Cyber Crime Junkies

Why We Must Measure Cyber Risk. CEO Interview.

Cyber Crime Junkies. Host David Mauro. Season 5 Episode 55

David Mauro and Ryan Leirvik (CEO of Neuvik) discuss why we must measure cyber risk, effective ways to protect a business from cybercrime, and how businesses measure cyber risk.

The discussion also highlights why businesses need an incident response plan today and the impact of social engineering.


Get peace of mind. Get competitive. Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com

Imagine setting yourself apart from the competition because your organization is always secure, always available, and always ahead of the curve. That’s NetGain Technologies – your total one source for cybersecurity, IT support, and technology planning.


A word from our Sponsor-Kiteworks. Accelerate your CMMC 2.0 compliance and address federal zero-trust requirements with Kiteworks' universal, secure file sharing platform made for every organization, and helpful to defense contractors.

Visit kiteworks.com to get started. 



Why We Must Measure Cyber Risk

Takeaways

  • Generative AI has significantly impacted cybersecurity discussions.
  • Understanding vulnerabilities is crucial for effective risk management.
  • Trust but verify is a key principle in cybersecurity.
  • Organizations often lack awareness of their cybersecurity risks.
  • Compliance does not equate to security.
  • Demonstrating deepfake technology can raise awareness of risks.
  • The dual nature of AI presents both benefits and challenges.
  • Data privacy legislation varies significantly across cultures.
  • Incident response plans are often underdeveloped in organizations.
  • Asset management is essential for effective cybersecurity strategies.

Chapters

  • 00:00 Introduction to Cybersecurity and AI
  • 02:48 Understanding Neuvik and Its Services
  • 05:46 The Importance of Risk Management in Cybersecurity
  • 08:56 The Role of Compliance and Security Standards
  • 11:50 Demonstrating Deepfake Technology in Cybersecurity
  • 14:38 The Impact of AI on Cybersecurity Threats
  • 17:37 Data Privacy and the Value of Personal Information
  • 20:44 The Challenges of Data Management and Security
  • 23:38 Cultural Differences in Data Privacy
  • 26:45 The Need for Incident Response Plans
  • 29:35 The Future of Cybersecurity and Business Growth


Topics: Benefits For Having Security Assessments Done, Best Cybersecurity Practices For Business, Best Practices To Limit Cyber Liability, Best Security Practices For Small Business, Effective Ways To Protect Business From Cyber Crime, Effective Ways To Protect Business From Cybercrime, Exposed Secrets Of Cyber Crime Gangs, How AI Will Affect Cyber Security, How Business Measures Cyber Risk, How Emerging Tech Helps Cyber Security, How Hackers Help Business, How Penetration Tests Help Business, Risky Cyber Business, Why Businesses Need MFA, Why Businesses Need To Assess Their Cyber Security, Why We Must Do Penetration Tests, Why We Must Measure Cyber Risk


D. Mauro (00:00.29)
That's big news. Hey, welcome everybody to Cybercrime Junkies. I am your host, David Mauro, and in the studio today is returning guest and cybersecurity expert Ryan Leirvik with Neuvik. Ryan, welcome back, sir.

Ryan Leirvik (00:17.689)
Thank you, David. Great to be here.

D. Mauro (00:19.956)
I always enjoy talking to you. I think the last time, you, you're a graduate of Purdue, you went to Purdue, I'm here in Indianapolis. I'm a reborn or born-again Hoosier. And tell us what is new and what is the latest. I think since the last time we spoke, generative AI has made a massive splash. I mean, it was around when we first

Ryan Leirvik (00:47.928)
It has.

D. Mauro (00:49.94)
spoke, like it was around, but it didn't take up the social media feeds like it does now, because, like, everybody, everybody everywhere has, like, AI infused into it. You know, like, we make the chains that connect the pens that are attached to the desk, and there's AI infused. And I'm like, how in the world is there AI involved in that chain? But anyway,

Ryan Leirvik (00:50.968)
Mm-hmm.

Ryan Leirvik (01:19.129)
Yeah. It's like my refrigerator has AI enabled. Wonderful. But the beauty of this is that it's kind of taken a little bit of attention away from, like, the hype of cybersecurity for a while. So there is a silver lining in a way, you know, even though it's

D. Mauro (01:19.274)
I digress. So welcome, sir.

D. Mauro (01:25.975)
Yes, exactly.

D. Mauro (01:34.764)
Yeah, that's true. Yeah, because if we didn't have vendors saying, if you buy this box, you would be totally secure, if we didn't have that in the world, then it wouldn't be a regular day in cybersecurity.

Ryan Leirvik (01:50.613)
Exactly. Now we have buy this box and it comes with its own AI. What? Wonderful. That's right. It'll know to be secure before you even think about security.

D. Mauro (01:54.277)
Now it has AI, so it'll keep you secure even better.

D. Mauro (02:01.528)
They'll know what's coming even before the bad guys know what's coming. So walk us through, for people that may not realize, walk us through what is Neuvik, and who are the clients and services that you guys serve and provide to those clients?

Ryan Leirvik (02:24.155)
Great. Yeah. So for those listening, Neuvik is a cybersecurity services company. So pure-play services. So we put people on keyboard doing red teaming, pen testing, risk. We always tie it up with risk management, which means what did we find and why does that matter to you, right? To prioritize your efforts. Yeah.

D. Mauro (02:44.054)
Yeah, which is fantastic. So I mean, you guys actually employ ethical hackers that are certified and background-checked and everything else. They get to commit felonies, like, against a company because it's allowed. Right. I'm teasing about the felony part because, I mean, otherwise, if they weren't engaged, it could be, right? Like, they are going to break in and then show the companies their vulnerabilities and then see where that sits in their risk management

Ryan Leirvik (02:52.729)
You

D. Mauro (03:14.464)
maturity assessment essentially.

Ryan Leirvik (03:16.109)
That's exactly right. In fact, we think of it like this. The vulnerabilities exist, right? They're there. The question is, how long have they been there? Right? So you can either have a developer that mitigates it in development, which is the right spot, right? That's why we've spent a lot of time in training on the software development life cycle. But a lot of times those miss the manual and other types of testing, you know, static code testing, before push to production.

D. Mauro (03:21.858)
Mm

D. Mauro (03:32.161)
Mm-hmm.

Ryan Leirvik (03:43.737)
Then it gets into your customer environment. And in there you have integration testing, deployment testing, just to make sure that vulnerabilities can create there. Then they get pushed to actual production and in use. And you have kind of two options at that point, right? One is you're either going to find the vulnerability internally. Hopefully, that'd be great. Or a customer is going to tell you about it. Or you'll get it at, you know, some sort of pen test or red team. I mean, that's where we come in, right? Or the FBI is going to call you, or you'll find it on the dark net.

D. Mauro (03:46.006)
Right.

Ryan Leirvik (04:13.471)
Right? So we try to catch it before, right? That's right. So.

D. Mauro (04:14.252)
Right, yeah.

before all of that happens. Well, yeah, and when you think about it, some of the, especially when you get into the code in the production stage before it winds up in a customer environment, that is so critical, because we've seen massive supply chain issues in the last couple of years. I always think of the MOVEit breach, right? And how that just caught fire, right? And then you had the Clop

Ryan Leirvik (04:29.583)
Mm

D. Mauro (04:45.942)
ransomware gang, not even worrying about ransomware, just living off the land and just exploiting that vulnerability everywhere that tool was installed. Really damaging.

Ryan Leirvik (04:56.147)
Yeah, these deep supply chain, third-party risks. It's kind of third party. I conflate third-party risk and supply chain. They're different physically, but they're all in the same boat because, yeah, they're not internal. But the issue is we rely on software in this case to do what we intended it to do. But there's this trust-but-verify model that

D. Mauro (05:07.584)
Yeah, they're very similar.

Ryan Leirvik (05:23.587)
you know, we believe in, which is trust that it works, but verify that there aren't any gaping holes or vulnerabilities in there that you're then pushing out to your customer base, right? That you will rely on without discovering the vulnerabilities in the development stage, be it some library that you borrowed from somewhere else or pieces of code that you put together that are, you know, configured with two or three different sources before you push to production. If you're not testing for it,

D. Mauro (05:31.415)
Right.

Ryan Leirvik (05:53.315)
that vulnerability could be existing for a long time, right? And then it's just a matter of time. And the issue, David, really becomes: the longer that vulnerability exists without catching it, the much more of a hassle and the much more of a cost it is to deal with it, right? So it makes sense to hit it in production, but we...

D. Mauro (06:10.616)
Absolutely. Yeah. But I mean, isn't that true of so many aspects of cybersecurity? Like, people tend to just avoid it, pay the minimum amount of budgetary assessment toward it, and just assume that's not going to happen to them. And then when it happens, it is like 100 times more costly than had they just infused some preventative. I mean, not that

Ryan Leirvik (06:17.505)
Everything. Yeah. Yeah.

D. Mauro (06:40.056)
100% of preventative measures would stop it, right? But we've seen it stop a lot of things, and it at least mitigates it and limits the impact once things happen.

Ryan Leirvik (06:55.819)
Exactly. Yeah, it's, you know, laxness. It is.

D. Mauro (06:58.232)
Because it's really about risk. I mean, I'm still shocked. I'm doing several public speaking events next week and, you know, a lot of it is just, the stats are overwhelming. And so we always approach it educationally and not just with shock and awe, and not just fear, uncertainty and doubt, but like, what can we do about it? But I mean, you know, we all had fire drills as kids, right?

Ryan Leirvik (07:13.373)
Mm

D. Mauro (07:27.458)
That was for a reason, obviously, and yet we build these multimillion-dollar brands and we don't ever practice what would happen if there's a data breach. I don't understand that, right? It's still something that really needs improving.

Ryan Leirvik (07:48.387)
Yeah, it's kind of remarkable, isn't it? Just to tease that out for a minute. Lax security leads to exploitable vulnerabilities, right? Under-budgeting or misappropriated funding leads to lax security. And so, when we don't look at the fundamentals, there's some risk threshold there of, like, how much budget is enough to get to what level of confidence in our systems.

D. Mauro (07:57.836)
Yeah.

Ryan Leirvik (08:14.539)
And every single organization looks at that differently as they should. It's a yeah. Exactly.

D. Mauro (08:17.92)
Of course, because each one has a different risk appetite, right? Or like they all want to do that. But when they do nothing, or they do just the very minimum, I don't know that they're aware that they are flying their plane without landing gear, without parachutes, without enough fuel. Like, I don't think that they're aware of it.

Ryan Leirvik (08:24.793)
Yeah.

Ryan Leirvik (08:42.041)
That may be the issue. And that's where a little bit of demonstration could come in. Because look, most people are running a business, let's just be very general here. Like, most organizations exist for a specific mission. And that mission is to do whatever it is, right? And typically in the US, it's mostly to gain market share or revenue, right? In some way, shape or form. Even nonprofits want market share, right? They want to penetrate the market. So in there is not,

D. Mauro (08:54.37)
Hmm?

D. Mauro (09:03.351)
Mm

Right. Yep.

Ryan Leirvik (09:09.785)
you know, hey, let's do it securely, with all companies. Some companies do, and many companies are focused on security, but not everybody does. So the question really is, this is where the thinking, where I've seen it work, is the thinking gets baked in somewhere: the executive team says, hey, where is the risk? Like, what's going to take us out somewhere that we otherwise wouldn't expect? And do we even know about it? Right? Because you can't expect everybody to know, you can't hardly expect anybody to know everything about IT, much less security.

D. Mauro (09:30.488)
Mm

Yeah.

D. Mauro (09:39.885)
Right.

Ryan Leirvik (09:40.596)
So as an example, for those that don't see it, even if they're in the industry, sometimes it's helpful to give a demonstration just so they understand what's really at risk. Right? Yeah. I mean, we talked about, yeah, go ahead.

D. Mauro (09:51.293)
Yeah. So you mentioned, so I go to banking associations, and part of the reason why a lot of people in security attend banking associations is it's the first vertical of all the verticals, health care, legal, right, schools, etc. But it's the first vertical that is like, you won't get your money from the feds

Ryan Leirvik (09:57.155)
Mm

D. Mauro (10:14.66)
at a good enough rate if you aren't compliant, right? And compliance is not security, but compliance is kind of the evidence that certain security controls were met at a certain period of time. But that industry is really the forefront for America, at least, in embracing more security standards. So we tend to all bump around those associations. So as we were talking about AI and deepfakes,

before we began, in your last session to one of these associations, did you deepfake yourself, or what did you do?

Ryan Leirvik (10:44.366)
Mm

Ryan Leirvik (10:50.569)
This is great. Yeah. So tying these two together, this is where demonstrations really help. So, yeah, the situation was I was invited to go talk to a banking conference on deepfakes, AI and the ability to commit fraud. So sitting back and thinking about it for a minute, I thought, well, you know, in the industry, we talk a lot about this, right? We write policy about it. We think about it, but have we actually seen it? Do we know what the real impact is?

D. Mauro (11:02.327)
Hmm.

Ryan Leirvik (11:20.451)
So we decided, let's do it. And so one of our researchers here at Neuvik, with no background in AI, by the way, curiosity but zero background, we pointed them towards a bank account and said, look, create a deepfake that does these things. One, gets access to the account; two, closes it down; and third, actually three things, and three, sends it,

sends a check to an unregistered address or something they don't have in the profile. Let's see if we can do that using generative AI to create, effectively, a deepfake.

D. Mauro (11:55.55)
Like commercial-grade generative AI. This isn't like NSA-level stuff, right?

Ryan Leirvik (12:00.303)
Wait for this. This is the best part. So we did, and it worked. It took about a minute and a half. We recorded it, and so we played it at the event to say, look, you know, who here has seen an actual deepfake work in real life? Okay, great. Of the large crowd, only a very small fraction, like one to 2% at most, had seen one. So we're like, look, let's change that. Let's show you what this actually does.

D. Mauro (12:05.705)
My God, that's so disturbing.

Ryan Leirvik (12:28.237)
So we did, it was successful: account closed, balance of account sent to another address not on file, right? So, you know, clearly a very easy action on objective of alert.

D. Mauro (12:42.579)
All flags that should have been quashed.

Ryan Leirvik (12:45.647)
We passed every single authentication capability and check for the entire process. And here's the interesting thing. Yeah. But here's the thing to get to your commercial-grade side. It took this person, who had no background in it whatsoever, I think it was $11 just to buy a day's license for the generative AI tool and train it properly. Right. All publicly available information, one hour's worth of

video off of, exactly, publicly available information.

D. Mauro (13:18.028)
Like a YouTube or something that they had, right? Just so that they can get their voice down.

Ryan Leirvik (13:24.683)
Mm-hmm, and eleven dollars and eight full hours. That's it. And

D. Mauro (13:30.038)
That's unbelievable. That's unbelievable. Now, walk us through the attack. So is it a social engineering call? Was it that along with an email? How did the compromise occur?

Ryan Leirvik (13:47.043)
Yeah, single point, social engineering, call center. Yeah. So step one was

D. Mauro (13:50.816)
Unbelievable. Acting like they were an employee.

Ryan Leirvik (13:56.021)
acting like they were the customer.

D. Mauro (13:57.888)
Acting like they were the customer calling, so from the outside, the customer calling, that's what I assumed. I just didn't know if there was an inside angle. So acting like they were a customer calling the help desk. And as the help desk would ask questions, they would type in the answer. The AI would spit out the answer.

Ryan Leirvik (14:05.956)
Yeah.

Ryan Leirvik (14:09.665)
Mm hmm. Calling the call center.

Ryan Leirvik (14:17.653)
Exactly, with the proper inflections and tone. Yeah, to bypass the authentication mechanisms, all of them.

D. Mauro (14:20.236)
yeah, absolutely.

D. Mauro (14:25.4)
It's unbelievable. Well, what I was trying to demonstrate for people is how advanced it's gotten in just the last six months. I mean, two years ago, a year and a half ago, you know, three years ago, four years ago, I discovered deepfakes and I was like, wow, this is crazy, 10, 15 years from now, right? Fast forward just a few years.

Ryan Leirvik (14:27.587)
Yeah, it's.

Ryan Leirvik (14:35.289)
Mm-hmm.

D. Mauro (14:51.64)
And just in like the last six months, it has gotten so remarkable. So I went to ElevenLabs, or I forgot what vendor it was, but I did a sample of my voice and I got it deepfaked, because in podcasting we'll use it for, like, and even on the Riverside platform, they'll let you do an AI sample of your voice. It can never be used for social engineering or anything bad, but the reason you do it is that way when you're editing, you don't have to

say and boot up your whole studio each time you just want to put in a word when you're editing the transcript later, right? And so they do this. But I played with it a while and then I called my son, and I typed in the answers and he's like, dad, yeah, hey, yeah, of course. And it totally fooled him, like, completely fooled. But then after a while he's like, now I can tell. He's like,

Ryan Leirvik (15:29.708)
Mm

D. Mauro (15:50.684)
Because he knew, because, I'm, I talk too much. So I think he knew I was playing with it anyway. And so he's like, it sounds just a little bit off, right? But it's my son, it's somebody that I talk to every day. So it did work for a little while, which was amazing. Yes.

Ryan Leirvik (15:57.858)
Mm-hmm.

Ryan Leirvik (16:04.685)
Mm-hmm.

Ryan Leirvik (16:08.247)
Yeah, so the timeline worked properly up to a certain point where then cognitively he's like, wait a minute, hang on, this doesn't sound right. That's right. Yeah, they only know what's on the, well, they only know typically what's on the screen unless you do relationship banking, right? Yeah, that's it. And the reality is, to your point of why it's accelerated so fast, that's exactly what machine learning and AI is kind of doing, right? It's collapsing the timeline between what you,

D. Mauro (16:14.028)
But a help desk doesn't know who the person is. Like, they just know a little bit about them, right?

D. Mauro (16:23.479)
Right.

D. Mauro (16:32.568)
Mm-hmm.

Ryan Leirvik (16:37.517)
what you can automate, you want to automate, and the insights you want to get there usually take time, and that's just gotten collapsed, and the speed at which it's now commercially available.

D. Mauro (16:44.322)
Yeah.

D. Mauro (16:47.906)
Well, there are some phenomenal benefits to this, right? People that have medical treatments where they lose their voice, they can capture their voice and still talk in their voice to their family. It's got, you know, memory preservation capabilities, it's got health care benefits. Like, there's a lot of good that is going to come from this. And then there's a lot of, in the world we live in, it's

Ryan Leirvik (16:51.321)
Mm-hmm.

D. Mauro (17:16.436)
It's just, it just made the Wild West have, like, Terminator-level guns now. Like, it's. Yeah.

Ryan Leirvik (17:22.677)
Mm-hmm, that's our world. In the world of technology writ large, I usually think of it in terms of yin and yang. For as much good as a technology brings, it opens up the capability to bring just that much bad. But there's so much good that machine learning helps. I look at vaccine distribution and the ability to identify quickly

D. Mauro (17:33.485)
Mm

D. Mauro (17:38.551)
Mm

Absolutely.

Ryan Leirvik (17:52.323)
broad public health issues, right? Not to mention, you know, corporate intellectual property protection or creation. There's so much, so many things that we, you know, the ability to take data sets, glean insights from them and produce those insights in a material way that helps advance, you know, sort of, the human race, if you will, are tremendous. The challenge is, the world we live in is...

D. Mauro (18:17.708)
That's unbelievable.

Ryan Leirvik (18:20.803)
the first thing we think of is how is this going to break and how is this going to be used against people? I mean, that's kind of our world. Yeah. And that's the security community. It's like, wait a minute, you know, we're the skeptics sitting around going, I can see how that might be used by a criminal, right? So, in our world, we want to split those two and say, all right, let us be the people.

D. Mauro (18:25.618)
Right, exactly. Because that's what's going to happen at work. And we're like, no. Yeah. Right.

Yes.

Yes.

D. Mauro (18:43.412)
Anything that's going to involve litigation eventually is going to be a mess, right? And as soon as you see that, you're like, the lawsuits and the class action lawsuits and all that stuff, it's so harmful for the economy, for society. Like, if we could just reduce some of it, we can just keep building the good stuff, right? So.

Ryan Leirvik (18:46.657)
Right.

Ryan Leirvik (19:06.965)
Exactly. Yeah, that's it. Or bake security in there at every level, or at the most important levels where you need them, right? Like, where are the critical inflection points, and where do you need to check to make sure there's nothing glaringly bad that you're going to push out to production, you know, to use it. And that's the hard part. Just to take a quick step back with that type of, you know, generative AI deepfake.

D. Mauro (19:13.868)
Hmm.

Absolutely. Absolutely.

D. Mauro (19:24.406)
Yep.

Ryan Leirvik (19:36.257)
Now think about how hard that is for call centers and organizations who haven't been able to think this through. By the way, a lot of times they can be very widely distributed from an organizational standpoint, and the multiple connection points through which an organization could be entered, from a call center or a client-facing location. And all of a sudden you've just made this problem

D. Mauro (19:59.857)
Absolutely.

Ryan Leirvik (20:05.847)
of authentication really hard for almost every organization, quite frankly. So there's no immediate quick fix for it, but it just exacerbates the problem of trying to provide a service to your clients and authenticate them without slowing down the very thing that they're trying to accomplish by calling the call center. Yeah.

D. Mauro (20:29.728)
Right, exactly. Well, and that's, I mean, we saw it in the MGM and Caesars breach. Scattered Spider, working alongside Russian ransomware gangs, but they were doing the social engineering, doing their OSINT, making sure a certain person with great knowledge of who they were trying to be makes the call, socially engineers, and resets,

Ryan Leirvik (20:37.487)
Exactly.

Ryan Leirvik (20:44.846)
Yeah.

D. Mauro (20:59.296)
you know, resets their MFA or resets their device, and they get into the system. And then from there, they unleash the ransomware gang. So that's where you get loose groups that are excellent at social engineering, like Scattered Spider, shoring up with the BlackCats of the world and the LockBits of the world. It's a formidable foe, as the FBI says.

Ryan Leirvik (21:04.11)
Mm-hmm.

Ryan Leirvik (21:15.855)
Mm

Ryan Leirvik (21:26.179)
It is, it's very formidable. And speaking of technology that helps, that can be used for good and for bad. I mean, where did they find out that the individual was part of the, you know, could be at the call center and know who they are? LinkedIn, right? You have this great platform that, you know, they've had their own troubles with security here and there, but hey, you know, I want to connect with certain professional individuals.

D. Mauro (21:41.666)
right, yep.

D. Mauro (21:51.644)
It seems like LinkedIn, and we can always edit this out later, but it seems like they haven't had as many problems with security as they've had with bots scraping the data and then selling that, or claiming that they have a sales tool that can access things and stuff like that. It's more about being abused than anything else.

Ryan Leirvik (22:04.739)
Mm-hmm.

Ryan Leirvik (22:10.541)
Yeah.

Ryan Leirvik (22:14.659)
So now the issue, that's exactly it. The issue has become data. Data. If we remember the movie The Great Hack, I won't say her name, but one of the primary principals there that worked at Cambridge Analytica said the price of data is more than the price of oil. I mean, we've kind of been following that kind of concept for a while. I don't have any empirical evidence on that. But the individual is data. Look at what just today, I think we're just, well,

D. Mauro (22:20.385)
Right.

D. Mauro (22:24.639)
Mm

D. Mauro (22:33.57)
Mm

Ryan Leirvik (22:43.073)
At some point this week or just now, the FTC just fined the large service providers for using personal data of users and non-users. So you get a platform like LinkedIn, and yeah, in the early days they didn't salt their hashes and they had issues with encryption. But the security days seem to be sort of far behind them.

Anything can happen tomorrow, but it's more about the collection of individual personal data. Managing the data. That's it. I mean, look at, you know, I'm going to call them all out here, but do you know the offenders? And, you know, the challenge here, the real problem is, look, in America, we're a capitalist society, right?

D. Mauro (23:17.514)
in managing the data. Yeah.

D. Mauro (23:36.458)
Right. And for business, we want the data for the business decision makers. We want to know what they're doing and who they are and how to contact them, et cetera. But on the other hand, you know, there's a lot of data that we don't know is being collected on us. And to that point, it is more, and it's being sold in packages to people that we're not aware of. And so

Ryan Leirvik (23:39.246)
Yes.

Ryan Leirvik (23:44.864)
Mm-hmm.

Ryan Leirvik (23:55.951)
sure.

Ryan Leirvik (24:04.504)
Mm

D. Mauro (24:04.79)
Again, it kind of crosses, to me, I view it almost like the right of privacy, like physical privacy, right? Like, if you're alone in your bedroom, you have a belief that you are private, right? If you're alone in your bedroom and it's outside and it's all glass windows and there's a big party over there, you know that you're not private, even though you are in your room, right? But what's happening to us is they're, like,

exposing the walls and doing stuff and repackaging and taking pictures of us and all that stuff without us even knowing it. Right? Like, we had no idea.

Ryan Leirvik (24:40.943)
Yeah. Yeah. Well, think about Facebook back in, up to 2016, 2018. If you downloaded the app and you used the app, it would pull data on users and non-users. I mean, and so there's this interesting thing that we kind of live in here in America, which is like, it's really hard to keep your data private and protected. You have to work really hard to do it because we put

D. Mauro (24:53.494)
Right.

D. Mauro (25:03.808)
It is very hard.

Yep.

Ryan Leirvik (25:09.315)
you know, I'm not saying it's good, I'm not saying it's bad. I don't really want to take a position on this, you know. I mean, I have my own personal views. I'm not going to share them publicly, but like, you can probably tease them out. But the reality is, like, we put business and, you know, either market share or growth, you know, first, and not the consumer or the individual. In fact, a lot of the, you know, the interesting thing, you used to, this back in the day, is like, hey, if you can't figure out the business model, it's probably you. Right? Yeah.

D. Mauro (25:13.271)
Hmm.

D. Mauro (25:28.226)
Right.

D. Mauro (25:35.652)
That's exactly right. Well, and if it's free, if the apps are free, then you are the product. I mean, that's exactly right. Like, you are the product. Everything you like, everything you scroll, when you stop scrolling, how long you stay on there, what you're looking at, who you're looking at, who you're connecting with, what you're clicking through and then going to, all of that has value to people. It's looking for intent. It's looking for what they like.

Ryan Leirvik (25:40.473)
That's it. Precisely. Yeah. Yeah.

D. Mauro (26:04.696)
because it's based on your, I mean, it is part of your insurance rates. It's part of your healthcare rates and all of that. And meanwhile, us Americans are just TikToking ourselves, showing our houses all along, right? Like, showing pictures of our kitchens, everything, like just sharing it. And we just have a view that it doesn't really matter, compared to our brothers and sisters in Europe. And

maybe it's cultural or maybe it's historic, right? Because World War II is just not that long ago, like in the grand scheme of things. And they still have relatives that experienced that and they know what happened when people can make harsh decisions based on who they think you are on some list. And that's kind of...

Ryan Leirvik (26:55.341)
Yeah, and I always, that's it. I always think of these things about systems and systems thinking, right? That's what drives the culture, right? And over there, it's, know, they wanna put the individual first and just the reality is it doesn't necessarily need to center around what you're doing with the data. Just give the person the option to opt in or out, right? A conscious decision about where.

D. Mauro (27:02.198)
Mm-hmm. Yeah.

D. Mauro (27:20.877)
Hmm.

Ryan Leirvik (27:23.523)
You know, the data is being used. think that's more of the argument there. Here, the argument is more of, you know, the system isn't designed to protect the individual, right? It's, mean, you know, let's not even get into the election cycles, but you, know, again, back to sort of the great.

D. Mauro (27:26.849)
Hmm.

D. Mauro (27:32.684)
Right. Correct.

D. Mauro (27:39.042)
Well, the election cycles and deepfakes would be an entire like episode series, frankly. Like you could just go into data misinformation, AI deepfakes, both political parties. You could just go on.

Ryan Leirvik (27:44.31)
sure.

Ryan Leirvik (27:53.675)
Yeah. And the, but the challenge, just like privacy, the challenge is most consumers, if you're consuming strictly, if you're consuming your information from, know, let's just say broadly, you know, social media, not, you know, news outlets, let's just, let's just draw the line there. You may not be aware of how much of that information is just fundamentally not real. Right. And quite frankly, structured to keep you engaged.

D. Mauro (28:07.543)
Mm

D. Mauro (28:17.112)
Correct.

Ryan Leirvik (28:21.879)
Again, back to you become the business model. So the privacy argument there is just like, you most, most, can't expect most consumers to, you know, sort of follow the caveat emptor, like, you know, buyer beware, right? But you can, you should be able to, you know, from an ethical standpoint, say, look, we're going to use your data. Here's how we're going to use it. You okay with this? And just give them the ability to opt in. they, know, you can see a world where most don't even think about it. They kind of operate in this false sense of trust.

And that's where the challenge becomes, what are you actually using it for? then are you taking my data or are you taking the data of my contact list, Who I'm writing, what I'm writing. I mean, one of

D. Mauro (29:04.438)
Right, exactly. Well, and are you, are you, you know, when you, when you click agree on the T's and C's for an app, right, nobody reads those, right, you would have to quit your job and drop out of school and, and never see your family if you were going to read all that stuff. And half the time, what you don't realize is that is

Ryan Leirvik (29:16.889)
Did you read it? No? Yeah.

Ryan Leirvik (29:27.385)
That would be pretty funny.

D. Mauro (29:34.112)
you know, they're granting so much more permission than they need really to run that app. Like they're, you know, capturing keystrokes, capturing what you do on other apps, even like, it still shocks me that they're able to do that. But meanwhile, we just let them do it. Yeah.

Ryan Leirvik (29:41.547)
Mm-hmm. Yeah.

Ryan Leirvik (29:53.783)
Yeah. And well, it's continuing. No, of course. Yeah. And it's look, this is why the system's thinking so it all starts with regulation. Right. It all starts with like, look, look at them again, just the system we work in is, you know, we're a, we're a constitutional Republic. Right. So we vote for our public leaders. Right. And then the question there is, all right, do we vote for the people that are going to stand up for things we want or not? Right. That's our choice. But it starts there with legislation and say, Hey, look, you know, we're going to protect our constituents. And this is what that looks like.

D. Mauro (30:00.578)
Mm

Ryan Leirvik (30:23.207)
Or we won't. And here's what that looks like. But it's got to start there. In Europe, they have it because, for the reasons you point out, there are things there that are very sensitive and they put it first for maybe cultural reasons. But it does start with legislation. I'll tell you what's really interesting. For me, I've been spending a lot of time flying back and forth to Europe over the last year.

D. Mauro (30:46.348)
Yeah, are you guys thinking, are you guys moving there? Is your company moving there? Are you guys moving there? Wow.

Ryan Leirvik (30:49.645)
Yeah, we've got a headquarters there now. So we're truly global. Yeah. But the cool thing is when you land, depending on the airline you're in, right, they'll say, all right, you know, we're getting ready to land in whatever airport. They're like, you're in Europe now. you're not allowed to take, anytime you take a picture on this airplane with any other individuals, you must get their permission first. That's an announcement that the airline makes.

D. Mauro (30:55.946)
Wow, that's so cool.

D. Mauro (31:16.418)
Right.

Ryan Leirvik (31:18.595)
before you land. first, kind of takes you, know, if it's the first time.

D. Mauro (31:22.208)
So that's interesting. Is that something new? mean, I've traveled to Europe before, but I not in the last year or two. like, is that something new that, that, that they say now? Like you can't, I wonder if that's a GDPR implementation, right?

Ryan Leirvik (31:34.511)
So I don't know as the actual regulation. Yeah, so I don't know the specifics, but I can tell you my experience. So in the past seven months, I've flown to five European countries, two of them three times. And every time before I'm landing, that announcement comes on. Yeah, and it is the same airline, so maybe this is just, no, that's not true. It was two different airlines. And the first time I heard it, I thought, wow, that's.

D. Mauro (31:49.293)
Hmm?

D. Mauro (31:55.298)
Wow.

Ryan Leirvik (32:03.343)
That's really interesting. wonder why that is. And then by the time you hear it the third and the fourth time, like, okay, yeah, this is a regulation issue. This wasn't just a one-time thing. But what's interesting about culture, right? It starts to shift your mindset, right? Into like, yeah, you've now brought into my awareness the privacy of others. When I've got a device in my hand that I could capture everything. And by the way, without them being aware, and by the way, know, right, we're landing in an international airport.

D. Mauro (32:05.281)
Yeah.

D. Mauro (32:12.289)
Right.

D. Mauro (32:23.244)
Right.

D. Mauro (32:26.924)
without them even being aware of it.

Ryan Leirvik (32:33.049)
from another location, it's like, maybe some of these people don't want to be known that they're there. Maybe some of these people, right? And it's not my right to expose that, right? They have the right.

D. Mauro (32:38.696)
Right. Yeah.

D. Mauro (32:44.386)
When they make the announcement, is it when you're in this country you can't do it or is it while you're on the grounds of the airport?

Ryan Leirvik (32:53.219)
So this is great, now you're really parsing it, because I don't really know, they say just as a reminder, if you take any video or audio, you must get, or take any pictures, you must get permission from the people before you take a picture, that's what they say. They don't get geolocation specific. yeah, that's pretty cool. I mean, now that we're talking about it, I should really look it up and be like, all right, why are they doing that? This was just sort of an observation, yeah.

D. Mauro (33:01.504)
Hmm.

D. Mauro (33:10.22)
Wow, so they don't limit it. Interesting.

D. Mauro (33:19.016)
Yeah, it's actually kind of interesting. Yeah. Well, it makes perfect sense. And like in America, it's like, feel free to fire up those phones. Like take pictures if you got anybody like in any compromising thing, please videotape it and throw it up on social media.

Ryan Leirvik (33:23.374)
Mm

Ryan Leirvik (33:29.828)
Yeah.

Ryan Leirvik (33:37.443)
This is the interesting thing. now, now let's play this whole thing out, right? You facial recognition software. It's pretty easy to find out who's who now, right? I mean, it just, there's so many places to go to find out. With everybody just, there's cameras everywhere that can push public information. Everybody has got a, you know, a device, almost everybody, like most people have a device in their, in their, and how many times, like how many times you've gone to a concert, right? Or something where there's a, there's a stage.

D. Mauro (33:46.64)
Mm-hmm. Yeah. Yep. And there's cameras everywhere. There's cameras in buildings everywhere.

D. Mauro (33:59.137)
Right.

D. Mauro (34:05.74)
Well, gone are the days of like a lighter. Everybody just holds up their phone with a flashlight.

Ryan Leirvik (34:08.608)
Right.

Which is its own interesting thing because it's like, or recording it and you're like, you're all sitting here watching the show and everybody's recording it. So like this one event has just created tens of thousands of minutes of content just for this one event. So think of that just as one event. Now think of that happening all the time, almost everywhere, not to that scale and think about where that goes. That is extremely important data because what happens if something happens to that venue?

D. Mauro (34:17.578)
I know. I know.

D. Mauro (34:24.076)
Yes. Yes. I know.

D. Mauro (34:34.637)
Right.

D. Mauro (34:39.532)
Right. Right.

Ryan Leirvik (34:41.068)
Or what if you're trying to find somebody? what, like you now have massive amount of, well, it's large data to sort through, but using the facial recognition technology, you can, if you have access to the data, right, you can parse it and try to find out, it there? Now you have to scrape a lot of stuff to do that.

D. Mauro (34:58.274)
Right. Yeah, but you could still drill down and then draw conclusions or find that. know, last time we spoke, what I loved about your book was just the storytelling and the translating in business terms. So what are you seeing when you're speaking with business owners? And are you, you're

Ryan Leirvik (35:01.485)
Yeah, and this was, -hmm, yeah.

Ryan Leirvik (35:16.387)
Mm

D. Mauro (35:23.712)
your organization is mostly in the enterprise space or are you in the SMB space, like the mid market? Who are the business owners that you guys generally deal with? Just generally.

Ryan Leirvik (35:33.101)
Yeah, yeah, first full commercial, we work across all verticals, largely big enterprise, but we love SMB because small businesses become big businesses. And the earlier you can think about security, it's actually less costly to start early than it is to start later. Yeah.

D. Mauro (35:43.372)
Yeah, exactly.

D. Mauro (35:48.64)
Right. Absolutely. That's good. So what are some of the things you were hearing from business leaders, especially in that mid tier or that growing SMB space? Like, what are they struggling with? Like, what do you find you have to translate the most? Is it just the balance between convenience and security or the balance between productivity and security or the cost? Like, what are the big challenges?

Ryan Leirvik (36:03.885)
Yeah.

D. Mauro (36:18.956)
that you're seeing. I always want to ask that people that are actually working in the industry.

Ryan Leirvik (36:19.044)
There

Ryan Leirvik (36:23.917)
Yeah, there are two main challenges that I see almost every time for those kind of getting started. One is what is this actual problem? I don't understand it at all. two, what questions do I need to even ask to understand, do we have the proper controls in place or just what I need to do about it? Those two things, what is this and what do I need to do about it?

D. Mauro (36:30.551)
Mm

D. Mauro (36:36.034)
Mm

Ryan Leirvik (36:53.249)
just getting their head around those two things or the two questions that I see almost at every level, right? There are a variety of different steps inside of there, right? So from the understanding side is like, do I really understand? Yeah.

D. Mauro (37:04.088)
That's a great viewpoint. You know, no one has ever actually synthesized it like that. And I don't know why. But I think it's that was really good. No, it's so true. what is the problem we're really trying to solve? And and like, how would like what questions do I have to ask in order to find the solution?

Ryan Leirvik (37:10.207)
from

happy to be the first, but I don't know if that's the case. Yeah.

Ryan Leirvik (37:20.643)
Mm-hmm.

Ryan Leirvik (37:33.515)
Exactly. Yeah. I'm flattered by that. Being in the space. Yeah, thanks. It's, I mean, that's it. Like every time, no matter what level of executive we're talking to, right? They have a different understanding of what the problem actually is. And then of course, given that different understanding, they have a different, you know, inability or just, I these are smart people, but maybe they just don't know how.

D. Mauro (37:34.498)
Brilliant. It's really good. I knew there's a reason I invited you on this show again. That is fantastic. Now that's really good, man.

D. Mauro (37:50.284)
Mm-hmm.

Ryan Leirvik (38:03.481)
to ask the right questions because they may or may not have exposure to the whole system. And one of the ways you can tell right away is how they discuss risk. So what's my risk of ransomware? Okay, well, it's not a risk. Ransomware is a technique. That's a threat. Are you vulnerable to it? That's the question to ask. And so just working down through

D. Mauro (38:09.645)
Right.

D. Mauro (38:20.183)
Hmm.

D. Mauro (38:25.89)
Right.

Mm

D. Mauro (38:33.342)
and how vulnerable, how do you measure it? And, and measuring risk is hard in any field in cybersecurity as a whole. Now there are exceptions. There's great books that use like, like all these formulas, a whole bunch of math to figure it out. And I was like really getting into the book and then they got into all this math and I'm like, I got to call Ryan because this is too much math for me.

Ryan Leirvik (38:33.433)
through that.

Exactly.

Ryan Leirvik (38:44.17)
It is.

D. Mauro (39:02.392)
I took math for the Grateful Dead in college. That's why I my law degree, not my MBA. And I'm just teasing, but it's kind of true. But it was a lot because you've got all the formulas that really to measure it. But as a whole in the industry, we really haven't done that great of a job of translating that measurable quantitative amount, right? Because it's still, you know,

Ryan Leirvik (39:28.845)
Mm

D. Mauro (39:31.16)
HR can say 10% of our workforce is looking for another job. Sales can say we are going to hit our targets or if we miss them, we will miss them by 7% this quarter. And then cybersecurity goes, we're yellow. Like it's a yellow risk. It's not green, it's not red, but we're kind of yellow. And I'm like, as an executive and I've owned businesses and I'm like, Hey, I need a little bit more than yellow.

Like you got it, you got it. I'm paying a lot of money. I want more than yellow. And they do more than that. We all do more than that. But it's tough, isn't it? Because every business is different. Every configuration is different. The way they're leveraging technology is different. Where they have their data is different. What their risk appetite, like we talked about before, is different. And so all of those are factors that go into those formulas.

Ryan Leirvik (40:27.255)
100%. And what problem are we actually solving for? Right is also the question of, you know, what, what risk are we trying to identify? You know, it's different. What makes it so complicated is it's different than other industries, you know, formal industries, like, you know, finance, accounting, the language of business, right? Even marketing, there are specific measures you can get to see, like, what is the actual goal I'm after?

D. Mauro (40:31.291)
Mm-hmm.

D. Mauro (40:37.185)
Mm

Ryan Leirvik (40:56.321)
What data do I need to identify whether I'm moving towards that goal? And then how do I adjust based on where I am with that goal? So in finance, it's how much debt, how much equity do I have? In accounting, it's do my assets equal my liabilities in owner's equity? In marketing, it's I want outreach and exposure. Okay, great. How many clicks did you get?

D. Mauro (41:06.786)
Mm

D. Mauro (41:16.888)
All right, that's exactly right.

D. Mauro (41:23.405)
Right.

Ryan Leirvik (41:24.407)
You have these empirical data sets that you can actually draw on. and then of course, you know, the closest thing to cyber risk kind of is the insurance industry, but you've got years of empirical data, decades, decades, you know, almost millennia of like empirical data based on weather patterns. If you're, know, if you're in the property insurance game, right. It's like, okay, what's the probability of a hurricane or some, some catastrophic event. so you can. Yes.

D. Mauro (41:33.484)
Yes.

D. Mauro (41:36.951)
Yes.

D. Mauro (41:43.008)
Mm-hmm.

D. Mauro (41:47.202)
but that industry has really struggled with ascertaining risk in cybersecurity, haven't they? They really have. And so they really focus on the application process and really honing in on that and saying, we have to have these, I mean, it's similar to what the auto insurance carriers did in 70s and 80s. Like you have to...

Ryan Leirvik (41:53.599)
Mm-hmm, here's what's interesting

Ryan Leirvik (42:00.057)
That's right.

D. Mauro (42:10.602)
have insurance now, you have to have seat belts, you have to have a certain, you know, ABS brakes, where you get discounts for all of those things. It's kind of like the more controls you have when you submit your application, you know, the more effort you're doing to manage your risk, the lower your premiums would be.

Ryan Leirvik (42:29.815)
Yeah, exactly. I always liked the phrase that I always liked to hear or say, I've heard it somewhere else. I'm going to borrow it from somebody. You get what you inspect. Yeah, exactly. I was, I wanted to say it and I was like, I didn't make this up. So I got to find out who I attribute the ads. But reality is you get what you inspect, not what you expect. You can expect whatever you want. That's all good. But unless you inspect it and find out what's actually going on, well, then you have data to work on.

D. Mauro (42:38.292)
That's all we do here at Cybercrime Junkies. We borrow it. Yeah, exactly.

D. Mauro (42:49.25)
Yes.

D. Mauro (42:54.445)
you

D. Mauro (42:58.913)
Right.

Ryan Leirvik (42:59.383)
In our world, the question is, are you solving the right problem? Right? So the thing about measuring risk that I've always found is you have to set a goal somewhere, right? Like what are you trying to accomplish? Are you trying to accomplish, you know, security of all things? Okay, that's going to be really hard, but why not break it apart into digestible mutually exclusive pieces? Right? So number one thing in,

D. Mauro (43:03.224)
Mm

D. Mauro (43:10.188)
Mm

D. Mauro (43:19.224)
Hmm?

D. Mauro (43:25.634)
Right.

Ryan Leirvik (43:27.843)
You know, this is my view. The number one thing in security is know what you own and then know how important that is to you. We do the same thing in our daily lives, right? It's much more difficult at the corporate level. mean, except, you know, wildly different, but if we know what we own and then we know how to protect why that's important. Now, you know, what's important to protect, right? That's a great starting point.

D. Mauro (43:40.641)
Mm-hmm.

D. Mauro (43:54.967)
Right.

Ryan Leirvik (43:57.433)
So the question is, all right, here are my list of really important assets that my business relies on to do the business, right? So if these things, if I lost confidence in these assets, if they were compromised, the integrity, confidentiality, availability of these assets were affected in some way, my business would suffer at some level, right? Either monetarily.

You know, it's always going to come down to some monetary, you know, number, right? We don't have to get too much in the calculus and the math, right? But the, the, the framing is know what you own, know why that is important and then put protective measures around it. Right. As, as a starting point. yeah.

D. Mauro (44:39.542)
Mm-hmm.

Exactly right. Because that allows them to create a reasonable roadmap. Because, because, yeah, and so often they don't know what the problem is that they're trying to solve because they're bought in by vendors. and I say vendors, but I mean vendors that have like the one size fits all box or whatever it is that's like, this will keep you secure.

Ryan Leirvik (44:47.855)
That's right, because you know what you're protecting. Yeah.

Ryan Leirvik (45:11.309)
Yes.

D. Mauro (45:11.616)
And I'm like, really? Like your guys at your company would love to blow up that box, right? Or bring that box to DEF CON. And after about an hour, I want to see how alive that box is, right? Because it doesn't work like that.

Ryan Leirvik (45:28.877)
Yeah, we used to love the phrase, you know, when someone says this is totally secure. Look at him back. You're at a security conference. I mean, you know, we can pull calls in that pretty quickly, but there is that and that doesn't help necessarily solve the problem. Right. And so this is what makes it really hard for, you know, executives and managers to try to figure out like, where do I point? Because like, imagine yourself in that position.

D. Mauro (45:32.621)
Yeah.

Ha, dude.

D. Mauro (45:41.068)
Yeah.

D. Mauro (45:46.636)
No.

Ryan Leirvik (45:58.307)
Right, like, okay, you know, I'm in this corporate entity. have to protect, I have to keep us safe at some level. I don't know exactly what that level is, but I have a general sense of what that is. mean, some work, I'm talking about most organizations, like some organizations have a very clear mandate on what safe and security looks like. But generally here, imagine yourself in this position, you have to think through, wow, like I have to protect all these things, and by the way, I have to report on it, I have to tell people what I'm doing, I have to go get a budget, I have to show some sort of return on that budget, right?

D. Mauro (46:27.682)
Mm

Ryan Leirvik (46:28.141)
that justify the budget if I can't show a return, right? And I need to get it organized in some sort of roadmap so that I can at least articulate what it is that I need and why to another group of individuals or multiple groups of individuals that have no idea what I'm even talking about. So I got to use no terms that say cyber vulnerabilities, threats, ransomware, right? Different types of threat groups or threat intelligence. And next thing you know, you know, I've lost them.

And so the way I've seen that work is just, you know, what is important to the business to do the business? Do you, first question is, do you know it? Cause most organizations don't and it's not by, you know, their own necessarily fault is, you know, from the systems engineering side, there may not have been a good asset management system started in the beginning. Cause the mandate was go. my gosh.

D. Mauro (47:19.808)
Right. And shadow IT and all this other stuff that comes in. mean, it's just everybody's and now everybody's trying new apps and companies are out there saying don't use AI. Meanwhile, people are like, OK, we won't use AI. Meanwhile, they're using AI. Right. Like, of course, they're they're going to use it. So, man, it's it's so good. That's such a that boils it down so well. Like, what are the problem you're trying to solve?

Ryan Leirvik (47:28.11)
Mm-hmm.

Ryan Leirvik (47:33.963)
Mm-hmm. Right. Exactly. Yeah. I know. But here's one other piece.

Ryan Leirvik (47:47.084)
Mm

D. Mauro (47:47.254)
What questions do you have to ask to find the solutions to that? having that, you know, what data are you trying to protect? Where is it? Where is it kept? Right? And then how do you, how do you, how do you protect it? Because it can't just be, I'm trying to protect a massive rent, like a massive data breach. Okay. But what about fraud? What about fraud? What about insider risk?

Ryan Leirvik (47:55.502)
Yeah.

Ryan Leirvik (48:11.843)
Yeah, exactly.

D. Mauro (48:15.17)
What about there's so many other aspects to risk? Right.

Ryan Leirvik (48:19.427)
Yeah. so, then now flip it, right? What's the one thing you really need to be able to do well? Like let's say you don't do any of this. Let's say you don't do any asset management. Say you don't do any protections. You have no controls. Everything's wide open. Is it a problem? I mean, the reality is probably not. Actually, no, it is a hundred percent not a problem until a particular threat goes after it, right?

D. Mauro (48:46.716)
until it's a problem.

Ryan Leirvik (48:48.131)
Yeah, that's the only time it matters. So what really matters is your response. Are you prepared to respond?

Ryan Leirvik (48:58.969)
That's it. If you do nothing else, just be prepared to respond, right? Because that's where the realized risk happens. Yeah.

D. Mauro (49:00.748)
Yeah.

D. Mauro (49:04.376)
Well, that's I mean, can I can I tell you and I want to get into the stats and I'm like, like less than 20 some percent or less than 30% of SMBs have an incident response plan that they've actually practiced and yet we all did fire drills as a kid. But now we're going to go build these multimillion dollar brands and not practice.

when there's gonna be a fire, like when there's gonna be data breach, it's like, we've got a disaster recovery plan. No, no, I'm not talking about a flood or a fire, right? I'm talking about a data breach, like people that are floods or fires are, they're horrible, but they're accidents, right? They're, they're, they're accidents. weren't there. Here you have threats that are intentionally aiming at you, like, and you're not going to prepare for that. Like, yeah, it won't happen to us. I'm like,

Ryan Leirvik (49:34.127)
Yeah.

Ryan Leirvik (49:44.143)
Mm

Ryan Leirvik (49:52.185)
That's right.

Ryan Leirvik (49:55.779)
Yeah, I love the fire drill example because it's why do you do fire drills?

D. Mauro (49:59.568)
That's me translating, trying to socialize cybersecurity. Like, I have to boil it down to the things that everybody can understand because, you know.

Ryan Leirvik (50:09.079)
Yeah, that's it. And why do we do fire drills? Because if there's a fire, you want to get everybody out safely. So practice and you don't want to practice at the time it's happening, right? Because that's the danger. Right.

D. Mauro (50:17.805)
Mm

D. Mauro (50:22.398)
No, no, because you're going to dust off that incident response plan and go, okay, in our one, Carl's supposed to do this. Carl left last, he quit the job six months ago. So who's stepping in right now? Meanwhile, your icons are turning white. Ransomware is spreading by the minute and you're like, we got a Bob, you step in, you know, like, meanwhile, we're going to blame you when this is all done anyway. So it's like, yeah, it's just, it's a hot mess.

Ryan Leirvik (50:28.813)
Yeah.

Ryan Leirvik (50:36.558)
Right?

Ryan Leirvik (50:41.187)
Yeah, exactly.

Yeah, Bob stay here. You're the scapegoat. Yeah. And by the way, you're panicked. And so nobody makes good decisions when you're, you know, threatened or scared. Right? Yeah.

D. Mauro (50:52.926)
No, no, it's amygdala hijack. It's all you've got the fight or flight. Yeah, I mean, we we've interviewed people that do the the negotiations with ransomware gangs. We've interviewed people that are the ins of the first responders. And they're like, we've had people have heart attacks. We've had people have pass out on zoom. We've had people throw up. It's it's a it's a very, very emotional time. I mean, just

Ryan Leirvik (51:09.838)
Yep.

Ryan Leirvik (51:16.526)
Yeah.

Ryan Leirvik (51:21.358)
Yeah.

D. Mauro (51:22.7)
get locked out of your LinkedIn account and you're like, what, it's cool when I got a reset, what's cool? And like, that's nothing. It's nothing, right? Yeah, here it's on a Post-it note somewhere. Let me find it, right?

Ryan Leirvik (51:26.561)
Yeah. Total panic. Yeah, exactly. Yeah. Yeah. You just misplaced your password and you know, there's no issue, right? But yeah. Yeah. Yeah. Now imagine if somebody calls you, this is, this is the thing going back to the vulnerabilities. Like the vulnerabilities exist somewhere. You got to find them, right? The big ones on your, on your assets that matter. And you don't want the bureau to call you. You don't want to find out that you're breached on the dark net. Like you, you don't want.

D. Mauro (51:44.343)
Yeah.

Ryan Leirvik (51:55.993)
find out from some way that you have just realized that it's already out there and that by the way, the clock was ticking and you just, you don't know when it started, but you know, it's been ticking for a while, right? Now you got a real problem. So why not push all the way up in the stack and try to get it when it's less of a hassle, right? And less costly to deal with it. And if you don't catch it development, you know, hire a pen tester, red teamer, you know, to find it, you know, for you and then let you know when, when

D. Mauro (52:06.118)
Mm

D. Mauro (52:16.29)
Right.

Ryan Leirvik (52:24.973)
It's on your terms, not the attacker's terms or the customer terms that everybody's upset now because their client data is out. No, by the way, your fines are increasing, your regulatory issues are increasing, your legal fees are increasing, your incident response are increasing, and you're supposed to make rational decisions then. Yeah, that's not gonna happen, right? Yeah.

D. Mauro (52:45.216)
Right. It's not going to happen. Man. Well, thank you so much. I could talk to you for hours, Great discussion, man. I love the questions. I've been typing them down. I've been writing them down because I'm like, these are just great questions. You boiled it down so succinctly. So what's on the horizon? Just as we wrap up here, what's going on? You guys are, you and the family moving? Are you going to?

Ryan Leirvik (52:52.407)
I love talking to you. Yeah.

Ryan Leirvik (53:12.189)
no. Yeah. So no, we're staying here in the, in, in the US the corporate headquarters of Neuvik will stay in the US we've opened up a full, EU business, to do issue. Yeah. It's, a lot easier to work inside the ecosphere when you are in the ecosphere and yeah, we, yeah, we provide a service. So we like to be authentic and true. So, that's true too.

D. Mauro (53:28.568)
sure it makes perfect sense. Yeah.

D. Mauro (53:33.772)
Well, and data too, right? The data that they find in the meetings and everything could be done there and stuff. Is it going to be London based or is it Belgium or Germany or where is it? really good. Yeah.

Ryan Leirvik (53:39.712)
Mm-hmm.

Ryan Leirvik (53:43.811)
So we have an office in The Hague. Yep, in the Netherlands. And there's a lot of talk and push now about another one in the UK and just outside of London. we may have a couple. that'd be great. Yeah, we'll be there. We'll be there quite a bit over the next few months, you know, getting things established. And yeah, it's neat. And it's nice to be able to be authentic in the space and be able to provide,

D. Mauro (53:55.212)
Yeah, I'll come visit you there. I like that. Yeah, I love it.

D. Mauro (54:06.422)
That's great.

Ryan Leirvik (54:13.165)
a service because, for us, like you mentioned at the top of the, the, episode it's, you know, we're, we're, deploying measures that are typically used by the attacker. we have to be trusted to do this, to be able to provide the information to, you know, the corporations that need it when they need it and can do it on their terms rather than the adversary doing it. they're the same techniques, right? They're just, you know, on your terms, not on their terms.

D. Mauro (54:25.335)
Right.

Ryan Leirvik (54:42.529)
And so integrity matters, yeah.

D. Mauro (54:43.552)
I love it because I just think, you know, adversarial emulation, red teaming, know, penetration testing, like true penetration testing where you actually are hacking in. That is just, that's some rock star stuff. 'Cause then, because you get in and you know, the internal group is like, they didn't get in, we didn't see a thing. And you're like, here's the report. And you're like, let me walk through. And you're like, my gosh, had like, it's.

Ryan Leirvik (55:05.963)
Mm-hmm. Yeah.

D. Mauro (55:12.678)
They're tough conversations, you know? Yeah.

Ryan Leirvik (55:15.331)
They are. Now imagine you're, you're a small business trying to sell or medium business trying to sell and you've never done one. And like that's where a lot of times we've come in and we've done them like, wow, there's a lot of problems here. And guess what happens? This is the unintuitive consequence of, of this. The buying team is like, well, you're worth a lot less now. 'Cause your risk is a lot higher and the small business is like, wait, what? Like, right. Like you're, you're in, we're in, we have to inherit your risk.

D. Mauro (55:21.741)
Yeah.

D. Mauro (55:33.068)
Right.

D. Mauro (55:37.1)
Right.

Ryan Leirvik (55:45.699)
because you didn't do a pen test or red teaming a little while ago and fix the vulnerabilities that are out here that you may or may not have known about. And you know, you can't blame them for it. They just didn't think about it. Right. Yeah.

D. Mauro (55:55.818)
No, I mean, and when they started the business, it may not have been a thing. You know, I mean, like a lot of these businesses that started in the early 90s, like cybersecurity wasn't a thing. Like I was in a totally different industry. I jumped on board, seems like forever ago, but it was like the Y2K thing. Like how funny was that? We're like, this is going to be a big thing. Meanwhile, I'm like, I don't see anything that's going to come from this, but let's... You know, it's so interesting.

Ryan Leirvik (56:00.025)
That's right, probably wasn't.

Ryan Leirvik (56:06.607)
That's right.

Ryan Leirvik (56:14.263)
Yeah. Yeah.

Ryan Leirvik (56:21.475)
That's right. Yeah. Yeah, I was building databases. And for me, it was like, wait a minute, this data has to be protected. And then I was asked how I protected it. And I told him, like, that is like solid grade protection. Like, well, I'm signing for the data. So I don't want this stuff out. The regulations were lower than I liked. So I was like, I got tapped to be able, can you actually penetrate these? I'm like, yeah.

D. Mauro (56:26.956)
Yeah.

D. Mauro (56:30.891)
Right.

D. Mauro (56:39.958)
Hmm?

That's good.

Ryan Leirvik (56:49.709)
Let's do that. That was, that was my introduction. It was like, all right. Yeah. I yeah.

D. Mauro (56:50.016)
Yeah, absolutely. Yeah, that's so great. That's so great. Well, Ryan Leirvik at Neuvik. Thank you so much. We'll have links to everything in the podcast. We'll have links to your book as well. And always a pleasure talking. It will not be... I don't want to wait this long to talk again. So I love catching up with you. And I'm sure there will be things that happen that we can discuss. So thank you so much for your time.

Ryan Leirvik (57:04.185)
Thank you, David.

Ryan Leirvik (57:20.045)
I look forward to it. David, thank you so much. Talk to you later. All right, bye-bye.

D. Mauro (57:22.508)
Thanks buddy, I'll talk to you.
