
Ted Harrington (Founder of IoT Village, Executive Partner for Independent Security Evaluators, Author, Speaker, and Podcaster) examines the ongoing challenges and progress in IoT security, emphasizing how community initiatives, the hacker mindset, and business-oriented communication can drive real change in the industry. Ted and Phil Wylie discuss practical strategies for justifying security budgets to management, the value of offensive security, and the important role of education and community in strengthening defenses. Also highlighted are how IoT security is both improving and facing growing risks due to rapid expansion, and why viewing security as a competitive advantage is vital for organizations.
Transcript
Phillip Wylie: Hello and welcome to the IoT Security Podcast. In this episode, I’m joined by Ted Harrington. Ted Harrington is a partner in a consulting company as well as a founder of the IoT Village. In this episode, you’re going to learn how to communicate with upper management and the business units to get that much needed budget to secure your environment as well. In this episode, you’ll learn how community plays a big part in educating people on IoT and connected devices. I hope you enjoy this episode.
Today I’m joined by Ted Harrington. Ted is one of my friends from the cybersecurity community and also the conference circuit. But another thing we have in common too, is Ted has done podcasts. Ted is an accomplished author, so there are things we have in common outside of cybersecurity. But we’re going to focus more on the cybersecurity things. So I need to have Ted on my other podcast so we can dig into some other things. But welcome to the show, Ted.
Ted Harrington: Great to see you, Phil. Thanks for having me.
Phillip Wylie: Yeah, it’s great to see you. It’s awesome to see all the global traveling and keynoting you’re doing. It’s pretty amazing. And you got your new book coming out, so that’s pretty awesome.
Ted Harrington: Been keeping me busy, that’s for sure. Yeah. We’re approaching the final manuscript lock momentarily, so getting close.
Phillip Wylie: Yeah. Very cool. So have any idea how soon it’s going to be before it’s available?
Ted Harrington: Yeah, it’ll be available at the end of this summer, so it goes into production probably in the next few weeks, but I would say we don’t have the exact date yet, but definitely by mid September, probably by end of August.
Phillip Wylie: Very cool. It would have been a little bit earlier. You could have released around Black Hat, but at least it’ll be out for RSA.
Ted Harrington: Well, years ago, when we started this project, that was the goal and we’ll miss it just slightly. And that was actually a really difficult decision to say, do you rush a book and then forever it’s rushed or you give it the extra little bit that it needs? And I think just the commitment to quality that I myself feel personally and then all the people who work for us feel that was ultimately the choice. So we’ll still do something at DEF CON. We’re still going to do some book launch, like pre-launch party type of stuff that we’ll be announcing here pretty soon. We haven’t finalized everything yet, but the actual books in hand will follow that.
Phillip Wylie: Very cool. Looking forward to seeing it. Hopefully I can score a copy.
Ted Harrington: Oh, for sure.
Phillip Wylie: Well, you helped me to autograph copy.
Ted Harrington: Oh, for sure. I mean, you gave me some really interesting insights for one of the people I reached out to and I wanted to really understand the hacker mindset. So I’m like, well, who do I know that I admire that understands how hackers think? And you gave me some really awesome insights.
Phillip Wylie: Yeah. And I think it’s great that you see the importance of the hacker mindset because you know, a lot of folks, when it comes into cybersecurity, I think sometimes since you’re a partner in a consulting company, you probably see this a lot, is sometimes people don’t take offensive security, their assessments, seriously enough. Sometimes they just take it as a checkbox. So it’s good to have folks like yourself that are going out kind of evangelizing the importance of the hacker mindset along with the importance of offensive security.
Ted Harrington: Yeah, it’s kind of amazing to me that here we are in the year 2025 and we still need to be educating people about why this matters and how to do it right. And I do sort of get it to some extent. I mean, it blows my mind that this is still a condition. But I can understand the business thinking, which is, what is a business incentivized around? A business incentivizes around top line revenue and bottom line profit. And it’s difficult oftentimes for a business to think about how does doing security properly deliver either of those things. And that is, I think part of what we need to be doing is talking about not just like, how do you approach security in the proper way, but like, how does that actually help a business? And so because that ultimately is the barrier I think that we’re facing. But yeah, a lot of times people are like, I’m told I have to do this. I don’t know what a pen test is. I guess I gotta do it. What’s the cheapest way I can check this box? And helping people understand the differences is, I think, pretty critical.
Phillip Wylie: That’s good. I think that’s really important for anyone listening. You’re looking for consulting companies. Find people that are going to properly set your goals and objectives and not just do the checkbox. Because, you know, there’s some people out there that say, and it can be true, if you’re just purely compliant, it doesn’t mean you’re secure. You can accomplish both. So you want a consulting company that’s going to help you define those goals beyond PCI compliance or whatever.
Ted Harrington: Yeah, because I mean, the way to think about it, right, is that a secure system is often compliant, but a compliant system isn’t necessarily secure. In fact, if it’s just compliant, it probably is not secure. And that’s an important way to think about it because what we need to do is we need to realize that, like, how does an attacker think. An attacker doesn’t look at a system that they’re gathering OSINT on or performing whatever their research is. They don’t go to your website and your website says, we’re such and such compliant or we’re certified against such and such standard. They don’t look at that and say, oh, well, I guess I better not bother because you’re secure. That’s not at all what they do. They do not care.
They instead are looking at things like, well, if I care about obtaining this particular asset from this particular organization, how would I go about doing it? The question of whether you are compliant or not is completely immaterial to the attacker. And then when you look at, on the defender side, the companies who are pursuing compliance, that often is the only thing they care about. And that’s a really important mismatch. We think about it. It’s like imagine probably any sport, right? If the person trying to score a goal thinks about goal scoring and the person trying to defend the goal isn’t thinking about goal scoring or defending the goal, tons of goals are going to get scored and that’s a really big problem.
Phillip Wylie: Yeah, one of the things too, you know, kind of talking about the offensive security side. But I know getting budgets for security for any kind of security can be tough because, you know, people look at security as a necessary evil. They don’t really want to invest in much. So what recommendations do you have for people that are communicating with the board with senior management to try to get budget for the security assets that they need, the different types of consulting they need. Do you have any tips on being able to communicate that to have a better likelihood of getting that required budget?
Ted Harrington: Yes, I do. In fact, I think this is such an important question that I dedicated a considerable portion to my first book, which is called Hackable, to helping answer that question. Because if there’s not an incentive for the business to do it, they’re not going to do it. And that is a practical reality. Like when I was writing Hackable originally, I had nine chapters. And those nine chapters address nine common misconceptions that most organizations face when they’re thinking about security. Like, they think about how to share information. Wrong. They think about how to evaluate the severity of their vulnerabilities. Wrong. They think about how to fix them. Wrong. So I had these nine chapters originally, and then I started thinking about, well, why does anyone care? And I started thinking about why do companies hire us? And my gut reaction, my initial instinct was, well, companies hire companies like us. They must do it, because security is the right thing to do. If you’re building a solution, it should be secure. And that is true. I think of any company who hires someone like us, they do care about security. But I had to also put on my sort of like practical and capitalist hat and realize that’s not enough. That’s not enough for someone to spend meaningful money or meaningful effort. And as I started thinking about it, I started thinking about our customers. I realized that many of them, in fact almost all of them, fell into this other and perhaps even more powerful motivator, which is that security is a competitive advantage. So when we’re thinking about a marketplace where two companies are selling similar solutions to the same enterprise, and that enterprise has to evaluate between these two, they’re going to evaluate things like price, service level agreements, feature set, all these types of things. But important in there is security. 
So let’s say if these two systems are similar, and no two systems are the same, but they might be similar from a marketing standpoint or the problem that they solve, security is a difference, because a lot of companies don’t take security seriously. So when one company does and they actually do the right things, that’s a competitive advantage. And so this is a long way of getting to answering your question, which is that there’s two ways that we can think about why to invest in security. And those two ways, said simply: one way is to avoid a bad thing from happening, and the second way is to pursue a good thing, make good things happen. The first way, which is avoiding bad things from happening, that’s the way almost everyone thinks about security. They’re like, we want to invest X dollars so that we can make sure that Y dollars of damage doesn’t happen. And the ratio between X and Y is what becomes debated, right? It’s like, well, how likely is this breach to happen? If it does happen, how big is the dollar impact? Okay, so let’s say maybe it’s a 10 million dollar impact and it’s 10% likely to happen. Then that risk should be computed as worth a million dollars. That is how we should be thinking about how much we spend on security. Like that’s the classic way of thinking about risk. And that’s a good way to think about it. We want to spend money that minimizes risk within a rational way of having it as a percentage basis of the bad thing happening. Like you would spend $10 million to avoid a $10 million thing that might happen. You just, you’re not. That doesn’t make any sense. That’s the way most people think about it. And that’s a good way to think about it. But there’s a better way to think about it too, which is this idea of security as a competitive advantage. So being able to go to your customer and say, here are our core values, here’s what we stand for as a company. 
And one of those things, a lot of companies will say things like we put the customer first or we value quality or whatever. Well, security is a way that you can put your money where your mouth is and you can say as a demonstration of that belief, here’s what we do for security, here’s how we invest in these ways, here’s why that’s above and beyond what everyone else is doing. When they’re just trying to check that box that you were talking about, Phil, when everyone else is just checking boxes and you’re out there saying like, well, I think that an attacker thinks like this. Here’s how we invested in order to address that, and here’s why we’re more secure as a result. That’s really, really powerful. Because for anyone who’s ever been through the process of procurement, of trying to sell something to a large company, this is one of the questions that they’re going to ask. They’re going to ask about security. And what they’re really trying to understand is, why should I trust you? And if you can answer that question with the way that you’ve invested in security, it’s going to simplify that procurement process. It’s going to lead to sales faster, maybe lead to better sales. It might lead to sales that you otherwise wouldn’t close. And so while in one sense that feels kind of like gross to think about, security is a mechanism for sales and marketing, that’s the reality of the world that we live in. And that is a really powerful way to think about how you can get those security budgets is how can it support the sales mission, how can it support the marketing mission, how can it drive revenue? And if you’re listening to this piece of advice and you find yourself saying it doesn’t, then you haven’t thought about it closely enough. And that’s where we can get deeper into like, well, how do you argue that? And that’s why I wrote a whole book trying to argue about how you can actually go do that. But that is ultimately a really powerful tool that can be in your toolkit.
Phillip Wylie: Yeah, one of the things too, when you talk about customers, if people see that you’re serious about their data and their privacy, you know that’s going to make them a little more likely and willing to work with you. Because nowadays you really question whether companies really care about privacy because they take shortcuts and skimp on security sometimes, and then your data ends up in a breach.
Ted Harrington: Absolutely. Right. For two companies to work together, there has to be trust established. And in order to establish that trust, there’s some burning questions that need to be answered. Some burning, not even just questions, but like fears. Right. And so think about the person on the other side of the transaction, who ultimately someone signs on a dotted line that says, I approve that we’re going to do business with this vendor, supplier, or trusted third party. Well, if that vendor or supplier or trusted third party is the source of a breach of this buyer’s data, where do the fingers get pointed? Right. Of course they get pointed at that supplier or that vendor. They also get pointed at the person who authorized this partnership. And so this is more than just like, it’s not as abstracted as company data. Like, some people might even say, who cares about company data? Like, what individual person cares about company data? Like, people might say, that’s not my job, that’s someone else’s job. Like, I don’t care. But what every person definitely cares about is their own professional reputation, their job security, their ability to get promoted, to get raises, career advancement. And when you’re the person who has made a decision that results in this really bad thing happening, that’s embarrassing. It’s in the headlines, costs all this money to respond to. It’s really, really bad for that person. So what we need to do is we need to say, like, how can we help that person who ultimately is making this decision? How can we make them look good? How can we make sure that they’re able to confidently be making these decisions? And the only way to do that is by truly and authentically building better, more secure systems. 
It’s not by saying hollow statements like, oh, we have bank level security, we use military grade encryption, like things that aren’t really relevant to the security mission, that sound really nice and buzzwordy, but actually trying to build better, more secure systems.
Phillip Wylie: So one of the things that I find kind of interesting is the fact that you founded the IoT Village or run the IoT Village. So out of all the different types of things you could have done, like at DEF CON these other conferences, what was your reasoning behind starting IoT Village?
Ted Harrington: Yeah, the IoT Village origin story was kind of interesting. So this goes back. This is our 10th anniversary IoT Village. So the story actually begins 11 years prior, maybe 12, I guess you could say, when we started having discussions. But 11 DEF CONs ago, there was a discussion that we were having with DEF CON. We had just published this research that looked at small office home office routers. And we found these really catastrophic security flaws with these devices that everyone uses, that you’re using right now, that I’m using right now, that people use in their home offices, that people use in their corporate offices too. And we found all these problems and we started talking with DEF CON about like, is there a way we can gamify this research? Can we turn it into like a hacking contest of some sort? And so we did, and we went to DEF CON to run this first version of this thing. We called it SOHOpelessly Broken. That’s what the research was called. So we named the contest after that. And if you’ve ever been to DEF CON, or even if people haven’t been to DEF CON, you might be familiar with the idea that at any conference there’s like the main conference area and then there’s like the secondary areas, like maybe go down a hallway and then there’s like you go down another hallway, there’s like a tertiary area. We were down like a hallway after hallway after hall. We were so far away from the middle part of this conference and we were in a room that we shared with some other programming. Wasn’t like just a room for us. And we were in the back corner of it. We had one table. We were literally behind the trash can. So like people would like try to throw their, you know, like crumpled up wrapper or whatever from a candy bar. They’d try to throw it into the trash barrel, they’d miss and it would like land on our table. So that’s how like inauspicious our start was. But that event, it went great. 
It went really, really well. Then somehow word of mouth got out. Our area was packed the whole time. Tons of people were coming. And we saw at that time that IoT was like becoming a thing. And at that time DEF CON had only like, maybe I could be wrong on the exact number, but it wasn’t many. It was like maybe eight villages, or maybe it was definitely less than 10. It was like a small number of villages. And for people who’ve never been to DEF CON, a village is this idea of like almost like a conference within a conference. It focuses on a particular topic area. And we started talking at DEF CON about like, well, what if we expanded this idea? What if we started a new village focused on this emerging threat vector of Internet connected devices? And they agreed to it. So we launched this new village, which at the time was a really big deal because for like whatever it was, 25 years or something, up to that point there were only like eight villages. And now a new village being introduced was kind of a significant deal. And so we went out that first IoT Village and it went better than we could have imagined. You know, we had this like big beautiful space. One of the things that I really cared about and our team really cared about was we wanted to set an ambiance. Like we didn’t just want to have just like a brightly lit room with some tables, and while that’s interesting content, we wanted it to be a place that was attractive to spend time in. So we had like, we bought all these like super cool Internet connected speakers and we had these amazing Internet connected lighting systems. So it was this like deep purple vibe, like almost felt like a club almost. There was ambient music playing with like very kind of like techno, like down tempo type beats. And then people just came, they set up for the whole time and just participated. And we had all these amazing things. 
We had like 0-day hunting where people brought in devices and we found zero day vulnerabilities in them. We had a capture the flag contest and it’s gone great in the now 10 years of IoT Village that’s been happening since. Our Capture the Flag contest is one thing in particular we’re really proud of because for people who aren’t familiar with DEF CON, there’s this like cultural norm there. We refer to it as badge culture. You have your badge to get into the conference and then there’s certain, like, special badges. If you have access to like maybe a certain special party or maybe there’s an add on to your badge. The badges, often, like the official DEF CON badges, are games themselves. Sometimes they interact with each other and then there’s this like really, really super special type of badge called the Black Badge. And the Black Badge is, for reasons unpublished, that basically is just like, if you did something so badass that the DEF CON organizers are like, you’re awesome, you get a Black Badge. And a Black Badge is kind of like a Hall of Fame jacket in a sense. It’s not literally Hall of Fame, but it’s like if you have a Black Badge, for the rest of your life you go to DEF CON for free. And when you walk around the halls with a DEF CON Black Badge, like, people want to take a picture with you. You’re like, you’re at this really high status in the community. And what was really, really cool is that that first year the winners of our contest were awarded a DEF CON Black Badge. And in the 10 years since, we’ve now done it four times. So four times the winners of our contest have been awarded a Black Badge because winning that contest was so hard to do. There were like so many cool elements to it. So many cool things happened that DEF CON was like, hey, if you win that, you’re pretty cool. And I didn’t win the Black Badge. Our team didn’t win the Black Badge. It was the people who participated in the contest. 
But for us, we’re so proud that we created an opportunity for that to happen for those people. And I mean, that’s like as cool of a designation of the validation of what we’ve been doing that this matters. That, like, the way we’ve been focusing on improving the security issues in IoT is important. And then we just get to have so much fun. And I forget what the specs are this year, but it’s going to be big. We got a lot of floor space. Obviously being 10 years, we’re going to celebrate in a bunch of cool ways. So pretty exciting.
Phillip Wylie: Yeah, I look forward to seeing it. And so on the topic of connected devices and IoT, do you see that improving security posture wise, or is this still just a real area that people have a lot of difficulty securing?
Ted Harrington: So the answer is both yes and no to is it? You’re essentially asking, is it getting better? And I say yes and no because it’s almost like if you can plot two lines on a graph, one line is, are companies like, are mature IoT companies getting better at security? And that answer is yes. Like the number of companies that are mature in IoT getting better at security, like, that’s growing. So when we think about companies who’ve been in IoT for several years, a decade, whatever, are they getting better at security? Largely, yes. Not all of them are. But the percentage of companies that are getting better at security is growing. A lot of the legacy problems are starting to go away. Like companies are starting to realize you just can’t, you shouldn’t hard code default credentials because that’s publicly available information. Security’s being considered in the design in many cases. So these are great things. So the percentage of mature companies that are doing a better job at security is growing. So that’s a good thing. However, the space overall is growing at a more rapid rate. And what that means is that there are more companies overall in the space. More of them are immature. And I don’t mean that in an insulting way. I just mean like the maturity of their product development or their corporate development life cycle. They’re just lower on the maturity spectrum. So when you think of it in absolute value, the absolute value of companies who are really struggling with security, that as a number is growing exponentially. The percentage basis is improving, but the absolute value is getting actually worse. So that’s why we got to think about things like IoT Village. We’re not the only group advocating for change in this space, but that’s why things like this are really, really important, because we have to realize this problem, not only is it not solved, it’s, depending on how you look at it, getting worse. 
I would argue it’s getting better and it’s getting worse, but it’s getting better because of the advocacy of groups like people who attend DEF CON, talk about these types of things, organize IoT conferences, develop IoT security products, service companies, et cetera. So it’s a complicated answer, but I have reasons to be optimistic and reasons for concern as well.
Phillip Wylie: Yeah, it’s interesting to hear your insight since you deal with that on a frequent basis, but it’s also kind of interesting too. You kind of mentioned how there’s more use of these connected devices. I mean, you’ve got these systems for booking rooms, conference rooms, all these teleconference devices. And one of the things I think people overlook sometimes is they think about IoT and they don’t really realize the impact it can have on infrastructure. Because back in my pen testing days, one of the things we would do is we would go after printers if we couldn’t get a foothold. Because sometimes you could get credentials from a printer, you could gain a foothold. And then like recently, the Akira ransomware attack where they attacked a security camera because they couldn’t get a foothold in the environment, then they were able to do an SMB share into one of the systems internally and then spread the ransomware. And it seems like it’s becoming more of a prime target for threat actors because EDRs are getting better on the desktop. Traditional IT is getting better, but not always the IoT and connected space is keeping the same pace to maturity.
Ted Harrington: Yeah, I love that story as an example of the way that hackers think. Right, hackers. And maybe I should pause for a moment, just define what I mean by hackers, because I think you probably agree with this, that a hacker isn’t good or bad. A hacker is someone who’s curious, creative, committed, a problem solver. And the difference between good hackers and bad hackers is, of course, their motivation. Like good hackers want to, you know, find the problems so those problems can be fixed so the system can be improved. And malicious hackers, they want to victimize as a pathway to gain something. But whether they’re good or they’re bad hackers, they think similarly. Like, different motivation, for sure, different ethical boundaries, for sure. But in terms of how you look at a system, the hacker mindset is such a beautiful thing, right? It’s looking at something and saying, I’m supposed to do this or I’m not supposed to do that, or the only way to do it is X. And hackers look at something, they say, well, what if I did it differently? You know, I’m not supposed to do X, what if I did it anyway? It’s supposed to do X, what if I do Y? And your example is such a beautiful illustration of that, right? It’s like, well, we’re supposed to see if the IT infrastructure can be attacked. Well, what about devices that could give us a way to get into the IT infrastructure that might not historically be considered part of it, like Internet connected printers? And that is such an important way of thinking because when we just follow convention, when we are just conforming, like the way to do things is this way and everyone does it that way, that’s the way it’s always been done, and there’s no room for independent thinking, well, then there’s these pathways that are completely overlooked. 
And that’s the beauty of the hacker mindset, is looking at something and saying, before I go along with the established conventional conforming way, let me first think independently about that. And your story is a beautiful illustration of it.
Phillip Wylie: Yeah, it’s pretty interesting to see because I was watching or listening to a podcast several years ago from Black Hills Information Security Group and they were mentioning how it was getting more difficult to gain footholds the traditional ways from hosts. And so threat actors are having to spread to different ways of doing that, like these connected devices, which sometimes people just don’t really take seriously enough, or they don’t have the education internally to secure those devices. So it’s good that there’s opportunities like the IoT Village to learn that. I was recently at Hardwear.io in Santa Clara, a big hardware hacking and hardware security conference. It was pretty cool. Joe Grand was one of the speakers or one of the teachers there. He taught, was teaching a class. So it’s kind of good to have opportunities through the IoT Village and these kind of conferences to educate folks, because if people don’t know, they don’t have the know-how, it’s going to be hard to secure these endpoints.
Ted Harrington: Yeah, I love even the point that you just illustrated because I think it echoes part of what I was describing before, this idea that when we think about a security model, the parts we’re working on should get better. They will get better. I think we can be optimistic that the areas that get focus, get emphasis, get resources, security will improve. And you just described it as it’s harder to get a foothold the traditional way. But we also have to realize that at the same time, the world is constantly changing. The attack surface is constantly changing. And as the attack surface changes, those things that are newly introduced or considered in new ways, those are the weak points. And any emerging tech becomes that. So IoT is still maybe in the later stages of its adoption cycle. Like, I don’t think we’re in early adoption yet. IoT is pretty widely deployed by now. But you can contrast it with something like AI systems, which are in the very early stages of adoption right now, or you can contrast it with something like bring your own device, mobile devices, which are in the very, very late stages of adoption. And each of those three things, if you think about them in terms of security, what’s the most secure? BYOD of those three scenarios probably has the fewest problems now because it’s been worked on for the longest period of time. The second would be the IoT devices. And the most problematic is AI because it’s so emergent right now. And that’s the way we need to think about emerging technologies, is that emerging tech changes the attack surface. And once the attack surface changes, we need to reconsider the threat model. So that’s what we’re doing here. That’s what we do at things like IoT Village, and hopefully that’s what conversations like this drive.
Phillip Wylie: Very cool. So, yeah, I appreciate your time today. It was great chatting with you and I look forward to seeing you at the IoT Village coming up soon at DEF CON. So thanks for joining today.
Ted Harrington: Yeah, can’t wait to see you there. And for anyone who’s interested to learn more about these ideas or just keep in touch with me, it’s pretty easy to get a hold of me. Just find me at just my name, TedHarrington.com.
Phillip Wylie: And for the listeners, if you want to learn more about how to secure your IoT and OT devices, check out Phosphorus.io. We have a solution to help secure those endpoints. And this is beyond just your industrial type stuff, going back to the printers, securing printers and cameras, it helps make that a lot easier because traditionally that hasn’t been easy to manage. There haven’t been really good solutions for that. And so if you like the podcast, please subscribe and share with your friends and colleagues. Thanks.

Author
Phosphorus Cybersecurity
Phosphorus Cybersecurity® is the leading xTended Security of Things™ platform designed to find, fix, and monitor the rapidly growing and often unmonitored Things of the enterprise xIoT landscape.