Cyber Crime Junkies

Why Cybersecurity Efforts Usually Fail.

November 04, 2023 Cyber Crime Junkies-David Mauro Season 3 Episode 16
Cyber Crime Junkies
Why Cybersecurity Efforts Usually Fail.
Show Notes Transcript

Richard Hollis of Risk Crew in London joins Cyber Crime Junkies studio discussing key topics: why cybersecurity efforts usually fail.

Video episode: https://youtu.be/Aurw4jLL2a8

Topics:
💡how cybersecurity efforts usually fail, 
💡why does cybersecurity usually fail, 
💡best practices for businesses to limit cyber liability, 
💡best practices to limit cyber liability, 
💡best ransomware protection for enterprise, 
💡best ransomware protection for small business, 
💡best security practices for business, 
💡effective ways to protect business from cyber crime, 
💡how ai will effect cyber security, 
💡how partnerships help in cybersecurity, 
💡how red team exercises help business, 
💡how security awareness training lowers risk of breach, 
💡how to limit cyber attack liability, 
💡how to limit cyber liability, 
💡new ways to protect business from cyber crime, 
💡newest methods to limit cyber liability, 
💡newest security expert insight


Thanks for Listening and Watching. 


Try KiteWorks today at www.KiteWorks.com

Don't Miss our Video on this Exciting KiteWorks Offer!

Try KiteWorks today at www.KiteWorks.com

Don't miss this Video on it!

The Most Secure Managed File Transfer System. 








Why Cybersecurity Efforts Usually Fail

Richard Hollis of Risk Crew in London joins Cyber Crime Junkies studio discussing key topics: why cybersecurity efforts usually fail

Don’t miss the video: 

Audio Podcast available everywhere: 

Topics: why cybersecurity efforts usually fail, how cybersecurity efforts usually fail, why does cybersecurity usually fail, best practices for businesses to limit cyber liability, best practices to limit cyber liability, best ransomware protection for enterprise, best ransomware protection for small business, best security practices for business, effective ways to protect business from cyber crime, how ai will effect cyber security, how partnerships help in cybersecurity, how red team exercises help business, how security awareness training lowers risk of breach, how to limit cyber attack liability, how to limit cyber liability, new ways to protect business from cyber crime, newest methods to limit cyber liability, newest security expert insight


[00:00:00] It's always in the news. Cyber criminals attacking great organizations wreaking havoc on the trust of their brand. We socialized cybersecurity for you to raise awareness. Interviewing leaders who built and protect great brands. We help talented people enter into this incredible field, and we share our research at Blockbuster True Cybercrime Stories.

This is Cybercrime Junkies, and now the show.

Well, all right. Good afternoon everybody. Welcome to Cyber Crime Junkies. I am your host, David Morrow. In the studio today is my always positive, fancy foot, fancy free beside Mark [00:01:00] Mosher. It's on my insincere things to say to coworkers app that I've developed markets in all the, all the stores, and,

Yeah, very excited about today's episode. So, today we are joined by Richard Hollis. One of the leaders at, Risk Crew, a great, methodology and framework about why so many organizations are struggling with cybersecurity and really why so many efforts, have failed. And then he's got some, some best practices to share some ideas and insight.

Mr. Hollis, thank you. Welcome to the studio. Thank you. Thank you, David. Thank you, mark. Thanks for having me, gentlemen. Well, we are excited to have you here. So, great. So why don't you tell us a little bit about your, about your background, kind of, are you, did you grow up in the, London area?

Are you from England originally? Tell, tell us, tell us about your history. Sure. I'll give you the long story. I still haven't, which I still haven't sold the rights to, so. Ok. He's good. [00:02:00] Good to know. No, no, I'm an American. I'm actually from Milwaukee, Wisconsin, and, I've found my, well, that's fantastic.

 I grew up in Milwaukee and, the military took me overseas. I ended up back in Washington, DC where I started my career, by and large government, because I got out the military with a. A clearance. And so that's what you do. And I went to school in dc, worked for the government, and did that for about 10 or 15 years till I got, oh, it's great actually.

You work for the government when you're young, you can have a lot of responsibility in terms of, of budgets and things. Oh yeah. And, and and I was actually the, a deputy director on the Moscow Embassy Reconstruction project. I don't know if you remember that one. The, the old US Embassy. I do remember that.

We were rebuilding it. Yeah, I was on that. And it was fun. It was a lot of, fun. But then I got recruited my, I think it was Phillips and Luon, did a joint venture and took me to Paris to be the security director for their cell phones, which was, at the time, it was, I think late nineties, ninety eight, ninety nine.

Yeah. You know, cell phones were like these sexy technology. So I got out of what was at the time, but computer security at the time was, [00:03:00] was, you know, Wang desktops and, you know, Tempest, that was, you know, that was everybody's idea of, those were the days of y2k. No, really. Exactly. That was the thing. Yeah.

Biggest problem is y2k. And that was, that was when people were actually engaging security consultancies to help them sort out y2k. But long story short, I found my, I left Paris and started a business. I'm one of the founders and directors here at a company called Risk Crew. We started the business in London, and it's a product agnostic, consultancy not that big.

We're under 30, 35 people. I think we are. , but we do just, you know, we are early founders of Oasp out here. We were, it's a product agnostic consultancy, so everything from threat assessments, you know, to, from pen testing to business continuity, but it's all, it's all one to 1, 1 0 1 practicing the fundamentals.

We preach the gospel according to. It's a process, it's not a product. So, so we follow, taken away my sting. That was one of my questions later. Ok. I have a whole thing about it being a process and not a product. [00:04:00] Take that out in editing, can't you? No. No. And so it is, it is, it, it's what drives me though, David.

Then this is part of, you know, that's how I view thing. I'm a 1 0 1, I'm a fundamentals guy. And so, yeah. And that's the, the gospel I preach and it's found its way into. Into the consultancy. So, you know, it's not about, it's not about the firewall, it's about the configuration. It's about, you know, the, process behind, anything.

And, so that drove the ethic of the company. And, yeah, that's it. We're having a lot of fun doing things. You know, everything from, like I said, supply chain risk assessments to red team testing and, European market is very different, I think, as an American working over here than we were just, yeah.

We were just having this conversation. Do you mind if we, let's jump off right there. Yeah. Yeah. That's a great, what is the deal with America like? I cannot, like, I, like I don't have this, I was just talking on another episode with somebody and they're like, well, we do a lot. Over in Europe and we have all the, I'm from the northern part of [00:05:00] Chicago, by the way, just south of Milwaukee.

Spent my summers up there. Very familiar with the area that you grew up with in, by the way. Just talking with somebody that does a lot of consultancy over in, in, in the uk and they were saying the, with GDPR and everything, they, they have such a different. View of privacy, of, of personal data. They, they believe it is a fundamental human right.

Mm-hmm. And in America, we're like, I don't care except all cookies. Here's everything. My passwords, my dog's name. You know, like, they, like, we don't seem to care as a culture and I'm shocked by it. I, I, I don't get it either. Honestly. It's easier for me to do business here because when I look back at the American culture, I, I, I, I kind of have to fight that.

But here, it's not a sell here, here people actually read terms and conditions of Amazon before they sign up. Right. Here it's, it, it's, it's, it really seems to be understood that privacy is a, is a right. It's not, it's not to be given away. And, and, and Europeans in general, the Brits [00:06:00] are behind the Europeans because they're very Americanized in, in, in the way they do e-commerce.

Oh, that's a good. That's a good point. And so, and so data is cash more so to the Brits than the Europeans, but Europeans don't see, you know, they, they see data as data that belongs to me, not data that belongs to you because I visited your website. So GDPR is just one of many types of legislation that are very pro end user that we just don't see in the states.

And it, it's, It's disappointing to me because I believe in that as a, I'm personally a paranoid schizophrenic and I, I don't like people to know what shoe size, much less what, you know, the conditioner I i I use in my hair. And, and Europeans are very much like that. They're, they're, they're, they're very privacy oriented.

That's, that's mine, that's not yours. And so it's a different approach to technology, in terms of the protection of data. Well, it's really come to the head too recently in America when, other things get debated, like the whether to ban TikTok or not, or things like that. And, and people are jumping up and down about that and it's like, well, we have no [00:07:00] standards.

Like we have no codes. We have, we have different frameworks that are. Ideas, basically. Like, unless they, they have no regulatory enforcement power behind them, so they're just kind of lists of best practices out there. And unless you're in a particular vertical or field like HIPAA or, or C M M C, things like that, right.

But Right. But, it's really a struggle here. I mean, we, we, part of, I think that's a good point because part, some of the clients that we deal with are overseas. We're here in America. We don't have to sell them on the need for security consulting, security services. It's just us offering our best and then we compete against others.

Right? For some that are very more geocentric here in the us, we first have to convince them that they even need security service install, right? Because? Because their view is why I haven't had 'em for the last 20 years. Why do I need to have this expense now? I'm like, How can you not? Right. Like [00:08:00] it is, you know, when we get online, we're, we're in their world.

It's a global world once we get online and, it's quite interesting. So let me ask you this. When, when you talk about you have , the circle of failure and you have this, phenomenal kind of framework that you've built, I'm gonna put it up on the screen for, for the viewers.

 You talk about, the circle of failure, in cybersecurity, buy more products fail to define strategy. Implement product to secure systems, neglect people and process. It's so true. Products do not work. Systems are breached. And then we go back to buying more products. Failing to start off and the circle continues.

 What, you know, I, I, I really wanna first what caused you to develop the theory? Do you know that old guy, the old man in your neighborhood when your ball went into his [00:09:00] yard? You know, you know, I have to ask him. Oh yeah. I, I, I think my age actually, I, I, I, David Mark, I've been doing this for my whole career.

It's 30 some years. And, and you know, you get to an age where you put, you, you put your life into work. And we've been, I mean, I literally started before cybersecurity had a name when. You know, back when Y2K was and, and spam was a big deal. And, and so we've had, the way I look at it, this idea, this attitude is this, this, this headspace is, is by and large came from my age and my position, looking back on my as older.

People do and thinking, what have I done in my career? And I, I, you start to look for things, have I made a difference? Do, am I part of something that, that, that, you know, has made a difference? Have I changed the future in my career? And, and I struggle for that. And everybody thinks cybersecurity is so sexy, but when I look at it, cyber, the industry itself, I see more failure.

That confronts me than successes after 30 years of practice. Wow. [00:10:00] So it, it, it is. So a, a couple of years ago I started to, that's used to weigh on my shoulders and I thought, no, there's gotta be some, some wins out here. But every day I pick up the paper and there's, you know, Yahoo. 3 billion, breached, 3 billion, right?

You know, Facebook, a half a billion Adhar, a billion here, a billion there. And I'm thinking the breach is alone. Our, our, our will make you pull your covers over your head and not go to work. And, and, and the rise of regulation. For me, we talked about regulation out out here in the eu, but regulation in general for me is a sure sign that the industry itself doesn't work, you know, like aviation.

Because, because they need parenting. Right. They have to step in and somebody else says, wait a minute, we need seat belts in these cars because people are going through the windshield at 20 miles an hour. And that's, you know, but it takes 20 years and it takes suddenly some regulation steps in. And then, you know, Detroit starts putting, spending a dollar for another piece of canvas and, you know, and suddenly you have safety and, and then airbags and then shatterproof class.

And anyway, this hasn't happened in our industry. I don't [00:11:00] see, and so regular, you know, so when regulation steps in and you see regulation like gdp, P R or hipaa. That's, for me, that's a sign that the industry has failed to, to police itself to look after itself. Right? So there's regulation, there's the breaches.

And, and I just couldn't see a lot of wins. And I started to look at things and look at what are the, you know, and I told you I am a, a process, you know, is, is, well, let me back up and say I'm a computer security oxymoron. Alright. For, for, for me, that's what my tattoo says. Computer security up tomorrow.

Yours too. We've the same place. Exactly. Marks. Marks has that on one. On, on, on the other arm. I've got lock, lock. I, I should have considered it, but that's the way, that's the way I look at my profession. So I thought, okay, so computer security oxymoron. So the game is identified, minimized, and managed. That's a process.

And that's why we started out saying security is a process. It's, it's not a [00:12:00] product. It's a, it's a process of continually managing the risk of alright, but if the objective of the cybersecurity industry was to prevent a breach and prevent data theft, clearly you look around and I, I challenge you to find some sort of evidence of a success.

And this is what I do for a living. This is my profession. So after a while I thought, okay, let's, let me look at the evidence of the failure. And it was there in at least five areas. That, that I started to talk about as, as I put together this circle and figure out why do we continually fail and then fail again.

And then fail the next year. And the first thing I, I, I saw is that, is with our products, our cybersecurity products. I thought what we don't, I go to, I don't know what you guys, but you know, I go to at least 30, 40 events, cybersecurity events every year. And we don't talk about the fact that our, our products, they just don't work.

They just, they just, they just don't work. And, and, and No, when you go to the events, when you go to the events, they have a, a lot of the marketing has [00:13:00] unrealistic claims. Well, you've got vendors out there stating things like, Solving the human factor, you know? No, you didn't. Didn't. Right. Exactly. Exactly.

But, and of course, you know, the events are sponsored by the, you know, the events are sponsored by the Exactly. There's not a lot of people who are gonna go up on stage and say, Hey, I think prob one of the problems in this industry is our products don't work. Our vendors don't give us, Products that work.

All right? They're always a step behind the threats. They were good for threats two or three years ago, but, but they're, you know, it's like they sell us knives to take the gunfights, I say, because we show up completely unprepared to meet the challenges on the threat landscape today. And, and, and I say that and you know, I understand vendors need to make money.

I do. But but we have, I think we don't speak enough that, Our products that we rely on in our industry aren't fit for purpose. They just, they just, they're just not up to the challenge of the threat landscape And the threat actors today, not, they don't [00:14:00] meet the capability, the adaptability, they don't change fast enough.

And we're locked into something that worked 2, 3, 5 years ago and, you know, we're still using it and calling it cutting edge. I, I just, that, that bothers me. Yeah. So what about, let me let, let me unpack this a little. Let me play devil's advocate. You, you talked about the lack of success. Here's, here's the dilemma, I think.

Is to the degree that any service, and I don't think it's a product, I think it comes from a service of people really fighting and working together, building a security culture, things like that. When they succeed in blocking certain threats or minimizing things and, and stopping something from happening, it's never gonna be in the news.

And so we're never gonna really hear about it necessarily, are we? No. So that's, that's like, what do we say? I'm happy with that. What, what, what do we say to that? Because I don't disagree with what you're saying. I'm saying what do we say to the people that [00:15:00] bring that up? I, I, for, for me, that's what the fight is.

The fight is to stay out of the news. So the last in the news, more successful we should be. So it's it's that inverse thinking that, you know we should, we look at the breaches where, you know, and we look at the breaches every day that face us in the news. And I'm saying that's evidence of our failure.

But the opposite of this is the good fight. When we do have wins, when we do stop threats. That's our job. What, what do we want to take a victory lap and tell everybody about it? Congratulations. You did what you're supposed to. Right, exactly. There, there you go, mark. That's exactly what I mean, you know? Yep.

That if it, it, and it's, it's not that way. In fact, when you think about it, you, you know, one of the first things I realized, and when I said it out loud, people said, what do you mean by that? And I said, do you know that that cybersecurity vendors profit from the insecurity of computing? Correct. Now, I, I, I know this sounds stupid, but when you say it out loud like that and say, wait a minute, these are vendors who sell us something because something's not right, and if it [00:16:00] were right, they wouldn't make a profit.

And for me it's a little like the pharmaceutical industry. You know who for I grew up for years and they make a lot of money. Yeah. Selling things that treat the symptoms, you know? Right. Here's a cough syrup for that cough. You know, here's a, you know, but they, they treat the flues, the viruses, the, the, the symptoms.

And they make a lot of money. So if there was a cure for the common cold, the money goes away. The money goes away, but, and I'm not, and then I start to get really cynical and I, I used to, and I look at every vendor saying, you know, if there wasn't, here's another sign after every single breach, look at the top 10 guys in the industry and look at their profits.

Increase after one, acry after, you know, share and value increases. You know, so big. Any wave ransomware people, security vendors have made a lot of money out out of this latest ransomware wave. Why? Because that's part of the circle buy more product cuz we all rush. But why is it that security vendors profit from a breach instead of from preventing one as you [00:17:00] just said, David, and that should be the norm.

And Yes. Yet the reality is the market is the inverse. The market rewards security vendors after a breach. Because we all run out and we're scared and we buy stuff because our hair's on fire. And you know, we buy that next gadget, which doesn't work. And then we get rebreed and we've all wig out and go buy the next thing, which doesn't work because our threat vendors are well down the line.

And you know, something that came out of RS a's R and D lab, you know, they've been working on for five years, that's already O B E with my new Right. But they're gonna sell it to us anyway because they've got an investment in it. Yeah, right. Well, how about, how about, how about plain and clear language from vendors?

Right? If, if, because part of the reason, to me, at least in my experience, part of the reason the breach occurred is the clients. Didn't have certain services and things, systems in place in the first place, right? They didn't have you know, [00:18:00] anomaly detection, threat hunting in the first place. So when they were in, they had a dwell time of nine months because you didn't even have the basics involved, right?

Mm-hmm. It, it, so, so long as the layers of security are, are. Are presented to an organization as a, as a, as a needed layer, whether it's from them or from another vendor, whatever. At at least there's some, some best practices that are improved. But some of it rests on the organizations themselves and not, and not.

Wanting to spend the money on risk. And, you know, risk is kind of a dial, right? And, and some organizations don't want to turn that dial at all, and some will will turn it up halfway so it doesn't get in, you know, pure security, the dials all the way up and it's, and you can't operate. But, but, but when, when, when they hit that middle ground, it, it, it seems to keep them mostly out of the news.[00:19:00] 

What, what are we, what are we? Like what role is the role of education for the organization's play? I guess that's what I think it starts, what I'm getting at starts, I think it starts with, and one of the cogs on my wheel is we failed to define a strategy. Yes, I have, I have rarely met a CISO who could define their, their online strategy in one sentence.

And it's, it's, it's just, they're, they're just not that focused and because they can't articulate a strategy, and then the next step is to calculate the return on your investment for everything you buy. Mm-hmm. We don't, we've had 30 years and we can't calculate R S O I on any product, much less service or security awareness program.

And so the, you know, security becomes this. This technology problem, this, it, it goes to the tech to, to the IT department. They see it as a technology problem as I point out. Then they neglect the other two, two threat factors cuz we all got together and we said, wait a minute, this is about protecting people, process and technology.

Mm-hmm. And, and if you can't define a strategy that's gonna, that's gonna cover [00:20:00] those three attack vectors. Then what you end up doing and, and failed and you cannot articulate the return on investing in protecting Attack Vector one. Attack vector two of attack vector three. Then you just start listening to vendors saying, be afraid.

Be very afraid. Buy this product. Or you're gonna have ransom. You're gonna have, oh yeah, that, that. Then they just keep driving fud. Right. The fear of certain that's, it's Exactly. So it's our, it's our failure, guys. That's That's what, that's what I think. It's our failure. I would agree with that. Find the strategy and measure.

Absolutely. Put KPIs and measure rs o i against anything we buy and anything. And that way we can speak to the business in the terms, but I don't know. But you guys, but. 30 years. I don't see a CISO who can articulate, you know, in a That's a great point. Yeah. I just, and there's, this is what I do for a living.

Yeah. And there's great sophistication in that simplicity, right? If they can clearly articulate in one or two sentences what their strategy is. Then that's impactful. If it has to come in a 500 page document, then there's no thought behind it. It's [00:21:00] just reiterating of data and nice graphs and there's, they, they, they need to be able to sit across a table and, and kind of explain it.

Can I can I tell you a story? It's a little off color, but Well love Yeah. Welcome to, welcome to our podcast. Yeah. We're, we're born of this, I'm working for a company that's been doing penetration testing for, you know, 20 years and yeah, we were in business for about 10 years and, and then suddenly we get an incoming call from an industry we've never worked in before.

We've worked in, you know, for. Government and, and nuclear and, you know, and, and, and they call it grid anyway, and suddenly we get a, we get a call from, from an online adult entertainment provider. To do new one, to do apprentice. The hub of, of malware, right? Well, it, it, it is, it is spyware malware. I mean, these guys have a reputation, right?

You go to, you go visit one of their sites, you're gonna get inundated. So we get an incoming call. We think that's interesting. And this is about seven or eight years ago. I. And it was the, at the time it was the [00:22:00] number two online adult entertainment provider in here in the uk. And so, of course the pen test team's, like, wow, who we're, we're testing a, you know, health entertainment site.

So it was supposed to be a five day project. We put he put in five days, the tester comes up, looks at me, he says, rich, nothing. Zero. Not even a warning. And, and of course exactly if you do pen I and you know, there's no such thing. There is no such thing. I said put another two days into it. Are you sure you got the right ips?

What? Nope. Comes back. We doubled the time. A five day project. We ended up putting 20 days in and we found nothing. Not zero. Not even a warning. All right. We had 10 guys on it for almost two weeks. So I said, okay, print out the, print out the report for me. They're located offshore here in the IS of Mann.

And so I get on a little flight, I go, I sit down with the CISO in a, in a conference room. I give them a pen test report and I said, you know, I can't charge you for this. We've been in business 10 years, never done a pen test and not find one vulnerability, not one. And he goes, and he's looking over the report and he's saying, did you do this?

Did you [00:23:00] do that? Yes, yes, yes, yes. And he looks at me and he said, no, no. It's looks like a good test. Thanks very much. And I said, wait a minute. What do you know that I don't know. Yeah. He said, well, I know that I'm the internet. You're either my client or my enemy. I. I love that phrase. Exactly. I love that. I thought, I've been doing this for so long, I've never heard of ciso.

For a bank, articulate a more effective strategy. You are either my client or my enemy on the internet. That's it. And if you're my enemy, meaning you want free product, I'll give you spyware, I'll give you, but you want to give me your credit card. Welcome to the inner sanctum. And, and then I started thinking, what do these guys sell?

They sell privacy. Right. More so. Oh yeah. Yes. You get it. And, ah, connect. I've been doing this. Exactly. And that's what it took me to. And I was in business seven years before I connected the dots. Yes. And I thought, you know, online adult entertainment providers protect my personal details better than my bank.

Yeah. And, and I [00:24:00] just thought, these guys get it because what is your worst fear if you use one of these sites? That's your mother, father, uncle, aunt. Your dog finds out they're using it. He thinks less of you. They know it's all about privacy now, not if you don't give 'em a credit card. Right. But, and, and, and I went out and, you know, this was after California State Senate bill where all the listings you know, of who's had a breach.

And I, I look for the last 20 years. Now you find in the last five years a couple the, these sites have had but they've lost passwords. Not one of 'em has lost a pci credit card or had a PCI infringement and for me Oh, that, that's true. Yeah. That's an industry that gets it right. Wow.

Because they understand you use our services, you don't want people to, to, so they have a zero. My point is zero tolerance for breaches and that, and that's from the top down. And this is a business that makes a lot of money led the way for all of us to make money in e-commerce, you know, and, and truly a the, one of the only businesses, industries that stand out that, that gets [00:25:00] security because it's private.

That's so interesting. And, and he was able to articulate. His strategy. One sentence. In one sentence. Yeah. Either you're either my client or my enemy. Yeah, that's good. And he's absolutely right. There's nobody else looking after you. That is so interesting. You mention and he Yeah, and he, he created the dichotomy, right?

Yep. If you're not a paying client, then you're just a visitor and you can have all those spy and mind, we don't care. Condition. Yep. Free condition. Fine, fine. You gimme your credit card. That's seriously, and that's what he said. Welcome to the inter sanctum. We'll look after you. So they have a, let me just finish this.

They have one. Oh no, this is great. They find one thing they will fire a developer. And make him do the walk of shame. I mean, literally finally put some stuff in a box and walks around. Why? Because he did not do a cis admin and update a patch or, you know, it is just zero tolerance. That's what I was gonna ask you.

Like, what were they doing, what were their processes? That because, because they could have been using the same products that another organization that's been breached was doing. Right. [00:26:00] Right. But they weren't, they weren't managing it. Right. They didn't have the processes binded. They have a reputation for embracing technology.

So they were in virtualized platforms and cloud computing and cloud platforms before any of us were doing it. And, and, and, and they understood it. But the key was good cis admin and, and really, and, and secure by design. They actually take the time to develop the apps, you know, with an slc, do code reviews, do application.

All the stuff that we preach that we should be doing. They, this is an industry that actually does it. Yep. Well, now I feel better about using my debit card on those. Oh, God. Feel much better. I'm joined a couple tonight. No, mark. I've been using your card for years.

Wow. Well, and then we hear and then, and then was that, if you don't mind me asking timeline, was that before or after that? Ashley Madison breach. Yeah. Remember the follow that was a huge, that Ashley Madison breach [00:27:00] was really interesting to me because that was a, remember that was a, that was a third party.

These guys said, use our site and for free, it's like, remember the, the model was pay to enter sorry, free to enter pay to exit. It's free to join, but if you want to exit, you pay us like $5 Canadian or something, and we'll destroy your data. And everybody's Oh, I didn't know that. I haven't used the site.

Oh yeah. Oh, so that's how it worked. Oh, wow. That's how it worked. Free to enter pay to exit, and on your exit, we'll Deloitte your data, so it's like you will never use the service. Okay. There's no such thing as a delete button in it. And so and so the guys who attended said, oh, really? I don't think you delete that.

And went in and got it and made it public. And they did it just on, there was no, there was no theft of data other than making public data to embarrass the company because they lied. They were lying to their customers. They weren't deleting data. In fact, they, they were also selling it on but there was no such thing as [00:28:00] delete.

So that's what I was gonna say, getting with data brokers and then selling that data anyway for marketing purposes. Exactly. So I like that breach just because it overturned their business model they were telling. Mm-hmm. They were lying to their customers saying, oh, we'll delete it. Don't, don't worry about it.

And, and I thought, and, and in the world of pen testing then had a big, that had a big sound. That was a, an ethical hack that we thought, man, they were just proving the point. Nobody made any money. Maybe they just made a really good point. Yeah. And I thought it was, yeah. And that, that is not adult entertainment.

Remember? That was a, that was a, that was a site that was facilitating dating between Totally different, right. Yeah. But, but I was just curious cuz it's, it's relatively similar. No, similar type, but, okay. Oh, that's so interesting. So let me ask you, what does, in your role and in what you've seen, what benefit is there, or to what degree in understanding the behavior and the people behind.

Who's committing the cyber [00:29:00] crime, like studying cyber criminals, understanding what drives them, understanding the behavioral analytics. What, how does that play into what you see and, and, and what you guys do? I have a very simplistic vision of the threat landscape, and it's been nurtured throughout the years, but in general, I, I think part of the.

Part of our misunderstanding is that we have failed to understand that that data equals cash. Data equals cash. All data is valuable to somebody, some adversary. I don't care if it's, you know, what shampoo you use or you know where you buy your clothes, what you like, what you don't like. All social media data.

All data is intrinsically valuable to some threat actor. Okay. And I've seen databases, all kinds of databases being sold for all kinds of strange things. And I thought that's unbelievable. A, that people kept the database of that specific thing, and b, that you could, you could take that database and sell it on the [00:30:00] on the, on the internet.

On the dark night. So, so first of all, I think a big misconception is, you know, I, I think we don't, and by we, I mean, businesses don't see information, assets as, as monetary things that can be monetized, right? By our, by adversaries. All right? So, so, you know, that's how I've always looked at. Things when I go into a business and I say, what are you trying to protect?

Why are you trying to protect it? And what's gonna happen? And we start having this information about the value, the, the sensitivity of their assets and who else that can be valuable to Yep. As an to understand who might want to take that away from you, whether you have a A, a database of, you know, of, of, of children's, you know, under sixteens Facebook accounts or things in your charity, or that you have a nuclear launch codes you know, on your, on your system.

So if you understand what you have and, and who would want that and what benefit they could have from that, you understand the threat landscape and specifically you start to single out. Who would take that away from you and who would've reason? But it, it starts with the simple premise that. [00:31:00] All data. All data, and Jeff Bezos knows, taught us all that data equals cash, which, you know, the books that we're gonna buy, the places we've been, yep.

Our geo location, the billionaires, all these billionaires made that money off that simple premise data equals cash. And yet I rarely meet a business that understands that intuitively and looks at their information that they process, storage, transmit, and understands the monetary value to a, to an attacker and protects it accordingly.

Yeah, that's, and, and I think that is, that's the heart of it, isn't it? I mean, I think that is the, the key evolution step that especially we in America need to, need to educate organizations is because we come across market, gonna come across business owners, executives at large organizations or, or business owners of small and mid-size organizations all the time that are like, I don't have that much, I don't have a lot of data.

I have 120 employees, but I don't have a lot of data. [00:32:00] Like what we do is kind of commoditize. We just make our money off of this. Yeah. It's like you have millions of dollars of data. Yeah, yeah. Like there's so much right there just by having the employees, it's, it's, it's, it's out. It's out. And they have customer lists and they have, you know proposal documents, design document.

There's so much that can be monetized on the dark web. And, and the other thing is we feel this one, you know, I, I think there's a conceptual, a, we don't understand data equals cash, and B, we don't, we think we, when, when it behooves us, we look at it at the problem as this is ones and zeros and it's not Yeah, yeah.

Equals lives. Yeah. Mm-hmm. This is, this is, you know, this is data about people's mothers and fathers and sisters and brothers and children and where they go to school and what blood type they are. And, and, and we, we, it's like we disassociate it with that ourselves of database and we just see it as ones and zeros and it becomes a technology problem, and we never make it personal.

One of the biggest reactions I get is when I walk [00:33:00] into a boardroom and I say, okay, raise your hand if your personal data is in your sys your business systems. Where your children's go to school, you know, pictures of your wife and you on vacation. Anybody have that kind of personal and, and no, they don't do that.

They, it, you know, business systems are one thing, but they don't understand Our business systems are full of information about people Yeah. And their personal lives and what they buy and where they go and, and, and where their kids go to school. And, and, and that disassociation even from people in our industry.

Guys, you know, I talked to other cyber I, I just about two weeks ago I had a lunch with a. Guy who's the biggest firewall salesman out here in the uk, and he came in and he was really upset and I said, what's wrong? He said, somebody broke into my laptop. And I went, oh, the,

but he was mad because someone took pictures, took his pictures of vacation, of he and his kids and his wife. And took it off. It's like now he's mad and now it's personal. And I'm thinking, you sell firewalls for a living and just now you're making, you just, you just now came to that [00:34:00] epiphany. Right, exactly.

Well, I think to the, I think being in cybersecurity that, you know, obviously we understand it and in our, our. Threat hunters and the risk analysts and others on our teams need to understand the TTPs, you know, of who, who they're up against. But I think it's, it's our job. And this is, I, I'll look, and this is where I've struggled, I know to get owners in executive leadership to really understand that mindset, that your data is cash, and that that data comes from human lives, from people, and to get them to understand and have a clear vision of what the, the true threat landscape is.

And why that's important to them. And, and like David said, we just don't see it that often and it's hard to convince people of that sometimes. Right? Yeah. And, and that's the tool I use, is to try to make it personal and say, okay, if you, you know, when they're determining how much security should we spend on protecting this database?

And I would say, is your data in there, like I said, as an example, what if this were your data? What, and [00:35:00] whether it's buying data, what you did on the website, you know where, where your RGI location data, where you were last week, Thursday, you know, because your customers expect, you know, what would your, so I where's your personal expectations for the protection of that data?

And shouldn't you start there when designing the security to protect that data base as if that data belonged to you and your family, and you would protect it accordingly? And that changes everything. Everybody goes, ah, oh, that's good. Yeah, because they're disassociated from it. It's customers, ones and zeros and it's not, you know, and, and, and, but if we put some skin in the game, if we had our own personal data at stake, I think we'd practice security by design.

Yeah, I agree with that. Absolutely. That's fantastic. You know, one of my questions was is security a product or a process? I think I know the answer. It's a long, I got onto this. Well, yes, it is, it is absolutely a process and I, I have to, part of my struggle was, is I've always. I can't think of it.

Product and services absolutely have a [00:36:00] place, and I'm a service provider, but I know my place. I know my piece of the pie, what I can and can't do, where I'm effective and where I'm not, and where you know where products are effective and where they're not. And at the end of the day, I've spent my 30 years in this career and it is a process from the minute you get up.

Yeah. To the minute you go to bed and then you get up and you do it again. It's, it's, it's, you know, it is a cycle. Threats change. Vulnerabilities change, threat, landscapes change, technology changes. Change is the only constant in our industry. So it has to be a process thing, because we thought by, if we locked into something, it's, it's already past tense by the time it's effective.

Yeah, that security is a process, not a product. And change is the only constant in cybersecurity or is my other tattoo mark, if I could show that to you. But it's it's, that's just a common sense approach. So, but when I engage with customers and we talk about problems, I, I say, you know, they are you ready for change?

You ready for all that to be you know, past tense in a year from now? Are, are you seeing organizations that. [00:37:00] Have taken the time to create policies, right? An incident response plan, things like that. Are you seeing them actually. Implementing them or practicing them, like through tabletop exercises and things like that?

Or are you seeing very few organizations? Very few follow through on the process of a plan. Here we got a plan. It's business continuity plan. Well, I'm looking at the date. It's seven years old. Yeah, exactly. It's, it's, it's got dust on the shelf right here goes. So if that's a typo, when's the last time it's been tested?

No, no. That, that's part of the process. I mean, of even plans or processes. And you have to exercise that muscle to get it to be muscle memory. So when something happens, you just move my instinct and it, it all works. No, that's what I do for a living. And unfortunately people don't, you know, we have. Not become risk managers.

We have become compliance managers. I am very much, you know, and I, I know a customer immediately if he's a compliance box ticker or if he's actually in the game of waking up every day and [00:38:00] having the, having the landscape change. And that's exactly right. Isn't that so true? Like there when, when the, from the first meeting, I can tell whether this person wants to check the box or whether this person cares and wants to just.

Evolve the organization, get to the next level. We'll check the box along the way, but I want to evolve the organization. Yeah, because it's not an easy thing to hear that computer security is an oxymoron then. Mm-hmm. You know, people don't wanna hear that. People wanna just. Say, can I buy something for that?

And can we get better biscuits or better cookies mm-hmm. At this conference? So it, it's it, it's it's not something, it's not a profession for everybody. I guess you have to be a little resilient and have a sense of humor to be in cybersecurity. I think because I don't know. I, I like, I like the phrase you use flexing the muscle to keep the muscle memory.

You know, David and I talk about this all the time. You know, think back when you were a kid in elementary school and you would do, you know, tornado [00:39:00] drills, right? Mm-hmm. You would get down under your desk, or you'd go out in the hall and you put your hands up over your head, right? That was to prepare for an emergency, so you had that muscle memory.

Should it happen? Mm-hmm. You know exactly what to do. Or you have fire drills so you don't have kids running into each other up and down the hall, and they know where the exits are and they know where it goes. But when it comes to cybersecurity, when was the last time you did a tabletop exercise to execute on that planet?

This look like, what? What do you mean? What do you mean? I, that's exactly right. Exactly. And why is, what's, what's the purpose of that? You know, so they don't understand, you know, by doing fire drills every day you, you'll get out of, get outta life and you know, the majority of people will get out that door cuz you don't find it in smoke.

Cause they've walked that hole a times not a racy document. Like it's, it, to me it's, it's almost, it's like a living practice of a racy. Right like that. Who's responsible, who's accountable? Who has to be consulted? Meaning they have a say in it? Who just needs to know what we're doing because their task is coming up next.

Right? Who's gonna deal with hr legal, who's gonna deal with law enforcement? Who's gonna deal with the [00:40:00] media when? When does this happen? At what level does it have to hit until then? Instead, what they do is they have this nice policy and they don't practice it until this folder, start reading it during a breach from ransomware, and they're like, well, now it's time to start looking at that docket.

Yeah, let's go read it real fast. Let's go read that thing real fast. Like, what do you, why would you not have at least gone through the exercise so you know who does what? There come, there's, to Richard's point, there's why you gotta have a sense of humor, right? Yeah. It's crazy. Like, it, it's, it's, it's just, it's just remarkable when you get involved right in the triage moment and they're like, they, they just can't believe it.

Right. They just, they can't believe this happened. You're like, I could tell you exactly why it happened. Right. Well, let us, when this is all over, we'll sit down, we'll explain exactly why this happened, cuz we could have seen this a mile. Like I'm sure it did not take them long to find you guys. Yeah. So so tell, tell us about what you know as you're in your [00:41:00] experience.

Building a security culture for an organization. Best practices, what? What are some of the ones that bubble up to the top for you?

Wow. It, it's that, it's, it's certainly the fundamentals. I, I, I for me, when, when we said you could see it in their eyes, there's a certain amount of, you know, yes, there's muscle memory that can be achieved by practice, but at the end of the day, you need to, you know, you need to have somebody who understands.

Hey, if I do this fire drill, I'll get out alive. And so there's a certain amount of incentive that, that companies need and to instill into staff to understand the incentive behind following silly practices and changing passwords. And so I, I, I think one of the, you know, in terms of fundamentals to instill a, a, a culture in the company, you know, that's done by leadership.

And that's done. You know, whether you have cybersecurity leadership through a [00:42:00] CISO or you don't, and you're in a small mom and pop.code.uk or.com type facility. It's, it, it has always been said in our industry that it starts at the stop top because it is because mm-hmm. Cybersecurity is not. Easy to understand at all times.

And, and while you and I we might try to simplify to make it digestible and understandable, my attempt in doing that is that you get it and you think, well, that's not so complex. Okay, I can do that. And you find reason. That's why I think of things like, you know, hey, hey this is not ones and zeros. It's data about your life.

And when you think about it like that, you might. Be quicker to respond to, Hey, that's an incident or an anomaly, or, I don't, I've never seen that person in this, on this floor before and he's not wearing a badge or whatever and, and make the connection. So I think it's leadership. I've always had a problem with leadership, not just leadership when it comes to cybersecurity, not just.

By our CISOs, but by our by senior management. [00:43:00] And we've got onto that very early, and every conference I was in 20 years ago, they all said, oh, it starts at the top and the top builds the, and, and that's, that is unfortunately true. I've never seen a a, I never saw it start from the grassroots. I never saw a bunch of employees get together and say, we need to protect our data.

You just don't, don't see a strike on the floor saying, we need more cybersecurity or We're gonna, or this union's gonna strike coming soon to a union near you. I don't, you know, for, and for me, part of the problem is, like I said, you know, I, I, I think we're disassociated with the, the impact on our lives from the data that we're supposed to be protecting in a cybersecurity umbrella.

Yeah. And when I make that connection, whether I'm doing cybersecurity awareness training, and you see something click in their eyes and say, wait a minute, you're, you're right. You know, my grandma just went to Amazon and now. Amazon's pulling her, you know, credit record from, from their database and Amazon.

Yeah. When you connect it to real impacts in people's lives, they start to pay attention. Yeah. Like that guy who said, you're [00:44:00] either my on, on the internet, you're either my client or you're my enemy. For me, that's what we're not doing. We're not, we're not defining the problem on the internet. There's no oversight.

There's no, you know, good guy, bad guy's. The wild lust, it's right. And we assume, just like when we board a train that there's fire life safety, and if there's a problem, somebody will take care of me. So we log onto the internet, we think, well, somebody's out there gonna, you know, and it is, nobody's gonna look after you, except you on the internet.

Mm-hmm. So those kind of, mm-hmm. Just connecting the dots is what I don't think we do very well on what leadership needs to do to move this industry forward. Yeah, that's a good point. That's fantastic. Before we let you go, I want to ask you what are your thoughts on just the scale. Of, of cyber crime lately, like it seems to have progressed.

I mean, you didn't hear about that many breaches prior to 2011. In between 20 11, 20 13. They really productized, you know, ransomware as a service became a thing. Malware as a service, you've got all these [00:45:00] things. You've got initial access brokers. It's really become organized, extremely well funded better, better funded than the mafia.

Yeah, and I'm just so. It's, it's just a beast that is just so, so large. How do we address that when we're still struggling with jobs gaps and hundreds of thousands of security openings and we can't fill them yet? Any thoughts on that? Can't you ask me something easier? No, I, I just, you've got, you've got more experience and you're over the pond.

I just, I'm still looking for the answers from these interviews. I'm like, I'm like, I want pa like, I, I get like, I got great nuggets from you, like, I'm gonna, you, you know, we're going, I can see Mosher in the next meeting. You're either my client or you're or you're my enemy. I can see that coming up. That sounds like something Marlon Brando would've said, right?

Him using that? No, using that one. No, you're right. I'm just trying, I'm just pointing out the problems here. Like I just, there's money to be [00:46:00] made. That's what I'm. That's why my problem is, so I'm having a problem with my industry because I'm feel, I don't think we're rising. We, you know, there's so much cash.

I just read recently that, that right now there's more money being made in cyber by cybersecurity criminals than there are, than there was in the eighties by cocaine cartels. Yes, that is accurate. The, the FBI has, the FBI has, I lived through the eighties and I lived through the, a lot of money. That's a lot of money.

Yeah. And you just get, you can't get your head around that how much data. I, I, I've al also read, you know, conservative estimates that we've lost over 18 million personnel records. There's only seven or 8 million billion people on the planet. We've lost, I know twice the number of records that there are human beings walking around on the face of the globe, and I'm thinking, how much more can we lose?

I know, but it is. It is. We're, we don't, it's, sorry to pivot back to this, we don't get data equals cash. Data equals cash. Data equals cash. And if we did that, if we protected the, the information that we upload into Amazon, like we did with [00:47:00] the, you know, 12 or $14 in our wallet you know, if somebody grabbed their wallet and ran away with $14, we'd put our lives on the line.

You know? Yeah. We'd be chasing them down money to us, you know? Yeah. We upload things like it was going outta style. We haven't made that connection. So I, I think it's a really good point. It's an excellent, it's gonna get worse. That's not tangible to us. These losses aren't tangible to us. Like in the eighties, the cocaine money wasn't tangible to us.

Unless you're doing cocaine, I guess you were spending that kinda money. You, you didn't feel the pain yourself. And until you do, it's just gonna keep getting bigger. And that's the way, you know, people get religion after a near death experience. And by go into businesses and like you said David, you look in your eyes and you know if they get it and the reason they got it, they've had a breach.

Yeah. And they get, they get it. They know the pain. Now I don't wanna lose pain again. Let's, let's, let's do this. Right. What do I have to do? And, and so when will it stop? How it get bigger? You know, ransomware to me, come on. We didn't see that coming. You know, [00:48:00] ransomware 1 0 1, we didn't see that coming.

Right? See the, well, it's so funny cuz now that's like, that's one element of the code, but the whole ransomware approach involves like five different types of malware. It had like the, the people getting tattoos with the gang names on 'em, like it. Tattoo. Yeah. No, no. You're, you're, you're absolutely right.

But the evolution of threats, that, that's what makes me feel that we're all just ridiculous. So we see ransomware, they lock up a, they lock up a website, and then, okay, well, so we all jump, we spend a lot of money trying to fix up. Then you lock up a backup. You're, I know you're back up and you think we didn't see that coming.

You just Exactly. Stupid. That we don't anticipate what the next threat. We're always a step behind when we should be a step ahead. Yeah. Or at least in pace, you know on step with our threat actors, but we're not. I, I, well, and, and critical infrastructures like critical infrastructure. We, we saw, I mean, we, we were having conversations about that years ago and now you're starting to see it left and [00:49:00] right and people think of critical infrastructure.

Well, the government's taking care of that. I'm like, critical infrastructure is like the local water company. Like they don't even, they have like one IT guy. Like they are not taking care of that. That's right. That's right. And he only works scary two days a week. Yes. Right, right. This was good stuff.

Fantastic. And what you guys are doing at Risk Crews Top, top shelf, like, thank you, fantastic work. I love the mission. I couldn't agree more with you, but it would be a really boring podcast if I just sat here and just listened to you and just agree and like say, what do we say to people that say this?

What are we, you know, trying to, trying to have some debate. No, this was good stuff. Thank you so much, Richard. That was, yeah, Richard, absolutely fantastic. So it won't be, I'm sure we'll see you at some events or we'll meet in person soon. And thank you so much for your time today. We really appreciate it.

Any parting words are, do you have anything exciting? Are you speaking at any events, anything coming up that you wanna share? [00:50:00] No, nothing to plug, nothing to promote. I'm I'm on the circuit. No, I just wanted to thank you guys for a podcast. Well done. Keep, keep fighting a good fight and putting out the good podcast instead.

We certainly will. Will. Thank you so much. First time caller. Longtime fan. I You're welcome. Podcast will not be the last time we talked to you. No, not at all. It'll be a great conversation. Thanks for having me. I appreciate it. Thanks so much. Cheers. See ya.

Hey. Well, that's a wrap. Thank you for listening. Our next episode starts right now. Please be sure to subscribe to our YouTube channel. It's free, and download the podcast episodes available everywhere you get podcasts. To support our show and get exclusive pre-release episodes and bonus content, please subscribe to Cybercrime Junkies Prime Lincoln, the description and show notes, and thanks for being a cyber crime Chuckie.[00:51:00]