Cyber Crime Junkies

Cyber Security Differences Between US Versus UK

July 02, 2024 Cyber Crime Junkies. Host David Mauro. Season 5 Episode 6

Richard Hollis of Risk Crew (https://www.riskcrew.com) in London joins the Cyber Crime Junkies studio (https://cybercrimejunkies.com) for an exclusive discussion of: cyber security differences between the US and the UK, how cybersecurity efforts usually fail, and the difference between customers and enemies.

Don't miss the video episode: https://youtu.be/5jjlJx_EyXI


Get peace of mind. Get Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com  
 
Imagine setting yourself apart from the competition because your organization is always secure, always available, and always ahead of the curve. That’s NetGain Technologies – your total one source for cybersecurity, IT support, and technology planning.

Have a Guest idea or Story for us to Cover? You can now text our Podcast Studio direct. Text direct (904) 867-4466.

A word from our Sponsor-Kiteworks. Accelerate your CMMC 2.0 compliance and address federal zero-trust requirements with Kiteworks' universal, secure file sharing platform made for every organization, and helpful to defense contractors.

Visit kiteworks.com to get started. 

🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss an episode!

Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/

Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ Google Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast

Join the Conversation: 💬 Leave your comments and questions. Text the link above. We'd love to hear your thoughts and suggestions for future episodes!


Takeaways

The UK and Europe have a stronger focus on privacy rights and data protection compared to the US.

Sectors such as adult entertainment, and NGOs that hold child data, treat privacy as core to their mission and take measures to protect sensitive data.

Cybersecurity vendors need to practice secure design and prioritize data protection to maintain trust and credibility.

Privacy should be a fundamental consideration for organizations, and risk appetite, not compliance alone, should guide their cybersecurity strategies.

The cybersecurity industry lacks leadership: many product vendors fail to practice secure by design and suffer breaches in their own systems, so the security products themselves become an attack vector.

Protecting against zero-day vulnerabilities is challenging, but product vendors should take responsibility for the libraries and components they use.

The zero trust model is often financially unachievable for organizations and can result in a poor user experience.

Generative AI has not yet been extensively leveraged for cyber threats, but there are concerns about deepfakes and AI-powered social engineering attacks.

Policies, procedures, and education are crucial in mitigating cybersecurity risks, and organizations should focus on training their staff to question everything.

A career in cybersecurity requires an inquisitive mind, pragmatism, and the ability to identify vulnerabilities and exploit them for gain.
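The takeaway about vendors taking responsibility for the libraries and components they ship (and the sound bite about "sub libraries that you don't know where they came from") comes down to a provenance check on the dependency list. The Python below is an added example for this page, not code from the podcast, from Risk Crew, or from any vendor named in the episode: it parses a pip-style requirements file, flags entries that are not pinned to an exact version or carry no --hash, and verifies a downloaded artifact against the pinned digest. The package names, the lockfile text and the artifact bytes are all constructed for the example.

```python
"""Dependency provenance check for a pip-style requirements file.

Added example (not from the podcast or any vendor it names): a vendor that
cannot say where a component came from cannot say whether it carries an
unpatched flaw, so the floor is an exact pin plus a hash of the artifact.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Constructed sample lockfile; the package names are hypothetical.
SAMPLE_REQUIREMENTS = """\
# pinned and hash-locked: the artifact can be verified offline
alpha-lib==1.2.0 \\
    --hash=sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
# pinned but no hash: whatever the index serves under this version is trusted
beta-lib==0.9.1
# floating range: the component changes underneath the product
gamma-lib>=2.0
# no constraint at all
delta-lib
"""

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(.*)$")


@dataclass
class Requirement:
    name: str
    specifier: str                               # "==1.2.0", ">=2.0" or "" when absent
    hashes: list = field(default_factory=list)   # (algorithm, hexdigest) pairs

    @property
    def pinned(self) -> bool:
        return self.specifier.startswith("==")


def parse_requirements(text: str) -> list:
    """Parse requirement lines, honouring '#' comments and backslash continuations."""
    reqs, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # simplified: no URL requirements with fragments
        if not line.strip():
            continue
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        parts = (logical + line).split()
        logical = ""
        match = _NAME_RE.match(parts[0])
        if not match:
            raise ValueError(f"unparseable requirement: {parts[0]!r}")
        req = Requirement(match.group(1), match.group(2))
        for opt in parts[1:]:
            if opt.startswith("--hash="):
                algo, _, digest = opt[len("--hash="):].partition(":")
                req.hashes.append((algo, digest.lower()))
        reqs.append(req)
    return reqs


def audit(reqs: list) -> dict:
    """Map each package to its provenance problems; an empty list means locked."""
    findings = {}
    for req in reqs:
        problems = []
        if not req.pinned:
            problems.append("not pinned to an exact version")
        if not req.hashes:
            problems.append("no --hash, artifact cannot be verified")
        findings[req.name] = problems
    return findings


def verify_artifact(data: bytes, req: Requirement) -> bool:
    """True only if the artifact bytes match one of the pinned hashes."""
    for algo, digest in req.hashes:
        actual = hashlib.new(algo, data).hexdigest()
        if hmac.compare_digest(actual, digest):   # constant-time compare
            return True
    return False


if __name__ == "__main__":
    reqs = parse_requirements(SAMPLE_REQUIREMENTS)
    for name, problems in audit(reqs).items():
        print(f"{name}: {'; '.join(problems) or 'pinned and hash-locked'}")
    # Constructed stand-in for downloaded wheel bytes; sha256(b"abc") is the pinned digest.
    print("alpha-lib artifact verified:", verify_artifact(b"abc", reqs[0]))
```

Run against a real lockfile, the audit lists every component the vendor is trusting on faith; the verify step is what a build pipeline should run on each downloaded artifact before it is linked into the product.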

 

Topic Headings

The Vulnerability of Cybersecurity Vendors

The Importance of Privacy and Data Protection

The Importance of Secure by Design

Limitations of the Zero Trust Model

Sound Bites

"The UK and Europe have a different approach to cyber."

"There's a higher sensitivity to personal data in Europe."

"Privacy was the business model in the adult entertainment industry."

"And if you don't practice what you preach in this industry, you're not a leader."

"If your product is made of sub libraries that you don't know where they came from, meaning you don't know if there's a zero day."

"The market rewards quick and fast, new features. And also the market rewards data exfiltration."

 

 

Chapters

 

00:00 Introduction and Background

02:57 Differences in Privacy and Data Protection Between the UK and the US

09:22 The Privacy Focus in the Adult Entertainment Industry and NGOs

14:03 The Vulnerability of Cybersecurity Vendors

23:53 The Lack of Leadership in the Cybersecurity Industry

25:16 Challenges of Protecting Against Zero-Day Vulnerabilities

26:42 The Importance of Secure by Design

28:41 Limitations of the Zero Trust Model

32:55 The Impact of Generative AI on Cybersecurity

39:33 Advice for a Career in Cybersecurity

 

 

Keywords

 

privacy, data protection, cybersecurity, UK, US, European Union, GDPR, risk appetite, compliance, cultural differences, adult entertainment industry, NGOs, cybersecurity vendors, leadership, cybersecurity industry, secure by design, zero-day vulnerabilities, zero trust model, generative AI, career advice

 

 


D. Mauro (00:02.727)
All right, welcome, everybody, to Cyber Crime Junkies. I'm your host, David Mauro, and in the studio today is Richard Hollis, one of the leading cybersecurity experts over in the UK with Risk Crew. And Richard, welcome to the show, sir. Welcome back.

Richard (00:24.846)
Thank you, David. I appreciate the use of that term leading, by the way. And just as you said that, I thought, if I turn around, that means somebody would be behind me. And I'm actually leading, and I don't often feel that way. But thank you for that idea that sticks with me. Thanks. Good to see you again, David.

D. Mauro (00:33.287)
Ha ha ha ha.

D. Mauro (00:42.055)
That's great to see you again. So a little brief background for anybody that may not have seen the prior episode. Risk Crew: leading guide for businesses, especially in the finance industry, and you do a lot of security assessments, penetration testing, adversary emulation, things like that, right? That's fantastic.

Richard (01:08.174)
That's exactly the bulk of the market these days has been red team testing and then compliance, but yeah, no product, just services, product diagnostic services to risk management.

D. Mauro (01:21.703)
Excellent. And you are originally from the motherland here in the United States. Fuskai, your badger, that's great. That's fantastic.

Richard (01:26.382)
Yes, yes, the big mothership of Wisconsin, actually. I'm a badger in my head. I'm a, they call it the silver badger. I think I got the honorary title from the governor of Wisconsin a couple of years ago.

D. Mauro (01:42.631)
That's great. How have you adapted, just off topic a little bit, but how have you adapted to life over in the UK? I mean, because I've been there. It's dramatically different, even though it looks very similar. It's dramatically different. But I loved it. So I was curious what your overall impression is.

Richard (02:03.566)
Yeah, first of all, what do they say? Separated by a common language. I absolutely feel that's applicable. I've been over and working in London for about 20, 25 years now. I think I left the States about 25 years ago, came over to Europe and started a business in London. It was harder than I thought culturally, actually. You absolutely, the Brits, the Europeans have a different approach to cyber.

D. Mauro (02:10.023)
Mm-hmm.

D. Mauro (02:24.807)
Mm-hmm.

Richard (02:28.782)
I think it's, by and large, honestly, I think it's far in advance of the US. Privacy is a very, very strong consumer-driven, a driver here, in terms of especially the Europeans, and the financial capital of Europe was, up until Brexit, located here in London. So this is where cybersecurity, for me, the seat of cybersecurity for Europe was. It's...

It's in some respects, I think it's light years ahead of the US in the privacy, the data privacy, personal sensitive data and the rights given to end users. That's been a blessing. But I think like everybody, I think here in the UK, there's been a lot of credence given to governance as a structure. And I think this thing I'm still shocked with is people haven't...

the Europeans haven't focused in on risk appetite. What is the risk appetite? And to me, that's a fundamental question that I learned as an American. It all starts from risk appetite and policies, procedures, your governance, everything stems from that. And I still find them being more compliance driven than they are actually risk driven. But I don't know if that's the market or if that's a cultural thing. But it's interesting being an American working in a European cyber market.

D. Mauro (03:55.015)
Fascinating. So let me address that real quick. So is the cultural difference, do you think, is it one's privacy, the value of one's personal data? Is it viewed as a fundamental human right over there, compared to in America, where we curate our lives on TikTok and don't care and can't believe they're taking it away from us, stuff like that?

Richard (04:24.43)
It is, David, and I think you and I talked about this offline before. To me, I think there's a more heightened sense of the rights associated with a consumer of a service, of a platform, and the Europeans tend to believe and actually give credence to privacy rights as a born, you know.

especially what I call Europeans, Europeans. The UK is a little different. Everybody's a little different. North is a little different, South, Southern, but especially Central Europe, France, Germany are very, very focused on privacy rights. You've heard the argument on how hard it is to get GDPR implemented across Europe because there's so many international organizations who...

D. Mauro (04:57.959)
Mm-hmm. Of course.

D. Mauro (05:13.703)
Mm-hmm.

Richard (05:16.59)
not only can't do things like the right to forget, you know, you, you solicit a company, say not only delete my data, but it's like, I never visited your website. And that's, that's very hard to do. In fact, impossible to do.

D. Mauro (05:27.367)
It's a hard burden on the company, right? Like to figure out because they have to identify where did they contact us? What data do we have? That's a struggle. Right.

Richard (05:30.638)
Yes, exactly. It's.

Richard (05:37.358)
Do we have it in a backup of a backup of a backup of a backup? And if so, can we get our hands on that? So, but A, the Europeans never give up on trying to enforce it still. And B, companies that are still working as hard as they can to at least be accountable. I think at the end of the day, that's what I see as the difference between American consumers of technology. They lack this, yes, transparency is always lacking, but this accountability from the vendors, that you should be accountable in the event that you lose my data.

And I think there's a higher sensitivity to that across amongst Europeans. Why do you need my data? I'm just coming to get my teeth cleaned or my hair done. Why do you need my postcode for that? I'm buying a light bulb at the local hardware store and I can't do the transaction without my postcode. And here in Europe, a postcode will tell you pretty much where you are, your GPS location right down to your, you know.

D. Mauro (06:15.527)
Right.

D. Mauro (06:29.831)
Correct. Right.

Richard (06:30.798)
where you live. And so there's a higher sensitivity to, wait a minute, that's my data. Why do you need it for this transaction? Is the data taken from the user in accordance with what's needed for the transaction, which I see is completely lost in the States. When I go back to the States and the data that's asked from me, no matter what I'm doing, and just taken for granted, I think that to me is night and day between the Americans and what's happening in Europe.

D. Mauro (06:59.815)
Yeah, and we we really get to the point where everywhere we go, every store that we go into every website that we visit, we just assume we have to give it all up. We just assume here's my home address. Here's my zip code. Here. Here's everything. And it's really just remarkable, especially as we dig into these individual stories about what happens when your identity is stolen, and all of the challenges we have here with data brokers.

right, because there are so many organizations that will sell that data, literally hundreds of times over and over and over. And then one of them gets breached, and you're like, I didn't even know that they had all this information. Are data brokers regulated, and I apologize for not knowing this, but are data brokers regulated in any meaningful capacity over there?

Richard (07:44.91)
I get it now.

Richard (07:55.566)
I wouldn't say a meaningful capacity, but they're required by law. GDPR is the law. It's the law. It's legislation and you can be fined. Now what constitutes compliance is, you know, in terms of, it's a snowflake compliance. You would have to justify that what you've put in place is conducive to the sensitivity of what you're processing. So in some cases, that's very easy when you're processing medical data and other areas. It's not so obvious when you're processing.

D. Mauro (08:00.519)
Right.

D. Mauro (08:10.215)
Hmm.

Richard (08:24.974)
you know, voting preference data. And so there's, but, and that's what GDPR does. It mandates that you do a risk assessment and you justify. And so if you're ever asked, you'd show them the results of the risk assessment you did on, and this is why we're protecting this data the way we are. And they'd have to, of course, be aligned and there's a business sense, but at the end of the day, it's that transparency that you thought about it.

You did the math, you did the algebra and you came out with X equals Y and this is what we're going to, this is why we're going to encrypt that data or not encrypt that data, which I find very logical and very cost effective. You don't want to overprotect. Everybody's worried about under protecting, but it's for a business that's got to pay a lot of money for cybersecurity than products and controls. It's almost just as hard to have them overprotect.

D. Mauro (09:22.471)
Absolutely. Do you? No, no, go ahead. What were you gonna say?

Richard (09:23.15)
I was sorry, David, David, I'm thinking about a go ahead.

I was thinking about it. You just mentioned that, and I was thinking about the difference of Americans, and I've lived in Europe for a long time, and I just got in a fight with my sister who went to a baseball game. She went and it was Bat Day, you know, where they give all the attendees a bat, and it's a big day if you're a fan. And so my sister is a fan, and she went to support her baseball team, and then this year, it was actually last year, last season, she went to get, and she was standing in line to get her bat, you know, and as she

came up and they were handing her a bat, they said, this year it's a little different, we need a swab of your DNA. And they did, and they did. And that's what, this was here in the States, yes, it was there in the States. And my sister, yes, they gave my sister a swab, took her DNA, and handed her the bat, and for that she also got a one-year subscription to

D. Mauro (10:05.319)
They did not. They did. Wait a minute. Wait. This was here in the States? Was this here in the States?

A swab of your DNA for Bat Day?

Richard (10:25.742)
ancestry dot something something, which is, and a free, you know, and a free, here's what, here's where your family came from, and here's what this is. And my sister was really excited. She called me up and she said, Hey, I just got a new family tree from so and so. I said, really? And she told me this. Yeah, they gave it to me for on that day. I gave him a swab and I said, Whoa, whoa, whoa, whoa, whoa, stop. I said, and I had to remind her, you know, I said, my dear sister, your DNA is my DNA. No, no.

D. Mauro (10:27.687)
my gosh.

D. Mauro (10:48.647)
You've got to be kidding me. You've got to be kidding me.

Richard (10:53.614)
It's a transactional, it was a transaction that happened between, you know, and to me that was when I heard about it after I was done crying, I thought, well, of course, everything's a transaction. And it was presented to her, she's older than I am, and it was presented to her and she's been a lifelong fan of that baseball team as a, just a, hey, this year we've got a special, you know, here's what you get. You get a full family tree and this bat.

D. Mauro (11:04.807)
after.

D. Mauro (11:14.887)
course.

Richard (11:22.254)
and all we need from you is a DNA swab and your email address and you're in. And to me, that's the difference that there... Now, would that happen here in Europe? I cannot dream of it. And I've never seen anything close, but in the States, that's just one of a lot of stories I've had. That one is in my own family. And I thought, well, there goes my DNA. And I'm glad my sister got that free family tree from it, but that's the... We don't get it. We just don't understand.

D. Mauro (11:23.047)
One. Yeah. Right.

D. Mauro (11:44.871)
Wow.

Richard (11:51.886)
Yeah, we don't understand what's.

D. Mauro (11:53.895)
I'm still blown away. Now I have to research that because now I have to I have to go down that rabbit hole. I need to find out. my gosh.

Richard (11:58.734)
I'll send it to you, I'll email it to you offline, you know, who the team is. Now, is this done? It was a baseball team, it was a national baseball team. Is this, you know, I went online, looked it up, said, yep, sure enough, okay. Now, is it common practice? I don't know, but it struck me after I heard it from my own sister and saw her subscription to, you know, this family history platform, I thought, okay, I guess just another day in the life. There goes, you know, that's...

D. Mauro (12:06.535)
Well, of course.

D. Mauro (12:24.455)
Yeah, of being an American. Yeah, I mean, you know, if if it's free, you're the product, right? Like if it's free, you're the product like there like you are worth so much more. You're buying preferences, your interests, your location, all of that is a value. And it's sold for a lot more money than a bat, or whatever basic product you might be shopping for. That's why they want that data.

Richard (12:51.886)
It was a good bat though, David. It was a good bat.

D. Mauro (12:53.575)
Well, I'm sure it was. So you had one of the best stories I've ever heard. And I've actually brought it up several times in security awareness presentations or public speaking that we do. And that is the time you were doing a risk assessment, penetration testing for an organization online, and they did believe it was in the adult entertainment industry, and they

Richard (13:21.07)
Yes.

D. Mauro (13:23.239)
they, I mean, privacy is very important there, right? Like you cannot disclose that. And they basically said, online, you're either my enemy or you're my customer. Right? And it was that mentality. And I guess my question to you is, how often do you come across that? That viewpoint, that, like, absolute certainty

that we are locked down at least in this time, this segment of time, everything that we can see, we are locked out.

Richard (13:59.438)
Yeah, David, the reason I told you that story is I don't see it. And when I do see it, that story is about seven years old. And it is a, yep, and I told it to you to both illustrate an industry that you wouldn't, because this is an industry that's filled with spyware and crap. Meaning, if you're not a client, I'll give you spyware. But once you're a client, welcome to the inner sanctum. And so the story went a long way with me because,

D. Mauro (14:03.623)
Mm.

That's a great story.

D. Mauro (14:24.007)
Right.

Richard (14:28.718)
Not only we had never worked in the industry before and we were doing penetration tests for the large banks. And obviously with such a night and day difference, their approach, and it made me, you know, I told you the story was I asked him, I said, what do you know that I don't know? And he said, I know that on the internet, you're either my client or my enemy period. And it's a war zone out there. And if you want free product, I'll give you free product and I'll give you spyware and everything else and make as much money off of you as I can.

D. Mauro (14:56.328)
Absolutely. Anything that will serve their interests, right? Yep.

Richard (14:59.374)
That's right. But you give me your credit card and you're welcome to the family. And the reason that stood out to me, David, is privacy was their business model. At the end of the day, you know, that's exactly why they were so effective. There's zero tolerance for indiscretion. And you just, and to me, I've worked for, you know, I've held clearances and worked in the government. I've done nuclear facilities. I've done, I thought the closest, the industry that came to it was online gambling.

D. Mauro (15:07.943)
Mm-hmm.

Richard (15:29.646)
very, very tight on their cybersecurity controls, but not zero tolerance, not like the online adult entertainment industry. And so, no, no, the reason I remember telling you that story is I've never seen another industry that's come close. Not, and I've never seen another industry where I felt that they understood that what their users wanted. And this is, yeah, that was my complaint. Why doesn't a bank feel...

D. Mauro (15:30.023)
Yes.

Richard (15:59.086)
our users want, our users deserve the highest privacy possible in our transactions, just because it's their bank account or their online, but medical service providers, anybody, I'm just shocked at how people don't have the same expectations that they have for their own protection of the data. And I think what we were talking about is people...

D. Mauro (16:01.319)
Privacy. Yep.

Richard (16:23.95)
If you, one of the things I tell my clients is if you protected that data, I'll walk into a board and say, raise your hands if your personal data is in the systems that we're talking about and not one hand will go up. And you're like, well, you guys have no skin in the game, do you? You know, you're not connected to this data. It's just ones and zeros. This is data about people's lives. We're talking about, about somebody's husband or wife or children or, you know, their DNA, whatever it is. And until you make that connection, it's all just ones and zeros.

And it's a budget, it's a line item on a budget. But this is an industry, I think, that actually considers what their users want of them and delivers it. And I've not seen any other.

D. Mauro (17:02.919)
Well, ironically, it seems like other industries would benefit by viewing the data like they do, like the adult entertainment industry does. Right? Because, because here's, here's a question. Do you find that that the reputational harm that comes from a data breach? Is it more damaging in an industry that that has

privacy as part of the component of their product, meaning adult entertainment, people that visit it, they don't want other people to know that they're visiting it. So privacy is part of what they're buying, right? Same thing, same thing with a lot of industries, let's say, banking, let's say, online gambling, right? Like, there's certain ones that you that

customers want to go and partake in but they don't want the world to know it would be embarrassing for them. It could be, you know, reputationally harming. But are are you seeing is there a is there a different approach that certain of these vendors are taking? Or is the is the reputational harm more damaging?

Richard (18:24.974)
I think I don't, I still say that industry, and that industry alone, stands out to me. Now there's been other things that you've seen, failures like Ashley Madison, a platform that offers, quote unquote, discreet users. And that always, that makes me laugh because that was a mess, but literally what they were doing is, it's free to enter,

D. Mauro (18:36.583)
True.

D. Mauro (18:47.207)
There's a mess.

Richard (18:54.734)
pay to exit. Now, let me say that one more time, free to enter, pay to exit. So you come join our platform, you can have an affair discreetly, okay? But if you want to leave, you pay us, and I think it was very minimal, five or 10 Canadian dollars, and we'll delete your data. Well, you know, anybody in IT knows there's no such thing as a delete button. You don't delete my data. So, but pay to, you know, right there, the business model, free to join, pay to exit. That's like, you know,

D. Mauro (18:56.807)
Mm-hmm.

Richard (19:23.406)
Have you ever been to a nightclub where you get in free, but you got to pay to get out? You know, it says something's wrong there. And the way they were hit, the hack was beautiful because it was just some hacktivists who said, that's not right. You're lying to your customers. And so they went and got the backup and made the backup public because, and by the way, they were selling the data. They were selling the data too. So, you know, so, and Ashley Madison, you know, as far as I heard, went out of business and then resurrected, resurrected, but.

D. Mauro (19:27.047)
No, exactly.

D. Mauro (19:37.959)
Right.

Richard (19:52.142)
At the end of the day, the ethics of the business are, for me, are mirrored in their cybersecurity approach, their philosophy. Which is why I found the adult entertainment such a spin around, because you think, boy, that's the most ethical company of industry on the planet. I've worked with, I think the other idea that pops in my head is I've worked with religious organizations. We've worked with NGOs who have child data.

D. Mauro (20:08.999)
Right.

D. Mauro (20:16.867)
Hmm.

Richard (20:17.934)
you know, that's very targetable to bad guys. And they're very, they're socially, they're conscious of the right and wrong about child data getting into the wrong hands. But the problem is they don't have any money, you know, they don't have the money that the banks or, you know, scouting networks or exactly. But the effort is there, you know, and they have to make risk decisions about, and they process, you know,

D. Mauro (20:33.319)
Right, they really struggle to implement the right controls.

Richard (20:46.606)
child data in third world countries and my heart goes out to them because they know how sensitive the data is and they feel they have a social responsibility and obligation to protect it accordingly, but there's only so much that they can do because they're an NGO and they have limited funds. And that's an industry in general that I feel could use a lot of help from.

putting up an ISMS, putting up a framework together that would be conducive to here's what you can get, here's the most you can get for your money. But now David, you're picking out a scab for me that is, I spent 30 years in this industry and I've been extremely disappointed on how all vendors, all vendors, especially, let me tell you about one, cybersecurity vendors.

D. Mauro (21:21.703)
Yeah.

Richard (21:43.758)
you know, if in terms of trust, abusing our trust, we're buying products from cybersecurity vendors who aren't even practicing, you know, secure by design. And, you know, you just read a list of all the cybersecurity vendors. And if SolarWinds wasn't a big wake up about, hey, wait a minute, you know, we've got trusted connections to that we're buying these quote unquote trusted products. And yet Fortinet, SonicWall, RSA, you know, LastPass, all of these, and every...

D. Mauro (21:44.231)
Hmm.

Richard (22:11.726)
every day, every week, every month, there's another, hey, there's another security vendor. I'm sorry, these are security vendors. Isn't that the whole basis of why we go to them? These trust products, and clearly we can't trust them. And when you find out it's a zero-day vulnerability, you're thinking, zero-day vulnerability? What's a zero-day vulnerability? It's an unknown unknown? How can a security vendor have an unknown anything in a product they built and developed and sold to me?

D. Mauro (22:20.967)
Right.

Richard (22:39.118)
whether that's a firewall or an antivirus or, and to me, that's the biggest break of trust because I'm in the industry. You know, when, when, you know, in terms of expectations about the protection of data, I look at vendors and some vendors are off by a mile. Some vendors get it some, you know, and, but the vendors that I'm most disappointed with as a professional in this industry are the ones that, that I've recommended for years to, to clients who are trying to protect the sensitive data and that these, you know,

D. Mauro (22:39.591)
Right.

D. Mauro (22:46.343)
Mm-hmm.

D. Mauro (23:04.935)
Right.

Richard (23:06.414)
And clearly in the last two to three years, we're seeing that cybersecurity products, i.e. trusted vendors, have become the attack vector of choice because they're crap when it comes to this.

D. Mauro (23:18.599)
Well, it's devastating to them. I mean, it's really devastating to them. I mean, it's in a lot of it. You know, it's interesting, because I see a lot of practitioners in the field start to turn away from them, maybe not right away, because they have existing contracts. But when they go to renew, etc, they start to move away from them, because they're like, we can't get hit like that. We're here recommending you, and then you're letting us down.

Richard (23:45.006)
And if you can't trust, you know, it's like hiring a guard to protect your house or.

D. Mauro (23:49.575)
What undermines your credibility, right? As a security leader.

Richard (23:53.006)
And you exactly, and you lose, I mean, these leader, there's the word, leadership, where's the leadership? And if you don't practice what you preach in this industry, you're not a leader. And yet these product vendors who have incredible brand names and who are recognized as the leaders of the industry, don't practice something as simple as secure by design. And look at all of them who are having breaches in their own systems. And we talked before, I mean, that's just not leadership. These people are not shepherds. They're...

They're sheep, they're as lost as we are. They're struggling to protect their own systems and selling us things that we buy to protect ours. Yeah, to me, that's the biggest breach of trust in terms of expectations, or the ones I find in my own industry. I shame on us for not practicing what we preach.

D. Mauro (24:43.015)
Yep. So let me play devil's advocate for a second. So how can they protect from a zero day, right? It's a zero day, they didn't know there was a vulnerability. They, you know, and the cycle sometimes is challenging, because they may even discover it, they announce it, and they're patching it. But in that window of time, people with bad intent will come and exploit it. How does that get fixed? I'm just trying to think of what

somebody listening could could think of.

Richard (25:16.142)
Okay, well, I'm not, you know, we are generalizing. Commercial software is extremely, extremely complex. The problem is we don't seem to know what it contains, what it runs, you know, what it connects to or what data it connects, filtrate. All of this is a problem. But I'm coming to you, David, to buy a product. So I think that's your responsibility to make sure. Now, if you're buying, if your product is made of sub libraries that you don't know where they came from, meaning you don't know if there's a zero day.

D. Mauro (25:23.079)
Of course.

Richard (25:44.874)
The definition of zero day is an unknown unknown to a guy like me who's been doing this long. All right, so I'll say this again. If I'm manufacturing something, how could I have something unknown in it? Is...

D. Mauro (25:48.903)
Right.

D. Mauro (25:56.135)
Exactly. Well, it really gets to the need for, like, SBOMs, like, like, like software bill of materials, kind of like on a cereal box, right? Like you need to know what you're putting in your body. Like you need to, like, you can't build something based on some code that you copy and pasted from somewhere. Right?

Richard (26:00.718)
Yes.

Richard (26:05.422)
Thanks.

Good one, yeah.

Richard (26:13.582)
Good one. You're absolutely right. But the problem is economic incentives. The market rewards quick and fast. Quick and fast, quick and fast, new features. And also the market rewards data, data exfiltration. Give me an app that can pick up GPS data, geolocation data, biometrics. I mean, this is what the market incentivizes. So software out there today is the faster you can get it to market. That doesn't be...

D. Mauro (26:20.391)
Yes.

D. Mauro (26:35.367)
Mm-hmm.

Absolutely.

Richard (26:42.286)
That's what's rewarded. The more features, and of course the more features that exfiltrate data read, you know, that's an attack vector to guys like you and me. And so there's a, there's a, there's a disincentive to take the time to actually look at the libraries. If you're using open source libraries for your product, okay, I get it. But then guess what? You're responsible for what they contain. That's it. Accountability. And so, you know, I don't buy into this zero day vulnerability. Sorry, the buck stopped with you.

D. Mauro (27:00.423)
Mm-hmm.

D. Mauro (27:05.351)
Right. Yep.

Richard (27:11.502)
You don't pass that zero day of vulnerability along to me and suddenly it's my fault. It's my risk and you've given me that risk by using a library that you were not intimately, you know, wasn't intimately known to you, you know, zero by one.

D. Mauro (27:11.943)
Right.

D. Mauro (27:27.367)
Well, I mean, it's in in other fields. It doesn't apply when you think of medical malpractice or medical devices and things like that, right? They are required and liable and accountable for every subcomponent within those. Right. And so. Yep.

Richard (27:42.126)
Yes, yep, you buy a car and the brakes don't work and you go through the windshield, you got a nice looking lawsuit there. You buy a firewall and it lets traffic through a port that it shouldn't, you should have accountability from your vendor. And that's all I'm looking for, I understand. I understand in today's software market hardware, they're gonna be holes, it's not an easy, but the market rewards speed and does not reward security or privacy. And until it does, or until there's accountability, it won't.

D. Mauro (27:48.103)
Right.

D. Mauro (27:53.159)
Yep.

D. Mauro (28:06.247)
Yeah.

D. Mauro (28:11.239)
Yep, absolutely. Excellent. Excellent point. So I haven't asked you about the zero trust model and zero trust approaches. Are you seeing benefit in organizations that are trying to develop zero trust architecture approaches like that? What's your what's your what are you seeing in the in the organizations that you're supporting?

Richard (28:41.038)
I'm outing myself now in terms of my zero trust. No, no, I feel zero trust is kind of a buzzword that was given to us by the market. Okay, and there are, you know, time to time, there's something new and tasty and we should all use it then. But at the end of the day, I'm finding, honestly, of my client's portfolio that our company deals with, maybe 10% are seriously interested in zero trust.

D. Mauro (28:46.503)
Hahaha.

D. Mauro (28:51.911)
Mm-hmm. I agree.

Richard (29:09.326)
and it's financially unachievable to them. So there's, and once that comes into play into a business,

D. Mauro (29:12.711)
Right. Is it because if it's too difficult, it's a poor customer experience, right? If it requires constant re-authentication, then employees get frustrated or consumers using the product or platform or whatever it is. Yeah.

Richard (29:19.918)
Exactly.

Richard (29:29.006)
That's it in a nutshell, David. And if it's a poor business experience, that means it's a poor business experience. And I've probably seen about 15 large organizations who were two or three years into a zero trust program abandon it because it was stopped revenue. And at the end of the day, they were still having the same problem. So because they could never round the corner to make it whole as it were.

D. Mauro (29:45.767)

Richard (29:55.278)
They would take it step by step and step by step and never finished the 27th step. And so, you know, by step 23, it became cost prohibited. So I don't know. To me, I'm one of these guys, David, that's just old, maybe it's old thinker. I'm just too, I look for pragmatism. So when I look at something like zero trust, I see that to me, the threat surface is divided between people, process and technology.

D. Mauro (30:03.591)
Yeah.

D. Mauro (30:15.815)
Right.

Richard (30:25.102)
If you're protecting anything from anybody, it's through your people, through your processes, and through your technology. Okay, so I look at any company who's not, if you have a budget of 100,000, if you're not spending 33,000 on your people, 33,000 on your process, and 33,000 on technology, I say you're not balanced. So anybody who starts to, and every company I've seen who's taken on zero trust, it's all about the technology and a little bit of process, but at the end of the day, their whole budget goes into this, and they neglect their process and they neglect their people.

by and so what that results in is you neglecting to protect two out of the three attack surfaces to your business. And that's what I think is one of the biggest fallacies here. In my mind, we will continue. Nobody's going to come up with a silver bullet for security education awareness training. But you know what, David? Nobody's tried. Nobody's tried in the last 30 years. Have you seen anything that you thought, well, that's interesting. Somebody must have put some money into that.

D. Mauro (31:16.935)
Right.

Richard (31:24.238)
And people are a third of our problems as far as I'm concerned, and even more so if you look at the statistics. But at the end of the day, that's why I see it, I think two years from now we won't be talking about zero trust, or we'll be talking about something else. But until we talk about something that gives equal importance to all three attack vectors, I think we're not doing our jobs.

D. Mauro (31:28.359)
Mm-hmm.

D. Mauro (31:48.903)
So what about, let me ask you this. This is why I enjoy speaking with you, because it's very pragmatic, it's very realistic. Since we last talked, generative AI was released and it's been everywhere and everybody was afraid that there's gonna be all of these massive...

you know, exponential increases in the types of threats and all of this. And for my I just I, I don't see it. And so I'm curious what what you're seeing? Have you seen you know, I mean, I think that social engineering, phishing emails, they've gotten a little better. Right? I mean, some of the examples, but other than that, I haven't seen AI been been leveraged to a degree that is

alarming yet because of generative AI and the commoditization of it. What is your input? What are you seeing?

Richard (32:55.374)
I see exactly that, David. I'd share that opinion. Meaning I was, and this is my Spidey sense is tingling because I'm worried that I'm not seeing something. And I have a good view. One of the blessings I have as a consultancy that doesn't sell product in large banks to small mom-and-pop.com selling flowers is I see all kinds of things and I get a really good understanding of what the threat landscape looks like. And I've worked out in Europe for now for like 30 years.

D. Mauro (33:05.063)
Right. Exactly.

Richard (33:24.558)
And I started looking across the landscape about a year and a half, two years ago, as we started to get so close to generative AI and the potential for it to be used as a tool. And yes, just like you said, so what I see is what you see. I see better phishing emails, okay. I'm hearing voice pretexting on a phone, social engineering. Yeah, that's really good.

D. Mauro (33:42.439)
Mm-hmm.

D. Mauro (33:47.687)
Well, deepfakes. Yeah, yeah. I mean, clearly deepfakes have gotten and there have been some examples deepfakes are that significant. That's something but but that can be remedied through training of people. Right?

Richard (33:56.27)
It - it -

Richard (34:01.646)
Yes, yes, it is. And the thing is, it still needs a lot of data. So what I'm seeing is a lot of attempts right now that I think are gonna get so good that they'll be successful in six months to a year. Deepfakes on the telephone where they've got enough digital data from the CEO that the CEO that they can call and literally have the CEO tell his or her, you know, PA, I need some expenses cut to this, you know, change the...

make a deposit to this bank account or this credit card payoff so I can fly. Okay, that's getting, that's getting, but outside of that, which by the way is no small hill of beans. I mean, that is something I never thought I'd see in my lifetime, a telephone attack done by a computer who can pass as another identity. Yeah.

D. Mauro (34:46.375)
Or the live video attacks. I mean, we've seen them with the live video where somebody will send a business email compromise email, right? And then they'll say, no, I've been trained. I know not to do this based on this email. Great. Jump on a Teams meeting or jump on a Zoom with me. And then they get on live and it's their boss or it's somebody else and they see and they can ask questions and they get it resolved.

Richard (35:16.206)
Yeah. We're using it for...

D. Mauro (35:16.263)
you know, it's really, but it's all deep faked, right? But it's, but but but there still have to be policies in place, right? You still have to still verify independently, just have a process in place, where you still reach out through a different channel, just to verify before making a series of transactions, say that add up to $25 million.

Richard (35:37.39)
And that to me, David, is where people, businesses can put their money, invest right now in good policies, procedures, and start training, because as this threat grows, and it will grow, that at least they have, you know, we waited till the last minute to talk to our people about cyber threats, and this is, we're in the opportunity now, we're in the doorway of this technology where we can start sending the right messages in terms of, you know, what the potential is, just good practices, question everything, and start to train them to question everything, because when it...

D. Mauro (35:44.999)
Absolutely.

Richard (36:05.518)
AI does come into play in terms of an attack tool. I'm sure it will blow my mind. What I'm seeing now is just what I expected to see. And what I'm telling my customers is the key right now is invest in some policies and some education to your people. But I tell you, I started to think, you know, we are using, in terms of what we're using, we're rolling AI into Red Team testing, which is, you know, which...

which makes a better, in terms of telephone pretexting, we've tried to do some SMS AI attacks and so on. So it's a useful tool to me as a running consultancy. And I'm hoping to, we're trying to make sure that we develop it in step by step with what the threat actors are using. But right now we're playing around with it and we're telling clients policies, start to teach the staff what this is going to be.

because when it comes up on, it's gonna be a wall when you hit it with your business, there'll be no start to break now. Governance is what I spend my time on is, what's the framework for control? What's the framework of policies and people in process that you need to educate yourself? But there's enough scary things out there from hallucinations to...

D. Mauro (37:02.886)
Yeah.

D. Mauro (37:06.951)
Absolutely. Hey, yeah. Yep.

Richard (37:23.47)
just unknown factors. And businesses are, every business I know is rushing into it. And the other ones don't even know they're using it, which is almost a bigger risk. They don't know it's already in their business and their marketing department is using it to rewrite blogs or whatever.

D. Mauro (37:39.655)
Well, and it's really this the age old concern of shadow IT, right? Because you don't know what everybody every platform, everything that you're using, they all advertise that they're all have AI, even though it's the same platform as it was three years ago. But now it's AI. And, and, and you don't know, I mean, there's so many organizations that still don't know everything that's being integrated into their network.

And that is a huge risk. But again, that's policies, right? That's governance, isn't it? Like that is still people capturing all of the data and knowing what is all out there.

Richard (38:14.478)
Yes.

Richard (38:20.174)
Yeah, and again, you get back to the basics. We always pivot back to the basics, you know, the fundamentals of the integrity of the code, the libraries, you know, it's the secured by design fundamentals that are going to drive this or drive the risk associated with how AI is used for us or against us.

D. Mauro (38:24.071)
Mm-hmm.

D. Mauro (38:39.591)
Yeah, that's fantastic. Well, sir, thank you so much. Before I let you go, what if for somebody wanting to get into cybersecurity, the field, starting their career or making a shift from another career, what's some of the advice you could share? What what advice would you give?

Richard (39:03.63)
You know, recently I spoke at a university and I was asked on a live stage, how did you get into your field? Because you're, yeah, was there a cybersecurity field 35 years ago? And I thought, well, yeah, that's good. Yeah. But you know what it is that I find, I'll tell you what I look for in people we hire is obviously it's not the technical, it's not technology. It's not your command of technology. It's an inquisitive mind that takes you far from me in cybersecurity and pragmatic.

D. Mauro (39:11.239)
Mm -hmm.

There wasn't when I was starting. So, yeah.

D. Mauro (39:28.711)
Hmm.

Richard (39:33.038)
pragmatism. But it's also something I found myself confessing on a stage in front of a lot of people I wish I didn't. And now that it's out there, I remember telling somebody that I, you know, I wasn't one of the when I was growing up, I wasn't one of these kids who knew what you would look at his hands and say, I should be a surgeon or a concert pianist or, you know, I couldn't, I wasn't a carpenter, I wasn't an electrician, I, you know, I couldn't play a piano, I couldn't sing or dance or, you know,

D. Mauro (39:51.911)
Right.

Richard (40:01.39)
bad at math, I mean, you name it. And so I had a struggle when I was looking, you know, looking at growing up figuring out what am I going to do with my life? And, and I remember thinking at a very young age, I was, I was born and raised, my, my parents were divorced and I spent a lot of time on the street. And quite frankly, you spend a lot of time on the street and you develop an eye for let's call it opportunity, you know, as I got older, I thought, okay, I have a, a talent for,

D. Mauro (40:21.287)
Yes.

Richard (40:29.454)
I remember I was a paperboy and I'd walk by and I think, well, that window's open. There's a bike that's not locked and there's a baseball that's left on the porch, you know, and I'd see all this vulnerability. Now I wasn't a thief, but I clearly found myself processing.

D. Mauro (40:41.959)
but you saw the vulnerability that somebody with malintent could take advantage of.

Richard (40:47.214)
Exactly, exactly. And I thought, whoa. And so I realized that I had a skill set for identifying opportunities or vulnerabilities, name what you will. And I thought, well, okay, A, I could be a thief, yes, or a professional thief.

D. Mauro (40:55.303)
Mm-hmm.

D. Mauro (41:00.423)
You could either be a detective, you could either turn right, be become right or a thief, right? Or a cybersecurity specialist.

Richard (41:07.47)
Yeah. And then I thought, then I thought, well, I couldn't carry a gun. I didn't. And I couldn't do time. I knew at a very young age, I can't do time. Yeah. Jail really. That's right. So I, I found myself gravitated to a profession that, you know, had at its essence, can you identify a weakness that other people overlook? My first job was, I was a store detective in college. My first real job.

D. Mauro (41:13.671)
Right. Yeah, exactly. Too pretty. The hair is too good to do time and you just can't do that. So.

D. Mauro (41:31.751)
Yeah.

interesting.

Richard (41:37.358)
And I remember I found it so easy. They thought I was the greatest store detective ever. And I walked in and it was common sense to me. You know how to spot a shoplifter in a store? You walk in, David, and you look across the horizon. And anybody looking back at you, there's a 90% certainty you've got a potential shoplifter. All right? Of course, it's just exactly. They're looking for the same things you were if you were a store detective. Is that person looking at me?

D. Mauro (41:44.071)
Right. How?

D. Mauro (41:55.047)
They're looking to spot who the store cop is.

D. Mauro (42:04.679)
Interesting.

Richard (42:05.774)
Anybody not looking, all right. Then the second thing is you turn around, put your head down, walk around for three or four minutes, look again. If they're still scanning the horizon, just follow that person and they're walking out the store with something. And to me, it was this pragmatic, I was a kid, I never shoplifted, but I'm sure I thought, hey, I wonder, I looked around, looked for cameras, looked for other store detectives. Yeah, it's just that kind of thing came natural to me.

D. Mauro (42:25.447)
One, how would they think?

Richard (42:32.142)
And people would say, you're a born thief. And I'd say, not really, but I can just see opportunity. Anyway, the point is, I'm also saying that goes a long way in, well, security in general, but specifically in cybersecurity. Somebody can see a vulnerability and exploit it for gain, or at least likes the intellectual exercise. That's what I look like when we hire penetration testers.

D. Mauro (42:49.287)
Yes.

D. Mauro (42:55.783)
Mm-hmm.

Richard (43:01.198)
as well as GRC people who understand risk because that's what risk is about, risk and reward.

D. Mauro (43:05.799)
Absolutely. Yep. That's fantastic. Richard Hollis, thank you so much. We appreciate your time. What do you have on the horizon? What's coming up next? Are you doing any presentations and public speaking? What's going on?

Richard (43:20.27)
I've got a lot of we've got a lot of stuff. It's a busy busy year for us here. We've we've we do about two presentations a month on stuff like AI Red Team testing. So now we got a busy day. I'm also a trainer and I do security awareness training and that's that's a blast. So it's we got we got a busy year. So it's a things are hopping, especially for the summer. Usually things slow down in the summer, but we're looking at a pretty big year.

of doing fun things. Still fun, so still getting out of bed.

D. Mauro (43:51.527)
That's fantastic. I love doing, we do quite a bit of it. And I love doing the live security awareness trainings because it's just so, it just, people have like, even if they've seen it before, it always changes. And they're like, I cannot believe this is what's happening. And I'm like, yeah, every time you get online, we enter their world. Like it's really, yeah, absolutely.

Richard (44:13.934)
It makes all the difference. Face-to-face training to me makes all the difference. If you can run over their hearts and minds, it's not that people don't want to do it. They just don't know what to do or why. And if you connect the what to the why, it's a somewhat big gains to be had. So it's fun. It's a blast. Dave, thanks for having me. I really appreciate it.

D. Mauro (44:23.943)
Yep.

D. Mauro (44:30.855)
Absolutely. That's great. Thank you so much, sir. Appreciate it.


Differences in Privacy and Data Protection Between the UK and the US
Privacy Focus in the Adult Entertainment Industry and NGOs
Vulnerability of Cybersecurity Vendors
Lack of Leadership in the Cybersecurity Industry
Challenges of Protecting Against Zero-Day Vulnerabilities
Importance of Secure by Design
Limitations of the Zero Trust Model
Impact of Generative AI on Cybersecurity
Advice for a Career in Cybersecurity