breaches now involve a human and so our adversaries understanding that cyber security tooling has gotten so advanced have tried to go around the wall and penetrate those systems by, you know, unsolicited correspondence, that's people, you know, reaching out to you through LinkedIn,

Sergey doing social media stuff. You won a lottery or something, yeah.

Ryan Yeah. And it's easier to manipulate and find vulnerabilities in humans than it is in cyber security systems these days. So, uh, so I think, you know, finding that disgruntled employee, and I think Reddit might be one of the more interesting social media platforms that hackers are using these days because people get on Reddit and really, really air all of their grievances. And for whatever reason, they're the ones, you know, and I think if I was a really kind of aggressive hacker, Reddit would be the platform that I would seek my targets out and form those relationships and say, "Yeah, you're really pissed off. You're really mad at that company. Great. Let's do something about it." You know, give me your password, give me access to the network, and let me do some real damage, let's get back at them together.

Sergey I never thought about, you know, protecting anything before I got something, you know. So it seems like in life, you know, I even make this joke that when you're not rich, you don't have this problem of trying to protect your fortune. So um what is the general advice that you give to people who are building businesses or building companies, hiring more people? Is there any best practice or philosophy that a founder like me, I'm growing my media agency right now? Uh we're in this really hockey-stick growth right now and I'm hiring a lot of people. So what are the things that maybe you advise people who grow businesses and who deal with lots of people and whose information could be potentially interesting to some parties?

31:30 Advice to Business Owners

Ryan Well, start now. It's number one, start today, you know, start. And really it's a two-prong problem, right? And so, you're going to have data and you're going to have intellectual property. So, there's the data classification side, you know, this is all of the the things that make my company great, you know, and categorize it like if I lose this, my company is over. Yeah. And then tear it down from there. And then on the other side of that is personnel security. Who do I trust the most? Who do I trust a little bit less? Who are the people I don't trust at all, but I still need them to do work? And then you marry those two together. So the people that you trust the most, you give them the most access to information. And then you tear it down. Um, and so I always tell companies, I mean, first, a lot of times I'll ask them like, "Do you have a data classification system?" They're like, "No, what's that?" I said, "Well, how can you, you know, if you don't understand your own intellectual property, your own data, and what's sensitive or not, then there's no way that we can protect it. So, you got to go through the data classification piece, then the personnel security piece. Um, you know, and as you're growing, it's a real challenge. I mean, because you have to get that information out. You have to bring people into the organization to help you grow. You don't have a lot of time to vet those people, to check their backgrounds and all of that. There's some laws that prevent you from really doing that due diligence in a prehire scenario, but once they're onboarded, you can do some more, you know, you can do some deeper dives. Uh but what happens in most companies these days, as soon as you go through the hiring process and you hire an employee, on day one they get issued their company laptop, they get issued a company phone, and then they gain access to the network, right? So before you even know an employee, you're already giving them the keys to the kingdom. And Tesla had a really good case. It's probably about four years ago and it involved a Russian immigrant and he came to the United States and applied and got hired at Tesla specifically to steal the full self-driving technology. It was that important to him. So he was tasked by somebody, we think the Russian government potentially, to get hired at Tesla to steal that technology and then leave and go back. And within a month of him being hired and issued his laptop, you could already start to see him do that exfiltration events on the network. He was stealing that code, that technology to bring it to somewhere. And so, so I would again just to kind of summarize, data classification, personnel security, marry those two up. So it should be trust levels, you know, and then be careful how you onboard people and maybe give them a period to kind of test out how much you can trust them over time. You know, maybe a 90-day probationary period where you give them access to this much information and then after 90 days you give them a little bit more and as they build trust and you start to see them as a person, then give them the keys to the kingdom is what I would recommend, if you can do it.

Sergey I just It's interesting because I just granted an access to files from my new big client to my new hires. So these are people who I hired who I had a number of conversation and they look trustworthy, but you might never know. I don't want to be paranoid, Ryan. I think this is the line that you have to walk. I mean, being paranoid and being adequate with your people, but actually I sent them a message saying, "Hey guys, don't try anything." And they replied, because in a way they're like a team who I've subcontracted, right? So, they're not exactly on my squad because in media production sometimes you hire more personnel, but yeah, they said that we're interested in long-term relationships. So, I'm more of a human type of leader, so I want to trust people, but I once I already had a pretty bad case when I was in my first business. Like I was not careful enough to sign something, you know, and that cost me a business pretty much. So right now all these things I pay much more attention to them. And yeah, and what you're saying is that yeah, you if you've been through blood and sweat and tears with this person, give them the access, right? But again, I think they might work with someone, so you got to teach them how to hire. So, so this sprinkles down through the organization.

37:45 How to Hire Trustworthy Employees

Ryan Yeah. And hiring is hard. I mean, because you really I mean, you know, there was a comedian, I don't know who it is, but it's funny. He said, "We never show anybody our real person. We show everybody our representative." You know, it's it's, you know, it's the person that we want everybody to think that we are. uh and so especially during the hiring process and I think that we do a very poor job of interviews uh because we don't use enough elicitation and I'll give you an example and I'll say, "Hey Sergey, are you a loyal employee? What are you going to, what's your answer?"

Sergey Yes. Of course I am. I'm loyal.

Ryan I mean I would be an idiot to say not that, no I'm not loyal at all. I mean so you really can't get a true sense of a person by asking them that direct question. But you can say in an elicitation kind of style is, "Hey, Sergey, how long have you been with your company now?"

Sergey Yeah. Yeah.

Ryan And then if you said, "Hey, I was with my company for 5 years," I say, "Well, that's very loyal of you to stay with that company for five years." I mean, most people don't do that. And if you respond back, "Well, yeah, loyalty is important to me, that's why I've been married for 30 years and I worked with companies for 5 years." And now you're getting a true sense of how loyal a person is. Uh so direct questions bad. That's what everybody uses today in an interview format, which is just not great. But elicitation and understanding how to ask a question without asking a question can actually get you a better, more honest, truthful answer and get past the representative that they're trying to portray to you and really dig down into personality traits and motivations and all of that stuff. So, I would love to change the way we do it.

39:40 Best Elicitation Method

Sergey Who are more prone to giving up uh intellectual property secrets? um quiet people or loud people or is there some kind of indicators in terms of temper?

Sergey Uh I would say American people.

Ryan I will tell you that in American culture um one of the the best elicitation techniques that anybody can use is to make a wrong statement and it can involve anything. Yeah. If I was to take a look at a car or something like that and I'm like, "Well, that car, you know, that car, it can go 1,000 miles an hour, can it?" An American must correct you. It's like, "Oh, no, that car only can go 120 miles an hour on a good day. And then because it has a 4.5 liter inside," and they will tell you all of the intellectual property. Other people that are like that are educators like professors, academics, scientists, engineers. They can't help but correct you. And so from an espionage standpoint, I'll just make a wrong statement and just let you correct me and I'll sit back. I'm like, "Wow, that's really, I had no idea, you know, tell me more. You know, what about this? What about that?"

Sergey Feeding their ego. Yeah.

Ryan Exactly right. And so I don't think it's really quiet person versus loud person even though they both can be manipulated in different ways. Um but you know one of the techniques that I love from an elicitation standpoint is play that kind of dumb person, you know, like wow that's so fascinating, tell me more. You know and people thrive on it. They can't wait to correct you. They can't wait to give you all of the information and show you how smart they are.

41:43 Contact Ryan

Sergey Ryan, let's wrap up. What was your what would be your final message to our audience and where can people get in touch with you?

Ryan Yeah, I will tell you that everybody whether it's, you know, government level or corporate level, we're facing espionage, foreign intelligence, insider threats every day. And everybody's looking for an automated solution that scales faster. They're looking for a cyber security tool, an AI tool that's going to solve all of their challenges. Well, I'll tell you what you need is a person that understands how espionage works and how to deal with other people. So, take a look at counter intelligence. I know it's scary, it sounds horrible, but corporate counter intelligence programs are uniquely suited to be the glue that binds all of your other security programs together. Whether it's cyber, physical, personnel, operations, compliance, counter intelligence can sit in the middle and make sense of all of it for you and really protect your company. To learn more about it though, I would encourage you to go and listen to our podcast CI Press. We just published, I think, episode 119. So we have over a hundred episodes of, you know, the legends that have done this business telling their stories. One, it's really funny and enjoyable, but they can also give you insight on how this whole game plays out. So, with that, oh, and by the way, I love to mentor people. I love to have conversations and help people along in their career. You can reach out to me on LinkedIn, Ryan Rambo, and I'll connect with you. I don't vet anybody. I mean, please, if you're a spy, you don't waste your time. I'll catch you, but by all means, connect with me and I look forward to seeing your post on LinkedIn.

Sergey Thanks, Ryan. That was a blast.

Ryan Yeah, man. Well, Sergey, this was a great conversation. Thanks for having me again on the show.

Sergey Absolutely.