
182. Prioritizing Your Approach to Cybersecurity with Rob Carson

Dissecting Popular IT Nerds

Rob Carson

Rob Carson is the Founder and CEO of Semper Sec. His company is a cybersecurity consulting firm that helps small to mid-sized businesses build security programs and navigate compliance to maintain competitive advantage. Before joining the IT industry in 2012, Rob was a military man and a member of the United States Marine Corps where he was an Infantry Officer and High-Risk Training Manager.

Prioritizing Your Approach to Cybersecurity with Rob Carson

Rob discusses how to make cybersecurity relatable to companies, creating a personalized and prioritized approach to security, and the problem with the overabundance of information in the cybersecurity space. He also tells us how Semper Sec demystifies the process of compliance for companies.

Disclaimer: The views, thoughts, and opinions expressed by guests on this podcast are solely their own and do not necessarily reflect the views or positions of their employers, affiliates, organizations, or any other entities. The content provided is for informational purposes only and should not be considered professional advice. The podcast hosts and producers are not responsible for any actions taken based on the discussions in the episodes. We encourage listeners to consult with a professional or conduct their own research before making any decisions based on the content of this podcast.

Episode Show Notes

[06:15] Tell us about Semper Sec.

We do the arts and crafts of cybersecurity. A typical engagement is when a customer has signed up for something and needs to ensure compliance, so we go in and make that process suck less. We craft the policies, facilitate the surveys, and create everything in the company’s vernacular.

[08:00] A lot of people don’t understand that this is a big deal. If you don’t do it right, it can have serious repercussions.

Exactly. You have two metrics as a CSO – did you pass your audit, and did you get hacked? You need to prove that you can act in good faith. People say compliance isn’t security and that’s technically true, but if you can’t meet compliance, you’re in trouble. This is the easy stuff. Every company’s culture is different, and you have to make it work for them.

[12:30] Often, companies don’t understand the requirements needed to work with businesses such as credit card companies.

They don’t think they can meet all the needs and certifications, but they need to realize that they can and they can do it cheaply. A lot of cybersecurity companies will try and upsell you on unnecessary software for an extra cost, but we don’t do that. All you need is the ability to run the required programs correctly.

[14:45] How do you help companies figure out what they actually need?

We try to teach people how to identify priorities. It’s your job to identify risks, so go to the risk owner and let them help you to prioritize.

[16:08] A common theme I see is businesses thinking they have to have it all or it isn’t worth it. It’s actually a balance.

Often, you can treat it with policies. You need to get them outlined, in writing, and specific. You need to factor in how your business operates. I recommend breaking training up into two groups: sales/customer service, and devs. It’s about tailoring the conversation to who is listening.

[19:00] Tell me about your podcast, Blue Team Warrior.

I built the podcast based on talks I did regarding guerrilla tactics and the Blue Team. With any tactics, you need a certain amount of propaganda with any action. As the Blue Team, it’s your job to inform. What is your message? How are you communicating it and keeping people updated? My recommendation is to make your tabletops like a “choose your own adventure” book. Map out scenarios and various consequences so that you can demonstrate real-world repercussions and reasoning for actions. If you want people to care, make it about them. If they are part of the story, they are much more likely to pay attention.

[27:30] When I talk to companies about security, I find it’s a matter of narrowing the scope.

It’s also about activities. What business processes matter? Some matter more than others and are more of an availability thing than a confidentiality thing. What does it mean to secure things? This is where we come in. Sometimes, internal IT departments aren’t effective communicators, but if a consultant comes in, they get listened to. Even if it’s the same thing that the internal team has been saying.

[30:00] CIOs and CSOs have to be incredibly flexible in today’s world and have to balance everything.

Exactly, it’s hard to keep track of everything and what to actually care about. There’s a lot of information coming from all angles. Start with the basics. If you don’t have cybersecurity insurance, get it. To do that, you need a program. You need to ensure you have the correct certification and compliance for whom you are doing business with.

[40:00] A good starting place is to ask if your company was to go down, what would you bring back up first?

Exactly. Not only that, but what is the minimum level of security? I prefer working with ISO because you can write the rules for risk and cover the whole company with it and add on things as needed. There are always aspects where you may need help. There’s always something you can outsource to make life easier and smoother.

[51:00] What is the future of IT security?

I think the future is the past. Everything people are doing is the same stuff that has been done but with new tech. Automation is good in moderation, and I think we will be stepping away from the Cloud.

Transcript

Speaker 0 | 00:09.626

Hi, nerds. I’m Michael Moore hosting this podcast for Dissecting Popular IT Nerds. I’m here with Rob Carson, founder and CEO of SemperSec. Rob, how are you doing today?

Speaker 1 | 00:18.833

I’m doing awesome, Michael. Thank you so much for having me.

Speaker 0 | 00:22.175

I’m glad. We had actually rescheduled this podcast due to my continual ailments. Uh, um, kidney stones over and over again. It was, uh, it was pretty awful, so I really appreciate the fact that you jumped on and rescheduled this with me. Uh, you saw me probably at my worst. Kidney stones, like, nope, I don’t even want to talk to me, like, that hurts. Yeah, it was, it was not fun. Uh, spent some time in the hospital. Not a, not, I don’t recommend it. It was not the, uh, actually had to push my honeymoon out to March. It was gonna be my honeymoon and I hit the, I’m like, all right, forget it. No honeymoon. Instead, I’ll just spend it in the all-inclusive hospital.

Speaker 1 | 01:03.338

Yeah, but at twice the rate.

Speaker 0 | 01:06.060

So I was going to go to St. Augustine, Florida. And the joke is that I didn’t go to that St. A’s. I went to another St. A’s, which was the St. Anthony’s Hospital instead. But now we’re here. And since you had a great idea, which is let’s.

Speaker 1 | 01:23.032

Let’s get the bourbon flowing, right? What, what are you, what are you drinking? So I am drinking Colorado State Straight Bourbon, because I live in Colorado. This is made by Peach Street Distillery. Oh, uh, and I tell you, like, Colorado was leading the micro brewers back in the day. Now we’re reading the micro distilleries, like Breck Bourbon, also another excellent bourbon. But I am drinking the Peach Street because this is probably my favorite bourbon, period. I’m gonna have to try that out. The, uh…

Speaker 0 | 01:51.080

I got the Ghost Hill, Texas bourbon that I was trying out for the first time. It’s actually really good, very smooth going down. I usually drink what’s called Old St. Pete. It’s a whiskey, and that’s made right down the street from me, so being in St. Petersburg, Florida. So both really good bourbons. So today we’re going to be talking a lot about security. Before we get into that, I want to… hit you up with a little segment we call Random Access Memories. All right. Okay. This is just a fun little segment. It’s like rapid fire. I’m gonna throw a question at you and just, whatever comes to your head first, right? The first question is, what is the craziest Wi-Fi SSID that you’ve ever seen? Oh…

Speaker 1 | 02:43.906

Well, mine’s Free NSA Wi-Fi. I have mine…

Speaker 0 | 02:49.728

Mine is Virus Infected.

Speaker 1 | 02:52.429

Virus Infected. I like that.

Speaker 0 | 02:53.869

Which is always hilarious because if I set up a laptop and send it out or something, they always have that kind of in their setting. They’re like, I’ve got a virus. No, you don’t have a virus. It’s just the name of my…

Speaker 1 | 03:04.154

Well, my guest wireless is in Lawnet because, like, why am I letting them come into my network? I don’t know where that laptop’s been. I love it.

Speaker 0 | 03:14.058

Those are good names. I like the Free NSA Wi-Fi. That’s a good one. I like that. What is the most useless IT invention?

Speaker 1 | 03:25.918

There’s so many.

Speaker 0 | 03:27.119

Can

Speaker 1 | 03:33.245

I just say acronyms? Yeah. No, I’m saying like period acronyms.

Speaker 0 | 03:39.030

Oh, just acronyms in general. It’s so many.

Speaker 1 | 03:41.932

All of a sudden it’s like maybe the most useless.

Speaker 0 | 03:46.296

I don’t know. Bob came, Microsoft Bob came to mind.

Speaker 1 | 03:49.097

Oh, you know, the Clippy?

Speaker 0 | 03:50.759

Not Clippy, Bob, the precursor. Precursor. That would, this was a, an entire like,

Speaker 1 | 03:56.743

I think the worst thing is Minesweeper because that will suck your time away on Minesweeper.

Speaker 0 | 04:02.286

That’s true. That’s true. I do remember Minesweeper and I would always, I can never get it. Zipdisk.

Speaker 1 | 04:07.830

Remember Zipdisk? Like those did not look that strong.

Speaker 0 | 04:10.192

I had Zipdisk and that was another thing. That was.

Speaker 1 | 04:12.393

On Gateway. On the Gateway.

Speaker 0 | 04:14.735

Oh man. Yeah. There’s so many useless pieces. And it’s amazing how quickly you’re like, I need to have this. I need to spend a ton of money on it.

Speaker 1 | 04:26.231

And then no longer need it. It’s not even an IT invention. The Sega CD, because I bought one.

Speaker 0 | 04:32.395

Sega CD? I’m not sure. What’s that?

Speaker 1 | 04:34.616

Exactly. Exactly. And I’ve never bought another gaming console since. Because I’ve been like, I bought one. It’s like buying the Nintendo 3D. Yeah. Remember that thing where you had one game of tennis that people got headaches from? It was actually better than that, but it lasted a year or two.

Speaker 0 | 04:56.758

Yeah, that’s not…

Speaker 1 | 04:58.220

You think you’re buying the next console and it’s like…

Speaker 0 | 05:01.055

I think I’ve had my Xbox One now for probably a good five or six years. That thing just keeps rocking. It still plays great games, so I don’t have an issue with it. All right, here’s the last one. Here’s your last one. You ready for it?

Speaker 1 | 05:19.430

Ready.

Speaker 0 | 05:19.990

If you could be haunted by an IT ghost, who would you want it to be?

Speaker 1 | 05:27.096

Oh. Ooh. They can be alive, though, still?

Speaker 0 | 05:35.047

Huh?

Speaker 1 | 05:35.847

They can be alive still? Well,

Speaker 0 | 05:38.368

sure, why not?

Speaker 1 | 05:39.129

They got to be dead? They got to be dead? Because I’m like, I don’t know. If they’re an IT ghost. So we’re talking, oh,

Speaker 0 | 05:47.092

Ross Perot. I would be a ghost that it just would continually be in your ear. Absolutely. Yeah.

Speaker 1 | 06:02.205

You got to love Ross. Like, I mean, talk about pulling a Ross, bro. It’s like, you’re just going to pay me to leave.

Speaker 0 | 06:09.668

Oh boy. All right. So tell me about Semper Sec because I saw this thing and I, you know, I actually, people don’t know. I actually appeared on your podcast. Well, I will appear on your podcast when it gets out there. Um. And then we were chatting and I said, hey, you should jump over on mine as well. And we can be podcast buddies, right? Yeah. But tell me about SemperSec. I’m interested to understand this.

Speaker 1 | 06:37.522

Sure. So we do what I call the arts and crafts of cybersecurity. Like, I know the people who hack Teslas, but we’re not the people who do that. Like, there’s a guy named Carfalker, there’s Digital Science. A lot of people do that. We don’t do that. So what we do is… We come in and typical engagement is customer is trying to, they’ve signed up for something and their sales team wants to go sell to this big customer and they need to get ISO, SOC2, FISMA, FedRAMP, NIST, whatever acronym it is, some sort of security compliance certification. And that’s where we come in to go make that suck less. Like we will craft the policies.

Speaker 0 | 07:23.315

Facilitate your risk assessment. We interview you, make sure the policies are written in your vernacular. We do the internal audit. We sit there as your battle buddy during certification to make sure that you pass and you don’t say something stupid, um, which has happened. Um, this is, this is, there’s an art form, by the way, to this, and people don’t quite understand. They think it’s just read off a list and, and stuff like that, but there’s a, there’s an art form in the way that you frame the information, the way you write the policies. We’re going to get into this a little bit later in more depth, but there, there is a, this is not just a pick anyone off the street, be able to do this type thing. This is not the case. You can really, by the way, if you’re a company and you don’t do this, you don’t do this like a, the right way, right? You can get all sorts of problems, you know, people coming back to you, auditors coming back to you. Uh, you’ll lose, uh, business with the, with the companies you’re trying to do business with, those big guys that, that do it. Oh, this happens a lot. This is a big deal. This is a really big need for companies. I get this all the time. Absolutely. I mean, I look at it as, like, you get two, you got two metrics as a CISO: did you pass your audit, did…

Speaker 1 | 08:35.682

You, uh, did you get hacked? Right. Right. And, like, how do you show you’re acting in good faith? Like, that, it is an art form, right? Like, you have to. And also, like, I make the argument for those of you haters out there that are like, ah, compliance isn’t security. You’re right. A hundred percent. I agree with you. But you know what? If you can’t do compliance, what makes you think you’re doing security?

Speaker 0 | 08:56.491

That’s true.

Speaker 1 | 08:57.251

That’s the basics, bro. Like this is the easy shit. But it is an art form. Like you’ve got to hold a CEO’s password while they change their password for the first time. Hold their hand while they change their password. Like you’ve got to, I know more about cults than I should. Because like. this 16 character password is going to change your life. Michael, you are going to grow hair. You’re going to lose weight. You’re going to get girls. It’s going to be awesome. Like, you know, like,

Speaker 0 | 09:23.626

but I don’t even know half my passwords anymore.

Speaker 1 | 09:27.088

That’s a beautiful thing. Right.

Speaker 0 | 09:28.108

I don’t even know.

Speaker 1 | 09:29.289

But it’s like, but you have to, you have to be able to get in. Every company’s culture is different and you’ve got to make it work for them. And like, cause when we come in, like you brought in the Marines, right. You brought in this group. That’s like, we’ve got to figure out your culture. We’ve got to advise you what works within you. And like, I mean, we have customers, like we wrote an entire set of policies and procedures in Markdown on GitHub. I wouldn’t recommend it. Kind of like driving a Ferrari on a golf course. Go to a Ferrari on a golf course. But we did it. But it’s like, they have trigger words. But if you say the word change meeting, they will flip out. So you have some companies that are like hardcore, ITIL. We have a change board. We have two meetings a week. Awesome. We have other customers that like, you got to figure out how to be compliant and do a thousand pushes a day.

Speaker 0 | 10:12.908

Yeah. Yeah. This, this is actually, this is a great, this is a great discussion, Rob, because we, so often I go into companies and I talk to them and they’re like, here, I just want to pay you and get me up to date. I’m like, well, that’s just not how it’s going to work because I need to know a whole bunch of information about your company to figure out how this, how the security is going to work. Right. And just like you mentioned, you know, you know, it’s about the culture. I mean, some companies are like, I want everything and put it in place and I don’t care what it is. Other companies are like, how do we put this in place? But let me still do the things I need to get done. Right. And you just have to weigh that and figure what that is.

Speaker 1 | 10:54.424

We don’t want to have any change. Yeah. One guy was awesome. This board member was all worried about ISO. He was worried it was going to change everything. And I sat down with him. And I was like, sir. I’m just trying to make sure your insurance pays out right now. Like, like you leave a laptop at a Starbucks. We have a reportable breach. I am just trying to get to the point where like a self-inflicted wound doesn’t cause a problem.

Speaker 0 | 11:18.282

Exactly.

Speaker 1 | 11:19.462

Like I’m worried about China. I’m worried about you.

Speaker 0 | 11:23.464

It’s a, it’s amazing. So I, you know, when I was, um, uh, when I was, uh, uh, you know, learning all, all the security pieces, I actually did it in a company that was all healthcare. Right. So perfect way to learn about security, and one of the strictest spots. Like, if you’re in healthcare, financial, or government, you’re going to learn security really well, right? Yeah. You’re going to be audited to be able to work with other companies. You’re going to have to be, uh, trading information back and forth and signing documents and everything like that. Um, this, it is such a needed now. What I always find interesting is when you take a group, um, and you’ll see these, like, um, either they’ll be startup companies or there’ll be companies that are operating kind of like the, hey, we’re new, we’re freestyle, we’re going to do all this type of stuff. And they find a client that is like a well-known credit card company and stuff like that, and they want to do business with them. And all of a sudden, they get slapped with this giant list of requirements, and they’re like, ah! You know? And it just boggles my mind sometimes, you know, because they come over, they’re like, I can’t do all this. I’m like, but you can. It’s just you need to. I mean, yes, you’ll need to invest a little bit of money here and there. It depends on what you want to do, but you can do it.

Speaker 1 | 12:50.788

It’s true. Like, and it’s what I think a lot of people not only can do it, but you can do it for cheap. Like, there’s a lot of good security can be done for free. Like, if we’re being honest, like. There’s a cybersecurity industrial complex, right? And they sell you all this fucking shit. Do you want to cuss on this podcast?

Speaker 0 | 13:09.910

I don’t know. We’ll see what happens. We’ll find a way to delete it.

Speaker 1 | 13:14.414

They sell you all this stuff. And like, you know, remind me about the Swiss Army knife later, about the software. But they sell you all this stuff and then they tell you it’s magically going to solve all your problems. It’s like magic beans.

Speaker 0 | 13:30.728

Yep.

Speaker 1 | 13:32.401

You still have to run the program, but you can also do a lot of security by just running your program effectively. That’s one of the things we teach our clients. It’s funny. A lot of our clients renew. I’m not trying to hustle you. I’m just giving you our experiences. I say this because they renew, but they don’t renew at the small rate. Some of our best reference customers didn’t renew at all. We actually teach them how to run their program. It’s great. They don’t have to have to stop with us for life. But like. Teaching them how to balance risk, right? Like, I don’t know, maybe we’re derailing now, but you think about it like your customers or your company, they don’t care about your employee data. They just don’t. So you can buy them LifeLock, move on. Like, what do they care about? And I…

Speaker 0 | 14:28.425

I don’t know. I’m all over the place right now. Where, I lost my train of thought. Where were we? Let me, let me back up, because I, I like, uh, something you just mentioned. And tangent. No, you did, but it’s okay. Um, because in that tangent you said something that was pretty, uh, pretty on point, and you were talking about, um, trying to, uh, um, basically, uh, you’ve got these companies and they’re trying to, you know, actually figure out what they need as an organization, right? And I think that’s where you’re going with it.

Speaker 1 | 15:04.188

And prioritize, right? Because sometimes you have to learn to let Rome burn. You have to sit there and go, I can’t get to this. But I think we’re cybersecurity professionals, IT professionals. We see all these problems. I mean, you go to DEF CON and you come out of that thing going, oh, we’re hosed. And so how do you prioritize it? And I think what we try to teach people is, one, it’s not your job. Your job is to identify the risks. Go to the risk owner and let them decide how much it matters. Like, because, like, you’d be amazed at some stuff. They will actually help you prioritize things. They’ll tell you, I care about this, I don’t care about that. And you say, are you sure? Blah…

Speaker 0 | 15:51.673

Blah. They’re like, nope. Okay, cool. Like, this won’t cost, this won’t affect the P&L. And a lot of people think, in, a lot of business, uh, folks and security folks as well think that it’s all or nothing. I have to go all in and stuff like that. But what it really is, is a balance between what the business needs to do and what the acceptable level, acceptable business level of security that they want to follow. Yeah.

Speaker 1 | 16:22.904

And you can and you can treat it with policies. It’s like a lot of people want to follow the rules. So you need to write your rules in a way that are followable for the record. Like you can’t just say. Like you can’t stop people from doing their job. So you got to think through the rules, but also how do you get to yes. And then like when you write your policies, one of the recommendations I have is like, tell me where you store it. Tell me how you follow this policy. What is the procedure? For all requests, I send them here. For this, I do this. All these things are stored here. And the reason why you sometimes want to add that specificity, so you actually have a program and it’s not, we do stuff and things, right?

Speaker 0 | 17:07.466

And that’s a good move because when you’re going through this stuff and if you just blanket put out a policy, nobody’s going to follow it. But if you put a policy out knowing how the business operates and you integrate that into their business operations, then they will follow.

Speaker 1 | 17:28.221

Yeah. Well, and I think you should train. I think people try to do, they try to check blocks. By buying some crap training, whatever it is. There’s some good stuff out there, like the phishing simulation, stuff like that. There’s some good stuff. But I do training by, I recommend at least, trying to do it, breaking it up at least in the two groups. Sales and marketing and dev. Maybe you have operations, customer support, maybe there’s a third section. I don’t know. It depends on the organization, what you’re built at. Train when you do that, when you do your training, your training shouldn’t be don’t click on this. Like, that’s great. You should always be training like the phishing awareness, whatever. That’s fine. But train people on the policies. Talk to them about how to follow the policy. Have that conversation by group, because also like dev people, like they’re in the dark. They’re not necessarily the most social people in the world. And they sure as hell don’t want to talk around a bunch of people who have had an egg white frittata and a frappuccino. And they’re like a bunch of salespeople. Right.

Speaker 0 | 18:31.554

Like, it is what it is. It is true, though. I mean, so how do you have that conversation? Yeah, this is a, this is a really, a really big deal, because, and, and I, it’s almost, it’s, it’s security by company personalization is what it is, right? Yeah, that’s essentially what, what we’re talking about. Um, uh, uh, let’s take a break real quick from security, sort of. I want to, you, I want to ask a question to you about your podcast, because it’s a, I’m going to get this right. It’s a Blue Warrior podcast,

Speaker 1 | 19:09.438

blue team warrior,

Speaker 0 | 19:10.358

blue team warrior podcast. And that, you know, the idea of a blue team versus a red team. Can you get into that a little bit and actually select why you said, it said the blue team. Cause it’s very interesting to me. Yeah.

Speaker 1 | 19:24.064

So. I built a podcast. So part of it started from a talk I was given on guerrilla warfare for the blue team. So using insurgent tactics, cause they’re underfunded understaffed. And part of that is your own, your information campaign. Cause I think that, you know, not that I’m, I’m, I’m endorsing Che Guevara, but Che Guevara made some valid, valid points about like, you need to have an appropriate amount of propaganda with every action you do. Right. And propaganda can be used to inform or to fool. So, you know, you’re a blue team, you got to inform, but. What is our messaging? There’s so much red team. This guy got hacked. This did this. This did that. But nobody ever says thank you for not getting ransomed. Like, it’s not a thing, you know? Like no one. And for you, I teach folks, I know this is an IT podcast. When’s the last time you got a mess email saying thanks for the printer working. That’s never going to happen. But I guarantee you,

Speaker 0 | 20:15.005

right.

Speaker 1 | 20:15.685

They let you know when it breaks. No, the 300 days a year, the email is working. Nobody says anything. But the one day it’s done. They’re sure to let you know.

Speaker 0 | 20:25.652

Exactly right. And but, you know, it’s interesting, too, because if you’re on message with with your blue team. Right. If you’re on message and you’re continuously saying, hey, we need to do these items. We need to do these. You probably want to invest in this. We probably want to change this. We should do MFA. We should do all this. And you’re and you know, we need to write. We need to adhere to these policies. I need to strengthen these policies. If you’re doing all that stuff and you’re communicating, not just doing it and leaving it there, not just writing documents and going here. Bye. See you. Bye. Writing documents, communicating, making sure they’re being followed. and continuously updating people on possible threats and staying vigilant, all that thing, right? Then when it’s time for red team, right? That allows the blue team to slip in afterwards and go, remember that thing that I told you about? It’s time to do it. And that’s a great message. If you’re on point with the message. If you know what you need and if you continuously do what you’re doing, if at the point of time that something actually does happen, right, then if you dotted your I’s, crossed your T’s, then it means that somebody didn’t invest in something or didn’t follow protocol. Or you’re just, you know, you’ve got, you’re unlucky in that somebody in the organization did something wrong, right? And if that’s the case, then… That’s when your blue team message becomes even popular, even more popular, even more important.

Speaker 1 | 22:08.089

And Michael, I don’t know if I should show you my business continuity incident response tabletop.

Speaker 0 | 22:16.453

Oh, I don’t think so.

Speaker 1 | 22:17.533

Okay. So I know this is an audio only, so I’m just going to describe what I recommend to people. So because you’re talking about getting your blue team message across, like what’s one way you can do it? Make your tabletops like make your own adventure. So, you know, I, I can show you, you know, if you want to see it, but from, since you guys are talking about, like, a choose your own adventure book. So it is, so like, so I got so tired of just, like, one slide, like, kind of, you know, whatever, that we, uh, so here, let me, I’ll show this to you. So like one of the ideas is.

Speaker 0 | 22:53.707

He’s going to show me and I’m going to, I’m going to go. Ooh, you’re a better describer. Right.

Speaker 1 | 22:59.290

Oh, I can’t even, I can’t even screen share. It doesn’t matter. But the idea is like one of the things would be, so one of the, like one of my scenarios is, um, uh, so Ashley sends an email to Bethany asking her to please pay the invoice for the conference booth sponsorship. Does she pay it? Yeah, it does. Cool. Well, So it takes us to the next slide, right? The next scenario. And then it goes, hey, at the leadership meeting the next day, Ashley says, I have no idea what you’re talking about. She says, oh, ask if she paid this. And she’s like, I have no idea what you’re talking about. Do you call IT or do you blow it off, right? Well, we call IT. But this is where you train IT, right? So you call IT. And IT goes, okay, we’re going to reset creds. Is that where they stop? Or do they continue to pull out that sweet run book and go through their investigation? Because, like, unfortunately, because this is the reason why I do it this way is some of it. And it’s also to show why you do the certain things. So I’ve got scenarios where it’s like, hey, I put private parts all over your website. Hey, you can pick A if you can show me your last backup and restore test. You can pick B if you can’t. So and I think the reason why is like. when I say like, you’re trying to train, you get your message out there. So you’ve got to show people, here’s what happens when it goes, if we don’t.

Speaker 0 | 24:23.997

Right. You know, that, that is a, it’s fun. This is the first time I’ve ever heard of this, but it’s such a great idea. Right. Because, because people don’t know until they know. Right. And I’ve, I’ve had so many different people, you know, sometimes come into my office. and when I was working at an office, um, and, and they would come in and they would, uh, you know, they had screwed up and done something that they shouldn’t have done. There’s a virus on a computer that, you know, something happened. I visited a website. Oh my gosh, something happened. You know, I sent an email to somebody. I didn’t know all this, all these bad things that could possibly happen. Right. And, um, And it’s too late. Especially, you know, I’ve had someone came in, they sent an email with confidential data out to somebody they don’t even know. And at that point, I look at them, I’m like, well, it’s too late now. Like, you, there’s nothing we can do. You’ve already sent the data out to the void, right? I mean, at that point, it’s free game for everybody.

Speaker 1 | 25:30.172

And it happens.

Speaker 0 | 25:31.273

Yeah. Oh, more than you would think. And, and it is a. It’s a real devastation. And that’s why I think the blue team messaging is so important. And actually, I love the thought process to do it like a choose your own adventure book.

Speaker 1 | 25:51.462

And you can write people into the story. Because if you want people to care, make it about them. It’s not about you. It’s about them. So what do they care about? People are human. Like. Why do people want to be on podcasts? Because they want to be cool, right? Like, it is what it is, and there’s nothing wrong with that. So, but play into that and understand human nature. And if you have them in the story, guess what? They’re going to be paying attention a whole lot more. Like, and the fun part is you get to ask the head of marketing, hey, do we have a script already ready to send out in case our customer, someone on Twitter says we’ve been hacked? What are our questions? No, we don’t. Okay, the scenario continues down this path because we don’t have that.

Speaker 0 | 26:33.787

Yeah. You know, what’s funny is I’ve had that conversation before several times. And it always kind of amazes me when I walk through scenarios with folks and they go, oh, no, we, no, oh, oh. And how they feel afterwards is like this bottomless pit of like they thought they were doing good. And then all of a sudden they’re like, and I’m like, listen, don’t feel bad. It’s great because you caught it before it was a problem. That’s the great part. Now you can fix it.

Speaker 1 | 27:07.621

Yeah, absolutely.

Speaker 0 | 27:09.021

Yeah, that’s a good one. I actually like that. That’s a really, really good way to look at that and a really good way to do that. Now, writing policy is a lot of people like to snore when they do it. I am a writer. I like writing. I have fun doing it. I actually like picking my words carefully and writing policies so that when auditors will come back to look at the policy, they don’t have a lot of wiggle room to be able to do it. This is this here, I cover this. And one of the things that I always feel is, I always kind of do to folks when I talk to them about security is I start narrowing the scope, right? So I’m like, okay. Listen, we got security, but that doesn’t mean you need to secure everything. Like, what are you trying to do? You got critical data? Let’s fix, where is that data located? Let’s try and just, you know, and also apply it there.

Speaker 1 | 28:18.536

Well, I think it’s also like activities. So what business processes matter? Some matter more than others, but some are more of an availability thing than a confidentiality thing.

Speaker 0 | 28:30.748

That’s true.

Speaker 1 | 28:31.748

And so when we say secure it, what do we mean? Right. We need to, we got to think through that. That’s part of that risk assessment. That’s the part that I think, I don’t know, like I see, I see it all the time. And this is where we come in. We try to help bridge those gaps of getting it out of their own little, like they’re afraid of their own shadow sometimes. And like, for those of you listening, some of you are like, but they’re going to eat me. It’s fine. That’s what you bring in a consultant for, because we’re brilliant. Just ask us. And like,

Speaker 0 | 28:59.235

Been through it.

Speaker 1 | 29:00.428

Yeah, not only have we been through it, but because we’re a consultant, suddenly people will listen to us, even if it’s the same stuff you’ve been saying before.

Speaker 0 | 29:09.833

It’s surprising, but Rob is making a great point here because I have done the same thing in an organization, especially if you’re internal IT. You’re trying to get something, right?

Speaker 1 | 29:22.920

Yeah.

Speaker 0 | 29:23.641

You know, I don’t know why, but why companies sometimes don’t listen to their own people. But sometimes they need a second opinion and you bring them in and you do that. And also, too, it’s not just even that. You may think, and I’m talking to the IT individuals that we have, you may think that you know the best way to do it. And you may not. You may not. There might be a better, cheaper, more streamlined way to get that done that you probably have seen because you’ve been doing it with a lot of different companies.

Speaker 1 | 29:55.031

Do you ever think like sometimes they need... it’s almost, it’s also sometimes being able to be told, hey, it’s okay. You can’t secure it all. It’s like, there’s so much pressure and you’re trying to do all the things. And sometimes people like, they’re, everyone’s intentions are in the right place. But I get people sometimes trying to play see-saw and it’s nothing wrong with them. Like they’re IT people. They’re doing, they’re holding both hats, but they’re either, they don’t care enough or sometimes they care too much. And it’s like you’re caring about things that nobody cares about. It’s true.

Speaker 0 | 30:30.687

It’s true.

Speaker 1 | 30:31.767

Right. Like, yeah.

Speaker 0 | 30:34.472

You’ve got a bunch of companies that frequently understaff their IT departments.

Speaker 1 | 30:40.633

Absolutely.

Speaker 0 | 30:41.474

And then they, you know, and you’ve got in your head all sorts of things. Like the IT directors today, CIOs today, they deal with every possible thing under the sun. I mean, one day they could be fixing, talking to somebody about fixing their laptop while they turn around and create a budget. Right. That’s how flexible. IT directors, VPs of IT, that’s what they need to be. They just need to be able to go from one spot to the other and run the gamut. Unless they have a highly populated team in the internal IT, which is usually not the case.

Speaker 1 | 31:23.177

Absolutely. No, it’s totally true. Because I think one of the problems is they… I mean, it’s hard, right? Like, you are trying to do everything. And there’s so much cyber bullsh** a lot there. Like, you don’t even know what to care about. I mean, you go to the conference and it’s like, I’m told I need this. I need SASE. I need Zero Trust. I need this. I need AI, blockchain, APT, APT. And it’s like, bro, I am just trying to make sure people’s password isn’t password.

Speaker 0 | 31:57.789

Yeah. Let’s start with this. First and foremost. If you don’t have cybersecurity insurance, get cybersecurity insurance. Yeah. And to get cybersecurity insurance, what are they going to need to do, Rob?

Speaker 1 | 32:11.888

They need a program. They ask a lot of questions. And you probably need a privacy program depending on what you do. That’s one of the things we also do, too, is we do 27701, which for those of you listening and Googling, what’s 27701? That is the privacy cert you can get in addition to ISO 27001. The reason why that’s relevant is it’s the closest thing that I’ve seen to a GDPR cert that’s accepted. Because it means you have a real privacy program and it will cover you for CCPA, CR, whatever it is, whatever privacy world you’re in.

Speaker 0 | 32:47.856

So let’s run up these acronyms real quick. So for those who don’t know, GDPR is the European privacy set of regulations. And so if you’re in the United States and you’re trying to do business with someone that’s in Europe or you’re trying to transfer data back and forth, you better adhere to these GDPR rules. So one way to do it is to set up DPAs or data privacy addendums. They go by different names, but that will allow for that, and set up Privacy Shield, even though Privacy Shield is not really, and, kind of enforced right now. I don’t want to not be on it.

Speaker 1 | 33:31.957

There’s a new thing coming.

Speaker 0 | 33:33.538

Yeah, 3.0 is sort of coming, right?

Speaker 1 | 33:35.558

Yeah, so that’s why I recommend the privacy cert with ISO.

Speaker 0 | 33:39.160

Yeah.

Speaker 1 | 33:39.600

Because Privacy Shield, it’s not really accepted, right? Or it’s kind of, it is and it isn’t.

Speaker 0 | 33:46.723

It’s this weird gray area.

Speaker 1 | 33:48.484

It doesn’t, like, yeah, that’s the problem with it, right? You’re not going to,

Speaker 0 | 33:52.726

having it is not going to be a detriment to you.

Speaker 1 | 33:55.707

No, it will not hurt you. And it… if you have a good privacy program, it really shouldn’t be hard to go get privacy shield. Like that’s not really that big of a deal.

Speaker 0 | 34:03.069

Yeah. Listen, I, I get, I get things all the time that still reference privacy shield, even though it’s not really, it’s still active within the United States.

Speaker 1 | 34:12.812

Absolutely. Is not,

Speaker 0 | 34:15.733

is not really accepting it.

Speaker 1 | 34:17.573

Yeah. They don’t care. They’re like, yeah, we got our court rejected it.

Speaker 0 | 34:20.854

That’s why you have to make sure that anybody that you hand data to, right? Your sub-processors are all documented and that you have data privacy addendums with them to ensure that data transfers will work. Well,

Speaker 1 | 34:36.978

one of the things I’ve recommended and like, I’m not saying if you get certified against it, if you don’t deal with a lot of PII, but so my little company is ISO 27001 and 27701 certified, which is pretty rare, like for seven people, like that’s people. And I was like, just record, you can do to some people. But we did it so that we could live it, right? Eat our own dog food. And like, it’s fascinating. It caused me to think through from a marketing standpoint, what data do I collect on my, on my vendors or on my customers? Like, what, what do I care about? You know, what do I, what do I need? What do I not really need? What am I not like, I don’t need this data. Like, because there were times like I thought about collecting veteran data, right? Are the, are, you know, some of our customers are veterans and being a veteran-owned company, that sounded like a cool idea. And then I thought through it and I’m like, what am I going to do with that? Nothing. Cause I’m going to still send a birthday cake to our non-veteran customers too. Like it doesn’t, cause for those of you, you know, Marine Corps birthday was November 10th, 1775. If you know a Marine, always say happy birthday on November 10th. If you don’t, you’re a bad American and you let ISIS win.

Speaker 0 | 35:54.026

But sorry,

Speaker 1 | 35:56.107

I can’t continue on. The point is, but it forced me to think through that, right? And we only have it because when we’re doing audits, we possibly could come across customers with PII. And the way we set up our audits, generally it’s not going to happen, but we wanted to make sure that we knew how to run a program. And what’s good about it is it will actually increase your security if the data that would be breached, that would cause the most impact is PII, then you want a privacy program because that will limit the breach.

Speaker 0 | 36:26.923

There you go. You know, I did mention, by the way, GDP, GDPR and, you know, basically, you know, crossing the Atlantic to do it. But, yes, CCPA also is in the United States. And I neglected to mention that.

Speaker 1 | 36:44.478

So it was basically patient privacy. New York 500. So CCPA is California Consumer Rights Protection Act. It’s regulations that. There’s CRPA, there’s HIPAA, there’s HIPAA HITECH.

Speaker 0 | 36:58.485

There’s DFARS. DFARS. What’s their thing called now? It’s DFARS, but what’s the…

Speaker 1 | 37:12.173

CMMC.

Speaker 0 | 37:12.593

Yeah, yeah, thank you, CMMC. That’s the biggest one right now because a lot of contractors are scrambling to get into that one. They are.

Speaker 1 | 37:21.658

If anyone listens to this, that’s what we do for a living.

Speaker 0 | 37:24.736

If you’re dealing with credit card information, you’re dealing with PCI.

Speaker 1 | 37:28.078

PCI, you got PCI. If you’re dealing with, so you got CUI, which is basically somebody probably got a medal because it used to be, that’s why I hate acronyms sometimes, because it used to be For Official Use Only. But now it’s like it’s CUI, which really only the government can define what CUI is. And CUI was really designed to be like, if you put Rob’s a Marine, Rob lives, Rob is stationed in Djibouti, and he does this job, like those, any one of those things doesn’t matter, but those three things together are a thing. And so, like, we need to control that information. But one of the things I tell you is that, like, anyone listening to this with CUI, like, the government needs to tell you what CUI is. You do not. They tell you what CUI is. You are not, uh, don’t decide it yourself. Let them tell you what CUI is.

Speaker 0 | 38:26.493

That’s a great point. That is absolutely great point. Because it’s really easy to determine what PHI is, right? Everyone knows what health information is, right?

Speaker 1 | 38:35.640

Just tell you what that is, right?

Speaker 0 | 38:37.501

Yep.

Speaker 1 | 38:38.522

And it’s funny, you brought up the HIPAA, so everyone knows what PHI is. Don’t confuse it with ITAR. So you familiar with ITAR? Jog my memory, it’s International, but I can’t remember. International, IT, International Trafficking, Trade and Arms Regulations, like that. Okay, basically, it’s basically saying like, hey, it was designed, uh, for, hey, if you build this sweet gun and the military says, hey, you can’t sell that to Russia, right? It’s restricted by trade regulations. So you... The same thing has happened with encryption. Certain encryption algorithms are governed by ITAR. So some of your software might be governed by ITAR. If you make chemicals, whatever you do might be governed by ITAR. That doesn’t mean it’s CUI. It just means it’s governed by ITAR. And there may be rules on who can read it, like no foreign, US, Canada, or whatever. But that’s different than CUI. It can be the same or it can be different.

Speaker 0 | 39:52.120

Yep. That’s an interesting point. And it kind of goes back to what I was talking about, about scope, right? And identifying scope. And this is a big deal because… it’ll save you some money and some time and a whole bunch of stuff. Because why are you going to, unless it’s cheaper to just do the whole thing, and sometimes that happens, but most of the time you don’t have to secure anything. And I love what you said when I talked about data, but you also talked about the business processes that happen as well, because that’s such an integral piece of it.

Speaker 1 | 40:27.671

Which activities handle this data or matter or care about this?

Speaker 0 | 40:32.615

Yeah. And, and. And sometimes people get wrapped up too much in, I got to protect just the confidential data and all this type of stuff. And then you’re like, okay, but, you know, if something happens, how do you collect payments from your customers?

Speaker 1 | 40:50.100

Or what’s going to serve you service credits?

Speaker 0 | 40:52.581

Right. You know, your website goes down. How’s that going to look to everybody, you know, and stuff. So these are things that sometimes people overlook because they’re so focused on. I’m trying to do the scope. So it’s a good point. We should limit the scope, but we should also identify the other pieces of the puzzle that make up the entirety of the business. I just tell people, I say, you know, listen, if you close your eyes and think that your entire company is down, what’s the type of stuff that you’ll start to bring up first?

Speaker 1 | 41:23.896

Yeah. Not only that, what’s the minimum level of security? So what stuff should be in your DR plan that’s required by contract, right? That’s one of the things about ISO. So one of the things I love about ISO, and I am an ISO proponent, mainly because, like, you have an ISO backbone, it’s so easy to map to everybody else. But two, uh, it allows tailoring of the controls, whereas this is very prescriptive: thou shalt, you know, you gotta fail, if you’re doing FedRAMP, fail closed if you stop logging, right? Right. So that sounds great, but that doesn’t apply to everything. So what’s nice about ISO is that, like, you can write the rules based on the risk. So if you do want to certify, because what’s cool is you can certify the whole company for ISO if you wanted to, or make everybody follow it. But then you add on the NIST, the CUI, so like this department handles this, this matters here. Here’s some more prescriptive regulations in the PCI environment, whatever. But with ISO, like you write the rules based on the risk. So like if you’re only handling, like let’s just say, internal use only or secrets, confidential data, customer contracts. You’re in this bucket and here’s where the world you live in and you have a lot more freedom. So it also encourages people to stop trying to handle stuff or have access to stuff they don’t want. But if you’re in this bucket, you handle the top secret data, the G14 classified, strictly confidential, whatever you want to call it. I don’t care. The rules should be more painful based on the risk.

Speaker 0 | 42:57.943

Yeah, exactly.

Speaker 1 | 42:59.192

You can write a program that lets the company operate and go, Hey, do you handle this data? No. And here’s your rules. If you handle this data, it’s a little more restrictive because you’re handling this data.

Speaker 0 | 43:10.838

Yeah. It’s like put the stops where they should be. Exactly. Leave everything else smoothly running.

Speaker 1 | 43:18.202

If you slow down marketing, trying to bring on some, whatever to build, to do something stupid that you don’t even care about and nobody cares about, you’re going to be out of a job. It should be part of the CI know, go, hey, here’s the risk. You’re not handling this data. It’s up to you.

Speaker 0 | 43:34.551

And another good point here is that also you have the ability when you’re redefining security in an organization to also redefine the processes as well. And you should take advantage of that because you can actually simplify processes. Processes get crazier, you know, as time goes on. And then people are doing things. I don’t even know why. And you’re like, why are you sending this to this person over here and over here and over here? Just send it here, you know. And so if you simplify those steps and make their job easier, at the same time, you’re implementing security, which is great anyway, because anytime you want to implement security, it’s always easier to implement it from the ground up than really to tack it on afterwards to a thing. So rethink of the process, reimagine it with security in mind. And sometimes you can create these processes that are way more effective.

Speaker 1 | 44:26.380

And reduce time, much easier for folks, and have security built in. 100%. I mean, Mr. Moore, you are a brilliant man, because like, make it suck less. Like at the end of the day, it’s not skiing, it’s not snowboarding, it’s compliance. It’s, it’s a program, but you got to make the program function, right? And, you know, it’s funny you talk about streamline and take advantage of that. I also tell people, don’t try to boil the ocean. Like when you talk about narrowing your scope too, like nothing says, like, next year you can’t expand your scope. So make, you know, when you’re doing like third-party process or something, like roll it out to just one department first and make sure you can be efficient. Because the other part that I think people screw up is they want to improve their security, but they don’t account. And they’re like, oh, and even this new software will save us time. A SIEM is going to help us save log correlation. But if you haven’t been doing log correlation to begin with, guess what? It’s still net new time.

Speaker 0 | 45:35.243

Yeah.

Speaker 1 | 45:36.203

Like people forget about that. They’re like, it’s going to streamline all this stuff. But if this process didn’t exist, you can streamline it all you want, but it’s still a thing.

Speaker 0 | 45:45.245

Now you’ve added additional pieces to it. Yeah. No, it’s a good point. And this happens all the time in organizations. Yeah. There’s a nice, super good looking app, app that comes out and people are like, Ooh, yeah, this is going to solve all the problems. Well, really, well, to solve your problems is turn around and re-looking at your processes and fixing them internally. And sometimes, actually, that’s a, you know, if you can do it internally, great. If you can reach out to somebody from a consultant standpoint and do that, that also helps, too. It’s great to have an outside perspective sometimes when you have too many people that have been doing it for so often.

Speaker 1 | 46:22.449

Yeah, and it’s like, you know, so we do, like, compliance as a service. After they get certified, we help them maintain their program. And it depends on what level they need. It’s like… If they have the staffing, awesome. If they don’t, we help them. And sometimes we play, I don’t use the term virtual CISO because I don’t want to be a threat to anybody’s title. Like, bro, you can call yourself whatever, or lady, you call yourself whatever you want to be. Don’t care. You can call us whatever you want us to be. Don’t care. Because, like, we’re here to help. Sometimes we do more because, like, they need a security person and they want a peer. And sometimes they want a deputy. Like, and that’s fine too. Like. but you also have somebody to handle the grunt work or the crap that you don’t have time for. It’s like filling out the stupid questionnaires or making sure you did the risk assessment, you did the tabletop, but you never wrote it up. How do you get credit for it? Or the internal audit and the prep and the thing. There’s all these things that sometimes you need a little help. And the thing is, I always look at it as like, you’re an IT, Michael. It’s easier to outsource certain things than it is others. Like having people on your firewall is a lot scarier than somebody writing policies or making sure your internal audit was done right.

Speaker 0 | 47:37.084

Absolutely. And that’s a big piece. I mean, you end up, and that’s actually a big trick in business in general, is what do I outsource and what do I not? I mean, you got to think, you know, where is your strategic value as a company, right? What do you do that probably people don’t understand or don’t know, right? Great. You keep doing that. And then the things that have no strategic value that you can just do like normal, then outsource that stuff. Get them out of the way, right? I mean, these are…

Speaker 1 | 48:08.454

My little company. I have outsourced HR, outsourced finance, outsourced marketing. We don’t do that. We do compliance. We do security compliance.

Speaker 0 | 48:19.719

And this is a good piece to it because if you don’t know where to start with… it’s kind of last thing I’ll say on this piece is if you don’t know where to start with security and you feel overwhelmed, right? The good news is, is there’s you know, there’s folks out there like you, like you that do this all the time and can help you through the process. Don’t sit there and struggle and silence and try and, and go, I don’t know what to do. Right. I mean, this information is that there’s tons of people out there and And it’s okay to say, hey, we need to bring in some outside help to help get this correct.

Speaker 1 | 49:02.222

You know, Michael, you hit the nail on the head. So, like, one of the things I described, and it’s funny, like, I’ve worked with some, like, we have customers that are security companies, hardcore security companies. And they use us to help for what we are good at. Yeah. Like, and, like, so, like, security is like medicine now. You need a heart surgeon, you call a heart surgeon. You need a general practitioner, you go to a general practitioner. Or in your case, Michael, you know, urologist, you go to the urologist. You don’t go to, you know, the cardiothoracic surgeon. Right. Urology. Like, wrong person. So, and that’s the thing. It’s like, I feel good. It helps me sometimes, like, I need to feel good about myself. I’m like, no, I don’t suck. Because, like, you know, compliance gets a bad name. But it’s like, when we have real security companies that bring us in to go help them get, because they do security for their customers. But. It doesn’t mean anybody does this stuff for fun and they don’t know how to do what we do. That’s okay. And these are some world-leading experts. I can’t give their names or any of that stuff. Violation of, like, not only NDAs but just, like, code, man code, or, yeah, person code. But, uh, like, what, but if they can use this, anybody can. And it’s okay to admit you don’t know everything. It’s impossible to know everything. And that’s why I don’t call it virtual CISO, because I don’t want someone who wants that title, director of security, whatever they are, director of IT, to feel, because, like, you don’t want something. No one’s gonna hire a virtual CISO. They’ll hire some people to come help them out.

Speaker 0 | 50:33.238

Absolutely. And it’s a good point. No one knows everything in IT. And it’s a foolish thought to think that they do. A lot of people understand who to talk to and who to get to get that stuff. And they understand the general rules and stuff. And if they don’t know, they know who to go out and actually talk to to make sure that they get that information. And that’s big. But that being said, Rob. It’s time for IT Crystal Ball, and I want to know if you know what the future of IT security is. I know. Every time I say this, I get that, like, oh, there’s, oh, man. But, yeah, the future of IT security.

Speaker 1 | 51:20.814

I think the future is the past. So, and this is something, like, what’s funny is, like, you ever listen to General Mattis? He talks about, like, you’ll hear, like. the new hotness, hybrid warfare, blah, blah, blah. And he’s like, it’s the same stuff people have been doing for years. It’s just now they’re doing it with different tools, techniques, and procedures.

Speaker 0 | 51:39.605

It’s a great way to look at it.

Speaker 1 | 51:41.367

Like zero trust is not new. For those of you who think you have come up with the most brilliant plan, this was all the hotness about 10 years ago. Like what’s old is new and what’s new is old, right? It’s the same stuff. And so, did my camera just get fuzzy?

Speaker 0 | 51:58.850

Yeah, good news is that no one else can see that besides me.

Speaker 1 | 52:02.531

I’m just making sure I’m not having an aneurysm because it’s like, man, I’ve had a little bit of bourbon, but it shouldn’t be that blurry. So I would say like next generation, you’re going to see automated compliance in certain parts. Now, I give this word of caution. Automated compliance is great for what it’s good for. It does not replace running a program and actually making sure your program is effective. It’ll automate what you are doing. It will automatically tell you you’re not doing it right, but it will also only automate detecting what you pointed at. It’s like running a Nessus scan at a section of your network.

Speaker 0 | 52:40.477

That’s perfect. That doesn’t need anything.

Speaker 1 | 52:42.418

I got no vulnerabilities. Like you too can have a perfect score. So I think, and I think that’s the, the, the, the scary part is more automation. People forget that like you’re automating. you might be losing something from it. I’m not against automation, but I’m against giving yourself a false sense of security. So I think that’s one piece. I think you’re going to see a bit of a movement back away from cloud, believe it or not.

Speaker 0 | 53:14.858

Interesting. Okay.

Speaker 1 | 53:16.599

Not much, but I think there will be a subsect of people that will go, because I’m a big fan of the cloud because I hate blinky lights, shit breaks, it just is what it is. However, there are some things that maybe it doesn’t make sense to put in AWS or Azure GCP. And don’t get me wrong, they’re great stuff. And they probably do a better job securing stuff than you do. However, when you put it in that third party, you now inherit additional risks. So depending on what you do and your size, there are some things that maybe don’t make sense.

Speaker 0 | 53:51.451

Yeah.

Speaker 1 | 53:52.152

And that’s okay. So I think you’re going to see… That and then, oh, sorry. I don’t know which one we want.

Speaker 0 | 54:00.050

I think you’re doing fantastic. Just keep going.

Speaker 1 | 54:04.173

I can see this. I can see, like, it’ll be interesting to see how MSSPs look in five years. Because, like, it’s such a hustle. Like, you pay 10 grand for Splunk, and then you pay 10x that for someone to tell you what Splunk says. And some suck less than others, but I think you’re going to see the MSSPs that they’re going to find ways to actually take action for you. Because you’re going to need that for them to become more useful. Otherwise, it’s basically like PagerDuty. It’s a person with PagerDuty, right?

Speaker 0 | 54:47.088

Exactly. And what happens is if you don’t… actually pay attention to the needs of your clients, then what’s going to end up happening is you’re going to become the… extra cost line item on your, you know, when the CFO looks at it. Yeah. And they’re going to say, what is this? Well, they do our security.

Speaker 1 | 55:13.901

And it’s like, do you really need that? You know, because like if all they’re doing is giving you that, then like you can hire a person to just anywhere in the world. They look at red light, green light, go, it went red, call you. Like that’s way cheaper. Like. I think you’re going to see decentralized SOCs. I think you’re going to see, like, if I were smart, I would set up a SOC in, like, Rockingham, North Carolina, Casper, Wyoming, someplace with a tech college where I could just work with them and get what I need. And then the third thing, or the last thing, I think, is compliance is going to, like, FedRAMP, is going to become the gold standard for SaaS companies because it is the most prescriptive. It’s actually pretty standard for that piece as they update themselves. But I think you’re going to have compliant, like you are not going to be able to sell without having some sort of certification. What I worry about, though, is a race to the bottom with some of the automation. Some of the automation is great. Some of it could be a big, could negate certain compliance frameworks. And I’m not going to say which, but, you know, I think we can all figure out which ones it might be. Probably ones run by CPAs. So that’s what I got.

Speaker 0 | 56:27.190

I like it. Rob, thank you so much for being on this podcast today and entertaining us. Nerds, I’m Michael Moore, host of this podcast for Dissecting Popular IT Nerds. We’ve had the ability to talk with Rob Carson, the founder and CEO of Semper Sec, and also running the Blue Team Warrior podcast out there on LinkedIn. So check him out. Um, we’ll post, uh, Rob’s information so that you guys can stalk him. I mean, look at, look at what he has. Uh, um, but, uh, it’s a, it’s some valuable information and Rob, this is a great, uh, a great chat. I appreciate it. There’s a lot of great.

Speaker 1 | 57:08.481

It’s fun. Like I like the crystal ball part. Cause I’m just like, oh, here’s what I see. Because like, I see a lot of people getting popped with automated compliance, thinking it’s going to work magically and not making sure it’s pointed at the right things. Like, the tool is only as good as the human. Thank you so much for having me. Like, I really appreciate it.

Speaker 0 | 57:28.410

Thank you.


Speaker 0 | 00:09.626

Hi, nerds. I’m Michael Moore hosting this podcast for Dissecting Popular IT Nerds. I’m here with Rob Carson, founder and CEO of SemperSec. Rob, how are you doing today?

Speaker 1 | 00:18.833

I’m doing awesome, Michael. Thank you so much for having me.

Speaker 0 | 00:22.175

I’m glad. We had actually rescheduled this podcast due to my continual ailments. Uh, um, kidney stones over and over again. It was, uh, it was pretty awful. So I really appreciate the fact that you jump on and reschedule this with me. Uh, you saw me probably at my worst. Kidney stones, like, nope, I don’t even want to talk to me. Like, that hurts. Yeah, it was, it was not fun. Uh, spent some time in the hospital. Not a, not, I don’t recommend it. It was not the, uh, actually had to push my honeymoon out to March. It was gonna be my honeymoon and I hit the, I’m like, all right, forget it. No honeymoon. Instead, I’ll just spend it in the all-inclusive hospital.

Speaker 1 | 01:03.338

Yeah, but at twice the rate.

Speaker 0 | 01:06.060

So I was going to go to St. Augustine, Florida. And the joke is that I didn’t go to that St. A’s. I went to another St. A’s, which was the St. Anthony’s Hospital instead. But now we’re here. And since you had a great idea, which is let’s.

Speaker 1 | 01:23.032

Let’s get the bourbon flowing, right? What, what are you, what are you drinking? So I am drinking Colorado state straight bourbon, because I live in Colorado. This is made by Peach Street Distillery. Oh, uh, and I tell you, like, Colorado was leading the micro brewers back in the day. Now we’re leading the micro distilleries, like Breck Bourbon, also another excellent bourbon. But I am drinking the Peach Street because this is probably my favorite bourbon, period. I’m gonna have to try that out. The, uh,

Speaker 0 | 01:51.080

I got the Ghost Hill, Texas bourbon that I was trying out for the first time. It’s actually really good, very smooth going down. I usually drink what’s called Old St. Pete. It’s a whiskey, and that’s made right down the street from me, being in St. Petersburg, Florida. So both really good bourbons. So today we’re going to be talking a lot about security. Before we get into that, I want to… hit you up with a little segment we call Random Access Memories. All right. Okay. This is just a fun little segment. It’s like rapid fire. I’m gonna throw a question at you and just whatever comes to your head first, right? The first question is: what is the craziest Wi-Fi SSID that you’ve ever seen? Oh,

Speaker 1 | 02:43.906

Well, mine’s Free NSA Wi-Fi. I have mine.

Speaker 0 | 02:49.728

Mine is Virus Infected.

Speaker 1 | 02:52.429

Virus Infected. I like that.

Speaker 0 | 02:53.869

Which is always hilarious because if I set up a laptop and send it out or something, they always have that kind of in their setting. They’re like, I’ve got a virus. No, you don’t have a virus. It’s just the name of my…

Speaker 1 | 03:04.154

Well, my guest wireless is in Lawnet because, like, why am I letting them come into my network? I don’t know where that laptop’s been. I love it.

Speaker 0 | 03:14.058

Those are good names. I like the Free NSA Wi-Fi. That’s a good one. I like that. What is the most useless IT invention?

Speaker 1 | 03:25.918

There’s so many.

Speaker 0 | 03:27.119

Can

Speaker 1 | 03:33.245

I just say acronyms? Yeah. No, I’m saying like period acronyms.

Speaker 0 | 03:39.030

Oh, just acronyms in general. It’s so many.

Speaker 1 | 03:41.932

All of a sudden it’s like maybe the most useless.

Speaker 0 | 03:46.296

I don’t know. Bob came, Microsoft Bob came to mind.

Speaker 1 | 03:49.097

Oh, you know, the Clippy?

Speaker 0 | 03:50.759

Not Clippy, Bob, the precursor. Precursor. That would, this was a, an entire like,

Speaker 1 | 03:56.743

I think the worst thing is Minesweeper because that will suck your time away on Minesweeper.

Speaker 0 | 04:02.286

That’s true. That’s true. I do remember Minesweeper and I would always, I can never get it. Zipdisk.

Speaker 1 | 04:07.830

Remember Zipdisk? Like those did not look that strong.

Speaker 0 | 04:10.192

I had Zipdisk and that was another thing. That was.

Speaker 1 | 04:12.393

On Gateway. On the Gateway.

Speaker 0 | 04:14.735

Oh man. Yeah. There’s so many useless pieces. And it’s amazing how quickly you’re like, I need to have this. I need to spend a ton of money on it.

Speaker 1 | 04:26.231

And then no longer need it. It’s not even an IT invention. The Sega CD, because I bought one.

Speaker 0 | 04:32.395

Sega CD? I’m not sure. What’s that?

Speaker 1 | 04:34.616

Exactly. Exactly. And I’ve never bought another gaming console since. Because I’ve been like, I bought one. It’s like buying the Nintendo 3D. Yeah. Remember that thing where you had one game of tennis that people got headaches from? It was actually better than that, but it lasted a year or two.

Speaker 0 | 04:56.758

Yeah, that’s not…

Speaker 1 | 04:58.220

You think you’re buying the next console and it’s like…

Speaker 0 | 05:01.055

I think I’ve had my Xbox One now for probably a good five or six years. That thing just keeps rocking. It still plays great games, so I don’t have an issue with it. All right, here’s the last one. Here’s your last one. You ready for it?

Speaker 1 | 05:19.430

Ready.

Speaker 0 | 05:19.990

If you could be haunted by an IT ghost, who would you want it to be?

Speaker 1 | 05:27.096

Oh. Ooh. They can be alive, though, still?

Speaker 0 | 05:35.047

Huh?

Speaker 1 | 05:35.847

They can be alive still? Well,

Speaker 0 | 05:38.368

sure, why not?

Speaker 1 | 05:39.129

They got to be dead? They got to be dead? Because I’m like, I don’t know. If they’re an IT ghost. So we’re talking, oh,

Speaker 0 | 05:47.092

Ross Perot. I would be a ghost that it just would continually be in your ear. Absolutely. Yeah.

Speaker 1 | 06:02.205

You got to love Ross. Like, I mean, talk about pulling a Ross, bro. It’s like, you’re just going to pay me to leave.

Speaker 0 | 06:09.668

Oh boy. All right. So tell me about Semper Sec because I saw this thing and I, you know, I actually, people don’t know. I actually appeared on your podcast. Well, I will appear on your podcast when it gets out there. Um. And then we were chatting and I said, hey, you should jump over on mine as well. And we can be podcast buddies, right? Yeah. But tell me about SemperSec. I’m interested to understand this.

Speaker 1 | 06:37.522

Sure. So we do what I call the arts and crafts of cybersecurity. Like, I know the people who hack Teslas, but we’re not the people who do that. Like, there’s a guy named Carfalker, there’s Digital Science. A lot of people do that. We don’t do that. So what we do is… We come in and typical engagement is customer is trying to, they’ve signed up for something and their sales team wants to go sell to this big customer and they need to get ISO, SOC2, FISMA, FedRAMP, NIST, whatever acronym it is, some sort of security compliance certification. And that’s where we come in to go make that suck less. Like we will craft the policies.

Speaker 0 | 07:23.315

Facilitate your risk assessment. We interview you, make sure the policies are written in your vernacular. We do the internal audit. We sit there as your battle buddy during certification to make sure that you pass and you don’t say something stupid, which has happened. This is… there’s an art form, by the way, to this, and people don’t quite understand. They think it’s just read off a list and stuff like that, but there’s an art form in the way that you frame the information, the way you write the policies. We’re going to get into this a little bit later in more depth, but this is not just a pick-anyone-off-the-street, be-able-to-do-this type thing. This is not the case. You can really, by the way, if you’re a company and you don’t do this, you don’t do this the right way, right? You can get all sorts of problems, you know, people coming back to you, auditors coming back to you. You’ll lose business with the companies you’re trying to do business with, those big guys that do it. Oh, this happens a lot. This is a big deal. This is a really big need for companies. I get this all the time. Absolutely. I mean, I look at it as like you got two metrics as a CISO: did you pass your audit, did

Speaker 1 | 08:35.682

you, uh, did you get hacked? Right, right. And, like, how do you show you’re acting in good faith? Like, that it is an art form, right? Like, you have to… And also, like, I make the argument for those of you haters out there that are like, ah, compliance isn’t security. You’re right. A hundred percent. I agree with you. But you know what? If you can’t do compliance, what makes you think you’re doing security?

Speaker 0 | 08:56.491

That’s true.

Speaker 1 | 08:57.251

That’s the basics, bro. Like this is the easy shit. But it is an art form. Like you’ve got to hold a CEO’s password while they change their password for the first time. Hold their hand while they change their password. Like you’ve got to, I know more about cults than I should. Because like. this 16 character password is going to change your life. Michael, you are going to grow hair. You’re going to lose weight. You’re going to get girls. It’s going to be awesome. Like, you know, like,

Speaker 0 | 09:23.626

but I don’t even know half my passwords anymore.

Speaker 1 | 09:27.088

That’s a beautiful thing. Right.

Speaker 0 | 09:28.108

I don’t even know.

Speaker 1 | 09:29.289

But it’s like, but you have to, you have to be able to get in. Every company’s culture is different and you’ve got to make it work for them. And like, cause when we come in, like you brought in the Marines, right. You brought in this group. That’s like, we’ve got to figure out your culture. We’ve got to advise you what works within you. And like, I mean, we have customers, like we wrote an entire set of policies and procedures in Markdown on GitHub. I wouldn’t recommend it. Kind of like driving a Ferrari on a golf course. Go to a Ferrari on a golf course. But we did it. But it’s like, they have trigger words. But if you say the word change meeting, they will flip out. So you have some companies that are like hardcore, ITIL. We have a change board. We have two meetings a week. Awesome. We have other customers that like, you got to figure out how to be compliant and do a thousand pushes a day.

Speaker 0 | 10:12.908

Yeah. Yeah. This, this is actually, this is a great, this is a great discussion, Rob, because we, so often I go into companies and I talk to them and they’re like, here, I just want to pay you and get me up to date. I’m like, well, that’s just not how it’s going to work because I need to know a whole bunch of information about your company to figure out how this, how the security is going to work. Right. And just like you mentioned, you know, you know, it’s about the culture. I mean, some companies are like, I want everything and put it in place and I don’t care what it is. Other companies are like, how do we put this in place? But let me still do the things I need to get done. Right. And you just have to weigh that and figure what that is.

Speaker 1 | 10:54.424

We don’t want to have any change. Yeah. One guy was awesome. This board member was all worried about ISO. He was worried it was going to change everything. And I sat down with him. And I was like, sir, I’m just trying to make sure your insurance pays out right now. Like, you leave a laptop at a Starbucks, we have a reportable breach. I am just trying to get to the point where, like, a self-inflicted wound doesn’t cause a problem.

Speaker 0 | 11:18.282

Exactly.

Speaker 1 | 11:19.462

Like I’m worried about China. I’m worried about you.

Speaker 0 | 11:23.464

It’s amazing. So, you know, when I was learning all the security pieces, I actually did it in a company that was all healthcare, right? So, perfect way to learn about security and one of the strictest spots. Like, if you’re in healthcare, financial, or government, you’re going to learn security really well, right? Yeah. You’re going to be audited to be able to work with other companies. You’re going to have to be trading information back and forth and signing documents and everything like that. This is such a need now. What I always find interesting is when you take a group, and you’ll see these, either they’ll be startup companies or there’ll be companies that are operating kind of like the, hey, we’re new, we’re freestyle, we’re going to do all this type of stuff. And they find a client that is like a well-known credit card company and stuff like that, and they want to do business with them. And all of a sudden, they get slapped with this giant list of requirements, and they’re like, ah! You know? And it just boggles my mind sometimes, you know, because they come over, they’re like, I can’t do all this. I’m like, but you can. It’s just you need to. I mean, yes, you’ll need to invest a little bit of money here and there. It depends on what you want to do, but you can do it.

Speaker 1 | 12:50.788

It’s true. Like, and it’s what I think a lot of people not only can do it, but you can do it for cheap. Like, there’s a lot of good security can be done for free. Like, if we’re being honest, like. There’s a cybersecurity industrial complex, right? And they sell you all this fucking shit. Do you want to cuss on this podcast?

Speaker 0 | 13:09.910

I don’t know. We’ll see what happens. We’ll find a way to delete it.

Speaker 1 | 13:14.414

They sell you all this stuff. And like, you know, remind me about the Swiss Army knife later, about the software. But they sell you all this stuff and then they tell you it’s magically going to solve all your problems. It’s like magic beans.

Speaker 0 | 13:30.728

Yep.

Speaker 1 | 13:32.401

You still have to run the program, but you can also do a lot of security by just running your program effectively. That’s one of the things we teach our clients. It’s funny. A lot of our clients renew. I’m not trying to hustle you. I’m just giving you our experiences. I say this because they renew, but they don’t renew at the small rate. Some of our best reference customers didn’t renew at all. We actually teach them how to run their program. It’s great. They don’t have to have to stop with us for life. But like. Teaching them how to balance risk, right? Like, I don’t know, maybe we’re derailing now, but you think about it like your customers or your company, they don’t care about your employee data. They just don’t. So you can buy them LifeLock, move on. Like, what do they care about? And I…

Speaker 0 | 14:28.425

I don’t know. I’m all over the place right now. Where I lost my train of thought, where were we? Let me back up, because I like something you just mentioned. And tangent… no, you did, but it’s okay. Because in that tangent you said something that was pretty on point, and you were talking about, basically, you’ve got these companies and they’re trying to, you know, actually figure out what they need as an organization, right? And I think that’s where you’re going with it.

Speaker 1 | 15:04.188

And prioritize, right? Because sometimes you have to learn to let Rome burn. You have to sit there and go, I can’t get to this. But I think we’re cybersecurity professionals, IT professionals. We see all these problems. I mean, you go to DEF CON and you come out of that thing going, oh, we’re hosed. And so how do you prioritize it? And I think what we try to teach people is, one, it’s not your job. Your job is to identify the risks. Go to the risk owner and let them decide how much it matters. Like, because, like, you’d be amazed at some stuff. They will actually help you prioritize things. They’ll tell you, I care about this, I don’t care about that. And you say, are you sure? Blah,

Speaker 0 | 15:51.673

blah. They’re like, nope. Okay, cool. Like, this won’t cost, this won’t affect the P&L. And a lot of people think, and a lot of business folks and security folks as well think that it’s all or nothing. I have to go all in and stuff like that. But what it really is, is a balance between what the business needs to do and what the acceptable level, acceptable business level of security that they want to follow. Yeah.

Speaker 1 | 16:22.904

And you can and you can treat it with policies. It’s like a lot of people want to follow the rules. So you need to write your rules in a way that are followable for the record. Like you can’t just say. Like you can’t stop people from doing their job. So you got to think through the rules, but also how do you get to yes. And then like when you write your policies, one of the recommendations I have is like, tell me where you store it. Tell me how you follow this policy. What is the procedure? For all requests, I send them here. For this, I do this. All these things are stored here. And the reason why you sometimes want to add that specificity, so you actually have a program and it’s not, we do stuff and things, right?

Speaker 0 | 17:07.466

And that’s a good move because when you’re going through this stuff and if you just blanket put out a policy, nobody’s going to follow it. But if you put a policy out knowing how the business operates and you integrate that into their business operations, then they will follow.

Speaker 1 | 17:28.221

Yeah. Well, and I think you should train. I think people try to do, they try to check blocks by buying some crap training, whatever it is. There’s some good stuff out there, like the phishing simulation, stuff like that. There’s some good stuff. But I do training by, I recommend at least, trying to do it, breaking it up at least in the two groups: sales and marketing, and dev. Maybe you have operations, customer support, maybe there’s a third section. I don’t know. It depends on the organization, what you’re built at. When you do your training, your training shouldn’t be don’t click on this. Like, that’s great. You should always be training like the phishing awareness, whatever. That’s fine. But train people on the policies. Talk to them about how to follow the policy. Have that conversation by group, because also, like, dev people, like, they’re in the dark. They’re not necessarily the most social people in the world. And they sure as hell don’t want to talk around a bunch of people who have had an egg white frittata and a frappuccino. And they’re like a bunch of salespeople. Right.

Speaker 0 | 18:31.554

Like, it is what it is. It is true, though. I mean, so how do you have that conversation? Yeah, this is a really big deal, because it’s almost, it’s security by company personalization is what it is, right? Yeah, that’s essentially what we’re talking about. Let’s take a break real quick from security, sort of. I want to ask a question to you about your podcast, because it’s a, I’m going to get this right, it’s a Blue Warrior podcast,

Speaker 1 | 19:09.438

blue team warrior,

Speaker 0 | 19:10.358

blue team warrior podcast. And that, you know, the idea of a blue team versus a red team. Can you get into that a little bit and actually select why you said, it said the blue team. Cause it’s very interesting to me. Yeah.

Speaker 1 | 19:24.064

So. I built a podcast. So part of it started from a talk I was given on guerrilla warfare for the blue team. So using insurgent tactics, cause they’re underfunded understaffed. And part of that is your own, your information campaign. Cause I think that, you know, not that I’m, I’m, I’m endorsing Che Guevara, but Che Guevara made some valid, valid points about like, you need to have an appropriate amount of propaganda with every action you do. Right. And propaganda can be used to inform or to fool. So, you know, you’re a blue team, you got to inform, but. What is our messaging? There’s so much red team. This guy got hacked. This did this. This did that. But nobody ever says thank you for not getting ransomed. Like, it’s not a thing, you know? Like no one. And for you, I teach folks, I know this is an IT podcast. When’s the last time you got a mess email saying thanks for the printer working. That’s never going to happen. But I guarantee you,

Speaker 0 | 20:15.005

right.

Speaker 1 | 20:15.685

They let you know when it breaks. No, the 300 days a year, the email is working. Nobody says anything. But the one day it’s done. They’re sure to let you know.

Speaker 0 | 20:25.652

Exactly right. And but, you know, it’s interesting, too, because if you’re on message with with your blue team. Right. If you’re on message and you’re continuously saying, hey, we need to do these items. We need to do these. You probably want to invest in this. We probably want to change this. We should do MFA. We should do all this. And you’re and you know, we need to write. We need to adhere to these policies. I need to strengthen these policies. If you’re doing all that stuff and you’re communicating, not just doing it and leaving it there, not just writing documents and going here. Bye. See you. Bye. Writing documents, communicating, making sure they’re being followed. and continuously updating people on possible threats and staying vigilant, all that thing, right? Then when it’s time for red team, right? That allows the blue team to slip in afterwards and go, remember that thing that I told you about? It’s time to do it. And that’s a great message. If you’re on point with the message. If you know what you need and if you continuously do what you’re doing, if at the point of time that something actually does happen, right, then if you dotted your I’s, crossed your T’s, then it means that somebody didn’t invest in something or didn’t follow protocol. Or you’re just, you know, you’ve got, you’re unlucky in that somebody in the organization did something wrong, right? And if that’s the case, then… That’s when your blue team message becomes even popular, even more popular, even more important.

Speaker 1 | 22:08.089

And Michael, I don’t know if I should show you my business continuity incident response tabletop.

Speaker 0 | 22:16.453

Oh, I don’t think so.

Speaker 1 | 22:17.533

Okay. So I know this is audio only, so I’m just going to describe what I recommend to people. So because you’re talking about getting your blue team message across, like, what’s one way you can do it? Make your tabletops like make-your-own-adventure. So, you know, I can show you, you know, if you want to see it, but since you guys are talking about, like, a choose-your-own-adventure book, so it is. So, like, I got so tired of just, like, one slide, like, kind of, you know, whatever, that we… So here, let me, I’ll show this to you. So, like, one of the ideas is…

Speaker 0 | 22:53.707

He’s going to show me and I’m going to, I’m going to go. Ooh, you’re a better describer. Right.

Speaker 1 | 22:59.290

Oh, I can’t even, I can’t even screen share. It doesn’t matter. But the idea is like one of the things would be, so one of the, like one of my scenarios is, um, uh, so Ashley sends an email to Bethany asking her to please pay the invoice for the conference booth sponsorship. Does she pay it? Yeah, it does. Cool. Well, So it takes us to the next slide, right? The next scenario. And then it goes, hey, at the leadership meeting the next day, Ashley says, I have no idea what you’re talking about. She says, oh, ask if she paid this. And she’s like, I have no idea what you’re talking about. Do you call IT or do you blow it off, right? Well, we call IT. But this is where you train IT, right? So you call IT. And IT goes, okay, we’re going to reset creds. Is that where they stop? Or do they continue to pull out that sweet run book and go through their investigation? Because, like, unfortunately, because this is the reason why I do it this way is some of it. And it’s also to show why you do the certain things. So I’ve got scenarios where it’s like, hey, I put private parts all over your website. Hey, you can pick A if you can show me your last backup and restore test. You can pick B if you can’t. So and I think the reason why is like. when I say like, you’re trying to train, you get your message out there. So you’ve got to show people, here’s what happens when it goes, if we don’t.

Speaker 0 | 24:23.997

Right. You know, that, that is a, it’s fun. This is the first time I’ve ever heard of this, but it’s such a great idea. Right. Because, because people don’t know until they know. Right. And I’ve, I’ve had so many different people, you know, sometimes come into my office. and when I was working at an office, um, and, and they would come in and they would, uh, you know, they had screwed up and done something that they shouldn’t have done. There’s a virus on a computer that, you know, something happened. I visited a website. Oh my gosh, something happened. You know, I sent an email to somebody. I didn’t know all this, all these bad things that could possibly happen. Right. And, um, And it’s too late. Especially, you know, I’ve had someone came in, they sent an email with confidential data out to somebody they don’t even know. And at that point, I look at them, I’m like, well, it’s too late now. Like, you, there’s nothing we can do. You’ve already sent the data out to the void, right? I mean, at that point, it’s free game for everybody.

Speaker 1 | 25:30.172

And it happens.

Speaker 0 | 25:31.273

Yeah. Oh, more than you would think. And, and it is a. It’s a real devastation. And that’s why I think the blue team messaging is so important. And actually, I love the thought process to do it like a choose your own adventure book.

Speaker 1 | 25:51.462

And you can write people into the story. Because if you want people to care, make it about them. It’s not about you. It’s about them. So what do they care about? People are human. Like. Why do people want to be on podcasts? Because they want to be cool, right? Like, it is what it is, and there’s nothing wrong with that. So, but play into that and understand human nature. And if you have them in the story, guess what? They’re going to be paying attention a whole lot more. Like, and the fun part is you get to ask the head of marketing, hey, do we have a script already ready to send out in case our customer, someone on Twitter says we’ve been hacked? What are our questions? No, we don’t. Okay, the scenario continues down this path because we don’t have that.

Speaker 0 | 26:33.787

Yeah. You know, what’s funny is I’ve had that conversation before several times. And it always kind of amazes me when I walk through scenarios with folks and they go, oh, no, we, no, oh, oh. And how they feel afterwards is like this bottomless pit of like they thought they were doing good. And then all of a sudden they’re like, and I’m like, listen, don’t feel bad. It’s great because you caught it before it was a problem. That’s the great part. Now you can fix it.

Speaker 1 | 27:07.621

Yeah, absolutely.

Speaker 0 | 27:09.021

Yeah, that’s a good one. I actually like that. That’s a really, really good way to look at that and a really good way to do that. Now, writing policy is a lot of people like to snore when they do it. I am a writer. I like writing. I have fun doing it. I actually like. picking my words carefully and writing policies so that when auditors will come back to look at the policy, they don’t have a lot of wiggle room to be able to do it. This is this here, I cover this. And one of the things that I always feel is, I always kind of do to folks when I talk to them about security is I start narrowing the scope, right? So I’m like, okay. Listen, we got security, but that doesn’t mean you need to secure everything. Like, what are you trying to do? You got critical data? Let’s fix, where is that data located? Let’s try and just, you know, and also apply it there.

Speaker 1 | 28:18.536

Well, I think it’s also like activities. So what business processes matter? Some matter more than others, but some are more of an availability thing than a confidentiality thing.

Speaker 0 | 28:30.748

That’s true.

Speaker 1 | 28:31.748

And so when we say secure it, what do we mean? Right. We need to, we got to think through that. That’s part of that risk assessment. That’s the part that I think, I don’t know, like I see, I see it all the time. And this is where we come in. We try to help bridge those gaps of getting it out of their own little, like they’re afraid of their own shadow sometimes. And like, for those of you listening, some of you are like, but they’re going to eat me. It’s fine. That’s what you bring in a consultant for, because we’re brilliant. Just ask us. And like,

Speaker 0 | 28:59.235

Been through it.

Speaker 1 | 29:00.428

Yeah, not only have we been through it, but because we’re a consultant, suddenly people will listen to us, even if it’s the same stuff you’ve been saying before.

Speaker 0 | 29:09.833

It’s surprising, but Rob is making a great point here because I have done the same thing in an organization, especially if you’re internal IT. You’re trying to get something, right?

Speaker 1 | 29:22.920

Yeah.

Speaker 0 | 29:23.641

You know, I don’t know why, but why companies sometimes don’t listen to their own people. But sometimes they need a second opinion and you bring them in and you do that. And also, too, it’s not just even that. You may think, and I’m talking to the IT individuals that we have, you may think that you know the best way to do it. And you may not. You may not. There might be a better, cheaper, more streamlined way to get that done that you probably have seen because you’ve been doing it with a lot of different companies.

Speaker 1 | 29:55.031

Do you ever think like sometimes they need? it’s almost, it’s also sometimes being able to be told, Hey, it’s okay. You can’t secure it all. It’s like, There’s so much pressure and you’re trying to do all the things. And sometimes people like they’re everyone’s intentions are in the right place. But I get people sometimes trying to play see-saw and it’s nothing wrong with them. Like they’re IT people. They’re doing they’re holding both hats, but they’re either they don’t care enough or sometimes they care too much. And it’s like you’re caring about things that nobody cares about. It’s true.

Speaker 0 | 30:30.687

It’s true.

Speaker 1 | 30:31.767

Right. Like, yeah.

Speaker 0 | 30:34.472

You’ve got a bunch of companies that frequently understaff their IT departments.

Speaker 1 | 30:40.633

Absolutely.

Speaker 0 | 30:41.474

And then they, you know, and you’ve got in your head all sorts of things. Like the IT directors today, CIOs today, they deal with every possible thing under the sun. I mean, one day they could be fixing, talking to somebody about fixing their laptop while they turn around and create a budget. Right. That’s how flexible. IT directors, VPs of IT, that’s what they need to be. They just need to be able to go from one spot to the other and run the gamut. Unless they have a highly populated team in the internal IT, which is usually not the case.

Speaker 1 | 31:23.177

Absolutely. No, it’s totally true. Because I think one of the problems is they… I mean, it’s hard, right? Like, you are trying to do everything. And there’s so much cyber bullsh** a lot there. Like, you don’t even know what to care about. I mean, you go to the conference and it’s like, I’m told I need this. I need SASE. I need Zero Trust. I need this. I need AI, blockchain, APT, APT. And it’s like, bro, I am just trying to make sure people’s password isn’t password.

Speaker 0 | 31:57.789

Yeah. Let’s start with this. First and foremost. If you don’t have cybersecurity insurance, get cybersecurity insurance. Yeah. And to get cybersecurity insurance, what are they going to need to do, Rob?

Speaker 1 | 32:11.888

They need a program. They ask a lot of questions. And you probably need a privacy program depending on what you do. That’s one of the things we also do, too, is we do 27701, which for those of you listening and Googling, what’s 27701? That is the privacy cert you can get in addition to ISO 27001. The reason why that’s relevant is it’s the closest thing that I’ve seen to a GDPR cert that’s accepted. Because it means you have a real privacy program and it will cover you for CCPA, CR, whatever it is, whatever privacy world you’re in.

Speaker 0 | 32:47.856

So let’s run up these acronyms real quick. So for those who don’t know, GDPR is the European privacy set of regulations. And so if you’re in the United States and you’re trying to do business with someone that’s in Europe or you’re trying to transfer data back and forth, you better adhere to these GDPR rules. So one way to do it is to set up DPAs or data privacy addendums. They go different names, but that that will allow for that and set up privacy shield, even though privacy shield is not really. And. kind of enforced right now. I don’t want to not be on it.

Speaker 1 | 33:31.957

There’s a new thing coming.

Speaker 0 | 33:33.538

Yeah, 3.0 is sort of coming, right?

Speaker 1 | 33:35.558

Yeah, so that’s why I recommend the privacy cert with ISO.

Speaker 0 | 33:39.160

Yeah.

Speaker 1 | 33:39.600

Because Privacy Shield, it’s not really accepted, right? Or it’s kind of, it is and it isn’t.

Speaker 0 | 33:46.723

It’s this weird gray area.

Speaker 1 | 33:48.484

It doesn’t, like, yeah, that’s the problem with it, right? You’re not going to,

Speaker 0 | 33:52.726

having it is not going to be a detriment to you.

Speaker 1 | 33:55.707

No, it will not hurt you. And it… if you have a good privacy program, it really shouldn’t be hard to go get privacy shield. Like that’s not really that big of a deal.

Speaker 0 | 34:03.069

Yeah. Listen, I, I get, I get things all the time that still reference privacy shield, even though it’s not really, it’s still active within the United States.

Speaker 1 | 34:12.812

Absolutely. Is not,

Speaker 0 | 34:15.733

is not really accepting it.

Speaker 1 | 34:17.573

Yeah. They don’t care. They’re like, yeah, we got our court rejected it.

Speaker 0 | 34:20.854

That’s why you have to make sure that anybody that you’ll hand data to, right? Your sub processors are all documented and that you have data privacy addendums with them to ensure that data transfers will work. Well,

Speaker 1 | 34:36.978

one of the things I’ve recommended and like, I’m not saying if you get certified against it, if you don’t deal with a lot of PII, but so my little company is ISO 27001 and 2771 certified, which is pretty rare, like for seven people, like that’s people. And I was like, just record, you can do to some people. But we did it so that we could live it, right? Eat our own dog food. And like, it’s fascinating. It caused me to think through from a marketing standpoint, what data do I collect on my, on my vendors or on my customers? Like, what, what do I care about? You know, what do I, what do I need? What do I not really need? What am I not like, I don’t need this data. Like, because there were times like I thought about collecting a veteran data, right? Are the, are, you know, some of our customers are veterans and being a veteran owned company, that sounded like a cool idea. And then I thought through it and I’m like, what am I going to do with that? Nothing. Cause I’m going to still send a birthday cake to our non-veteran customers too. Like it doesn’t cause for those of you, you know, Marine Corps birthday was November 10th, 1775. If you know a Marine, always say happy birthday on November 10th. If you don’t, you’re a bad American and you let ISIS win.

Speaker 0 | 35:54.026

But sorry,

Speaker 1 | 35:56.107

I can’t continue on. The point is, but it forced me to think through that, right? And we only have it because when we’re doing audits, we possibly could come across customers with PII. And the way we set up our audits, generally it’s not going to happen, but we wanted to make sure that we knew how to run a program. And what’s good about it is it will actually increase your security if the data that would be breached, that would cause the most impact is PII, then you want a privacy program because that will limit the breach.

Speaker 0 | 36:26.923

There you go. You know, I did mention, by the way, GDP, GDPR and, you know, basically, you know, crossing the Atlantic to do it. But, yes, CCPA also is in the United States. And I neglected to mention that.

Speaker 1 | 36:44.478

So it was basically patient privacy. New York 500. So CCPA is California Consumer Rights Protection Act. It’s regulations that. There’s CRPA, there’s HIPAA, there’s HIPAA HITECH.

Speaker 0 | 36:58.485

There’s DFARS. DFARS. What’s their thing called now? It’s DFARS, but what’s the…

Speaker 1 | 37:12.173

CMMC.

Speaker 0 | 37:12.593

Yeah, yeah, thank you, CMMC. That’s the biggest one right now because a lot of contractors are scrambling to get into that one. They are.

Speaker 1 | 37:21.658

If anyone listens to this, that’s what we do for a living.

Speaker 0 | 37:24.736

If you’re dealing with credit card information, you’re dealing with PCI.

Speaker 1 | 37:28.078

PCI, you got PCI. If you’re dealing with, so you got CUI, which is basically somebody probably got a medal because it used to be, that’s why I hate acronyms sometimes, because it used to be For Official Use Only. But now it’s like it’s CUI, which really only the government can define what CUI is. And CUI was really designed to be like, if you put Rob’s a Marine, Rob lives, Rob is stationed in Djibouti, and he does this job, like any one of those things doesn’t matter, but those three things together are a thing. And so, like, we need to control that information. But one of the things I tell you is that, like, anyone listening to this with CUI, like, the government needs to tell you what CUI is. You do not. They tell you what CUI is. You are not, uh, don’t decide it yourself. Let your tell you what CUI is.

Speaker 0 | 38:26.493

That’s a great point. That is an absolutely great point. Because it’s really easy to determine what PHI is, right? Everyone knows what health information is, right?

Speaker 1 | 38:35.640

Just tell you what that is, right?

Speaker 0 | 38:37.501

Yep.

Speaker 1 | 38:38.522

And it’s funny, you brought up the HIPAA, so everyone knows what PHI is. Don’t confuse it with ITAR. So, you familiar with ITAR? Jog my memory, it’s International, but I can’t remember. International, it, International Trafficking Trade and Arms Regulations, like that. Okay, basically, it’s basically saying, like, hey, it was designed, uh, for, hey, if you build this sweet gun and the military says, hey, you can’t sell that to Russia, right? It’s restricted by trade regulations. So you, the same thing has happened with encryption. Certain encryption algorithms are governed by ITAR. So some of your software might be governed by ITAR. If you make chemicals, whatever you do might be governed by ITAR. That doesn’t mean it’s CUI. It just means it’s governed by ITAR. And there may be rules on who can read it, like no foreign, US, Canada, or whatever. But that’s different than CUI. It can be the same or it can be different.

Speaker 0 | 39:52.120

Yep. That’s an interesting point. And it kind of goes back to what I was talking about, about scope, right? And identifying scope. And this is a big deal because… it’ll save you some money and some time and a whole bunch of stuff. Because why are you going to, unless it’s cheaper to just do the whole thing, and sometimes that happens, but most of the time you don’t have to secure anything. And I love what you said when I talked about data, but you also talked about the business processes that happen as well, because that’s such an integral piece of it.

Speaker 1 | 40:27.671

Which activities handle this data or matter or care about this?

Speaker 0 | 40:32.615

Yeah. And, and. And sometimes people get wrapped up too much in, I got to protect just the confidential data and all this type of stuff. And then you’re like, okay, but, you know, if something happens, how do you collect payments from your customers?

Speaker 1 | 40:50.100

Or what’s going to serve you service credits?

Speaker 0 | 40:52.581

Right. You know, your website goes down. How’s that going to look to everybody, you know, and stuff. So these are things that sometimes people overlook because they’re so focused on. I’m trying to do the scope. So it’s a good point. We should limit the scope, but we should also identify the other pieces of the puzzle that make up the entirety of the business. I just tell people, I say, you know, listen, if you close your eyes and think that your entire company is down, what’s the type of stuff that you’ll start to bring up first?

Speaker 1 | 41:23.896

Yeah. Not only that, what’s the minimum level of security? So what stuff should be in your DR plan that’s required by contract, right? That’s one of the things about ISO. So one of the things I love about ISO, and I am an ISO proponent, mainly because, like, you have an ISO backbone, it’s so easy to map to everybody else. But two, uh, it allows tailoring of the controls, whereas this is very prescriptive, thou shall, you know, you gotta fail, if you’re doing FedRAMP, fail closed if you stop logging, right? Up, right? So that sounds great, but that doesn’t apply to everything. So what’s nice about ISO is that, like, you can write the rules based on the risk. So if you do want to certify, because what’s cool is you can certify the whole company for ISO if you wanted to, or make everybody follow it. But then you add on the NIST, the CUI, so like this department handles this, this matters here. Here’s some more prescriptive regulations in the PCI environment, whatever. But with ISO, like you write the rules based on the risk. So like if you’re only handling, like let’s just say, internal use only or secrets, confidential data, customer contracts. You’re in this bucket and here’s where the world you live in and you have a lot more freedom. So it also encourages people to stop trying to handle stuff or have access to stuff they don’t want. But if you’re in this bucket, you handle the top secret data, the G14 classified, strictly confidential, whatever you want to call it. I don’t care. The rules should be more painful based on the risk.

Speaker 0 | 42:57.943

Yeah, exactly.

Speaker 1 | 42:59.192

You can write a program that lets the company operate and go, Hey, do you handle this data? No. And here’s your rules. If you handle this data, it’s a little more restrictive because you’re handling this data.

Speaker 0 | 43:10.838

Yeah. It’s like put the stops where they should be. Exactly. Leave everything else smoothly running.

Speaker 1 | 43:18.202

If you slow down marketing, trying to bring on some, whatever to build, to do something stupid that you don’t even care about and nobody cares about, you’re going to be out of a job. It should be part of the CI know, go, hey, here’s the risk. You’re not handling this data. It’s up to you.

Speaker 0 | 43:34.551

And another good point here is that also you have the ability when you’re redefining security in an organization to also redefine the processes as well. And you should take advantage of that because you can actually simplify processes. Processes get crazier, you know, as time goes on. And then people are doing things. I don’t even know why. And you’re like, why are you sending this to this person over here and over here and over here? Just send it here, you know. And so if you simplify those steps and make their job easier, at the same time, you’re implementing security, which is great anyway, because anytime you want to implement security, it’s always easier to implement it from the ground up than really to tack it on afterwards to a thing. So rethink of the process, reimagine it with security in mind. And sometimes you can create these processes that are way more effective.

Speaker 1 | 44:26.380

And reduce time, much easier for folks, and have security built in, 100. I mean, Mr. Moore, you are a brilliant man, because, like, make it suck less. Like, at the end of the day, it’s not skiing, it’s not snowboarding, it’s compliance. It’s, it’s program, but you got to make the program function, right? And, you know, it’s funny you talk about streamline and take advantage of that. I also tell people, don’t try to blow the ocean. Like, when you talk about narrowing your scope too, like, nothing says, like, next year you can’t expand your scope. So make, you know, when you’re doing, like, third-party process or something, like, roll it out to just one department first and make sure you can be efficient. Because the other part that I think people screw up is they want to improve their security, but they don’t account. And they’re like, oh, and even this new software will save us time. A SIEM is going to help us save log correlation. But if you haven’t been doing log correlation to begin with, guess what? It’s still net new time.

Speaker 0 | 45:35.243

Yeah.

Speaker 1 | 45:36.203

Like people forget about that. They’re like, it’s going to streamline all this stuff. But if this process didn’t exist, you can streamline it all you want, but it’s still a thing.

Speaker 0 | 45:45.245

Now you’ve added additional pieces to it. Yeah. No, it’s a good point. And this happens all the time in organizations. Yeah. There’s a nice, super good looking app, app that comes out and people are like, Ooh, yeah, this is going to solve all the problems. Well, really, well, to solve your problems is turn around and re-looking at your processes and fixing them internally. And sometimes, actually, that’s a, you know, if you can do it internally, great. If you can reach out to somebody from a consultant standpoint and do that, that also helps, too. It’s great to have an outside perspective sometimes when you have too many people that have been doing it for so often.

Speaker 1 | 46:22.449

Yeah, and it’s like, you know, so we do, like, compliance as a service. After they get certified, we help them maintain their program. And it depends on what level they need. It’s like… If they have the staffing, awesome. If they don’t, we help them. And sometimes we play, I don’t use the term virtual CISO because I don’t want to be a threat to anybody’s title. Like, bro, you can call yourself whatever, or lady, you call yourself whatever you want to be. Don’t care. You can call us whatever you want us to be. Don’t care. Because, like, we’re here to help. Sometimes we do more because, like, they need a security person and they want a peer. And sometimes they want a deputy. Like, and that’s fine too. Like. but you also have somebody to handle the grunt work or the crap that you don’t have time for. It’s like filling out the stupid questionnaires or making sure you did the risk assessment, you did the tabletop, but you never wrote it up. How do you get credit for it? Or the internal audit and the prep and the thing. There’s all these things that sometimes you need a little help. And the thing is, I always look at it as like, you’re an IT, Michael. It’s easier to outsource certain things than it is others. Like having people on your firewall is a lot scarier than somebody writing policies or making sure your internal audit was done right.

Speaker 0 | 47:37.084

Absolutely. And that’s a big piece. I mean, you end up, and that’s actually a big trick in business in general, is what do I outsource and what do I not? I mean, you got to think, you know, where is your strategic value as a company, right? What do you do that probably people don’t understand or don’t know, right? Great. You keep doing that. And then the things that have no strategic value that you can just do like normal, then outsource that stuff. Get them out of the way, right? I mean, these are…

Speaker 1 | 48:08.454

My little company. I have outsourced HR, outsourced finance, outsourced marketing. We don’t do that. We do compliance. We do security compliance.

Speaker 0 | 48:19.719

And this is a good piece to it because if you don’t know where to start with… it’s kind of last thing I’ll say on this piece is if you don’t know where to start with security and you feel overwhelmed, right? The good news is, is there’s, you know, there’s folks out there like you, like you, that do this all the time and can help you through the process. Don’t sit there and struggle in silence and try and, and go, I don’t know what to do. Right. I mean, this information is that there’s tons of people out there, and it’s okay to say, hey, we need to bring in some outside help to help get this correct.

Speaker 1 | 49:02.222

You know, Michael, you hit the nail on the head. So, like, one of the things I described, and it’s funny, like, I’ve worked with some, like, we have customers that are security companies, hardcore security companies. And they use us to help for what we are good at. Yeah. Like, and, like, so, like, security is like medicine now. You need a heart surgeon, you call a heart surgeon. You need a general practitioner, you go to a general practitioner. Or in your case, Michael, you know, urologist, you go to the urologist. You don’t go to, you know, the cardiothoracic surgeon. Right. Urology. Like, wrong person. So, and that’s the thing. It’s like, I feel good. It helps me sometimes, like, I need to feel good about myself. I’m like, no, I don’t suck. Because, like, you know, compliance gets a bad name. But it’s like, when we have real security companies that bring us in to go help them get, because they do security for their customers. But. It doesn’t mean anybody does this stuff for fun and they don’t know how to do what we do. That’s okay. And these are some world leading experts. I can’t give their names or any of that stuff. Violation of, like, not only NDAs but just, like, code, man code, or, yeah, person code. But, uh, like, what, but if they can use this, anybody can. And it’s okay to admit you don’t know everything. It’s impossible to know everything. And that’s why I don’t call it virtual CSO, because I don’t want someone who wants that title, director of security, whatever they are, director of IT, to feel, because, like, you don’t want something. No one’s gonna hire virtual CSO. They’ll hire some people to come help them out.

Speaker 0 | 50:33.238

Absolutely. And it’s a good point. No one knows everything in IT. And it’s a foolish thought to think that they do. A lot of people understand who to talk to and who to get to get that stuff. And they understand the general rules and stuff. And if they don’t know, they know who to go out and actually talk to to make sure that they get that information. And that’s big. But that being said, Rob. It’s time for IT Crystal Ball, and I want to know if you know what the future of IT security is. I know. Every time I say this, I get that, like, oh, there’s, oh, man. But, yeah, the future of IT security.

Speaker 1 | 51:20.814

I think the future is the past. So, and this is something, like, what’s funny is, like, you ever listen to General Mattis? He talks about, like, you’ll hear, like. the new hotness, hybrid warfare, blah, blah, blah. And he’s like, it’s the same stuff people have been doing for years. It’s just now they’re doing it with different tools, techniques, and procedures.

Speaker 0 | 51:39.605

It’s a great way to look at it.

Speaker 1 | 51:41.367

Like zero trust is not new. For those of you who think you have come up with the most brilliant plan, this was all the hotness about 10 years ago. Like what’s old is new and what’s new is old, right? It’s the same stuff. And so, did my camera just get fuzzy?

Speaker 0 | 51:58.850

Yeah, good news is that no one else can see that besides me.

Speaker 1 | 52:02.531

I’m just making sure I’m not having an aneurysm because it’s like, man, I’ve had a little bit of bourbon, but it shouldn’t be that blurry. So I would say, like, next generation, you’re going to see automated compliance in certain parts. Now, I give this word of caution. Automated compliance is great for what it’s good for. It does not replace running a program and actually making sure your program is effective. It’ll automate what you are doing. It will automatically tell you you’re not doing it right, but it will also only automate detecting what you pointed at. It’s like running a Nessus scan at a section of your network.

Speaker 0 | 52:40.477

That’s perfect. That doesn’t need anything.

Speaker 1 | 52:42.418

I got no vulnerabilities. Like you too can have a perfect score. So I think, and I think that’s the, the, the, the scary part is more automation. People forget that like you’re automating. you might be losing something from it. I’m not against automation, but I’m against giving yourself a false sense of security. So I think that’s one piece. I think you’re going to see a bit of a movement back away from cloud, believe it or not.

Speaker 0 | 53:14.858

Interesting. Okay.

Speaker 1 | 53:16.599

Not much, but I think there will be a subsect of people that will go, because I’m a big fan of the cloud because I hate blinky lights, shit breaks, it just is what it is. However, there are some things that maybe it doesn’t make sense to put in AWS or Azure GCP. And don’t get me wrong, they’re great stuff. And they probably do a better job securing stuff than you do. However, when you put it in that third party, you now inherit additional risks. So depending on what you do and your size, there are some things that maybe don’t make sense.

Speaker 0 | 53:51.451

Yeah.

Speaker 1 | 53:52.152

And that’s okay. So I think you’re going to see… That and then, oh, sorry. I don’t know which one we want.

Speaker 0 | 54:00.050

I think you’re doing fantastic. Just keep going.

Speaker 1 | 54:04.173

I can see this. I can see, like, it’ll be interesting to see how MSSPs look in five years. Because, like, it’s such a hustle. Like, you pay 10 grand for Splunk, and then you pay 10x that for someone to tell you what Splunk says. And some suck less than others, but I think you’re going to see the MSSPs that they’re going to find ways to actually take action for you. Because you’re going to need that for them to become more useful. Otherwise, it’s basically like PagerDuty. It’s a person with PagerDuty, right?

Speaker 0 | 54:47.088

Exactly. And what happens is if you don’t… actually pay attention to the needs of your clients, then what’s going to end up happening is you’re going to become the… extra cost line item on your, you know, when the CFO looks at it. Yeah. And they’re going to say, what is this? Well, they do our security.

Speaker 1 | 55:13.901

And it’s like, do you really need that? You know, because like if all they’re doing is giving you that, then like you can hire a person to just anywhere in the world. They look at red light, green light, go, it went red, call you. Like that’s way cheaper. Like. I think you’re going to see decentralized SOCs. I think you’re going to see, like, if I were smart, I would set up a SOC in, like, Rockingham, North Carolina, Casper, Wyoming, someplace with a tech college where I could just work with them and get what I need. And then the third thing, or the last thing, I think, is compliance is going to, like, FedRAMP, is going to become the gold standard for SaaS companies because it is the most prescriptive. It’s actually pretty standard for that piece as they update themselves. But I think you’re going to have compliant, like you are not going to be able to sell without having some sort of certification. What I worry about, though, is a race to the bottom with some of the automation. Some of the automation is great. Some of it could be a big, could negate certain compliance frameworks. And I’m not going to say which, but, you know, I think we can all figure out which ones it might be. Probably ones run by CPAs. So that’s what I got.

Speaker 0 | 56:27.190

I like it. Rob, thank you so much for being on this podcast today and entertaining us. Nerds, I’m Michael Moore, host of this podcast for Dissecting Popular IT Nerds. We’ve had the ability to talk with Rob Carson, the founder and CEO of Semper Sec, and also running the Blue Team Warrior podcast out there on LinkedIn. So check him out. Um, we’ll post, uh, Rob’s information so that you guys can stalk him. I mean, look at, look at what he has. Uh, um, but, uh, it’s a, it’s some valuable information, and Rob, this is a great, uh, a great chat. I appreciate it. There’s a lot of great.

Speaker 1 | 57:08.481

It’s fun. Like, I like the crystal ball part. Cause I’m just like, oh, here’s what I see. Because, like, I see a lot of people getting popped with automated compliance, thinking it’s going to work magically and not making sure it’s pointed at the right things. Like, the tool is only as good as a human. Thank you so much for having me. Like, I really appreciate it.

Speaker 0 | 57:28.410

Thank you.
