THEOS Cybernova
THEOS CyberNova is a cutting-edge podcast that explores the dynamic world of cybersecurity, hosted by THEOS Cyber CEO Paul Jackson.
Each episode delves into the latest trends, challenges, and innovations shaping the cybersecurity landscape, featuring insights from industry experts, thought leaders, and technologists. Paul brings his expertise and passion for cyber security to engaging discussions on topics ranging from emerging threats and data privacy to the future of AI in cyber defense.
Whether you're a professional in the field or simply curious about staying safe in the digital age, THEOS CyberNova offers an invaluable insight into the world of cybersecurity.
THEOS Cybernova
James McLeary: When a Nation-State Attack Tests a CISO
What do you do when a nation-state attack hits just days into a new CISO role and it’s already Friday?
In this episode of THEOS Cybernova, James McLeary shares real-world lessons from leading a live cyber incident response under intense pressure. From coordinating multiple DF/IR firms to fast-tracking procurement in Asia, this conversation reveals what cyber readiness really looks like when theory disappears.
A candid discussion on incident response, leadership, and resilience when it matters most.
Production Credits:
Presented by: Paul Jackson
Studio Engineer & Editor: Manny Peñamora
Executive Producers: Paul Jackson and Ian Carless
Co-produced by: Theos Cyber and W4 Podcast Studio
This week on the Theo Cybernova podcast.
SPEAKER_02:I had not put myself in the situation of being under such an immense nation-state attack. I ended up with a very crowded war room handling the response with three IR firms who initially did not want to talk to each other. I would say we did about one year's worth of work in the space of six weeks. You must fine-tune your communication, your presentation skills, and and your personal branding and gravitas that you can go in front of a board or or push back on a CEO and get what you need to protect the organization. It's one thing having credit card information stolen or ATMs hijacked, but if medical equipment stops functioning, if medical record platforms are encrypted, then it's a whole nother ballgame.
SPEAKER_00:The Theo Cybernova Podcast, hosted by Paul Jackson.
SPEAKER_01:Welcome to another episode of Theo Cybernova Podcast. Today I'm joined by the incredible James McCleary, who's joined us all the way from Thailand. And in fact, we're meeting here in Kuala Lumpur together in person. James, thanks for joining me today.
SPEAKER_02:Oh thank you, Paul. It's a it's a real honor to be here. Thanks for inviting me.
SPEAKER_01:Yeah, no, we we've known each other quite some time now, a number of years we obviously worked together, and so I'm really excited about this episode because you are one of the sharpest people uh I've ever met in this field. I know this is gonna be a really interesting session today, so we'll leap right into it. And uh, well, I want to learn more about you know your story that you told in the recent book uh written by uh David G, which uh obviously had a number of CISOs contributing to it, and we'll talk more about his book in a moment. But your first experience when you were with the bank in Thailand was quite an exciting one, wasn't it? You were a few days in, am I right? And suddenly you get hit with Lazarus.
SPEAKER_02:So that particular role, yeah. I mean, what uh just an absolute shock, terrifying. Yeah, you know, I knew who Lazarus was because I had read up on the the Bangladesh heist and you know all the case studies uh relating to that. I had heard about the Sony attack, but to actually see it in front of me, see that encrypted email that said uh Lazarus were instigating an attack against me, took it to a whole new level, and yeah, it's a little bit you know, you have a plan until you get punched in the face by Mike Tyson, right? That that's exactly how I felt at that moment in time. And you know, my my mind just went to is it true? You know, we better start looking, scanning to see if it really is true, escalation and and response. But yeah, that's it, it's a day I I'll never forget.
SPEAKER_01:Wow. I mean, you know, it was also a Friday, right? When when we often joke about this, you know, being the Friday fire drill, and uh it couldn't have come at a worse time, really. You know, the weekend kicking in, and uh you know, I mean, what what were the first steps you took? I mean, what what what was your initial uh actions?
SPEAKER_02:Yeah, the first step was to cancel my travel plans for the weekend, but beyond that, you know, I I said to my team, conduct some scans immediately to see is it true that we're having data egress uh from the network as as was stated in the uh the threat intelligence email that was passed to us. The second was immediate escalation because you know I knew how serious this was going to be. I had you know, before that occurred, I had not put myself in the situation of being under such a immense nation state attack, and I knew that the organization had not had that experience either. So it was important to to move quickly, get that escalation going, and then start the response activities immediately. And you know, quite fortuitously I had met that week, that very same week, with a incident response company and uh immediately contacted them and they started working on the weekend straight away.
SPEAKER_01:I'm I'm curious because you know, in the book it it says that you actually have three DFIL companies in them. Well talk me through that because I mean that's quite unusual to have three working on it. Why why did you have three different companies?
SPEAKER_02:Yeah, it it was unusual. It was a little you know, the the first one was, as I mentioned, I had just met with them, so they were front and foremost on my mind, and it was uh an Israeli group, they responded very quickly, very effectively. The second one was part of a an organizational relationship with Mandiant. So it it wasn't specifically a retainer that I was holding, but there was a relationship that resulted in us bringing them in. And then thirdly, was as I mentioned in the book, Microsoft, because you know they were helping us on a lot of the response activities. I knew many people there, so so yeah, I ended up with a very crowded war room uh handling the response with three IR firms who initially did not want to talk to each other.
SPEAKER_01:I was gonna say, you know, that that's you you've got competitors in there, right? And uh that must have been a bit weird.
SPEAKER_02:Yeah, it was weird. And I remember at one point standing up on the the table in the war room and demanding that all three of them work together, and uh and then things things changed a bit after that.
SPEAKER_01:I mean, and it's it's it's it's super interesting, you know, the the going through this experience because I think you know, we talk a lot about cyber resilience and being ready for these incidents, but are we ever really ready? You know, I mean you must have had a lot of learning points from there because uh clearly you didn't have this signed in advance. Was the contracting did that take you time and did that delay things, for example?
SPEAKER_02:Some somewhat uh what became an issue immediately was we needed yeah, to fast track procurement, which often in ASEAN countries is a challenge in itself. But I was able to get across the gravitas of the situation, which meant that the crisis management team was empowered to push things through from a uh procurement point of view. Secondly, and this took a little bit longer, but I got them to agree on uh an emergency budget, which then became a lesson learned afterwards that you know we we should uh CISO should have access to an emergency budget in the time of crisis where they can you know quickly procure any additional equipment or or vendors and not have to have uh you know a long approval process and uh in in as part of that. Yeah.
SPEAKER_01:That's a really good point. Uh yeah, I never really thought about that, but having a slush fund or an emergency fund, yeah, it could be uh absolutely critical. The other point I'd I'd like to touch on is perhaps culture, because you had an Israeli company and two American companies working with Thai staff. And well, we've both lived in this region for a lot of years, and we know there is a lot of differences in cultures. How did you handle that?
SPEAKER_02:That was really tough, I have to say, especially as you know, I was a CISO, my my counterpart, the uh the CIO, um, had to do a lot of the heavy lifting. You know, during a a cyber attack, you are changing network configurations, you are installing software, installing equipment, and that comes down on the on the IT teams as a whole, and and not only the security teams. So so there was a bit of a shock and awe uh a mentality, and especially as all of the IR firms were ex-military experienced, so they they approached it very much like a military exercise, and it it was, you know, get this done, buy this time, and report back, and uh, you know, and don't have excuses. Looking back, uh we did uh I would say we did about one year's worth of work in the space of six weeks just getting everything uh everything done.
SPEAKER_01:That's that's pretty crazy. I mean, uh, you know, and and for anybody who wants to, you know, really dive into this, you've written a brilliant chapter in in David G's book. Uh you know, I do we do strongly recommend that anybody who is uh is interested should buy this book, right? It's uh it's a great read because you're not the only expert in it. David's put together a uh you know a slew of real experts globally.
SPEAKER_02:Yeah, it's an incredible lineup, you know, all CISOs, uh pretty much, but with you know diverse backgrounds and each giving their expertise and in different different areas of cybersecurity. So it really is uh a bit of a a CISO manual, I would say, and and well done to to David for uh for pulling together such a such a cast.
SPEAKER_01:Indeed, yeah. The book is called A Day in the Life of a CISO Personal Mentorship from 24 Plus Battle Tested CISOs, The Mentoring We Never Got. Great title. And uh yeah, we'll we'll put a link to it in the podcast releases so that uh you know you you know where to buy it. But it is a great read, certainly, and uh highly recommended. So m moving on a little bit, you know, this this uh talk about resilience, right? Um retainers are the what what you know first of all, retainers are priceless, aren't they? I mean, you don't want to be s dealing with limits of liability and indemnity clauses while during a crisis, so retainers are a must. But how do you find the right DFIR partner? You had experience with three just in one incident alone. You've obviously worked together with me and another provider, Kroll, where we uh uh we'll talk about that in a bit, where we uh you know obviously did DFIR. How do how does uh you know a CISO who doesn't really know much about DFIR, how do they go about knowing which is the right company to choose?
SPEAKER_02:So one thing as part of my incident experience that that is in the book uh that resonated very strongly with me was one of the incident responders played more of a a breach coach role, and he you know gave me uh a shoulder to cry on almost. He he kind of explained this is what is likely to happen next. These are some of the messages that you may want to share with the regulator, share uh with other external stakeholders, and and just kind of put me at ease given that you know this was my first time uh going through such a major crisis event. So I you know, I I took that experience and and and what that particular coach did uh within the incident response and brought that into consulting. And you know, I think you know, Paul, when we were at we were at Kroll, we we you know realized that we had to not just have the uh the forensic response but also managing the C level of the client that's been breached, uh explaining very clearly to them in non-technical terms uh about what's going to happen, what they should do. And so I think finding a retainer partner that can offer you that business level coaching as well as the technical forensic response is uh is paramount.
SPEAKER_01:Yeah, and I think you know that's something I've obviously carried into my new role at Theos because there were a lot of lessons learned at Kroll. We had a brilliant team there, obviously, and uh, you know, carrying that those lessons in terms of uh you know, having the technical brilliance of the analysts, but with the uh communication skills, the handhold holding, if you like, of the uh of our clients, uh and understanding the impact from a business point of view is absolutely critical. You cannot just rely on the tech alone. And one of the good things we had going at Kroll was obviously the fact that someone with your background, having gone through a major crisis like this, would also participate in the DFIR investigations that we had and bring your experience in terms of guiding the CISO, terms of you know, next steps beyond just the breach, because as you explain in the book, there's more to a breach than the recovery part afterwards, and uh helping companies and guiding them on that path is also critical. So uh, you know, all too often I think uh companies look for responder or or you know retainer uh uh firms that may have a you know some sort of incident response background, but they really need to look at the full package that the uh the company brings to the table. And as I said, this is what I've tried to do with Theos. You know, we're as you know as you know, James, from our conversations, we we we're an Asia-focused company that's aiming to make a mark in terms of doing things right in this region. And uh, you know, we do hope that that's uh you know, um that's what our clients want and need. So it's good to hear you say that.
SPEAKER_02:Yeah, and and just to add on to that, the the Asia experience is obviously very crucial as well, right? Because dealing with an incident in in Asia is different from Australia or or from Europe, you know. So having the cultural experience and navigating that into the the response is is paramount if you're if you're going to be successful.
SPEAKER_01:Indeed. And and that's again why we we enjoyed having you on board at Kroll, because you know you've lived in the region a long time and you understand the nuances, and I think that's vital to somebody like yourself who's operating in this region. And uh and I think you know, same goes for all of us. But uh yeah, well, it's just a shame that Kroll decided to withdraw from uh cyber and uh the cyber operations in the Asia Pacific region, but it's provided other opportunities for others to fill that gap. So uh all good. Um now let's let's uh talk about your journey a little bit because you know you've you've lived in Thailand now for a long time, and um why? I mean, you know, you're obviously from uh Bonnie, Scotland, and uh what what was your journey briefly, you know, in getting there?
SPEAKER_02:I was a software engineer, I I I became a product of of the GE IT management leadership program, moved into as a Six Sigma Master Black Belt doing business transformation, ended up in risk management, which uh brought me uh back over to Asia and Hong Kong, and from there moved into cybersecurity. And I I remember seeing one of those mind maps back in, you know, what was it to be 2015 or or or slightly earlier when when cyber was really just coming out? Uh and and I looked at that mind map and I thought, oh my goodness, how can any one person do such a role because you need technical ability, risk management, change management, communication, procurement and managing vendors and uh budget management, and you know, there were so many different angles of that mind map of what constitutes a successful CISO. But I realized that you know I I had experience in in many or or actually most of those areas, and and that's where I decided that the CISO role was was one that I wanted to pursue. So I had the opportunity uh in Thailand. My my wife is is Thai, also a New Zealand citizen, and uh we had some property in Thailand. So we moved over oh I I guess it must be about 17 years ago now.
SPEAKER_01:Wow, that's uh I mean that's a long time to be living now in this part of the world, and you know, it's pretty important, as you say, for for understanding the culture and being able to operate effectively in this region. But you've also done in-house and as a consultant, obviously, when you were with together with me at Kroll, pros and cons. What what do you what you know what's the uh you know you've you've got experience from both sides of the table, and any other CISO perhaps considering a move to the dark side to consulting, what advice would you give?
SPEAKER_02:So pros and cons. You know, for the in-house role, you're dealing with day-to-day problems that you cannot walk away from, you know, after the engagement is finished, you you own it, and uh you know that means that you you have to you're there for the long haul. So it it it does drag you down into a lot of areas which you you know are my minutia, dealing with very task-level uh matters, uh maybe getting involved in intercompany politics, you know, those are some of the cons in an in-house role. For some of the pros, I would say, is you know, you you really get to to build the culture and and uh and build the the team, the organization around you. So you you leave a a legacy uh behind you, if and hopefully it's a good one where you have been able to deliver a lot of value to the to your end customer. On the consulting side, for me, I got a real buzz out of helping customers and uh helping such a variety of customers across different sectors and different engagement types, and being able to see the different levels of maturity. So maybe you you gained uh a best practice experience from one customer that you're then able to bring into another customer that's not at that level. And so that that's very satisfying to see the the the valor of your trade bringing customers up in terms of a level of maturity. I guess the downside or the cons on the consulting side, it's you know, it the market has been turbulent, and you know job longevity can certainly come into mind. Uh and uh you know that's so that's not for everyone, right? Um uh we might even see some of that now with AI, where uh you know some consultancies are laying off uh roles due to AI and and the impact that they expect that may have. But it's uh you know, it's I would say it's it's not going to be for everyone. If you are currently in an in-house role uh and you are considering consulting, I would say, you know, what what is it that you're passionate about? Are you passionate about that customer success? Do you enjoy sales and and enjoy those regular meetings with customers across different industries?
SPEAKER_01:Yeah, I and and obviously I watched you uh you know whilst you were working uh together with me at Kroll. And I think one of the things that energized you wasn't just focused on the advisory piece, on the on the um, you know, the the V CISO type work, but rather also getting involved in incidents as we've just talked about. You used to thrive on those, I remember. And the opportunity I think in consulting is much broader, isn't it, to get in involved in those kind of exciting uh types of cases. So yeah, it's pros and cons, and uh it's not for everybody though, because there is the selling component. You have to be a good communicator, you have to be able to articulate your value, and I think uh that's something that anybody who Considering perhaps going into consulting from an in-house role should be very cognizant of you need to have that sort of confidence to go into uh to sell. Let's step back a little further below that. You know, how do junior people, or junior professionals, I should say, um, get to be a CISO? What sort of career paths should they be looking at if you know any youngsters listening to this today thinking one day I want to be that CISO, what advice would you give them in terms of a career path?
SPEAKER_02:So in in the different cybersecurity teams that I've managed, that there tends to be two types of people. Uh one are the more risk management mentality, you know, they will manage projects, they will look at the vulnerabilities, uh, formulate strategy, do the risk assessments, and then the other people are those that are more technically orientated, they they get a buzz out of doing the red teamwork, uh doing the you know pen testing and so on. But to be a CISO, I I think you need you need to understand both sides of the house very strongly. So one of the things that I did before I became a CISO was, and I came from the the risk management side of the the shop, uh but I signed up with on bug bounty programs, I did capture the flag uh initiatives, and uh I got into the more technical aspect, having been a software engineer in in my previous uh roles. So having that that balance of the technical understanding, but also the the strategy, risk management, uh risk assessment side is very important. But then you have to overlay that uh in its as a CISO you're you're presenting yourself to the board, you're meeting regularly with your fellow C level, so you really need to be a change advocate. You need to be able to communicate very technical matters in a in a way that will resonate and get you buy-in uh to solve uh problems and and get budget. So you you must fine-tune your communication, your presentation skills and and your your personal branding and gravitas that you can go in front of a board or or push back on a CEO and and get what you need to protect the organization.
SPEAKER_01:Yeah, that meshes with I I get asked this all the time, the same kind of question. And uh every time I'll answer communication. It's absolutely vital. It doesn't matter how technical you are, how gifted you are, if you can't articulate and explain what you're doing to a in a business context, then unfortunately in-house as a CISO you will really struggle. And I think uh, you know, uh even doing things like Toastmaster courses, you know, learning how to do public speaking really enhances the value of a future CISO. So yeah, I can only uh say that put yourself in those difficult positions, you know, go and volunteer to speak at conferences where you can. It may be out of your comfort zone, but the more you do it, the more you learn, right?
SPEAKER_02:Uh absolutely.
SPEAKER_01:And you know, you might find that you really enjoy it. 100%. So that yeah, that and that's actually leads into the next question, which is where should a CISO report to? Because obviously you've got to communicate to somebody who who in the ideal world, who do you who do you think the CISO should be reporting to?
SPEAKER_02:Uh uh without a shadow of a doubt, it should be the CEO. Right. You know, companies I I don't know why companies are still wrestling with this one today. It has to be this the CEO. And because this the CISO needs to be on an equal standing as the CIO. If not, security will always play second fiddle to IT investments. So uh, you know, you need to be there amongst the other C level. And I this one concerns me, particularly in Asia, because we are seeing you know, the CISO role has not yet gravitated in every country to the level it needs to be. And what we're seeing now is the emergence of chief AI officers or chief ethical integrity officers. You know, there's other sea level roles which are being pushed out now, and and quite frankly, I think the CISO, if they were at the right level in the organization, should be taking ownership of a lot of those requirements and uh and and representing the sea level committee in those subject matters.
SPEAKER_01:Yeah, and I I 100% agree. Uh you know, it should be a boardroom discussion, it should be you know a conversation with the CEO and the board. And uh yeah, I I I 100% agree with your your approach there. This is switching gears slightly, but um, you know, when you were working with me, obviously we got involved in quite a few crisis exercises, but can you, you know, from your position now as a CISO, can you articulate the importance of these and the value and how you would conduct them in your own organization?
SPEAKER_02:Yeah, so I'm I'm actually um about to do one in my my own organization, and and the reason I I'm doing it myself this time around is not because you know I think I'm great at them, but rather it's for a lot of the people involved, it's the the first time that they will have experienced it. So there's a little bit of uh uh uncomfort zone that I'm gonna have to break down. So I thought, okay, for the first instance, we'll run it internally. It won't be as polished as you know as an external firm can do, but it will allow me just to set a level of expectation and comfort. But then absolutely for the second exercise, I would bring in a third-party company like Theos to uh to help us run such a uh a cyber exercise and and really give it that external uh realism and and threat intelligence uh overlay. But you know, to me, tabletop exercises are absolutely crucial. It's you know the analogy of a pilot, uh, every time they they know how to fly the the 747, but every time they go out, they still go through their flip chart and check everything is is in place as it should be. And uh so that's really what we're doing by running regular uh cyber tabletop exercises. It's making sure that your checklist is is known to everyone, that people practice, and those lesson learns hopefully start to come down the more that you do them, the more that you drill it.
SPEAKER_01:Right, muscle memory kind of thing. And uh and that's uh you know, but but yeah, I think you're right because all too often I've seen companies go, yeah, come on in Theos, you know, do an exercise for us without having done one before, and it turns into a bit of a disaster, and um yeah, you know, because they're just not ready for it. And I think you're doing it the right way, you know. You start off gently, do it in-house, and build up to some of the more advanced ones. But the sooner you can get to the advanced ones, the sooner you're more at a uh at a level where you feel comfortable to deal with incidents. Because the initial ones I think that you you're doing will help you to check whether your playbooks are are working, whether people have actually read them for starters and and actually um know their roles and responsibilities in a in a fairly simple scenario, I would guess, you know, a ransomware type scenario or something. But um ultimately I think the the real meaningful ones are when you get a kind of red team or pen test approach where they come in and look at the actual technology they are using and develop a realistic scenario based on the um you know what's in place and input it in the injects rather than at the senior level. In input the injects at the working level, because in reality it'll be the working guys, the cyber guys who have to try and explain to the the bosses, you know, we won't be there in a crisis explaining things. So the sooner your team gets used to talking to the bosses about the potential impact of a crisis, the better prepared they will be, I guess. So that those are the kind of evolution I think of of crisis exercises. But I'm glad you said they are a must, because yeah, definitely. It's uh you know, you don't want to be going through your playbooks in a real incident for the first time.
SPEAKER_02:Absolutely not.
SPEAKER_01:Right. So one one last question before we um uh go into a couple of uh uh cheeky questions that I've got for you at the end. But uh you you've been in the uh CISO in the financial world, and obviously you then went into consulting and now you're in the hospital healthcare world. I'm curious, what what differences have you seen between the financial world and the and the hospital?
SPEAKER_02:So in in financial services, obviously the the regulatory environment is very strong. Even across Asia, you know, there's a very strong demand on cyber uh within the financial regulators and and that drives change and it drives budgets. So, you know, in financial services, budgets are are uh tend to be a little bit more healthy for cybersecurity. And uh if you look across the industries, financial services will be the most mature in terms of their capabilities within cyber healthcare, on the other hand, although there are regulations globally, uh you know, the likes of HIPAA in in the US, they they're they they they're plain catch-up with financial services. And in Asia, we've still got a ways to go. Uh many countries have been introducing, of course, critical infrastructure laws. Hong Kong did it recently. Uh a lot of the ASEAN countries have have their cyber cybersecurity for critical infrastructure, and healthcare is is part of that. But um but it's not yet at that same level of um demand, I would say, uh, in comparison with the financial regulators. So unfortunately, that does reflect somewhat on on budgets and and maturity uh within healthcare. That said, the pressure within the hospital environment uh you know can be even worse than in financial services. It's not so much about the regulator coming down upon you, but you are protecting people's lives. Right. And you know, the is one thing having credit card information stolen or or ATMs hijacked, but if medical equipment stops functioning, if medical record platforms are encrypted, then it's a whole nother ballgame. So the the severity level is is very uh extreme. And and we've seen that, you know. I think uh it was last year uh one of the largest cyber attacks ever in the the US was uh in a healthcare hospital environment, and because they had encrypted much of the infrastructure, the hospital could not process insurance claims, which meant they had to turn away patients, and you know, so it had a massive impact not only on the ransom that was paid, uh, but also the regulatory fines and then the overall reputation of the hospital uh in uh uh in in addition.
SPEAKER_01:Uh yeah, I can only imagine that being stressful as well. Uh and uh Thailand also prides itself on being a centre for medical tourism. The hospitals there are first rate, right? They're some of the best in the world, and any damage to that reputation would, you know, obviously the government would be um not happy. But uh the the other side, I mean, I I've you know, uh Theos, obviously, you know, we do um a lot of pen testing and red team as and we're getting an increasing amount of requests for AI, testing of AI bots, etc. But also, of course, IoT devices, and that must be very different in your world because you must have a completely diverse set of devices that you need to protect. I mean, because almost everything is networked nowadays, right?
SPEAKER_02:Yeah, yeah, it's um and similar with with manufacturing, you know, it used to be equipment on the the manufacturing floor or on the the patients, like the scanning machines, uh, you know, the radiologist x-rays and so on. They would all be standalone, but that's no longer the case. Much of that equipment is using AI to analyze results, to to share information with doctors. So it's interconnected not just with the IT network, but very often with AI uh platforms, uh LLM models. So the attack surface has grown uh massively. You know, I I I need to protect my IT environment, I need to protect my medical device environment, the IoT environment, the cloud environment, and now the AI modules which are being increasingly used. Even in you know, you we used to have shadow IT, now we have shadow AI. And so uh as as as CIO and and CISO, I I have regular arguments with myself about uh well how what's the best way to control these risks and at the same time allow the the hospital to move forward and uh in transformation.
SPEAKER_01:Right, yeah, it's the age-old battle between you know allowing the use of technology which helps uh you know and makes things more efficient uh versus making sure it's secure. I tell you what, our ethical hackers at Theos, they love these challenges, though. All these new devices and new technologies, it it makes life more interesting for them, and they love uh trying to hack these uh these devices. Right, we've run out of time, but uh before we close up uh today, I'd just like to thank everyone for listening. And please do hit that like and subscribe buttons. It helps us to get out the to a broader audience with all this important information. But I've got a couple of questions for you, James. Uh you're my second uh Scottish guest, and I did ask the uh my my previous Scottish guest, can you say the phrase purple burglar alarm?
SPEAKER_02:No, I cannot, but I will try. I can say 11.
SPEAKER_01:I was gonna ask you as well, is your office on the 11th floor? I'm sure uh those who've seen the memes will understand where we're going. Purple burglar alarm. Very good. There you go. All right, my final question is as always. Um a music lover, right? And it's my way of decompressing with um uh from stress of work sometimes, is by putting on a good old-fashioned vinyl record. What's on your playlist at the moment, James?
SPEAKER_02:Paul, uh, I've I've I've watched you uh ask this question to other uh guests, and this was the one that put the fear of God in me. So, but funnily enough, this morning my Spotify just had the 2025 uh review, so up on my list was some good old Scottish bands. Texas was number one, uh Franz Ferdinand was number two, and then number three and four were some obscure Spanish and French bands uh Novelle I can't even remember the name, but the very chilled-out music that I often just put in the background, and you know, so that's that's uh been my playlist.
SPEAKER_01:Fantastic. All right, James, thank you so much for being my guest today. It's really a real pleasure having you.
SPEAKER_02:Thank you, Paul. It was uh really enjoyed it and uh congratulations on the on the podcast.
SPEAKER_01:Oh, and by the way, one last question. Did did the uh Theos Cybernova podcast appear on your end of year list?
SPEAKER_02:Believe it or not, it was number four uh on my top podcast list just behind Joe Rogan.
SPEAKER_01:Wow, there we go. Just behind Joe. I'll take that. Thanks very much for being with us today, James.
SPEAKER_02:Thank you.
SPEAKER_01:Theos Cybernova was presented by myself, Paul Jackson. The studio engineer and editor was Roy DeMonte, the executive producer was myself and Ian Carlos, and this podcast is a co-production between Theos Cyber and W4 Podcast Studio in Dubai.
SPEAKER_00:The Theo Cybernova Podcast.