Cyber Crime Junkies

Role of Security Leadership. Matthew Rosenquist Interview.

July 08, 2024 Cyber Crime Junkies. Host David Mauro. Season 5 Episode 9

Joining us is Matthew Rosenquist, a renowned CISO, Cybersecurity leader and strategist, about the role of security leadership, cultural differences on data privacy, importance of choosing trustworthy vendors, and how to stop zero day attacks.

Connect with Matthew:

 


Get peace of mind. Get Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com  
 
Imagine setting yourself apart from the competition because your organization is always secure, always available, and always ahead of the curve. That’s NetGain Technologies – your total one source for cybersecurity, IT support, and technology planning.

Have a Guest idea or Story for us to Cover? You can now text our Podcast Studio direct. Text direct (904) 867-4466.

A word from our Sponsor-Kiteworks. Accelerate your CMMC 2.0 compliance and address federal zero-trust requirements with Kiteworks' universal, secure file sharing platform made for every organization, and helpful to defense contractors.

Visit kiteworks.com to get started. 

🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss an episode!

Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/

Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
πŸŽ™οΈ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
πŸŽ™οΈ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
πŸŽ™οΈ Google Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast

Join the Conversation: 💬 Leave your comments and questions. TEXT THE LINK ABOVE. We'd love to hear your thoughts and suggestions for future episodes!



Role of Security Leadership


Topics: role of security leadership, Matthew Rosenquist, cultural differences on data privacy, importance of choosing trustworthy vendors, importance of data privacy, how to reduce risks from nation states, how to stop zero-day attacks, how zero-day attacks happen, understanding zero-day attacks, why zero-day attacks are dangerous, why zero-day attacks are hard to defend, why zero-day attacks are hard to detect, why zero-day attacks are hard to stop, zero-day attack risks, zero-day attacks explained, difference between customers and enemies, do Americans value their personal data, effective ways to protect business from cyber crime, exposing a cyber crime gang, how AI can be regulated and made safer, how AI can be used for fraud attacks, how AI will affect cyber security, how business measures cyber risk

Summary

We interview Matthew Rosenquist, a cybersecurity leader and strategist, about zero-day vulnerabilities and their impact on businesses. He highlights the increasing value of zero-day exploits, with aggressive nation-states willing to pay millions of dollars for them. The conversation also touches on supply chain attacks and the importance of bolstering defenses and choosing secure vendors.


The conversation covers topics such as: cybersecurity, zero-day vulnerabilities, exploits, nation-state attacks, supply chain attacks, defense strategies, trustworthy vendors, incident response plans, tabletop exercises, security leadership, measuring cybersecurity risk, deepfakes, regulations, privacy, cultural differences between the US and Europe, the need for better education on privacy, cybersecurity predictions, quantum computing, and cyber threats. It also addresses the importance of choosing trustworthy vendors, the need for incident response plans and tabletop exercises, the role of security leadership, the challenges of measuring cybersecurity risk, the impact of deepfakes, and the lack of unified regulations in the US.


Takeaways

  • Zero-day vulnerabilities are unknown vulnerabilities in systems that can be exploited by attackers before they are discovered and patched.
  • Aggressive nation-states are willing to pay millions of dollars for zero-day exploits, driving up their value and increasing the number of exploits discovered.
  • Supply chain attacks, where attackers target a vendor to gain access to multiple organizations, are a significant concern.
  • Business owners should focus on bolstering their defenses and choosing secure vendors with strong security programs and bug bounty programs.
  • The rise of zero-day exploits highlights the importance of investing in cybersecurity and staying updated on the latest threats and defense strategies.
  • Choose trustworthy vendors with a good reputation and a track record of security.
  • Develop and regularly update incident response plans and conduct tabletop exercises
  • Effective security leadership is crucial for communicating complex technical concepts to non-technical business leaders
  • Measuring cybersecurity risk is challenging due to the difficulty of quantifying something that didn't happen
  • Deepfakes pose a significant risk, and behavioral changes are necessary to combat their impact
  • The US lacks unified regulations in areas such as privacy and AI, while the EU has taken the lead in implementing comprehensive regulations.
  • Privacy is viewed as a fundamental human right in Europe, while it is not explicitly stated in the US constitution.
  • Cultural differences play a role in how individuals approach privacy and personal information sharing.
  • Better education is needed to raise awareness about the importance of privacy and the potential consequences of not protecting personal information.
  • Cybersecurity predictions for the future include an increase in nation-state attacks, supply chain hacking, and the impact of quantum computing.
  • Staying informed and prepared is crucial in the face of evolving cyber threats.

D. Mauro (00:06.062)
What is the proper role for security leadership to play? Today, we sit down with Matthew Rosenquist, a CISO at Mercury Risk, a board advisor, keynote speaker, a top LinkedIn voice on cybersecurity, a pragmatic cybersec leader and strategist like no other. We talk about the role of security leadership, the cultural differences between the US and the UK on data privacy, the importance of choosing trustworthy vendors, the importance of data privacy, how to reduce risks from nation-state attacks and how to reduce risks from zero-day exploits. This is the story of Matthew Rosenquist and the role of security leadership.

D. Mauro (00:02.542)
Well, welcome everybody to CYBER CRIME JUNKIES I am your host David Mauro and in the studio today is my always technologically advanced partner and sidekick, the Mark Mosher. Mark, how are you, man?

Mark Mosher (00:11.883)
I'm sorry.

Mark Mosher (00:19.403)
Wonderful David, for those that didn't pick up the tongue-in-cheek reference. Maybe watching other episodes I tend to have some, what do they call them back in your day David, gremlins, gremlins in the system, right? That's what it is David. We have got a great show today. I am really excited about this. Tell the listeners and the YouTube channel viewers who's in the studio with us.

D. Mauro (00:31.79)
Yes. Yeah, absolutely.

D. Mauro (00:43.726)
We have the legendary Matthew Rosenquist, a formerly with Intel, now CISO at Mercury Risk a pragmatic cybersecurity leader and strategist, a board advisor, keynote speaker, and a top voice on LinkedIn. Matthew, welcome to the studio, sir. And coffee drinker.

Matthew Rosenquist (01:02.268)
And coffee drinker. I drink a lot of coffee. Yes. Add that.

Mark Mosher (01:04.491)
Now, seeing for a small fee, Matthew, we can introduce you on all virtual meetings in just such a form. So just keep us in that.

D. Mauro (01:11.406)
Just bring us along every before every zoom before every zoom. We will just be like, and now Matthew Rosenquist joins you.

Matthew Rosenquist (01:12.22)
Hahaha!

Mark Mosher (01:18.091)
Hahaha!

Matthew Rosenquist (01:18.972)
Hahaha!

Mark Mosher (01:21.291)
Talk about making an impact right out of the gate, right?

D. Mauro (01:24.398)
Anything you need, man.

Matthew Rosenquist (01:26.82)
Well, it's a pleasure to be here. I look forward to having a fruitful, productive, exciting chat with you gentlemen. Let's talk some interesting things about cybersecurity today.

D. Mauro (01:40.718)
So let's talk about your origin story.

Matthew Rosenquist (01:42.94)
HAHAHAHA

Mark Mosher (01:43.947)
you knew he was gonna go there you knew he was going straight there right off the bat first pitch

D. Mauro (01:45.582)
Apparently, Matthew has had a stellar career. Check him out on LinkedIn. He has like several hundred thousand followers on LinkedIn. When we were preparing for today, I was like, well, I always want to know how people broke into cybersecurity. He's like, I don't want to talk about me. I don't want to talk about that. That's boring.

Matthew Rosenquist (01:47.804)
You

D. Mauro (02:12.014)
But I do think that some people find it interesting. So just generally for two seconds in a pragmatic way, just share with us kind of how, well, like what, like when you were a kid, were you like, I'm going to learn how to hack computers and protect people from hackers? Like what, what, what was it?

Matthew Rosenquist (02:31.22)
Okay, okay, I'll give you this short version, right? You know, and I've been doing this, I've been in security for 35 years. So when I started, there was no such thing as cybersecurity. There was no such thing as information security. Back in the day, they talked about system security and it all originated from mainframe. So that tells you how far I go back. But, you know, originally when I started in this, actually I started...

D. Mauro (02:33.454)
There, that's the other one.

D. Mauro (02:38.638)
Hmm.

No, not at all.

Mark Mosher (02:42.475)
right?

D. Mauro (02:45.646)
Mm-hmm.

Mark Mosher (02:49.739)
Yeah.

D. Mauro (02:52.366)
Right.

Matthew Rosenquist (02:59.676)
not in the cyber information aspect. It was doing internal investigations for theft, fraud, embezzlement, things of that sort. And the thing that I loved about it was that intelligent adversary. Somebody is doing something and trying to get away with it. And I have to figure out what's going on, detect that that's happening, figure out who it is, and then be able to gather enough information and evidence to arrest and prosecute.

D. Mauro (03:08.462)
Insider risk. Insider risk.

Mark Mosher (03:10.187)
Okay.

Matthew Rosenquist (03:29.564)
So that adversarial nature, I love that game, if you will, right? And it's how good are you versus how good they are. And so I love that. And I'd always been a geek. I loved computers, technology, programming, all that stuff. So it then came to an intersection when I joined Intel. And funny story, they...

Mark Mosher (03:29.803)
Mm-hmm.

D. Mauro (03:36.622)
Yeah.

D. Mauro (03:40.046)
Right.

Matthew Rosenquist (03:57.276)
the company didn't have a security operations center, right? This was very, very, very early on. And there had been several proposals up to the board, right? To say, hey, we need this, we need this. And they were shot down. And I had a great manager at the time. And I was very junior, very junior. But at Intel at the time, it didn't matter. It was just who was the best, right? And so my manager came up to me and said, hey, you know, I know you're, you know, you do security investigations.

Mark Mosher (04:01.963)
Wow.

D. Mauro (04:02.606)
I can't imagine Intel without a security operations center. Yeah.

Mark Mosher (04:07.116)
Yeah.

D. Mauro (04:10.734)
Right.

D. Mauro (04:18.094)
Right. Yep.

Matthew Rosenquist (04:24.988)
You want to propose a security operation center? And I said, sure. So I went off and drafted, you know, a forty-page, you know, proposal and business justification, everything else and submitted. And he came back to me a couple of weeks later and he says, Hey, congratulations. They agreed to your proposal. And I'm like, right. And I felt that was a huge feather in my cap. And I, that's great. And I'm like, what idiot did you get to, to, to manage it? And he starts laughing and he said, they wanted you.

D. Mauro (04:27.886)
very cool.

Mark Mosher (04:28.331)
Wow.

Mark Mosher (04:41.643)
Whoa.

D. Mauro (04:44.718)
yeah, that's fantastic.

D. Mauro (04:49.422)
You.

Matthew Rosenquist (04:54.748)
And I said, I'm too junior. I'm not, they're like, you were the one that explained it to them in a way they could understand and get behind. They want you. So here's enough rope to go hang yourself, either succeed or fail. But, and that's, you know, that was the kind of big step for me is I was able to then bring together, I was about a 34 person team, the first SOC and build it out.

D. Mauro (05:02.062)
That's the art. That's the heart of it all.

Mark Mosher (05:02.923)
that's it. Yep.

Mark Mosher (05:08.427)
Mm-hmm.

D. Mauro (05:23.182)
Wow.

Matthew Rosenquist (05:24.54)
manage it and off I went. And from there, it was just something new. The next impossible challenge. Once I got something in stable world class, it was OK. Now what can't be solved? And I want to go do that in cybersecurity.

Mark Mosher (05:35.819)
What's next?

D. Mauro (05:37.006)
Right. Well, that is that's a great story. See.

Mark Mosher (05:41.707)
That's really unique to a lot of people that we talk to. You gave inspiration to those that may have not had it.

Matthew Rosenquist (05:41.724)
that helps your audience zero, nothing, nil. There's nothing for them. You know, they should just jump ahead to right now when we're going to talk about good, interesting things.

D. Mauro (05:44.302)
You... Look at that! You created the SOC!

D. Mauro (05:54.926)
Okay, well, that is a good story, though. And I am glad I asked because that was a lot better than my dad was a, you know, engineer and I learned it from him. Like, I'm like, okay, well, that makes sense. Like, I always like the people that came from like, I was a barber and then I became like a CISSP. I'm like, how did that happen? So anyway, so let's talk zero days. So for non-technical people,

and business leaders, right? Because you are so good at translating complex into impact in business terms. Walk us through what zero days are and why they pose such a big risk today. Because we're seeing them in the news from, I don't know, from Snowflake to Move It to a lot of different things all over the news. And they're leading to some of the largest breaches.

Matthew Rosenquist (06:35.228)
Mm-hmm.

D. Mauro (06:54.606)
And they're really long standing. They go on for months and months and years and years.

Matthew Rosenquist (07:00.124)
Yeah, zero days are actually really easy to understand. All it is, is it's an unknown vulnerability in a system of sorts. So it can be a technical vulnerability. It can be a process vulnerability, but it's one that isn't widely known or hasn't really been discovered. And that's why they say zero days. There's zero days since it's been discovered. So if you're an attacker, it's like finding a secret back door that gets you what you want.

D. Mauro (07:25.006)
Right.

Matthew Rosenquist (07:30.428)
If you discover this before the defense, the cybersecurity team even knows it's there, right? You can exploit it and you have free reign for whatever that particular zero day does. Now, once you do do that, you do use that exploit, then eventually people are gonna realize, hey, there's something wrong here. Somebody's inside the castle and yet the gate is closed. There must be another door.

D. Mauro (07:56.494)
Mm-hmm.

Matthew Rosenquist (07:59.612)
Right? They must be getting in and then they go on the hunt for it and try and figure it. And as soon as they find it, they then have the opportunity to close it. And your window of opportunity as an attacker, poof, goes away. But until that happens, that window of opportunity is supremely valuable. And that's why there's an entire market for zero days. Very smart security researchers or hackers, if you will, depending on their motivation, will go out and

D. Mauro (08:26.862)
Mm-hmm.

Matthew Rosenquist (08:28.828)
you know, take a look at software or programs or infrastructure or hardware or firmware, right? And can't forget operating systems, but they look at all these different things and try and figure out a vulnerability that nobody knows. And then they have a choice. They can sell it to the highest bidder. And in most cases, that's somebody that's gonna use it maliciously, or they may try and go back to that manufacturer.

D. Mauro (08:36.174)
That's right.

D. Mauro (08:42.254)
Mm.

Matthew Rosenquist (08:54.076)
as part of a bug bounty program, this is what we would call an ethical security researcher, go back to them and say, hey, I've discovered something in your product or whatever it is, I can give you the details. And many times they're recognized, they're financially rewarded, and they build up a good reputation. So these things play a huge impact in our industry.

Mark Mosher (08:56.075)
right.

D. Mauro (09:13.902)
Well, it's a bit it's a smart business move. Yeah, it's a smart business move for a manufacturer or software developer to reward bug bounty programs. In fact, they see a lot of software platforms that actually advertise that we have an active ongoing bug bounty program as. Yeah, it really is.

Mark Mosher (09:17.579)
Yeah.

Matthew Rosenquist (09:21.116)
Yes.

Matthew Rosenquist (09:31.324)
It's best practice nowadays. Nowadays. Originally, it was not that way, by the way. Originally, it was, if you inspected my software, I'm going to sue you, I'm going to put a gag order on you, and all these bad things. And we were screaming to the industry going, you are insulting and impacting your best possible resource. These independent researchers could sell it for a lot more, but they're willing.

Mark Mosher (09:34.443)
Yeah.

D. Mauro (09:36.494)
Mm-hmm.

It was looked down upon.

D. Mauro (09:43.374)
Correct.

Matthew Rosenquist (09:59.388)
to share it with you for a lot less. Why are you harming them?

D. Mauro (10:01.966)
Right. Yeah, that's exactly right. And is here's my question. Why are we seeing it seems like we are seeing more of them in the last couple of years than previously? Is that because there aren't necessarily SBOMs on products like there's no like like

Mark Mosher (10:02.891)
I'm sorry.

Matthew Rosenquist (10:20.092)
Yes.

D. Mauro (10:30.222)
software bill of materials like a cereal box that has all the ingredients. So you know this one has red dye number three, better not eat it. Is it because certain platforms lack that and then they're just cutting and pasting from prior code that could be vulnerable? Is that what's happening? Possibly? Nope. Okay. Well, this is what I want to know. This is why I ask. Yeah, this is good.

Mark Mosher (10:34.699)
Right, right.

Matthew Rosenquist (10:49.852)
Nope. Okay. First off, you're absolutely right. The number of zero days and the severity of those zero days being discovered is skyrocketing. And this is something that we've predicted and we're predicting it will continue to get much worse. Now it really comes down to business. Think about it. Innovation, which is really what...

D. Mauro (11:02.51)
Okay.

Matthew Rosenquist (11:15.004)
you know, discovering zero days is, right? It's trying to identify that. That takes time and effort and resources and tools and expertise. But the thing is, you know, that costs, again, time, money, effort, and to attract people to do that, right? There has to be a lot of incentive. Well, we saw original zero days come out and, you know, they would sell them for a few thousand dollars.

D. Mauro (11:17.582)
Mm-hmm.

Mark Mosher (11:22.475)
Yeah.

Matthew Rosenquist (11:41.5)
So you would spend as a researcher all this time, money, effort, tools, have to create your own tools and then be able to sell it for a few thousand dollars. And everybody thought, well, that was pretty good. And then the organized cyber criminals said, well, if you can do it to this platform, I'll pay tens of thousands. People's minds were blown, okay. And so it started to evolve. And then there was some competition. Well, I'll pay more than tens. We saw some come out at,

D. Mauro (11:41.998)
Right.

Matthew Rosenquist (12:10.172)
hundreds of thousands of dollars, but that fundamentally all changed when we saw aggressive nation states about a decade ago come on the scene. And we're not talking about, you know, high-end organized criminals that are willing to spend $100,000 on a vulnerability to, you know, get inside of a bank. We're talking about a nation state that can throw around billions of dollars into research.

Mark Mosher (12:12.235)
Whoa.

D. Mauro (12:12.814)
Yes.

Mark Mosher (12:20.363)
Mm-hmm.

Matthew Rosenquist (12:39.26)
and expertise and tool development. Right? Yes.

D. Mauro (12:43.47)
Right. And man, and just pure manpower, right? I mean, they just have 24 seven tiers of staffs that just go and. Yeah.

Mark Mosher (12:43.531)
Yeah.

Right. Yeah.

Matthew Rosenquist (12:52.092)
and they're willing to pay millions of dollars. We've seen them up to $20 million for a single exploit, right? And they put, and that's the starting negotiation price. That's to get your attention. So now you have entire organizations, clubs, and in some cases, business organizations intentionally going out to go after that. And so as you flood the market,

Mark Mosher (13:01.835)
Wow. Wow.

D. Mauro (13:02.062)
$20 million.

Matthew Rosenquist (13:20.348)
with research funds, right? It's an economic cycle to say, hey, these people are gonna go look for more, right? And then you have the support infrastructure to say, well, we're gonna develop tools for these people and sell them the tools, right? So you have a whole economy that's coming behind this. Why? Because there is money to be made. And nation states are the ones just pouring gasoline on the fire.

D. Mauro (13:34.83)
Mm-hmm.

Mark Mosher (13:42.379)
Yeah.

D. Mauro (13:42.958)
Well.

D. Mauro (13:48.27)
Why do you think nation states began doing that around 10 years ago? What did it have to do with the decentralization, the collapse of the USSR? Is it has to do with national security, international political relations, where there's sanctions, and then they can't get money from America one way, so they go after and target American businesses another way?

Matthew Rosenquist (14:16.7)
It's asymmetric warfare, right? When you look at those aggressive nation states. Now, keep in mind, every nation out there, big and small, has some type of cyber program. But we classify aggressive nation states as the ones that are developing technology and going after other countries in an aggressive way, typically for either political purposes, to push foreign policy, to get around sanctions.

D. Mauro (14:19.022)
Hmm.

Matthew Rosenquist (14:45.852)
you know, things of that sort, or sway democracies, voting, people, perceptions, all those kinds of things, right? And they have very, very active, professional organizations that do this. And then they also subcontract with private organizations, criminal organizations, and everything else. So there are many motivations when you look at this, but the same thing is why does a country have a military?

Mark Mosher (15:02.795)
Right. Yeah.

Matthew Rosenquist (15:11.932)
Right. It's to push foreign policy or to protect itself or to undermine a growing adversary or, you know, to influence something else. Cyber is just another tool in the toolbox. And from an expense perspective, it's really cheap. And the trend is everybody is moving to digital. All your critical infrastructure, every critical infrastructure sector out there has a dependency on, you know, digital technology.

Mark Mosher (15:30.123)
Yeah.

D. Mauro (15:36.174)
Mm-hmm.

Matthew Rosenquist (15:41.692)
So there are tremendous opportunities, right, to achieve all those goals or at least contribute to all those goals that a country may have. So we've seen it all over the place and the big four, you know, truly aggressive nation states out there, I mean, they're billions, billions of dollars, and they're actually behind a lot of the attacks that you see today in the news.

Mark Mosher (16:08.395)
Hmm.

D. Mauro (16:09.646)
either ratifying after or looking the other way or funding it.

Matthew Rosenquist (16:17.724)
It tends to be a combination of different things and there's been an evolution. Right. And I'll pick on one, right. Russia is considered one of the big four, right. Russia prior to, you know, 2022 actually outsourced a lot of their cyber attacks and they were doing things, you know, political things, social, you know, changing social opinions within different countries. They were stealing money. They were doing all sorts of things, stealing secrets.

D. Mauro (16:20.11)
Mm-hmm.

Mark Mosher (16:20.171)
Yeah.

Matthew Rosenquist (16:46.076)
They were adding and helping their international espionage, right? To be able to gather data, turn information, all those kinds of things. So they were doing lots of stuff, but a lot of it was outsourced. And then in 2022, when they invaded Ukraine, they had a massive campaign ready and it shifted from a lot of, you know, ransomware and I'm going to steal your information. And they actually shifted to a wiper kind of malware, which was highly destructive.

D. Mauro (16:53.294)
Mm-hmm.

D. Mauro (17:05.389)
They do. Right.

D. Mauro (17:13.614)
Right.

Matthew Rosenquist (17:15.644)
and they targeted Ukraine, they targeted a few other things, especially as the Allies stepped up, but they figured, okay, this is going to be great. What they didn't count on is a lot of those kind of subcontractors they had were Ukrainian. And they thought, well, hey, criminals are criminals. If I pay them money, they'll do whatever I ask. They won't care. Well, as it turns out, if you shell and bomb even a hacker's grandmother's house, the babushka,

Mark Mosher (17:28.811)
I

D. Mauro (17:29.294)
Right.

Matthew Rosenquist (17:43.772)
Right? They don't care the money, right? And they ended up turning on the Russian handlers and started exposing some of that infrastructure like Conti, for example. And so for a little over a year and a half, Russia kind of had to go, whoa, wait a second, and started instead of outsourcing a lot, invested internally. So now it's more of an employee internally sourced model. They rely a lot less on the external vendors.

D. Mauro (17:43.982)
Right.

Mark Mosher (17:45.611)
I'm going to go ahead and close the video.

D. Mauro (18:08.91)
rather than contracted services. Yep.

Matthew Rosenquist (18:12.572)
And they're doing it themselves because they learn their lesson. So yeah, it just the business cycles kind of change, but it's big business. It's really important. And we're seeing right now critical infrastructure is being the primary targets for all aggressive nation states out there, the big four.

Mark Mosher (18:12.651)
Right.

D. Mauro (18:29.39)
Yeah. And when a zero day gets exploited, it is just, it is, it's so, it just spreads like wildfire because there's, it seems like they're, they're finding them for the tools that organizations use across thousands of organizations. So once they find it, they are inside all of these organizations.

Mark Mosher (18:49.707)
Yeah. Yeah.

Matthew Rosenquist (18:52.604)
Yeah, you're talking supply chain, which is think of it as a force amplifier, right? If I find a zero day, and by the way, if you're in the business, you can put in an order request. You just say, hey, I want a zero day admin access remotely capable for Windows 11 or for the latest version of the iPhone, right? You can put these orders in and then put a bounty on it. But you know, the reality...

D. Mauro (18:54.926)
Yeah.

Mm-hmm.

D. Mauro (19:20.014)
And these are all sold like on marketplaces on the dark web. Yep.

Matthew Rosenquist (19:22.556)
Yes, absolutely. On the dark web and on the gray web as well, there are legitimate businesses who will deal with this and be that middleman to keep a certain level of anonymity on both sides of the equation. They take their cut. And so they're kind of in a gray zone as well. But yes, and again, tens of millions of dollars per exploit in some cases. But these governments,

D. Mauro (19:27.79)
Correct.

Mark Mosher (19:30.859)
Wow.

Matthew Rosenquist (19:51.068)
they can say, hey, I want to just attack you, right? I want an exploit for company XYZ, right? Acme Rockets, let's say. And that's all great. You may get that exploit. You may be able to get into Acme Rockets, but it makes a whole lot more sense to instead go to this other company, maybe an IT company that has a whole bunch of customers, including Acme Rockets.

D. Mauro (19:59.822)
Right.

Mark Mosher (20:00.043)
Yeah.

D. Mauro (20:13.678)
Mm-hmm.

Matthew Rosenquist (20:18.652)
and say, give me an exploit into this IT company that services all these others so that I will use them as a staging ground to impact every single one of their customers that I want. And, you know, we've seen this many, many times. Yes. And that's your supply chain attacks, which is again, it amplifies the stakes because one attack can compromise thousands.

D. Mauro (20:31.342)
like SolarWinds, Kaseya, things like that, right? Yep.

Mark Mosher (20:33.675)
Yeah. Yep.

Matthew Rosenquist (20:47.74)
of downstream customers.

D. Mauro (20:50.446)
So what can business owners do? I mean, really, all they can do is just bolster their defenses, in my mind. Like, just have security layers in place, because if somebody's going to exploit a zero day on a platform that their IT service provider is using, how's a business owner supposed to protect themselves for that?

Mark Mosher (21:16.747)
Yeah.

Matthew Rosenquist (21:16.988)
Well, internally, you're right. They should have a good, well-thought-out plan and execute to that strategy to protect everything within their borders. But in today's environment, we have so many suppliers and vendors, right? Right now, we're on a third-party video supplier, right? So you're using that. You use cloud, right? Do you use Google or Microsoft is now all online, right? So you've got all these connected.

D. Mauro (21:31.598)
Mm-hmm.

Mark Mosher (21:34.731)
A perfect example.

D. Mauro (21:35.502)
Right. That's exactly right.

Matthew Rosenquist (21:44.476)
right in this spider web of services that you use. The other thing is these businesses really need to pay attention who those vendors are. Make a good choice. If you're gonna choose a vendor that has a good security program and has a good bug bounty program, for example, and manages their security and is very responsible if something happens to let you know and get on it quick to close that zero day quickly and they have a reputation like that.

D. Mauro (21:54.286)
Right.

Mark Mosher (22:11.563)
Yeah.

Matthew Rosenquist (22:14.396)
That's who you want to be with. If on the other hand, you have a vendor, maybe a little less, less pricey, but they don't have such a good reputation, right? They've had some data breaches. They've had some exploits. They were a little slow in telling people until it was actually exposed by another party. And then they said, well, well, yeah, yeah, that happened. Right. Little less trustworthy. You don't really know where your data is. They're not being audited. They're not on a certificate, all those kinds of things. Well,

D. Mauro (22:16.014)
Absolutely.

Mark Mosher (22:34.699)
Yeah.

Matthew Rosenquist (22:42.716)
you're probably getting what you're paying for. You're paying less, but understand the ramifications to your business, your customers, and everybody that you service, including your partners and your insurance and everything else, if you choose to go down that path. So act smart. It's just like any other business decision. You choose who your business partners are. You choose who your suppliers and vendors are. You need to have that same level of fiduciary care when choosing

D. Mauro (22:44.686)
Right.

D. Mauro (22:55.918)
Right. All of your customers. Yeah.

Mark Mosher (22:58.859)
Yeah.

Matthew Rosenquist (23:11.996)
your digital and security partners.

D. Mauro (23:14.926)
Excellent insight. You know, it still blows my mind how many American businesses do not have updated, like, incident response plans. They don't run tabletop exercises. And I'm like, how do you not? I mean, to me, a lot of, you know, a lot of organizations are going to get breached, but they're not all equal. Like, there are some that are an inconvenience. It costs money. It's repaired, but it doesn't

Mark Mosher (23:24.907)
my gosh.

D. Mauro (23:44.75)
It's not a torpedo that makes the ship sink, right? And there are some that absolutely torpedo an organization's brand. And to me, I'm always just boggles my mind how some organizations, they just don't even prepare for the day of a breach. I mean, to me, that could make all the difference in the world.

Matthew Rosenquist (24:05.5)
Yeah, unfortunately that's true. It's getting better though. You know, I have to say, and especially for the critical infrastructure, when we look over 10, 15 years, it is getting better. But you kind of have to go back to the first axiom of cybersecurity, which is very telling, right? It simply is cybersecurity is not relevant until it fails.

D. Mauro (24:10.862)
It is getting better.

Mm-hmm.

D. Mauro (24:30.926)
Right.

Matthew Rosenquist (24:30.94)
So you have a lot of these organizations going, well, you know, we didn't have any problems yesterday. We're probably okay. Right. And that works great until it's not true until you're now cratered and you're like, wait a second. Our reputation, our brand, our customers, the liability, the lawsuits, SEC is coming after us. Wait a second. Whoa, whoa, whoa. What? And then they go to the poor security, you know, director, cause they don't have a CISO either. You know, the poor security guy.

Mark Mosher (24:35.755)
Hahaha

D. Mauro (24:35.886)
Yeah.

Mark Mosher (24:41.419)
Yeah.

D. Mauro (24:41.582)
Until it's not true.

Matthew Rosenquist (24:59.644)
who's only part-time and going, it's your fault.

D. Mauro (24:59.662)
Yeah, who used to be just a network guy. Yeah, he used to be just a network guy, but because he does technology, they're like, you're the security guy now, right? Yeah. yes.

Matthew Rosenquist (25:04.703)
Yeah. yeah. Yeah. Yeah. You do security too. I know you're a network engineer, but now you're our security network engineer. Congratulations. You know, so again, you have to have good leadership. That's really one of the most important things. And when I go out and I talk with a lot of boards and I get brought in by a lot of, you know, CEOs and so forth to evaluate what's going on. One of the biggest determining factors in understanding the maturity level of that organization.

security leadership. Do they have somebody that actually has a background, that has experience, that has knowledge, that can communicate sometimes these kind of difficult concepts that can tie it back to the overall business goals and values, right? If you don't have good security leadership, you're sunk. I'll tell you that right now. You may have the best security engineer or architect or hire the best external company or something. You don't have good leadership.

Mark Mosher (25:35.691)
Yep.

D. Mauro (25:36.078)
Absolutely.

D. Mauro (25:41.87)
Excellent.

Matthew Rosenquist (26:03.804)
you will eventually lose.

D. Mauro (26:05.998)
Absolutely. And security leadership gets to the heart of what you are excellent at. But also it's what we touched on. And that is that translating of the complex technical components, operations, systems, et cetera, into what it means to a non-technical business leader. Because that art, that making it succinct, making it brief, making it impactful.

Matthew Rosenquist (26:16.188)
Mm-hmm.

Mark Mosher (26:16.395)
huh.

D. Mauro (26:35.566)
There's great sophistication in that, in my opinion. And that is where security leadership has its stake at the C-suite.

Matthew Rosenquist (26:46.588)
And that ability, I mean, if you're really technical, you can get so far in protecting an organization. But the simple fact is cybersecurity is not completely owned, run and managed by just the security team. It takes collaboration. You have to have different business group leaders also agree. You know, HR has to say, yeah, I want my HR records to stay confidential. Finance has to say, hey, I want to make sure somebody doesn't move a decimal point, right? A hacker doesn't do that.

D. Mauro (26:52.526)
yeah.

D. Mauro (27:00.686)
No.

Mark Mosher (27:01.451)
All right.

D. Mauro (27:06.67)
Right.

D. Mauro (27:14.67)
Right.

Matthew Rosenquist (27:15.996)
You also need to have the CEO and the board buy in and they're probably not cybersecurity savvy. So you have to translate the value of security investment into business speak, right? So they can understand and go, okay, yeah, that supports my share of market. That is gonna help me maintain my margins. Yes, that is, you know, and so they start to understand and they're gonna support you.

D. Mauro (27:36.302)
Right.

Mm-hmm. That helps. That will help EBITDA. Right. That'll help us achieve our EBITDA goals by this. And a lot of cybersecurity guys are like, I don't know what EBITDA is. Right. Like they don't understand the business aspect. Right.

Matthew Rosenquist (27:46.46)
Yes!

Mark Mosher (27:47.787)
Yeah.

Bye.

Matthew Rosenquist (27:51.164)
Mm-hmm.

Yeah, a lot of my colleagues now are making that turn and they're going to get their MBAs. It's great that you're a CISO, but you start tying that in with MBAs and you can talk, right? Revenue and goals and margin, and you can give an example and work with the product teams to go, hey, I know we've got a freemium model, but let's explore adding security and move, you know, that pulls people from the freemium to the tier one paid model. Wow, you're helping us generate revenue?

D. Mauro (27:58.766)
Yeah. Right.

Mark Mosher (28:21.771)
Right.

D. Mauro (28:21.998)
Right. Exactly, exactly. Well, because different, different models of offerings and products, they can have enhanced security, enhanced features, and people will pay a premium for it.

Matthew Rosenquist (28:23.9)
Yes, I will. What? You know...

Mark Mosher (28:25.003)
Exactly.

Matthew Rosenquist (28:34.46)
Yes.

Mark Mosher (28:37.419)
Mm-hmm.

Matthew Rosenquist (28:37.628)
Security is now becoming a purchase criteria because people are tired of, you know, data breaches and they're tired of the systems going down and being unavailable. And they're like, no, I want something that I can trust. So yeah, that curve is going up. The expectations in our industry are just going up, whether it be the regulators, whether it be the boards, whether it be the executive peers, right? The, the.

D. Mauro (28:40.91)
us.

D. Mauro (28:50.67)
Right.

Matthew Rosenquist (29:02.844)
leaders of the profit centers within the organization, whether it be the customers, suppliers, vendors, partners, right? Your insurance agency has higher expectations this year of your cyber posture than it did last year, and that's gonna continue to go up. So again, leadership, you need to be able to see, right, not the accident behind you, but what's coming at you, right? You have to be able to look ahead.

Mark Mosher (29:15.883)
Yeah.

D. Mauro (29:16.846)
absolutely. Right.

D. Mauro (29:26.126)
Absolutely. Yeah. Well, let me ask you this. How has the industry overall and I want to ask you in your experience, too, how have they come along in measuring certain levels of cybersecurity risk? Because we talk with business leaders a lot and whenever we bring up security,

Mark Mosher (29:26.923)
That's a good point.

D. Mauro (29:52.526)
They are always like, here's the problem I have with security. Not that I don't need the layers, not that I don't understand that it will reduce risk, but that the people in the security field cannot quantify it for me. Everybody else can. HR can say 80% of our organization is out there looking for a job. Sales can say, you know, we're going to miss our target by 14%. You know, everybody can name it. And then security goes

Matthew Rosenquist (30:04.764)
Mm-hmm.

D. Mauro (30:21.806)
medium risk, high risk. It's yellow. And they're like, I don't know what to do with that. I don't know what to do with yellow. I can't go to the board and be like, we just invested 4.3 million. Yeah, we're at yellow. We were at red before. It doesn't mean anything to them.

Matthew Rosenquist (30:23.452)
It's a yellow.

Mark Mosher (30:24.139)
I'm sorry.

Matthew Rosenquist (30:31.004)
Mm.

Matthew Rosenquist (30:39.42)
Yeah

Mark Mosher (30:41.259)
Okay.

Matthew Rosenquist (30:43.644)
No, you're absolutely right. It is one of the toughest aspects of cybersecurity. And the reality is, right, just inherently it's tough for us to do quant, right, a quantification measurement. And...

D. Mauro (30:49.294)
It is.

D. Mauro (30:58.638)
Yeah, it really is. I've read books on it and I'm like, holy cow, the books are painful because I'm doing the charts and I'm like, my gosh, this is so much math. It was painful. It was hurting my head.

Mark Mosher (30:59.659)
Mm-hmm.

Matthew Rosenquist (31:02.78)
No.

Well, for your audience, let me explain why fundamentally it is difficult. Okay? Because all of our job in security is really focused on preventing something bad from happening. Okay? So if you think about that and you're successful, bad things didn't happen, how do you measure something that didn't happen?

D. Mauro (31:17.518)
Yeah, please.

D. Mauro (31:27.342)
Mm-hmm.

D. Mauro (31:37.658)
Right. It's exactly right. Like, how do you measure? That's exactly right. Like, how do you measure there were all of these potential things that could have happened where they tried to get in and they couldn't? But we can't track that. Like, we don't see that. We're not the criminals on the other end doing it, right? If we could get them, if we could pay them to give us a report, that'd be great.

Mark Mosher (31:38.315)
Yep. Yep.

Matthew Rosenquist (31:39.516)
Right? And that is the fundamental crux.

Mark Mosher (31:42.315)
Hehehehehe

Matthew Rosenquist (31:52.828)
Mm-hmm.

Yeah?

Matthew Rosenquist (32:01.052)
And even if they do get in, yeah, you don't necessarily know what they would have done. Would they have got in and just said, cool, I'm in and left? Would they've gone in and then destroyed everything in the company? You just don't know. So again, trying to measure something that does not happen is extraordinarily difficult. And yet, and yet...

D. Mauro (32:07.95)
Right.

Right. Yeah.

D. Mauro (32:16.11)
Yeah, it's a great point, Matthew. That's an excellent point.

Matthew Rosenquist (32:26.364)
there are some opportunities, right? We can look, so for example, in physics. In physics, you can measure temperature, right? Well, you can't actually measure cold. All you can measure is heat, right? So you can't measure darkness, all you can measure is light. So there are things that we already kind of know in other aspects that we have to look at. Now, I'll tell you right now,

D. Mauro (32:28.942)
Hmm.

Mark Mosher (32:35.019)
Bye.

D. Mauro (32:38.222)
Correct.

Matthew Rosenquist (32:55.036)
cybersecurity metrics has come a long way from 20 years ago, but we are nowhere near where we want to be. We can show many more insights and complex calculations, qualitative to quantitative transfers and everything else. But at the end of the day, there's just kind of a lot of magic involved, right? And every methodology is a little different.

We make steps forward. There are some brilliant people in the cybersecurity metrics field. And again, for 25 years, they've been working on this, the brightest minds. No, but none of them will say, yeah, we figured it out. None of them, right? The only people you will hear say that are salespeople and they're lying. That's it.

D. Mauro (33:37.006)
Right, exactly.

I was going to say the only time I see it, like the only time I see it out there are vendors saying, if you buy our SIM platform, we'll be able to reduce it by this. And here is your ROI. And I'm like,

Mark Mosher (33:41.163)
Yeah.

Matthew Rosenquist (33:50.096)
yes. Yes. we've got metrics. We can tell you how much you saved, right? And that's immediately when I turn it off and go, no, you're done. You're either lying or you're so ignorant that you don't even understand my industry. We're done. I never want to talk to you again. Goodbye.

D. Mauro (33:58.158)
Yeah, because I'm like, come on. Like, yeah, that's right. Right. Yeah. Such a challenge. Well, we'll we'll come back as they develop more. We'll come back in a couple of years and we'll sit down and we'll go now we've got this formula, right? We can start putting that formula in, you know, North Korea, Russia have a different scale, you know, and

Mark Mosher (33:58.251)
Yeah

Mark Mosher (34:04.747)
Right, right.

Mark Mosher (34:15.499)
Yeah.

Matthew Rosenquist (34:18.172)
Hahaha!

Mark Mosher (34:18.411)
I mean...

Matthew Rosenquist (34:22.684)
It is complex.

D. Mauro (34:26.254)
It all depends on what's going to be, you know, what the attack level will, there's so many variables.

Matthew Rosenquist (34:29.788)
It does, it does. Actually, I'm going to be doing a video and writing a paper on some of the newer techniques and kind of where I see it's going to go in the next few years. Again, it's not being solved in the next few years, right? But again, it's about baby steps, just like physics, science, everything else. You learn a little bit more, you get a little bit better, you iterate and you're in a better place after a while. But it takes a lot of teamwork across the entire industry to really move the needle.

D. Mauro (34:41.038)
No. No.

D. Mauro (34:59.374)
So I'd like to segue to something that I'm fascinated by and that is deepfakes. I got to tell you, man, like they've gotten really good in the last six months to a year. I mean, we looked at them a couple of years ago and I'm like, all right. I'm like, it's still years away. In the last few months, I have seen some that are just

Matthew Rosenquist (35:05.34)
Gah!

Mark Mosher (35:06.443)
Yeah.

Matthew Rosenquist (35:14.62)
Mm-hmm.

D. Mauro (35:27.854)
undetectable. I've been in a room with 20, 30 people, nobody could detect it. And I'm like, wow, that is really scary. What is the impact and the risk that you're seeing? I mean, obviously we've heard certain breaches because it's being used in conjunction with other social engineering tactics. What do you see is going to be some of the fallout because of this?

Matthew Rosenquist (35:47.868)
Absolutely.

D. Mauro (35:55.342)
Kind of, it's not a new tactic, but it is a, an improve, a greatly improved tactic.

Matthew Rosenquist (36:02.46)
So, you know, and we predicted, we predicted all this was gonna happen and we mapped it against the exponential rise in technology when you look at LLMs and specifically, you know, deep learning and so forth. So we knew this was coming and there it is very sensationalized because it's great eye candy. So you're gonna see it on the news cause it's sexy. It's gonna grab eyeballs and everything. Okay, but from a practical level, it's...

D. Mauro (36:12.622)
Hmm?

D. Mauro (36:22.798)
Right. Yes.

Mark Mosher (36:24.11)
Mm-hmm. Yep.

D. Mauro (36:26.798)
Right.

Matthew Rosenquist (36:31.996)
just another tool, right? So the objectives of the attacker are staying the same, right? They're just using another tool to achieve that. Now there are counters to tools, but the reality is when we're looking at these things, because they are getting good and it's exponentially good, we got multimodal now, it's not just a picture, it's not just a video, it's not just a video and voice.

Mark Mosher (36:33.579)
Right. Right.

D. Mauro (36:33.678)
Correct. It's right. I agree.

D. Mauro (36:39.79)
Mm-hmm.

D. Mauro (36:55.118)
Right.

And it's right now it's live. It's live. Yep.

Matthew Rosenquist (37:00.444)
It's not just a video and voice, it's also mannerisms, so on and so forth, biometrics or synthetic biometrics and all these other things, right? So it's going to get more and more and more complex. There are technologies organizations are working on to help detect those, but it is an arms race. Every time somebody comes out and says, hey, we can detect 95% of it. Very shortly thereafter.

Mark Mosher (37:00.491)
Mm-hmm.

D. Mauro (37:09.55)
Hmm?

Matthew Rosenquist (37:27.356)
And I'm not talking years, I'm talking hours, days, or sometimes a week or two, the attackers come out with a new model that drops to nothing. Right? So it's just constant, you know, back and forth. And we've seen big companies actually pull back and go, you know what, we're not going to try and create a detection mechanism. Meta pulled back, Google pulled back largely. They've still got a couple of small ones. As it turns out,

Mark Mosher (37:27.563)
you

D. Mauro (37:32.942)
Mm-hmm.

Right. Correct.

Matthew Rosenquist (37:56.124)
History is a great lesson, right? A great teacher and provides great lessons. Let's turn the dial back to the days of when people took photographs with film, right? And all of a sudden you had digital photographs and people could edit those. And there was upheaval going, my gosh, we have to outlaw this because you could put aliens in this picture. You can do this. You can make somebody look different, younger, older.

D. Mauro (37:57.742)
Mm-hmm.

D. Mauro (38:13.037)
Mm-hmm.

Matthew Rosenquist (38:25.02)
Like they're standing next to somebody they shouldn't, right? This is, and technology say, okay, well, we'll try to build some tools to identify them. And that never worked. What worked was a fundamental shift in people's mentality going, I am so used to fake images. In fact, just about every image you will see in a newspaper or magazine is fake in some way. It's airbrushed, it's this, it's that. Now it's completely created digitally, right?

D. Mauro (38:41.102)
Right.

D. Mauro (38:47.95)
Right. Right.

Matthew Rosenquist (38:53.436)
we have trained ourselves to go, yeah, I don't trust that. I know that's really not what that person looks like, right? The same thing will happen with deep fakes. So, but it's a matter of our own behavioral changes, right? You guys remember the day, right? When people thought, hey, if it's on the internet, it must be true. Nowadays you're like, it's on the internet. It's probably false, absolutely false.

D. Mauro (38:59.822)
So we have to verify it through an independent channel. Right. Yep.

Mark Mosher (39:14.475)
It's gotta be true

D. Mauro (39:15.054)
Well, yeah, I mean, Abe Lincoln said that.

Right. Yeah.

Mark Mosher (39:19.979)
Hahaha

Matthew Rosenquist (39:23.26)
But it's a mentality change that will actually save us. That is the natural evolution of the individual to not be victimized. But we have to go through that learning process. So we're gonna suffer for a little while.

D. Mauro (39:31.726)
Absolutely.

D. Mauro (39:35.502)
That's excellent. Yep. Makes absolute perfect sense. You mentioned in our prep session that there were some upcoming regulations and some in the UK on licensing and question whether the US will follow. Do you recall that conversation or do you remember? Yeah.

Mark Mosher (39:37.995)
Yep.

Matthew Rosenquist (39:57.212)
So there's some AI regulations that Europe has created. And, and again, the EU is, has been kind of at the forefront for a lot of these different things, whether it be competitiveness in the digital space, whether it be privacy, right? GDPR, GDPR, several iterations of that. The United States always says, hey, we have an interest in it. But it's been very difficult to get

D. Mauro (40:03.534)
Right.

D. Mauro (40:15.182)
Yeah, I think it's cultural. I think it's cultural.

Matthew Rosenquist (40:24.764)
all the states united or a federal umbrella to say this is, these are the guardrails. Even today, we do not have a single privacy, federal privacy law. There are 52 different privacy laws, 52 or 54. Every state has a different one and then even some of the outlying territories have their own. So there's no unified set of rules.

D. Mauro (40:31.182)
Right.

Mark Mosher (40:31.435)
Yeah.

D. Mauro (40:36.686)
No, we don't.

D. Mauro (40:45.262)
Mm-hmm.

Matthew Rosenquist (40:50.588)
We've already seen the White House come out and say, hey, you know, here's some guidelines. We want to have some rules, but nothing has been overarching or put into law or hard regulations yet. We hope that it'll get there, but EU has definitely taken the plunge much early. They've created some very advanced, thorough regulations around AI, which is good.

just as thorough as the privacy stuff that they've worked on and they got it out there faster. It took a while for them to get from the, you know, EU 94, 95 directives to actually GDPR. On the AI side, they moved much, much faster. So hopefully the US will also move faster.

D. Mauro (41:28.686)
Hmm.

Mark Mosher (41:32.395)
Mm-hmm.

D. Mauro (41:35.598)
Is that because, I mean, I was just talking to a CISO who's actually from the Midwest, from Wisconsin, but he's been based in the UK for the last 25 years. And he said, it is fundamentally different here. I've lived in both countries for years and he's like, it's fundamentally different. People are serious over here about their personal privacy. Like they believe their online privacy is a fundamental human right. My, yeah. And he, he, he shared a story where his sister

Matthew Rosenquist (41:38.973)
Mm-hmm.

Matthew Rosenquist (42:01.116)
Yes, absolutely.

D. Mauro (42:05.582)
went to a ball game and to get a bat, like a giveaway bat, they had to take a swab of her DNA so that she could, you know, sign up for like Ancestry or some genealogy company. And she was like all about it. She's like, give me that bat. Like only Americans, only Americans view. Like I'm going to give you my body and my whole family history if I can get that bat. Right. Like, like, what are we doing? We're like,

Mark Mosher (42:14.667)
What?

Matthew Rosenquist (42:17.468)
What?

Mark Mosher (42:18.475)
Yeah.

Mark Mosher (42:22.763)
I'm sorry.

Matthew Rosenquist (42:25.852)
Yes.

Matthew Rosenquist (42:29.564)
Mm-hmm.

Mark Mosher (42:29.771)
If I can get a free bat.

D. Mauro (42:35.47)
you know, curating our lives, showing our like background of our houses and our kids and our families on social media and stuff. And they just are much more careful. It is a culture. That's what I was asked. That's I wanted to ask. Really is. Yeah.

Matthew Rosenquist (42:46.524)
It's a culture thing, it really is. In fact, you know, within EU, privacy is a basic human right. In the United States, that is not in our constitution. It is not in our amendments. Individual states have now come out and actually put privacy in their state constitution. California was one of the first that said, hey, privacy is a constitutional right for California citizens.

D. Mauro (42:56.398)
No, it's not. Yep.

D. Mauro (43:06.894)
Remember that it's interesting

Matthew Rosenquist (43:11.772)
But we don't have that. And I honestly, I think we have done a very poor job in training each other and our children, the next generation, how important privacy is. Now in Europe, it goes back to World War II to some horrific things that happened. But we've seen very similar things happen in Arab Spring, for example, where a lack of privacy in social media

D. Mauro (43:29.166)
Well, that's exactly right. That's what. Yep.

Mark Mosher (43:31.627)
Mmm.

D. Mauro (43:37.326)
Mm-hmm.

Matthew Rosenquist (43:41.34)
allowed oppressive governments to literally identify people going in the streets and peacefully protesting, right, for human rights or for freedoms or whatnot, peacefully protesting, but they were able to identify them and people started disappearing at nights, right? You know, government teams would come in, black teams would come in and come, you know, not.

Mark Mosher (44:01.291)
Yeah.

Matthew Rosenquist (44:08.796)
Wrong terminology, but secretive police teams would come in the middle of the night and kick open the door and take people never to be seen again. And again, you've got to press the governments that did that.

D. Mauro (44:12.654)
Great.

D. Mauro (44:18.606)
I wonder if it's because we haven't experienced something like that in modern memory here. We've been very fortunate. 9-11 notwithstanding, we haven't had attacks like that where the government turns on you and starts coming in your house based on your religion or whatever. And you're like, well, I wish I had my personal views private. Well, you've been showing them on TikTok for three years. So, right? I mean,

Matthew Rosenquist (44:22.684)
Right? We've been fortunate! We've been fortunate about that.

Mark Mosher (44:25.483)
Yeah.

Matthew Rosenquist (44:31.708)
Yes.

Mark Mosher (44:42.539)
Yeah.

Matthew Rosenquist (44:44.476)
Right, right.

D. Mauro (44:48.174)
And hopefully something like that doesn't have to happen ever for us to turn the tide on that. Yeah.

Matthew Rosenquist (44:52.508)
Hopefully.

Matthew Rosenquist (44:56.444)
The more we share, you know, and in our country now, there's a lot in regards to political views, no matter what side or, you know, you are on the spectrum. There are fringe groups out there going, well, if I know that you are different than what I believe, I can now target you. I can put you on a list. I can track. I can look up your information and I can do some horrible things, not only to embarrass you, but financially crush you and impact you and...

D. Mauro (45:03.47)
Right.

Mark Mosher (45:04.715)
Mm-hmm.

Mark Mosher (45:13.835)
Yeah.

D. Mauro (45:13.838)
Right.

D. Mauro (45:22.51)
But maybe to write or to sway a vote, right? Yep. Yep.

Matthew Rosenquist (45:25.404)
I can send SWAT teams to your house and have them kick in your door. So yeah, you know, and it can get worse than that, by the way, guys. If I start messing with your medical records, let's change their blood type. And the next time you go to the emergency room, you're gonna have a really, you already started a bad day if you're in the emergency room, but I guarantee you it's gonna be much, much worse.

Mark Mosher (45:27.595)
Yeah, yeah.

D. Mauro (45:40.942)
Mm-hmm.

Mark Mosher (45:41.323)
wow.

Mark Mosher (45:48.555)
Right.

D. Mauro (45:48.942)
Right.

D. Mauro (45:52.782)
Right. Unbelievable.

Matthew Rosenquist (45:55.164)
So yeah, it can get dark. I don't mean to get too dark, but yeah. This is what I think about all day long, yeah.

D. Mauro (45:58.606)
No, man, I'm telling you, you always. Yeah, I know. But you you have got some of the best insight I have seen, man. It is just outstanding. So you are famous for a lot of things, but you are famous for making your predictions. And a lot of vendors when they make their predictions, I'm like, I predict people will buy more product from us. OK, that's great, man. Way to go.

Mark Mosher (46:06.251)
Yeah, yeah.

Matthew Rosenquist (46:21.82)
Hey, bad things will happen. That's my prediction.

Mark Mosher (46:22.507)
Yeah.

D. Mauro (46:24.814)
Yeah, bad things will happen by this box, right? I'm like, OK. But here you had, you know, for for 2024, for the year that we're in right now and we're at the end of June, smack dab in the middle of the year. You had top 10 cybersecurity predictions that you made at the end of 2023. Nation state attack dominance, critical infrastructure targets, supply chain hacking methods will increase.

Mark Mosher (46:25.963)
Yeah.

D. Mauro (46:54.638)
More vulnerabilities and exploits and heavily used business products. Generative AI becomes a double-edged sword. Yeah, you're recent. Did you use AI to write this? No, I was kidding. New cyber regulations force operational changes. Greater visibility of cybersecurity will create fear but drive better ownership. I want to ask you about that.

Matthew Rosenquist (47:00.764)
That sounds like I really know what I'm talking about. Ooh, I like this list.

Mark Mosher (47:04.523)
You

Matthew Rosenquist (47:06.46)
Hahaha!

Mark Mosher (47:19.211)
I like that one.

Matthew Rosenquist (47:19.612)
Mm-hmm.

D. Mauro (47:20.11)
Yeah, rising expectations of trust will crush weak cybersecurity strategies. Love that one. Resource constraints mutate from fears to nightmares. Absolutely. And cybersecurity responsibilities increase in scope and push organizations to adapt. How are those predictions doing so far this year?

Matthew Rosenquist (47:25.5)
Yeah.

Matthew Rosenquist (47:41.724)
Well, I'm biased. You can't ask me. Right. Mark, what do you think? Does it sound like nation states are attacking or critical infrastructures are going down? You know, is healthcare being targeted? Is finances, you know, if you wanted to buy a car today in the Midwest, are you going to be able to do that?

Mark Mosher (47:43.691)
What's your record for the year, Matthew?

D. Mauro (47:43.982)
But I gotta ask you.

D. Mauro (47:55.374)
Cybercrime is down. Yeah. Cybercrime is down. Healthcare critical infrastructure aren't being touched. AI is just a fad. Like what a... It's just a fad. Yeah, nobody's using that.

Mark Mosher (48:01.451)
You

Matthew Rosenquist (48:07.292)
Eh, fad. It's a fad. Nobody's using that.

Mark Mosher (48:13.419)
It's gonna go the way of the Velcro wallet, right?

D. Mauro (48:15.406)
Yeah, exactly.

Matthew Rosenquist (48:16.06)
I had one of those. I hated it, but I had one.

Mark Mosher (48:19.019)
I've still got one. I still carry one.

D. Mauro (48:19.054)
I did too. Sad. Sad. It was, do you keep it by your pet rock, Mark? Is that where it is? You paid 10 bucks for a rock painted.

Mark Mosher (48:25.611)
Yeah.

Matthew Rosenquist (48:25.916)
Yeah. You're going to have to explain that to some of your audience. What? A pet rock? What? Yes.

Mark Mosher (48:29.547)
I know, now, that may take a whole episode.

D. Mauro (48:32.91)
Yeah.

We're appealing to the 60 and older crowd at this point because Pet Rocks were the bomb, man. So, I mean, all of those are spot on, man. Like every single one that you said is happening. So let me get some, as we're winding down, let me get some, read some tea leaves for us.

Mark Mosher (48:39.851)
shit.

Matthew Rosenquist (48:44.604)
They were, they were.

D. Mauro (49:05.038)
about the next six months, year and a half. Any, what do you think is going to, I mean, we have an election year coming up, so a lot of misinformation I anticipate will happen, right? But, where do you think things are going? Are there any new waves coming? What do you foresee?

Matthew Rosenquist (49:27.356)
Well, you know, a lot of everything that I talked about before is going to continue to progress. It's none of those things are just gonna level off. Okay, we kind of have it under control, right? It's going to get more problematic, right? So all those different trends are gonna happen. We are seeing nation states, not only right now we're witnessing the result of a huge amount of investment.

D. Mauro (49:31.47)
Mm. Yeah.

Matthew Rosenquist (49:55.132)
and for some of them, some slight reorganization. As we see international events potentially take a turn, so for example, China, one of the big four aggressive nation states, predominantly their cyber attacks have been to harvest information, intellectual property, secrets, military designs, industrial designs, right? A huge amount of effort around economic espionage.

D. Mauro (50:08.43)
Mm-hmm.

Matthew Rosenquist (50:23.58)
which is just a fancy word for state-sponsored industrial espionage. If there were a war in the South China Sea between, let's say, the reunification of Taiwan, we would probably see a major shift from simply trying to...

D. Mauro (50:24.014)
Mm-hmm.

D. Mauro (50:40.462)
Mm-hmm.

Matthew Rosenquist (50:46.044)
obtain intellectual property, competitive information, things of that sort, to build their economy up and companies within their country to something more destructive, to something to more impactful into our critical infrastructures. They would want to dissuade and to have material impact on any potential support, whether it be militarily, economically, industry,

Mark Mosher (50:58.639)
Yeah.

D. Mauro (51:14.862)
Supply chain.

Matthew Rosenquist (51:15.516)
or even just via, you know, the social media and, you know, collaborating with other countries around the world in unified voices, they're going to want to use cyber to disrupt that. So cyber attacks become a tool. Right now, it's a tool for economic growth and everything else. If other actions happen, it's going to be in support of whatever their national initiatives are. We're going to see stuff like that.

Mark Mosher (51:43.051)
Yeah, yeah, that makes sense.

Matthew Rosenquist (51:45.66)
if that comes to fruition. We're gonna see again the rise of AI and let's keep in mind, right? AI is a massive umbrella. Within AI, you have machine learning, which is one little branch of it. Within machine learning, you have deep learning. And within deep learning, you have LLMs and things like generative AI, right? And so we're seeing this tiny little sliver of what

D. Mauro (51:54.478)
Of course.

Right.

Matthew Rosenquist (52:15.356)
eventually will be massive and other branches of AI are gaining speed momentum. So we will see eventually more of those come into play, probably not in the next six months, but as we roll out more and more and more over time over the next many years, we'll see that. And then other disruptive technologies like quantum computing will also just throw a wrench into the system. Monkey wrench bananas, bring it all, right?

D. Mauro (52:27.086)
Right.

D. Mauro (52:36.302)
That's exactly what I wanted to ask you about.

Mark Mosher (52:36.331)
Yeah. Yeah.

D. Mauro (52:43.31)
Right. Because, and for those that don't, that aren't necessarily technical, what we're talking about is the way we protect a lot of data is through encryption. We hear that phrase, right? It's coded in a way. There's a wrapper around it, for lack of a better phrase. Quantum breaks that wrapper. It cuts it wide open. Some of those wrappers.

Matthew Rosenquist (53:05.212)
some of those wrappers, right? It undermines a lot of the asymmetric keys, not the symmetric keys, but the asymmetric ones. Yes, yes. I don't wanna create too much fear, right? Let's keep it within realism here.

D. Mauro (53:13.614)
Mm-hmm.

Mark Mosher (53:19.467)
Hehehe

D. Mauro (53:19.949)
No, no, because there's already, there's already ways. Yeah. And as soon as that happens, there will be another way of securing it. Like, it's just that that needs to be right.

Matthew Rosenquist (53:29.212)
Yes, in fact, NIST has already approved four primary replacements for a lot of the asymmetric keys that are susceptible to quantum attacks. There are already a number of what they call quantum resistant algorithms. And just like their name, they resist quantum attacks. Okay, great. Just like our current algorithms, you know, resist the current types of computing attacks. No algorithm is bulletproof, by the way. Eventually, no matter how strong it is, it can be broken.

D. Mauro (53:43.982)
Mm-hmm.

D. Mauro (53:53.23)
Yep. Right.

Mark Mosher (53:57.291)
Right. Yeah.

Matthew Rosenquist (53:59.036)
but encryption is about keeping it secure for a period of time. So NIST already has four primary and I think two backups, if I remember right. So it's a matter of transitioning, but that's a lot of infrastructure, right? If you remember year 2000, everybody was panicked. We have to change all this COBOL programming and everything else. It's gonna kind of be like that. If people don't start shifting now to the new algorithms, it'll be, we have to do everything at once.

Mark Mosher (54:10.763)
Yeah.

D. Mauro (54:10.766)
Yes.

Mark Mosher (54:16.171)
Yeah.

D. Mauro (54:22.414)
Right.

Matthew Rosenquist (54:24.444)
because once you have the quantum computers that have the necessary qubits to do those calculations using things like Shor's algorithm, guess what? Yeah, I can crack passwords. I can crack encryption. I can read all those messages. And by the way, I have been storing all of those messages in encrypted formats just for the day when I get the quantum computer. Again, we've got nation states out there, including our own.

D. Mauro (54:29.838)
There'll be a lot of damage done in the short term. There'll be a lot of damage done in the short term. Yeah. Right.

Mark Mosher (54:32.683)
Mm-hmm.

D. Mauro (54:47.47)
Right.

Think of that. I didn't even think about that. Think of all of the data that's been taken that is online on the dark web or sitting on servers.

Mark Mosher (54:52.235)
Yeah, I see what you're saying. Yeah. Yeah. Yes.

Matthew Rosenquist (54:54.748)
Let's store that.

Matthew Rosenquist (55:00.828)
Yup, I'm now gonna decrypt it and see what you've been talking about and everything else. It's massive, massive. And this has been going on for years. Yeah, and some people ask, right? When you get nation state attackers, China or something else, going in to steal intellectual property, they'll ask, why did they steal all this encrypted data? They can't decrypt it. My answer is,

Mark Mosher (55:02.507)
Wow.

Mark Mosher (55:09.867)
Wow, that is huge. Wow.

D. Mauro (55:10.382)
Yeah.

D. Mauro (55:16.206)
Holy cow.

Mark Mosher (55:28.555)
Not yet.

Matthew Rosenquist (55:29.756)
They can't decrypt it yet! They're like, you mean they will? Yep. Yep.

Mark Mosher (55:31.915)
Not yet.

D. Mauro (55:32.11)
Mm-hmm.

Mark Mosher (55:35.243)
Yeah. Yes.

D. Mauro (55:39.79)
Unbelievable. Unbelievable. Well, Matthew Rosenquist.

Mark Mosher (55:40.267)
Bro, man.

Matthew Rosenquist (55:43.676)
Well, food for thought for you. Hopefully I made your afternoon a little bit rosier.

Mark Mosher (55:45.355)
Yeah, yeah, no, that was that is a great cliffhanger.

D. Mauro (55:49.326)
Yet. No, I mean, thank you so much for your time today. Like this was just a remarkable view and insight from everything that you've seen. Like it's just it's it's you're you're really solidified a lot of our beliefs and you open our eyes to a lot of things. It was really fantastic. What's what's on the horizon for you? Do you have public speaking engagements? I know you do a lot of everything.

Matthew Rosenquist (56:16.06)
Yeah, I've got keynotes coming up. I know I'm in, where the heck? I was in Helsinki, I was in Paris. I think I've done three trips to Austin. I've got another trip to Austin that's coming up, but I'm all over the place. I mean, you can always go out to my website and see online and in-person speaking engagements. So yeah, I'm around.

D. Mauro (56:33.742)
Absolutely. We'll have a link to that. We'll link to that in the show notes for sure. And we encourage everybody to check out Matthew Rosenquist follow.

Mark Mosher (56:36.939)
In the show notes.

Mark Mosher (56:41.739)
Absolutely, yeah.

Matthew Rosenquist (56:42.748)
Follow me on LinkedIn too, because I'll post it out there. And if you like hearing my blitherings about cybersecurity, you know, I can flood your feed. So follow me on LinkedIn.

D. Mauro (56:48.654)
Yeah.

Hey, I will tell you, you have mastered what we've been trying to do in this podcast the whole time. And that is just to translate it, right? Is really just to break down, especially all the news, because when we sit with business leaders, they're like, I hear about this breach. So what does that mean? Right? Like, they're like, what does that mean for me? And like, well, because this breach happened like this, what are you doing for that? Like, do you have a vulnerability there? And they're like, well, yeah.

Mark Mosher (56:52.203)
There we go.

D. Mauro (57:20.142)
And I'm like, what are you doing for it? Have you prepared? And usually the answer is no. And so, you know, that's where the education comes in. That's where we're all on the same side, just trying to protect. So. Yeah.

Mark Mosher (57:29.515)
Yeah. Yep.

Matthew Rosenquist (57:30.652)
And that's what I do a lot of side work as, you know, I'm a fractional CISO and sort of on demand, and I've got several, you know, clients that keep me on retainer. So when they do have a question, right, and whether it's their CISO or their board or their C-suite, they can pick up the phone or they can schedule a meeting and go, hey, explain what we just saw on the news. What should we be doing? Or we're doing this. Is this enough? Is this not enough? What are we?

D. Mauro (57:41.23)
Yeah.

Mark Mosher (57:50.251)
Yeah.

D. Mauro (57:50.318)
Right, that's exactly right.

Matthew Rosenquist (57:56.668)
Right. And it, in many times it helps getting an expert in from the outside that may know more, right. It may have other feelers out there that can kind of fill in some of the blanks and give some recommendations and sometimes raise red flags and go, whoa, whoa, whoa, you misinterpreted that. There's, you know, there's, you're going to have a problem.

D. Mauro (58:01.87)
Absolutely.

D. Mauro (58:13.71)
Yeah, I'm a firm believer in organizations realizing that they know what they know and they don't know what they don't know and to rely on resources like yourself that see a lot of different things that cross different industries, right? I think that so often certain organizations just stay within a very niche hole and they don't see what's going on around them.

Mark Mosher (58:14.667)
Yeah.

Mark Mosher (58:38.187)
Yeah.

D. Mauro (58:42.382)
Raising that awareness. It is.

Matthew Rosenquist (58:42.556)
Security is a teamwork sport, right? It requires a vast diversity and that's how we're stronger is leveraging everybody out there because we do wanna help. We do, you know, it's all of us against the bad guys, really is.

Mark Mosher (58:44.843)
Yeah, yeah, absolutely.

D. Mauro (58:50.702)
Right.

Mark Mosher (58:50.923)
Yep.

D. Mauro (58:57.102)
Right. And again, you know, we have to be right every time. They only have to be right once. So, well, thank you so much, Matthew Rosenquist. Thank you, sir. Great discussion. Thank you. And we will see everybody on the next one.

Mark Mosher (59:00.779)
They only have to be right once.

Mark Mosher (59:05.259)
Yeah, good stuff. That was good.

Matthew Rosenquist (59:09.756)
You got it.

Origin Story
Understanding Zero-Day Vulnerabilities
Nation-State Attacks and the Value of Zero-Day Exploits
The Threat of Supply Chain Attacks
Investing in Cybersecurity in the Age of Zero-Day Exploits
The Role of Security Leadership
Measuring Cybersecurity Risk
The Need for Unified Regulations
The Importance of Privacy Education
Impact of Quantum Computing on Encryption
Cybersecurity Predictions for the Future