Cyber Crime Junkies

Unmasking Invisible Threats: Quantifying Cyber Security

August 11, 2024 Cyber Crime Junkies-David Mauro Season 5 Episode 21

Rob Black, a security educator and Fractional CISO, joins us to discuss the best ways for quantifying cyber security and why it is crucial for small and medium-sized business owners. 

David Mauro interviews Rob Black, the founder of Fractional CISO, about his journey in the cybersecurity industry and the challenges faced by medium-sized businesses. They discuss the importance of translating cybersecurity into business terms, the need for internal communication and making the case to leadership, and the role of AI in cybersecurity. 

They also touch on the impact of cyber attacks on reputation and the struggles faced by SMBs in implementing effective cybersecurity measures. Overall, the conversation provides insights into the current state of the cybersecurity industry and the challenges faced by businesses of all sizes. The conversation focuses on the importance of endpoint security for small and medium-sized businesses (SMBs) in the context of remote work. 

It also discusses the need for risk quantification in cybersecurity and the challenges faced by SMBs in implementing cybersecurity controls. The conversation concludes with a discussion on the future of Fractional CISO and the use of AI in cybersecurity.


Quantifying Cyber Security


Topics: quantifying cyber security, how to quantify cybersecurity, measuring cybersecurity risk, how to improve your cybersecurity, best ways for quantifying cybersecurity, risk quantification, cybersecurity controls, Fractional CISO, how to measure cybersecurity risk, cyber security measurements, how business measures cyber risk

Chapters

· 02:12 Translating Cybersecurity into Business Terms
· 09:52 Starting a Business and Perceived Risk
· 19:01 The Role of AI in Cybersecurity
· 24:42 The Impact of Cyber Attacks on Reputation
· 29:01 Challenges Faced by Medium-Sized Businesses in Cybersecurity
· 31:29 Endpoint Security for SMBs in Remote Work
· 39:40 The Need for Risk Quantification in Cybersecurity
· 52:49 Challenges Faced by SMBs in Implementing Cybersecurity Controls
· 58:14 The Future of Fractional CISO and the Use of AI in Cybersecurity


Dino Mauro: [00:00:00] Come join us as we dive deeper behind the scenes of security and cybercrime today. Interviewing top technology leaders from around the world and sharing true cybercrime stories to raise awareness. From the creators of Vigilance, the newest global technology newsletter translating cyber news into business language we all understand.

So please help us keep this going by subscribing for free to our YouTube channel and downloading our podcast episodes on Apple and Spotify so we can continue to bring you more of what matters. This is Cyber Crime Junkies and now the show.

All right. Well, welcome everybody to Cyber Crime Junkies. I am your host, [00:01:00] David Mauro. I'm flying solo today. The Mark Mosher, my counterpart is under the weather today, it looks like TMJ or something with his jaw, so we can't have him babbling and being in pain, that's not good.

I'm really excited about this discussion today. So, you know, Oftentimes, we talk about, you know, that internal communication and making the case, not only translating the complicated aspects of cybersecurity into business terms, but also the, the internal business case and making that case to leadership, stakeholders, whatever it might be.

If it's a larger organization, clearly a board, investor groups, et cetera, but, even in that SMB space, there's a lot of decisions being made. And there's a lot of internal business cases that that we really struggle with in the cybersecurity industry to make. And somebody that I came across with that I've been following for a while, who's just brilliant in the field.

And I encourage everybody to [00:02:00] follow him on LinkedIn is Rob Black. Rob, sir, welcome to the podcast. Dean, great to be here. Thanks for calling me Dean. I like it. There'll be more on that later, ladies and gentlemen. 

So, I invited Rob, since he's my friend, to always call me by my friend name. So that's good, man. So, so tell us a little bit about yourself. Tell us about your current role. I mean, you're, you have this company. It's like fractional CISO, right? Walk us through it. What was the inception? What was the inspiration to do it?

Sure. So, so going back to the, the starting point, I was working for the man, six, seven years ago and helping companies with their cybersecurity programs and thought every company is going to need this. Why don't I go out on my own? And this is going to be awesome. So I went out on my own in June of 2017, thumbing my fingers on the desk, hoping for business to come.

Waiting for that phone to ring. I've done [00:03:00] that before, man. That's why I'm working for the man. It's okay. So, I actually was working the phones, meeting with people, having lunch, coffee, sending emails. And then by the end of 2017, you know, it wasn't necessarily paying the bills, but got two clients.

So that was good. My wife has been super supportive and, you know, we kind of made a financial plan and like it was, this was not, it wasn't like too much of a surprise. So we timed everything and anyway. And that's the key. No, but that's so important.

Cause we've interviewed a lot of entrepreneurs and they really talk about. This is not a decision that could ever be made in a silo right? This is not something we just explain that we're gonna do over dinner As the, as the male in the family, like kids, guess what? You're not going to private school You're not doing this, you do that.

Dad's gonna go start a thing. So let's, there's no vacations for the next three It's ramen noodles for everyone Back [00:04:00] to college days, kids. We are back to college days so yeah, so she was super supportive and believed in me probably more than I did. 

So, you know, and also I would say just for anyone who's thinking about starting a business, my risk profile, I, I perceive it to be different than a lot of other folks. So, you know, if you're thinking about going out on your own, just think about what you're. perceived risk. Well, because really, and I've done that in the past, but you, you have to balance two things.

One is the long term goals, right? Like I know I can get this one or two type profile clients eventually, but then the short term goals are what kill you, right? As it went when you're first starting up, every month you've got a nut to hit of some kind, right? And, and no one's, no one's giving you that paycheck every other week.

So yeah, so you. And, and, yeah, I mean, the other pieces is just be prepared beforehand. 

Your business plan, your website, all those things can be designed and planned for and thought through. You can talk to [00:05:00] a bunch of people beforehand, see, does your idea resonate? So there's, there's really, you know, so anyway, so I would say definitely start before you quit your job.

And so the name of the company is Fractional CISO? Fractional CISO. It's because I have a total lack of imagination. I was like, you literally called yourself like plumber. Like we are like plumber. Like you drive by, it says haircut. Like that's us, man. You need that?

That's us. Right. Well, so, so also just think back though to 2017 and beforehand. It wasn't so much of a thing as it is now. So, you know, when I was doing sales pitches, 2016, 2017. 2018. People didn't get the concept. I actually, honestly, I'm a big branding guy. I've studied brands. I do a lot of market research, and I gotta say, I actually, I love it.

Like, I think it was actually at the time you launched it. It's actually very creative, believe it or not. Like [00:06:00] it, it, look, Got Milk. Got Milk was super creative. They don't even talk about the product, right? Like, they talk about the absence of the product, but it gets to the, that moment in time when you need it, right?

And so, the Fractional CISO, it gets to the moment in time that people need it. The name is really good. Yeah, so, I mean, so it's definitely worked out well for us. I mean, obviously in search it's good if someone's searching for fractional CISO to come up. We, we have way less explaining to do in the sales process.

If somebody calls in a fractional CISO, they're not like, do you do plumbing? What do you do? Like, no, you know what we do. It's in the name. It's baked right in. You, you got it. So, that went really well. And then, it was actually 13 months later, I hired my first employee.

I had a part time admin beforehand. I hate, I know that that's a big, that's a big step. Yeah, well, the part time admin, that's the easy one because it's not a huge commitment and you agree to a number of hours. [00:07:00] Hiring a full time employee, though, is a big step. So we got a space, had an employee, payroll, you know, the whole nine yards.

 We'll have a link right to Fractional CISO. And we do encourage everybody to check it out, because in my opinion, and the opinion of all the listeners, and it is something that every organization needs because they all know they like everybody we talk to in every industry, no matter what vertical they have "security" or "cybersecurity concerns" and they don't know what to do next.

They don't know that roadmap, right? Like they don't, they don't know if what they're doing is enough. Is it not enough? Like, will they be breached? You know, if they get breached, what does it mean to them? Like there's, there's so many open questions that, SMBs and even enterprise organizations have that we speak to, right?

It's, really interesting. On the SMB side, the, you know, the thing to me is, are you doing enough? The, the criteria to [00:08:00] really think through is someone thinking about security at least every week? Is someone meeting, let's say weekly? Is someone Talking to the executive team about it monthly or quarterly.

And if the answer is no, Which it, almost, it's often no, that's the issue, right? Yes. Before we, before we kind of, before we get into an organization, often the answer is no. It's, we do sometimes take over a security program, most of the time we're starting it from ground zero. And it's, it's concerning because like, oh, we think we're doing a good job, but like, it's It's, you know, some technical person's part time job thinking about a couple of things and you know, depending on how much bandwidth they're allocating and how much they're thinking about it can make a huge difference in the organization.

Well, Rob, what, what inspired you to get into cybersecurity originally? Yup. So always loved computers and technical stuff. I mean, when I was 10 years old, my parents got [00:09:00] me a computer and it was just the best thing and I became the director of IT and the Black family as we all are right for the for the family and and then you know, always wanted to do some sort of technical thing.

You know, I didn't know exactly what it was. Got a computer science degree, worked as a developer, other technical roles. , and then went to business school, and then, was in the telecom space, maybe not the high growth space that it should be, and said, you know, I want to switch industries. Opportunity presented itself, and I got a job with RSA Security.

I mean, I've always been interested in security, I'm kind of ultra paranoid, which is, not always a good thing, but maybe if you're in security it's a good thing. We like to call it vigilance. We have, our newsletter is called Vigilance, it is what we call it, because I've been searching for a word that succinctly says it and it's like be politely paranoid like just [00:10:00] like trust But verify and I'm like I'm trying to use all these acronyms and platitudes I'm like vigilance like just do that thing and you'll be okay.

It's so yeah I mean, I think I think my family might appreciate it if I was less. Yeah, I know because I'm the same way And that's why we're on this technology that yeah, right the technology that we don't use in our houses Pretty stark to, I would say, most households, so. That's amazing. So, you know, we often get the question, people, You know, we've got three types of listeners to this podcast or viewers to, to our videos and it's, you know, either somebody is interested in following a certain leader, right?

A certain global leader, FBI people, former hackers, whatever, they've got these cult followings and we'd love to hear their stories. Like somebody like you, right? Love to hear the story. Then we also have the people that want to break into cybersecurity. Like they're, they're in a position, they're really passionate about it, they don't [00:11:00] know how to transition.

And from any industry, that's, any industry going into another, that's always a a scary jumping off point and cyber security is very confusing for a lot of where to start like, Oh, I didn't go to college for it. So what do I do? I have a business degree. It's like, that doesn't matter. Like you can still do it.

There's certain paths. , like what was one of the first things you did? Did you get a certification? I know now you have them, but did you, did you get a certification off the bat? What did you do? No. So in 2007, the landscape was Super different. So, I mean, this doesn't necessarily, I actually do have a valid point, I think, for the folks that are transitioning, but, it wasn't necessarily valid.

RSA security was just hiring for talent, not necessarily for cybersecurity knowledge, probably for certain roles they were. And so I just got a job as a product manager and, and so, and then, you know, that [00:12:00] kind of moved my path forward on the, On the security journey, and then I was there for almost five years and learned a ton of stuff while I was there.

That's a great segue, isn't it? Because you can go work for somebody that's in the cyber security space, in your similar role, in a business role, in a managerial role, in an operations role, marketing role, etc. And by being there, just through the ecosystem, you will learn so much. And then you can kind of evolve and decide where do I want to be?

Do I want to be in red teaming, blue teaming, management, sales, operations? There's, there's so many things like if you're, if you think you're going to go from selling you know, widgets or certain products or medical devices into selling cybersecurity services or things like it's, it doesn't work like that, right?

Like you have to really be invested in the, in the [00:13:00] ecosystem of cyber security. Is that a fair statement? For sure. And, you know, just as a data point, a majority of the marketing people, sales people, operations people that I know that were there, you know, maybe not manufacturing, cause we, we made a physical product, but the rest of the folks, a majority of them are still in cyber security and so, and, and they've moved on, we had a RSA reunion a couple months ago.

Almost everyone I chatted with was still in security or retired. I mean, it's, yeah. So, so, you know, in general, I would say if you're looking to make a transition, work for a big security company and take whatever role, you know, leverage your skillset to, to get a role there and then make a lateral move, do something to learn more about security.

You know, most of the time you're just going to learn a ton about security just by being there. Absolutely. Absolutely. And it's exciting. And I don't mean you couldn't come from like medical sales or something like that into cybersecurity. I just mean what you should [00:14:00] probably do is just is get into the organization, whatever skill set you have, get into the field, and then you'll learn so much in the field, like just by being involved in it, you'll understand it.

I just think it's a wonderful industry. There's that greater calling, right? There's that calling to kind of serve and protect. You see a lot of people from the military, law enforcement, a lot of teachers have actually segued into it. , a lot of teachers actually have segued. That have met over to the FBI and then gotten into private sector.

It's kind of interesting. Some of the, the trajectories that we've seen. The, you know, so what's, what's interesting to me on, on the example you gave on the selling in a medical space, I would say if that was your skill set, if you're good at medical sales, find a security company or just a company that has security products selling in the same space.

And, you know, you just need to learn the product. You, you know, you already know the [00:15:00] space. So, yeah, I mean, I, and, you know, in general, I would say work for a big security company if you're trying to make that transition. The smaller the company, probably the more specialized skills you're going to need. But, you know, who knows, maybe if you're in customer support and they need a customer support person, you know, maybe that's a great place to learn.

Absolutely. Well, before we segue into the main topic that I want to ask you about, and that's QUANTIFYING CYBERSECURITY in the industry because you've given several speeches on it and I'm absolutely enthralled by it. We've had a lot of questions from people about it but before that, let me ask you what is your take on the, on the industry right now?

I mean, I see so many startups, you know, everybody's got AI in their name now, right? It's like a badge of honor. But they all, like, some of the bold claims that I'm seeing from some of them are, are, like, frustrating some of the CISOs that we know. Right? Like, they're, they have one layer and they do a really good job.

Like, it's a really, it's a helpful [00:16:00] layer, let's say, that, that the offering is. But it's not, it doesn't mean social engineering is resolved. , what's your take on that? So evidently they're using different AI technology than is available to me, because every output, not every output, almost every output requires human tweaking afterward.

So, you know, to me, the current LLMs Are a tool like a calculator is so if you're doing a complex math problem, you take out the calculator, you, you know, probably Excel or whatever, but you know, the point is you use the computer to solve the math problem and then you use that output to whatever you're trying to do this for an LLM.

It's the same sort of thing. If you're processing a whole bunch of data, you haven't processed the data, but then you say, okay, now the human that was doing this before, where would it take in three hours? It now takes a half an hour. Because it's pre processed, they can say, Oh, that doesn't look right, you check [00:17:00] this thing, and then use it in conjunction with the human.

Now, it's possible that there are some things that don't require the human tweaking. I have not seen it. We've been playing, I would say, pretty extensively with a lot of different, AI tools. And, you know, we're looking to actually use it as part of our services, but the quality is just not there today.

And, you know, we're, we're not going to put our name behind it. So, these other companies, you know, unless if they're doing a lot of, engineering around it, or if it's a very skill problem, hard to believe that it's gonna be working. Yeah, it still needs, I mean, we, we use AI almost every day in some facet, but it always needs human intervention, human tweaking, but the processing, like I've just found it.

It can be useful. Very. It's a good analogy. The calculator is a good analogy. Like I could get the pencil out and start doing all the calculations, or I could literally just use the calculator. And that part. We'll take fat, we'll be done faster. And that component [00:18:00] of it, we're kind of doing the same thing with AI, but you can't go use AI for, you know, like it's good for, for me anyway, I found it's good for iterating.

Like, it's good for like, I've got an idea, give me some topics. What, what is the, what, what is all like, when you think about what it can pull from, like. What, what, what are some of the top things or the top trends? And then from there you can go out and go, Oh, okay. That's a good idea. Let me dig down deeper.

But then you still have to put your own human interface. The best use case I've found is writing a job description. You give it like this much text, it will generate a job description. That's 80 percent of the way there. Then you tweak it. So many folks, when they're trying to create a job description, it's like impossible, it's like a blank piece of paper.

I don't know. Whatever the role is, say the role, some qualifications, put it in there, tweak it, and, you have a job description. Yeah, because it can pull from millions of samples and they give you some of the trends and some of the best practices. Absolutely. [00:19:00] Yeah. Yeah, the other one, the other one we've liked is writing up procedures.

So oftentimes you might have some notes about a procedure. Put those notes in, give it a general direction, it gives you the procedure, then you tweak it some more. You know, things like that where you know what the output's supposed to look like. I think are the best uses of an LLM. The case where you're, I don't know, we've had some bad hallucinations that have really scared me off.

I've seen, I've seen a bunch. Yeah, yeah, and it's, it's, some of them were like, kind of the key point, which is, you know, and it's like, I, you know, in my prompt we expressly said, This is important, and, anyway. So, anyway, we'll, we'll Hopefully we'll, we'll make it more useful, but I would say in 2023, that's probably not the case, but who knows by the end of 2024, maybe things will be way better.

So in your role with Fractional CISO, are you, working with a certain segment of client? Is it in the [00:20:00] SMB space? Is it a particular industry? Anything? Yeah, what we say is we work with medium sized clients. So medium for us is maybe 40 employees to 400 employees. That's exactly the space to work. Yeah, that's exactly it's really not when you say SMB then people are like, well, I have a five person company.

Can you go? I'm like, no, that's the S of SMB. We would have said micro if we meant that, right? We're we might be a micro, but we're serving, you know that medium space Yeah, because that and to me that's that's the bulk of the employers in the United States At least like most people tend to work for a lot of companies companies It's a lot of companies, you know, if you think about any sort of, let's just imagine a hundred person company.

 You go into your insurance broker and they have a hundred people. They're not gonna hire a CISO full time. No, they can't. And that would be right. There's there's no way. But yet, but they need [00:21:00] it. But they need it. They have, they, they, they have the same needs in, in some respects as, as larger companies.

Right. The, the attacks are coming to them. You know, they're vulnerable, their customer data is vulnerable, their finances are vulnerable. So, we focus on the mid part, and, and our, and I would say majority of our customers are SaaS companies, Software as a Service, but I would say in general, the, the drivers really, I would say, technology use cases, so, you know, so for instance, if you were a ball bearings manufacturer, unlikely that, you know, you'd be our customer, but if you were If you're building some technical product, then maybe you might be a customer of ours.

And, you know, it's basically has to do with the midsize company selling a large enterprise. The large enterprise says, Hey, your security program is not good enough. That's exactly right. So, what is that BA like is that business associates agreement, right? Like that, that contract that you have, right.

To, , because of the risk of third party [00:22:00] liability, when we think of, you know, back in the day before data breaches were in the news every day I always think of Target, right? Like when Target was breached, it was such big news, everybody was so surprised and they were bashing Target. And I'm like, Target was, I mean, there was a couple things there.

With how maybe they configured their FireEye at the time, but really it came in from the HVAC vendor. Right? And it really exposed that, that need to actually start asking your vendors. Right? All about what is your cyber security posture and to have those requirements that you need By any vendor that wants to bid on your work The other thing is is the PCI folks could have been doing a better job as well So, I mean if you remember back, I mean, this is 10 years ago.

No chips on the card, you know, just you know, basically You know, you're swiping the card with and that data is not being protected Well, and whenever we think of that [00:23:00] too, we always get some pushback and they're like, well, you know everybody keeps talking about, you know, a devastating cyber attack is going to destroy your reputation, but Americans still shop at Target, even post breach, right?

And it's like, but like, well, first of all, what are you, what's your, what do you, how do you reply to that? I'm, I'm interested in your Sure. So, so I think you want to think about reputation in two ways. So Target is a consumer brand that people shop at. Reputation. They're not a reputation vendor, right?

You go to Target because you want to buy back to school stuff for your kids, right? Or, you know, whatever the thing is. A reputation kind of attack might be, you know, if you think about, like A law firm. A big fo a law yeah, a law firm, but like, let's say a big fo yeah, a big for for accounting. You know, one of those big McKinsey, one of those big consulting companies.

And so, you know, that would be a re you know, a large financial institution. Those would be reputational type attacks. So, you know, for Target or Home [00:24:00] Depot, you're probably not going to have that reputational, long term reputational damage because it's not your core, your core thing is, Oh, we're great at cybersecurity.

Your core thing is we're great at delivering cheap t shirts that your kid can wear. The, the other side though on Target, so if you look at their SEC filings, they had, that attack was 300 million. It was a 300, 000, 000 cost to them. You know, fortunately for them, they had cyber insurance. Of course, their cyber insurance only covered 90, 000, 000.

Right. So they wrote a check, essentially, for 210, 000, 000. Now if you're Target, that works out totally fine. But I'm guessing a majority of the folks that are listening on this podcast, that would not be totally fine for your business. I mean, probably you're not quite as big, so it's not going to be the same sort of thing.

But, you know, that attack can be devastating in the sense that it could totally put People outta business if something like that happened. Yeah. And, and, and that [00:25:00] go, you just brought up a really good point, and that is when we've talked to SMBs and we've talked to some owners that have been through massive ransomware attacks, and they talk about the emotionals, the, the, the emotional fallout from it that they didn't anticipate.

They thought it was going to be technical in nature or financial or PR only. And it's like, they didn't realize they had to go like that. They're, I mean, their entire, their, their family life is tied to their small business, their midsize business, like all of their five year plan. All of a sudden they saw evaporate, like all of these things.

If they can't restore in time, they have to, they lose the trust of their customers and Target can lose thousands of. Customers, like just people that are purchasing those t shirts and things, and still be fine. Midsize businesses can't lose hundreds of clients. Right? Like, they can't. Because then, then [00:26:00] that's a bigger percentage of their overall revenue.

So it's a huge challenge that the industry has. Well, what do you For sure. So, so how do you address it? 

What, what are you seeing small businesses struggle with what are some of the biggest challenges you're seeing them embrace?

Do, do they not recognize the cyber security threats necessarily? Well, the ones that hire us, you know, certainly they, yeah, because there are, they wouldn't, they're spending money. So, I mean, for sure, you know, they're recognizing the threats, but, you know, let's just say our starting point with a lot of them.

Your starting point is very basic. You know, sometimes I'm doing education even on, you know, end point, you know, antivirus, EDR you know, you know, maybe less so now, but a lot of Mac companies specifically, they've had an aversion to antivirus on their Macs, which You know, to me you know, that, that doesn't seem, that doesn't seem great.

You know, a lot of these companies, they may have [00:27:00] contractors or even employees that are using their personal computer for doing work stuff. And, you know, even if they allow you to put corporate controls on their personal computer, which probably is not going to happen. Second thing is, is, you know, when they leave the company, all of their documents are on their personal computer and their teenager has access to it.

You know, it's like. You know, all those things are, you know, so, so, so a lot of the advanced selling of tools is like all the sophisticated stuff and we're like down here on sometimes super basic, right? So there, then, you know, there's education piece you know, there's monitoring piece. You know, it's very rare for any of our customers when they start with us.

I mean, some of our customers are pretty sophisticated to start, but let's say 80 percent of them don't have any sort of monitoring in place when, you know, once they, when they sign with us. And, you know, not to say that we're not going to get them there, but that's also not happening on day two because of all these other fundamental things that need to, [00:28:00] need to happen.

So, now, these are the customers that are hiring us for cybersecurity. Just imagine the ones that aren't seeing cybersecurity as an important thing to spend money on. You know, you can only imagine where they are and why, when one of these attacks happens, it's totally devastating for their business and might end it.

The effect of the pandemic and the influx of work from home, what is your feedback on how that affected the medium business space in cybersecurity? Yeah. Well, certainly the endpoint became even more and more important. So protecting your corporate network has become less important for this size company.

A lot of them don't necessarily even have one or it's, you know, basically, let's say a printer and their laptops. And now the attacks are now all of a sudden, yeah. Now all of a sudden everyone's home network and they're all secured by that crack Xfinity firewall that they gave you. Right. [00:29:00] So, which is why you want to make that endpoint as hard as possible.

You know, so you want to have MDM and the EDR on it. You want to make sure that, you know, encryption is turned on. You want to make sure that it's patched, you know, all those things. Like, that laptop is the edge of your network. Not only does it house the data, your customer data and whatever access to your systems, but it's also at the very edge of your network or outside of your network, really.

So you want to really harden those laptops as best as possible. And, you know, that one, I would say most customers are receptive up to a point you know, but then at some point it becomes like, okay, what's the return on investment on, on doing this activity. And it's definitely harder to, to convince folks there because you know, because they started from such a low baseline and now it's like, wait, but like, look how much we've improved.

So you know, that's definitely a big change from everyone, or a lot [00:30:00] of people working from home. The, you know, the other bits with everything remote, I think, just changed philosophically on the importance of the network. So now I would say folks have rotated maybe even too much on, it's just our, you know, just our corporate network.

It's just like a coffee shop and you're like, well, but you have like your cameras for your office. Well, sure. I have the cameras for the office building. You have your printers. Yeah. I mean, I have that. Well, how about that server closet over there? Well, you know, we have a couple servers in there and then like, you know, right.

And then all of a sudden, like maybe it is a teeny bit more important than you let on. Right. That's exactly right. Yeah. It's, and it's in, in, there's a struggle oftentimes for them to have a good asset inventory, to actually know what all is actually on their network. You've got bring your own device.

You've got people using personal devices all over the place. So you know, one thing I wanted to ask you about, it's been in the news recently, and I'm just curious to get your take on [00:31:00] what do you think that trend will be.

We saw one of the ransomware cybercrime gangs, ALPHV/BlackCat, and now, granted, this is in the enterprise space now, but I don't foresee it always, and that is they not only launched ransomware, encrypted the data, made a ransom, threatened to publish the data, did the second, third layer of extortion, but then they went and they actually filed an SEC complaint against the victim for not reporting the data breach in time.

And that's big. That's a bold brass move. And I'm curious what your thoughts are on what impact will that have on the SMB space? I mean, if they're, if they're in a regulated industry to some degree. If they are, I'm, I'm curious if tactics like that would, if, if you think we might start seeing that.[00:32:00]

So, you know, so a couple of things specifically, so public, so the SEC part, there's, there's some private equity piece. And then for the most part, it's, it's publicly traded and they have a different rule for, I can't remember what they call small companies, but basically under a hundred million publicly traded, slightly different rules.

So the date actually, even for this attack, the date of implementation is December 18th, 2023. So, when they filed, it was actually in advance of that date. Now maybe they're just trying to get in the press first. So that way, you know, people are going to be terrified of them. For the, for the under $100 million, the date is six months later, so that's middle of 2024.

So I do think, you know, there is a little bit more time to react if you're a publicly traded small company. Good point. I, yeah, I, how about this? Okay, great, now you have an extra six months. I would, how about this, I would be, in general, do everything I can to prevent from getting a ransomware, because never mind the [00:33:00] SEC.

I mean, think about your customers, your employees, your, your owners, your, all your constituents. I mean, it's going to be devastating most likely if it's material, and then on the SEC front, I mean, it's, it's, you know, potentially going to make something that's catastrophic even more catastrophic.

Now the, the whole material bit, you know, for some of these larger companies, you know, is a ransom, let's say a segmented ransomware, is that material? I don't know. Right. And, and is the data that critical, you know, if you're GE and have tens of billions of dollars, and this is like one business unit.

I mean, do you care? I don't know. So I guess we will find out. I mean, certainly it's one more thing to think about. And definitely you want to make sure that you're reporting things appropriately and bringing in the CFO and the finance team in addition to all the other folks you're already bringing in for any one of these.

Well, and it's always one of those things about at [00:34:00] what point does that breach reach reporting land, whatever your regulation, whatever your regulated industry is? I mean, there are a lot of people in the healthcare space that were concerned and that are concerned. You know, will these ransomware gangs, will these cyber criminal gangs now start filing HHS notifications against us?

Right? Like if, you know, like, are they, are they going to reach out to, you know, and, and, and claim HIPAA violations or something like that, knowing that they're the, that they are the actual cause of it themselves. Sure. So. Yeah. Yeah. I mean, the, I mean, the reality is that the HHS may find out any, you know, may find out independent of whether they file something.

And, you know, the healthcare industry in particular has been, I would say, very poor at worrying about cyber hygiene and, and protecting their environment and their patient data and all those sorts of things.[00:35:00] You know, the, the irony to me though is in healthcare specifically, is the focus is on the data and not on life safety.

I mean, what happens when, what happens when your, you know, your machine used for surgery goes down? Oh, we've seen it. We've been tracking that because we do a lot in the healthcare space and there are three known deaths that have been caused by ransomware directly. And there's several, many more that are just incidental, but there's a lot of, there's current ongoing attacks right now over in Texas and Oklahoma where emergency services, people have to be steered away.

And, you know, when every minute counts, that's, that's really potentially catastrophic for sure, you know, right? Yeah. I mean, undoubtedly, I would imagine there's order of magnitude more deaths due to cyber attacks that, that is the data where the data is not clear, or it was a key. I would agree. So now let's segue into the most important part of, of our [00:36:00] discussion, because more important than life and death is how, when... So, let's tee this up in the sense, what is the struggle that the cyber security industry has had overall in communicating via metrics to stakeholders, to business owners in the medium space, owners in, in the, in the small space and then boards, et cetera.

In the, in the larger space. Well, I mean, why doesn't this work? Hey, CEO, we have a high problem. We need a million dollars to solve it. And how come the CEO didn't just write me a check? That's what we hear all the time. And yet you're like, did they under, did you educate them? Did you speak in their language, right?

Or did you throw a bunch of, like, SIEM reports at them or something, right? Like they're not gonna, it's not gonna matter to them. [00:37:00] The, the concept of low, medium and high, if it's not defined, is really bad. I mean, and if you think about like any other department, you know, the sales department is going to say, Hey, we're going to miss our sales target by 10 million if you don't invest in a new XYZ system or hire five more salespeople.

Right? And, and so there's a dollar and then there's a, you know, business ask. In fact, you know, the finance team is going to say, Hey, if we don't you know, if we don't upgrade these things, we're going to fail our SEC reporting requirements. And that's going to cost us a two million dollar fine, right? So there's, there's metrics in every other department.

HR is going to say, Hey, if we don't, you know, spend money on, on X, we're not going to hit our recruitment goals. And, and you know, then your business plan is not going to be met. Right. So every department can have a metric and yet in cybersecurity, we say, Oh, this is a high risk, high, medium. I mean, why, why do we, why do [00:38:00] we expect better results?

So what I've been, what we do with our clients and what I encourage others in the industry is to adopt risk quantification. And people are very scared because like, well, it's not accurate. What, you know, what if I'm not right? And the point is you just have to beat the term medium, right? You don't have to be right.

You just have to be directionally correct. Well, and let's be honest, sales is not right on their forecast anyway, right? Well, but they still have an estimate. They have a plan and an estimate. But every sales organization is off to some degree in their forecasting, but they're still forecasting because they still need to know that for sure.

And then, you know, so why can't we say, instead of a medium risk, say there's a 10 percent chance of a million dollar loss if we don't do this, and then, you know, someone's gonna say, well, it's not gonna be a million dollar loss. It's going to be a half a million dollar loss or a $2 million loss. You know, that's the right kind of discussion to have.

Right. [00:39:00] So, so now you're in a business discussion instead of, Oh, it's medium. And so now you're talking about, it's not 10%, it's 15%, it's five. Cool. Like, you know, you don't have to be right. You just have to bring this up so you can have a discussion. Why do you think it's 10%? Well, I looked at the peers in our industry and of the 30 of them, three of them have had this problem and they had similar controls to us.

Cool. That seems like a reasonable estimate. You know, or, you know, look in the news, we see, you know, we saw this happening like three times in the past month, you know, our controls are no better than theirs. Why, you know, why isn't, you know, maybe it should be a 20 percent chance. But the point is, is that without using business language, you should not expect better results from business people.

Because you cannot expect the CEO to understand all the nuances of, you know, look at, you know, look at all these high CVEs. Well, you know, the CEO is going to say, well, what, what's the bad business outcome? I don't know. You know, you [00:40:00] need to say, this system has all of our customer data. It has X million records.

And, you know, if we're going to be, you know, we could be fined, bad reputation, all these things. We estimate this system's worth 10 million, right? And the CEO says, Oh yeah, I see. Yeah, we should probably invest a quarter of a million dollars to help protect that better. That makes perfect sense. And then if they don't do it, you've still won because you gave a mature risk discussion and now you have, you know, an action and you understand the risk tolerance of senior management.

So it's, it's a win either way. Now, some of the, you know, that, that may be a frustrating win, but at least, at least you got an answer. I also see it almost as an affirmative defense, open communication as affirmative defense, should there be an event, right? Should, should, should there be a breach?

You can be like, I kind of explained this and that's why we needed this, these other security layers in place. Right? For sure. Here are my board slides. [00:41:00] I said this could happen. I mean, not that that does you any good, but it does do you more good than why were we breached?

Oh, we like, we didn't tell you, you should have invested more to, to, to, to do something. So, so. That bears an obvious question, and that is, how does an organization quantify risk? Like, what are some samples? Walk us through something. It's, yeah, it's, by the way, it is not easy. So, you know, if anyone thinks, oh, this, you know, I'm just going to switch over.

It's not easy. I mean, there's a whole system of rating CVEs with, you know, a numeric score that may or may not correlate to risk. There's the whole concept of high, medium, low. You look at what NIST puts out. I mean, there's a whole infrastructure around this. So, you know, thinking you're going to just make a change like that is unrealistic, but here's some tools.

So the first is How to Measure Anything in Cybersecurity Risk. It's a book [00:42:00] by Doug Hubbard and Richard Seiersen, and it is excellent at explaining the business case. And then also walking you through how you do it. Who is the book by? It's by Doug Hubbard and Richard Seiersen. Richard Seiersen is a multi-time CISO.

Doug Hubbard is like the guy in quantification. And I guess, you know, like a lot of actuaries listen to him. He's just, you know, super yeah. So, and, and what the point of the book, and it has a lot of details on how to do it, but the point of the book is, All you have to do is be better than medium.

You know, as long as you can, you can beat medium, you're winning because you're switching a, you know, let's say a magical discussion to a, to a business discussion, right? You're, you're, you're switching an ill-defined term to a well-defined term. And by the way, if your organization says we have to, you know, we're required to use high, medium, low, et cetera.

Cool. How about this? [00:43:00] Define what low means. Low means below 1%, you know, it's a probability below 1%. Medium means, you know, above 1%, below 10%. High means, you know, whatever. Critical means some other percentage. And, and you get to define and you say, here's my definition for these terms. And so, you know, even if you're forced to use that, you can define it and that's still going to put you in a better business discussion.

Same thing for dollars. You know, you're a very large multinational corporation, right? A high might be over a billion dollars, but if you're a medium sized company, high might be half a million dollars. So, so that's a great book. The other book, and the book is by Jack Freund and Jack Jones.

And it is the FAIR book. But the book name, the book's name itself eludes me at the moment. But it's also a great book. The, the FAIR methodology is a, I would say, more rigorous methodology than How to [00:44:00] Measure Anything in Cybersecurity Risk. But with the more rigor comes more difficulty in implementation.

So How to Measure Anything in Cybersecurity Risk, you can literally start with an Excel spreadsheet and doing Monte Carlo simulations. But with FAIR, you need a fairly big model. So, you know, if you're a large enterprise, I think FAIR might make perfect sense. But if you're a mid sized company, the learnings from the book, I think, are very good.

We actually take some of the elements of FAIR and use it in our methodology. But adopting the whole thing, I think, would be very difficult for most medium sized companies. Right. The benefits to a mid sized, medium business are what, by having this quantified? Yeah, so, so let's just imagine you have a punch list of ten things that need to be fixed.

From top to bottom. Okay. And so number one is turn on multi-factor and number two, you know, [00:45:00] you know, some other control, there may be more rigorous cybersecurity training is number two, but when you do risk quantification, you're going to tie, those are the controls. So it's kind of backwards, but you're going to try to tie the vulnerability or the issue, too.

So whatever your first issue is, you know, let's say it's, you know, uncontrolled access to, you know, some important system, it's going to say, okay, the expected loss on this is $400,000. And then the second one, which would also be high, your expected loss is going to be $150,000. And the third one, your expected loss is going to be $50,000.

Well, if you saw, I'm just imagining, let's say, let's imagine high is $50,000 and above. So you have three highs on your list. Okay. But number one is worth nine times the value of number three. So your decision making process is going to be very different when you see that. You're like, wow, I can reduce almost half a million dollars of risk by, oh, I said $400,000, so eight times.[00:46:00]

I, I'm going to, I can reduce $400,000 in, in risk by just fixing this first item or just, just mitigating this first item. So it's going to really force a much bigger discipline. It's also going to allow for, okay, we need to invest in this new system. This new system is, you know, a few thousand dollars.

Cool. You know, whatever. That's fine. This new system is going to be $50,000. Well, what's my return on investment? Now, if it's an expected loss of half a million dollars, okay. Yeah. You know, you know, that makes sense. If it's an expected loss of a hundred thousand dollars, you know, maybe that doesn't make sense.

Right. So, you know, so maybe, you know, that's not the way to mitigate. Maybe we mitigate some other way. But you know, it's going to allow for you to make way more mature business decisions. And, and the point is, as long as you're directionally correct, you know, this is not like, you're not doing high finance here.

You're not reporting these numbers to your auditor. What you're doing is using these numbers to give you a direction [00:47:00] and point you in the right way and allow you to make more mature business decisions. So, you know, from that perspective, you don't need the rigor on the finance side that you would need if you were, you know, if you were actually calculating your revenue or your profit.

That's really good. So they can make better decisions just like they can when they're making investment decisions pertaining to future sales revenue, right? Like, I mean, yeah, they might miss the forecast, but we knew generally what we were going to look like in a certain quarter or fiscal year, right?

Yeah, and then it also is a good opener for discussion, right? Because yeah, like you pointed out, they might say, well, no, it's not going to be a $500,000 loss on average, based on our size organization. You can search. Now there's a lot of data points of what they paid out from these in, from similar incidents.

And then you can be like, okay, maybe it's a $200,000 or $150,000 [00:48:00] loss. Okay. Well, but now you're having that discussion, right? And, and you're actually bringing those things, bubbling them to the top. It's much better than just inaction, because not having those discussions, that inaction is a decision, right? Not having the conversation is a decision.

They are making a decision on their risk appetite, aren't they? They are, for sure. And yeah, it's, it's, it's really illuminating because you can have a mature discussion with business folks that don't have a cybersecurity background. Well, and that's the whole key. That's what's needed, right? Is to translate the technical jargon into what is the business impact?

Is there an ROI generally for this initiative that you're driving? And, and the answer, you know, and, and sometimes you might find, you know, I was pushing for this tool, but it turns out the business case actually isn't [00:49:00] there. So probably better that we spend our time elsewhere, because this might've been a flop and probably would have been, probably would not have reflected well on me if I'd pushed for it and then it didn't work out.

Right. Exactly. Yeah. That's, that's, that's really good. What are some of the controls that you're seeing medium... Before we wrap up, and I want to ask you about what you have on the horizon for you and your organization, but what are some of the controls that you're seeing small, mid sized businesses struggle with the most?

Is it ongoing user training? Is it implementing MFA? Is it having 24/7 eyes on glass for visibility? What is it? Or are you seeing any trends? Is it just all over the place? Yeah, I mean, I think, I think, I think the, the, the biggest common theme isn't so much a control. It's the time the organization has to spend on cybersecurity.

So, you know, we can all agree. So, you know, we're typically meeting with our clients on a weekly [00:50:00] basis. We talk to them, the owner of something says, yeah, I'm going to do this. You know, this is important. I got to close off, you know, every, every person in the company has access to this thing. I got to shut it down.

So it's only five people next week. Okay. So did you do it? Oh, you know, I, it's got too busy. Did it and, and so, you know, a lot of the controls for medium sized business are kind of, I would say more diligence. And the problem is, is that they're being pulled in many directions. There's a lot of business needs and to think that you're going to be able to clearly get all those things done, especially if it's not your primary job is very difficult.

So that's, that's to me is the, the bandwidth piece is probably the biggest struggle, because most of the controls that we have our clients put in place are not technically challenging controls. Like turning on MFA just is not that challenging. Yeah, there's user impact. Maybe you do SSO, so there's like, you know, one system where you log in in the [00:51:00] morning with, you know, two factors and then you're fine for the rest of the day. You know, with, you know, a lot of the other things, it might be a one time thing. The training, so you take some training.

No big deal. You know, you push some things out to people's laptops, cool. It's there, now it's doing the monitoring or whatever it is. Like those things aren't usually the big challenge. The big challenge is the day-to-day stuff. The, am I doing a, an internal audit periodically and looking like who has access to all these things?

Am I checking to make sure that when that employee left the organization, they were actually off boarded? Am I actually looking at, oh, we got an alert in the alerting system. Cool. Oh, we're doing monitoring. Well, except no one's looking at the alerts. So, you know, so it's the bandwidth type things that are the biggest challenge.

Now in that case, we probably would recommend they use a SOC or an MSSP to do the 24 by 7 monitoring, but that's not the case with all our [00:52:00] clients. Some of them just, you know, haven't signed up for that yet or haven't been convinced that they need it. So you know, it's those types of things that I think are probably most mid sized companies' biggest challenges.

Well, the first one is, do you have executive sponsorship? Yeah. And all our clients do, or they wouldn't be with us. So once you have executive sponsorship, then all of a sudden, even if they don't know anything about security, they're like, you're in charge of security, figure it out, and then things start happening.

So executive sponsorship is probably one. Again, not our clients. That would be, you know, folks probably that are not signing up for cybersecurity solutions. But then the second is, what kind of bandwidth is allocated? So, it's in the execution of, of the recommendations that are being made. Yeah. Right.

Right. Because it's easy to find security stuff to fix. Well, and one of the things that people struggle with is the difference between kind of regular IT support or operations and cyber security. Because they kind of think, well, it's all technology. It's plugged into the wall. [00:53:00] There's computers involved.

It's basically all the same and, and like they might have monitoring or they might have a smaller MSP doing monitoring of the servers, right, or the infrastructure, but they're monitoring for, like, whether it's online or offline, whether there's disk space, right? They're not monitoring whether a threat actor is inside moving laterally, right?

That's where the SIEM/MDR type thing comes in, where, where then you have somebody actually looking for and doing threat hunting. Do you, do you see having to kind of explain that to, especially in that SMB space?

I think the answer is it depends. You know, a lot of times when folks are coming to us, it's very basic stuff that we're fixing for the first 18 months. So like, where do we do, yeah, where, where do we go after month 18? That's something we're trying to figure [00:54:00] out what, you know, what is going to give our clients the biggest bang for their buck because, you know, there's not infinite dollars obviously to spend.

You know, and, and you know, how do you get them to the next level of maturity without breaking the bank or breaking the time? Yeah, that's a good point. So that's excellent. So tell us, we can go, I can talk to you for hours, so I apologize. As we're coming up to the, to the end here, share with everybody, what's, what's on the horizon for you, for the Fractional CISO organization?

Yeah. So well, I would say more of the same in some respects. So we're, we're helping midsize technology companies solve their cybersecurity leadership problems. You know, we are one, we're, we only do one thing and that's virtual CISO work. Like, you know, all the other things we leave to our customers, existing partners or new partners that we might help bring in.

But, you know, it's, we really just do one thing. We're going to continue to do the one [00:55:00] thing. The, you know, the thing that we are actively exploring is how to use AI to better serve our customers. So we'll do a lot of, we, we create a lot of content on behalf of our customers. And if we could even create more and better and faster, that would be good.

Now to date, our experimentation has been, yeah, the results have not been there. So, you know, for instance, we will do vendor write-ups for our customers. But you know, the challenge is, can you explain what that is? Like, what do you mean by vendor write-ups? Yeah. Yeah. So, so, you know, from a vendor management perspective, our clients might be looking to, to sign with a new vendor or they have an existing vendor, but they just want to evaluate their security.

And so we'll look at security documentation and then do an evaluation. Say, Hey, you know, this looks good, or, oh, okay, yeah, you might wanna ask for X, or, yeah. So, so we've given some of the LLMs the vendor documentation, and the write-ups seem to, you [00:56:00] know, 90 percent of it's right. And 10 percent of it is, oh, so wrong.

Like totally made up. It, it hallucinates and then you're like, right. So, so if we can, yeah, so if we can use it to better serve our customers, maybe now, you know, instead of, yeah, we can give you a bunch of vendors, we can give you two times, you know, as many or whatever, or there'll be faster, you know, so we can imagine a better.

But right now, you know, that's a challenge. So we're doing a lot of experimentation with different models. We're, we're actually, we're using AWS Bedrock. So that's AWS's AI tool and you can use different models. So you could use Meta's Llama. You could use Claude, that's Anthropic's Claude. And there's a bunch of different models that you can use.

So we're kind of experimenting to see how that works. And the nice part is just like with other AWS functions, AWS is not looking at your data. And that data is not sent back to the model providers. Right. So that sounded like a [00:57:00] pitch of AWS but I mean, that's what we're experimenting with to see if that works well.

Interesting. Yep. Do you have any public speaking coming out? Not that I know of. I'm actually not the best person to ask about. Ah, okay. Yeah, I, I don't, I don't have, I don't have anything in the next week or two for sure. Right. And probably not for the rest of the year, but, so we had, we had a pretty busy November speaking circuit.

There was one conference, the Boston Cybersecurity Summit that I was at. And we with one of one, another VC. So we did a presentation at the beginning. It was, it was awesome. There was like 600 plus people around and it was really cool. We actually were talking about quantitative cyber risks.

That was really fun. I'm talking to the board. You know, probably the answer is yes, but not that, not that I know of right now. That's fantastic. Well, we will have links to Fractional CISO and to your LinkedIn so people can follow you when you are doing it, you put out some fantastic content. So we wish you all the [00:58:00] best.

This will definitely not be our last conversation, my friend. So we thank you so much for your time and thanks everybody for listening.

Well that wraps this up. Thanks for joining everybody. Hope you got value out of digging deeper behind the scenes of security and cybercrime today. Please don't forget to help keep this going by subscribing free to our YouTube channel at Cyber Crime Junkies Podcast and download and enjoy all of our past episodes on Apple and Spotify Podcasts so we can continue to bring you more of what matters.

This is Cyber Crime Junkies and we thank you for joining us.
