311- Securing the Mid-Market: Tom Shock’s Step by Step Approach to Cybersecurity

Securing the Mid-Market: Tom Shock's Practical Approach to Cybersecurity
Dissecting Popular IT Nerds

Tom Shock

Tom Shock is a seasoned IT professional with over 15 years of experience modernizing technology environments in mid-market organizations. Currently serving as the Director of IT at Shepherd Electric Supply, Tom is known for his hands-on approach, instilling a customer service-oriented IT culture. His leadership style focuses on cultivating engagement and passion within his team by providing opportunities, guidance, and autonomy. Throughout his tenure, he has driven accelerated growth, improved efficiency, and enhanced productivity.

While Tom’s primary expertise lies in IT modernization, he also possesses significant knowledge of cybersecurity, especially in addressing the unique challenges faced by companies with 200-1000 employees. His pragmatic approach ensures that security solutions are both effective and aligned with business operations.

Securing the Mid-Market: Tom Shock’s Step by Step Approach to Cybersecurity

How can mid-market companies protect themselves against cyber threats without breaking the bank? Tom Shock, Director of IT at Shepherd Electric Supply, shares his expertise on implementing effective cybersecurity measures for mid-sized businesses. From endpoint detection to email security and beyond, Tom outlines practical steps companies can take to strengthen their defenses, emphasizing the importance of a layered approach and continuous improvement.

Disclaimer: The views, thoughts, and opinions expressed by guests on this podcast are solely their own and do not necessarily reflect the views or positions of their employers, affiliates, organizations, or any other entities. The content provided is for informational purposes only and should not be considered professional advice. The podcast hosts and producers are not responsible for any actions taken based on the discussions in the episodes. We encourage listeners to consult with a professional or conduct their own research before making any decisions based on the content of this podcast.

Episode Show Notes

00:01 – Introduction and guest background

01:35 – Challenges and advantages of mid-market cybersecurity

05:47 – Starting with endpoint detection and response

12:31 – Importance of email security

14:11 – User awareness training

23:21 – Patch management as a critical security layer

28:03 – Adapting to remote work security needs

35:41 – AI in cybersecurity tools

44:13 – Backup strategies and immutability

48:31 – Choosing right-sized solutions for mid-market

51:29 – Three-pronged approach to cybersecurity

Transcript

Speaker 0 | 00:01.108

All right. Well, welcome back to another episode of Dissecting Popular IT Nerds. Your host, Mike Kelly. And today we’ve got Tom Shock, who is the Director of IT over at Shepherd Electric Supply in Annapolis, Maryland. So, Tom, why don’t you go ahead and introduce yourself? Tell us a little about your history and why you consider yourself a nerd or a geek.

Speaker 1 | 00:23.694

Sure thing. So, I am the Director of IT at a mid-market wholesaler of electrical supplies. Shepherd Electric has seven locations in the Maryland, Virginia, Washington, D.C. region. We have about 350 employees and we have about $500 million per year in revenue. So, you know, my expertise is really in the overlap between cybersecurity and mid-market. You know, I’ve been in the mid-market space for… better part of 20 years at three different companies, all distributors of some sort. So the experience of addressing cybersecurity at those companies has just given me some insight into what that’s like because it is different. There are challenges for mid-market companies when they try to address cybersecurity, but then there are also some things that make it a little easier. And those are kind of the things I’d like to highlight as we talk through our session today.

Speaker 0 | 01:35.602

Yeah. You know, with my experience, I didn’t have experience at multiple organizations, but I was at a mid market and I helped them grow through quite a bit. They were emerging or getting to that emerging side of enterprise. And, you know, we were up to like 40 locations, eight different lines of business and everything else. And I’m going to make the assumption that the challenges that you’re talking about is the fact that they’re not one of the big guys and they don’t have the big budget to be able to just go buy all the shinies. But the advantage that the mid-market has compared to some of those big guys is their agility and their ability to quickly address multiple things and or to have immediate access to those different things. Everything’s not so segmented into different silos that you have to go make sure that this, this head of the silo and that head of the silo and that head of the silo all agree so that you can implement MFA across the organization. You could just say, you know what, we’ve got to do this because we’re doing cyber insurance and too bad.

Speaker 1 | 02:49.094

Yep. Yep. Yeah. I think certainly, and when I speak of big market, I’m talking about companies where, you know, certainly less than a thousand employees, typically a couple hundred, sometimes even less than that. And it’s really that size that creates the challenge that you were alluding to, in that you don’t have a security team. You probably don’t have a chief information security officer. You may not even have a member of your team that is dedicated to cybersecurity. So what you end up with is, as we have at Shepherd, a group of generalists who… need to provide application support and infrastructure support and cybersecurity, you know, all at the same time, sometimes in the same hour, um, you know, kind of just changing hat as needed. Um, the flip side is what makes it a little easier, what works in our favor, is that, um, a company of that size, you know, I know all of our users, many of them by sight. So when you think about securing something, you know, kind of like, uh, you know, we’re, and in the mid market we’re trying to keep a, you know, a small house kind of secure and safe compared to like a large resort, you know, how much easier that is because I recognize all the people walking in the door. You know, I don’t need to rely on a key card system or, you know, anything, a code system. You know, it’s like I can have each person’s face, you know, my name, and it’s similar on the I.T. front. Um, and that’s what I think makes the mid-market unique because the solutions that we are looking for or can deploy really and often we can leverage that familiarity and that side benefit. The fact of the matter is most mid-market companies aren’t going to scale up to 5,000 users, 1 billion in sales. They’ve been in the mid-market for sometimes 30, 40 years and that’s a great size, usually family-owned, and that’s probably where they’re going to stay. So they just need to find a way to secure that footprint. And, you know, and I think that’s where I had some experience and can offer some thought.

Speaker 0 | 05:08.568

And so, you know, for sure, that’s one of those areas that people, that group definitely needs that help and that guidance. Where do you think is the best place to start with? Because typically, you know, we’ve got, you sent me some ideas before the podcast on topics, and you’ve hit on all of the primary ones to go with, but which one’s the first one to go with? Where do we start this journey, and why there first?

Speaker 1 | 05:47.146

Yeah, so that’s an excellent question. And, um, you know, cybersecurity is right now, it’s incredibly wide and incredibly deep, and if you’re starting from scratch it is absolutely overwhelming. Um, it’s really difficult now because it’s sometimes hard to even categorize a solution provider. Are you a car, a boat, or a plane? Because, you know, so many of the solution providers are kind of like, well, we actually can do all three of those. And that’s just very confusing when you’re stopping, you know. But I would say the first place that I have always started has been with an endpoint detection and response solution. And there’s probably three of them, four of them out there that are, you know, top tier. And those are… There really isn’t a difference between buying one of those for a five-person shop or a 5,000, you know, endpoint shop. You know, they’re all kind of built to do the same thing and for the most part don’t require a lot of specialization. So you can off the shelf implement, you know, just to throw out names, CrowdStrike, SentinelOne, Windows Defender. I think Sophos has an EDR solution. Um, and you know, Carbon Black was certainly one of the pioneers in that area. Um, I think still, you know, provides that solution as well, but that’s, I think, always a good place to start because it, you know, as it’s kind of like, you know, absent that you’re just, you’ve got a big gap in your, in your security posture. So, um,

Speaker 0 | 07:18.477

So what about the innate one or, you know, you mentioned Windows Defender, but then there’s Windows endpoint protection. And so what about the NA versus, especially if you’re a five-person shop, versus the 500 or the 5,000 user shop?

Speaker 1 | 07:36.864

Yeah, and I take responsibility for finding this naming with Microsoft products, but I feel like they care a little bit about it because they can’t be named. They do. And they rename everything. So when I think, you know, Microsoft, I’m talking about their EDR product. So if they’re currently called… endpoint detection, then let’s go with that. Yeah, I don’t think the built-in firewall, while I’m sure it has utility, I don’t think it has the breadth and capability set that a top-tier EDR solution provides. All those, the ones that I mentioned are cloud-based in that you can access the telemetry from the machine on a cloud portal and really, all they need is some form of internet connectivity, which is kind of ubiquitous now. That’s a gift.

Speaker 0 | 08:32.938

Yeah, yeah. There’s not too many places, especially in the mid-market, that need air-gapped computers.

Speaker 1 | 08:38.860

Nope, nope. If anything,

Speaker 0 | 08:41.461

they have to have that internet connectivity to be able to get their email.

Speaker 1 | 08:45.402

Yeah, yeah. I think, you know, and that mid-market is also far more likely to have some type of legacy, you know, maybe homegrown components that they need to, that they can’t decommission or turn off. And that’s going to introduce more complexity to their cybersecurity posture than, you know, kind of a bigger company that can, you know, again, do like air gap, this, that, and the other. And so I think understanding that and recognizing, hey, there are some things that, yeah, you can’t change it. If you’re running a home built product that, you know, Lord knows what its operating system is and it’s no longer, you know, been decommissioned by the, you know, vendor for a long time, providing security updates, then that may be a fact of your life. And you just need to kind of build your security posture with that, you know, understanding in place. It doesn’t mean you can’t become more secure. You might not ever pass a, you know, one of the NIST framework.

Speaker 0 | 09:43.612

Yeah.

Speaker 1 | 09:44.953

But that’s probably okay. Cause you’re also not going to be required to do that by any kind of, you know, outside entity.

Speaker 0 | 09:52.155

Yeah. You know, one of my friends had, and I know that it’s a real popular saying anymore, um, if it’s free, then you’re the product.

Speaker 1 | 10:05.047

Yeah, right, right.

Speaker 0 | 10:06.849

So the AVGs and those kinds of endpoint detection. And every time I’m trying to help somebody out and I find AVG or the free version of Symantec or, you know, all of those, I just cringe and just go, oh, man, I don’t know if I can trust this machine going forward.

Speaker 1 | 10:29.627

Yeah. It is a challenge. And, you know, but EDR really isn’t terribly expensive. It’s usually pretty simple to deploy. You know, people who are supporting an environment, you know, it’s going to be in their wheelhouse. You know, it’s going to be something they’re accustomed to doing. And it doesn’t really, you know, all of them are all the ones I mentioned are fine products and that they’re not going to, generally speaking, blow anything up. You know, obviously, it always makes sense to do the wise thing and start with a, one or a small sample of machines and kind of ease into it just to make sure you don’t have anything in your environment that looks very unusual to that solution and therefore it wants to, you know, quarantine it or shut it down. But, um, once you get over that hurdle, I found that our EDR solution is very quiet. Um, you know, we’ve got a couple hundred users and, um, most of them stick to their knitting. They don’t do anything wild. They’re coming in to kind of do their operations-oriented jobs. It’s kind of the same thing every day for them. And we just generate very few alerts. And I just think compared to a large enterprise where you just have a much wider spectrum of users, I just think the volume makes it such that it’s pretty manageable.

Speaker 0 | 11:50.311

And then the engine. The cloud-based ones, the other benefit that you really get from those is the fact that not only is it looking at your environment, but it’s checking back in with the mothership, so to speak, and getting those updates of any of the new threats. And so it gets new definitions all the time. So even though, you know, it’s not just the base of my five computers, it’s the base of all of the consumers of that same product. So, yeah. You know, it’s getting vision and all of that. So they finally started, those providers started leveraging their whole network ecosystem. All right, we got EDR covered. What’s next?

Speaker 1 | 12:31.318

So I think the next easiest thing is email security. I mean, the vast majority of people listening on the podcast probably are, you know, either Google or M365. I just don’t think too many people run Exchange on-prem anymore.

Speaker 0 | 12:44.646

You’d be surprised.

Speaker 1 | 12:46.346

Well, I… But I do think an email security solution is just the next easiest and most bang for the buck, because that’s another really frequent entry point for bad things. And if you’ve got an email security provider that’s going to screen out the malicious messages or the messages from known good users that happen to be hacked and have a bad file attached to them, it’s just, again, it’s layer number two. You’ve got the EDR kind of playing goalie, now you’ve got email, you know, out in front, it’s close to fence and it’s just, it just is the definition of a layer to personal security.

Speaker 0 | 13:17.828

Yeah, and then, you know, the, uh, the other critical one that has to come in here, and it’s one of the ones that some organizations are making their living off of this and others are just trying to do the best they can with, um, what’s being provided, but that now comes to education we teach, because both of these products are focused on the end user. And so we’ve got to start educating or we’ve got to make sure that they’re, you know, we’re all hearing about cybersecurity. But, you know, what is it? What do I got to do with that? You know, hey, I just got that email from the CEO. He needs five Google certificates real quick. Give certificates and they fall for it.

Speaker 1 | 14:11.143

Yeah. Well, I think and that’s, you know, I agree with you 100% that security awareness training, you know, really important. I think you’ll find that a lot of the email providers, that is one of the situations where it’s a plane and a car. They do both. You know, it’s just a really easy place for them to tack on, you know, that service. And there are some other standalones, you know, before it’s probably the most common matter of security or training. But going back to that small footprint, you know, on the mid market, the benefit of, you know, that’s just not having a lot of people is everybody in my company knows our CEO. And first of all, they know he’s not, he’s highly unlikely to send an email asking them to, you know what I mean? They just know him personally. And so those types of… you know, there’s an, there’s, it’s like, there’s a sweet spot for that kind of circle engineered attack. And the mid market, a lot of times is like too tight knit, you know what I mean? It’s like, I just saw him in the bathroom, you know, and he’s not going to send me an email to me to go buy, buy him a gift card. So it helps, you know, it’s one of those places where it helps to be small.

Speaker 0 | 15:20.846

Yeah, it does. And, and, but it’s also one of those areas where you got to, just as you’re starting to grow and you get to the point of, you don’t recognize every face in the hall. You really need to start making sure that you’re setting up those checks and balances of, hey, you know, an employee just sent that they want to change where their paycheck is being deposited. Call them. Stop by. Talk to them. Don’t just send them an email and validate it. And don’t just take a text message for gospel on it. You know, go talk to them and make sure that they actually ask for their paycheck to get rerouted, especially if it’s one of the executives who has a larger paycheck.

Speaker 1 | 16:03.415

Yeah, I think what’s changed is the kind of automation isn’t the right word, but the simplification of malicious tools makes it really possible to target a company of any size in the U.S. I think, you know, if you flashback 10 years ago, you know, cybersecurity wasn’t as easy to perpetrate as it is now. And so, you know, if you were going to spend all that time and effort, you wanted to kind of, you know, be elephant hunting. And now I think the tools are made incredibly proliferated. And I mean, really, you know, there’s just so much ease of access to become a cybersecurity perpetrator that really any company, any US based company, regardless of its size, is now an equivalent target. Because if you, you know, hit 10 companies and, you know, get 10 grand each from them, that’s, you know, as good as elephant hunting and finding, you know, 100,000 pounds.

Speaker 0 | 16:58.232

Yeah, well, and one of the other things that I’ve really come to, to use that technical term, grok, um, is that, you know, the cost or the value of the U.S. dollar in other countries makes this so profitable for certain countries to really just go after it. You know, a 500 win to us is like, God, I can’t even bother calling somebody about it because they’re not going to care about five hundred dollars, but for some countries that’s an annual salary. So if they can get a couple of those done in a month, then yay. Um, but if they can get a couple of those done in an hour and continue to go after it, then it becomes really, really profitable for them. So, you know, yeah, it’s not, oh, I have to have, I gotta get the elephant that’s going to get me $5 million. If I can just get, you know, those rabbits, then I’m, I’m fat and happy.

Speaker 1 | 18:02.381

Yeah. And that’s just, you know, we could complain all day, but that’s, you know, the way the world is right now, you know, the U S just has a huge number of companies. I mean, think about, you know, everything from little long care providers to home improvement. I mean, just the list is almost endless. And to your point, um, Many of those, $500 is an unpleasant experience, but it’s not going to be a showstopper. But if their email is inaccessible or their data is inaccessible or their network is down, that is a showstopper. Yeah.

Speaker 0 | 18:43.880

Well, and that’s the difference between the business email compromise, then social engineering, and ransomware. Ransomware, they’re hunting the elephants, or at least that’s the mindset more of, okay, we’re going to get the whole organization, not just like one individual and get them to, uh, mess up. Yeah.

Speaker 1 | 19:08.590

Yeah, it’s tough. I mean, you know, I’ve been doing, sitting in an IT director chair, 2011, so I guess, I’m sure you don’t do math in my head, but 10, 12, you... And it’s certainly become, if I spent 5% of my time in 2011 worried about cybersecurity, I spend 35% of my time worried about cybersecurity now. It is a significant portion of my day. And, you know, I don’t envision that changing. You know, perhaps at some point Shepherd will grow large enough where every company will have someone who just focuses on security. But for the foreseeable future, it gets as much of my time as our key applications for our structure. Um, you know, it’s certainly probably more than how much time I spend on budget and strategic planning.

Speaker 0 | 20:05.994

So with your experience at multiple organizations, what has been your experience with the, um, other executives and their general stance on cybersecurity? Cause I, you know, the organization that I was at the longest, um, I just, it was, it was kind of that necessary evil like insurance, but they were more willing to go after insurance than they were to invest in cybersecurity because it was still this ethereal thing out there where, um, where either I was doing a good enough job that it wasn’t a threat to them or they just, they just weren’t really afraid of that. It’s one of those things that you almost have to have that car wreck before you’re worried about the car insurance to really bring that home. How have you broached those conversations? Because I know that was always one of the challenges for me. And I’ve talked to a few people on our chairs and asked them how they approached it. And what’s your approach?

Speaker 1 | 21:15.579

So it was certainly a more challenging conversation 10 years ago and even five years ago. But I think the… frequency of occurrence has made it a much easier sell. So in our market space, you know, again, we’re a wholesale buyer of electrical components, just in the region, some of our competitors have had windows of time where they’ve been offline, and we’ll get, you know, an influx of calls, because, you know, someone goes down and we come to find it was cybersecurity related. So, you know, one of those probably would have been sufficient, the fact that that’s happened, probably three times over the last five years, the different entities in our area has made it such that, you know, if I go to our owner and say, hey, I really think we need to do X, you know, I have his full and complete attention because, you know, it was a hundred and thirty something year old family, you know, run business and reputation is really material to him, you know, probably more so than the monetary concerns, the thought that he wouldn’t be able to serve his customers because we were down because we’re recovering from some type of security incident. So that makes the discussion now, it’s not so much of a sell, but it’s more of a, okay, we’re not going to become the NSA. We don’t have that kind of expertise or budget. So what do we do and how do we do it in a way that doesn’t slow our speed of business or our customer service or degrade our user experience, because that’s certainly not the objective. You know, you don’t make money by having a great cybersecurity posture. That’s not the way, you know, you’re able to get paid. So we just need to be cognizant of that. And that’s more where the conversation lives now than convincing them of an actual need to do something.

Speaker 0 | 23:07.045

Yeah. Okay. EDR, email security, making sure the executives are aware, getting the end users trained and conscious at the very least of things. Next?

Speaker 1 | 23:21.334

So I would, you know, for me, the next one is patch management. So you’ve got devices, servers, and, you know, desktops, laptops. Keeping them patched, I think, is fairly affordable. And I think, you know, a lot of times people are like, oh, I can do that myself. But it’s more than just the operating system. You know, what you’ll find is a lot of times there are vulnerabilities in applications that you just wouldn’t think would be that big of a target. Adobe, no offense to Adobe, right, they’re an elephant. Yeah, so the patch management solutions, and there are a number of them out there, they just provide you with that, you know, kind of list of, hey, here are all the remediations that need, are needed on the machines, and many of them, you know, you can kind of configure them to, you know, kind of knock that out on your behalf. And it takes a little getting used to. Our users didn’t love it. You know, we got complaints that this thing wants to restart like every day now, and, you know, my response is, you know, again, them, sorry, that’s the world that we live in, but most of those patches are security-driven. And when you have 20 applications on your scene, plus the OS, plus M365, plus the firmware, yeah, there’s going to be a lot of restarts in your life. That’s the way it goes.

Speaker 0 | 24:33.944

Yeah. And you probably need to be doing them a little faster. And if you haven’t set up autosave, hey, that’s what. Yeah. Most everything has a version of autosave now so that you can get right back to where you were.

Speaker 1 | 24:49.942

It’s true. It’s true.

Speaker 0 | 24:52.689

What other thoughts you got for us? What other?

Speaker 1 | 24:55.595

So I think, you know, once you kind of have those, those four in place, you know, you’ve got EDR, you know, you’ve got email security, got the awareness training, and you’re doing some, you know, you’re patching your endpoints. Now it kind of becomes, all right, you know your environment better than anybody else. So the exercise that I do with my team once a year is, you know, we have a kind of a purpose built meeting for this is, hey, put on your hacker hat. If you were going to hack Shepherd, what would you do? How would you, you know, break into the company? You know, there are some people or someone might, team members are better at others and kind of like flipping the script and coming up with, you know, ideas. But once, you know, as like, you know, people start throwing out thoughts, it kind of, you know, you get some tracks in there. And I generated, you know, a punch list that took me 18 months to clean up from their, you know, their input. And that includes everything from just physical security to, for instance, you know, historically, we didn’t have any type of barrier on our server room door, you know, I mean, it was just a small company that grew to be a slightly larger company. And, you know, but that’s the deposit. Yeah. You know, and after a while, people were like, well, hey, wouldn’t it make sense, you know, even if it just seems like a cursory barrier, just to, you know, put something in, you’re probably right. So those types of things can come out of that exercise and, and some more complex thoughts, you know, it also helps you to kind of build your, hey, you know, what, what are our most critical assets? I mean, you kind of know that intuitively, but it just helps to kind of talk about that. It leads into that conversation. So, you know, I, what my kind of three pronged approach to, you know, cybersecurity is something’s better than nothing. 
You know, it’s just, it can be a little bit overwhelming, but you know, that’s, that’s always a good place to start. But then the kind of the part of where you really plan to be unsuccessful, expect that at some point in the next so many months or years, you’re going to have a cybersecurity incident, despite your best effort. So I believe it makes sense to make investments in that future failure in the form of some type of incident response plan. So it can seem like, well, gosh, that sounds expensive. And it’s not inexpensive, but for a couple of thousand dollars, you could have an incident response retainer with a company who could help you because… It really is. I mean, again, I’ve been in this industry a long time, but I am not a cybersecurity expert. You know, if something is present in my network, it’s encrypting files. I am not going to be the person to figure out what that is, how to remediate it. What steps do I need to take? Where did it most likely originate? You know, all of those types of activities are really, you know, that is a specialist. You want to know who that specialist is. You want to know what their number is. You want to have that relationship in place so that when it happens, your response is measured in hours and not days.

Speaker 0 | 28:03.652

Yeah, because days means days of time that the organization is probably not working or at the very least, they’re not at 100%. So what about these other, well, not other, I mean, you’ve already talked about some of the… as a service, but now you blend in the cloud. Now we, we’ve taken away that, um, hard exterior shell that we all used to love and hide behind our firewalls, and now we’ve got roaming workers, we’ve got roaming hardware, we’ve got cloud services, not just as a service, but, you know, we’ve got virtual machines and cloud networks where, um, we’re, most people are probably open, aren’t using private networks anymore. So MPLS and the like and those dedicated expensive networks are gone. And now we’re trying to all leverage direct Internet access and internal VPNs to connect, interconnect all of our sites. What levels of security? What are you doing in those realms, or what advice do you have for somebody who’s walking into this position, you know, has just gotten their director hat and is trying to take and evaluate, okay, where am I?

Speaker 1 | 29:28.253

Yeah. So, you know, Shepherd’s a great example. When I first arrived five years ago in 2019, they were very traditional, you know, everybody in an office working. Maybe there were five laptops in the entire organization. And then COVID comes around and, you know, that changes everything. And we are now a fully hybrid organization. 170 of our users, pretty much anyone who could possibly work remotely, has that capability and almost all of them take advantage of it at least one day a week. So to your point, yeah, that’s a totally different architecture. But it’s not terribly difficult to set up. I mean, really any firewall product that you have, whether it’s a physical firewall or a virtual firewall, is going to have a secure socket, you know, where VPN, SSL VPN client, you can install on that remote endpoint. And that’s going to create, you know, secure tunnel between that endpoint and your network. And again, all of the kind of major players in that space, adding MFA to that is quite doable, not expensive, not complex. Our users are totally accustomed to it. They do MFA to get to their bank or their 401k or, you know, really anything now. So that was not a hard sell. So that’s where we, that’s the space we currently live in. We have on all of our remote endpoints, SSL VPN client from our firewall vendor with MFA using an app on their smartphone. That being said, I am, we are exploring the secure access service edge with so many different acronyms now, CASB, SASE, but essentially it is firewall on the cloud that you access, that you go to, and then that lets you go on to wherever else you’re going to go, whether it be software as a service, you know, like Salesforce, or back to your network for your own on-prem ERP.

Speaker 0 | 31:24.073

You know, I’m thankful and i think i’m beginning to really start to see that that consolidation because you mentioned something about it in the beginning of the conversation that cyber security wide and deep but i think we’re finally starting to see it kind of start to constrict again down to a limited number of critical products like like the five that you’ve mentioned but now we bring in sassy we bring in casby we We start bringing in the zero trust and just having that correct posture and that thought of the protection of every individual endpoint. And I’m not even saying it the right way. I can’t even think of a better way of saying it. But we’re seeing that consolidation versus all of the different ways. I remember SASE when it was four individual things versus.

Speaker 1 | 32:24.706

the combined, um, solution that it’s becoming, it’s almost becoming like that. XDR is one of the other things that they love to throw out there too. Yeah, and that I do, I agree with you that there is started to become some consolidation, and also some of it I think is, you know, because you need, you know, every IT leader is spending more time in the cybersecurity space. They’re becoming more familiar with kind of categorizing different vendors, because as a vendor, you may want to be a car, boat, and a plane, but if really your bread and butter, what kind of brought you to the dance, is being a boat, everyone’s pretty much going to kind of look to you for that activity. And then it just helps as you’re evaluating the market space to kind of filter out all the acronyms, EDR, XDR, MDR, and how does all that mean? It’s like, oh, well, really, there isn’t that much. They are different. But, you know, the core value proposition is a little bit simpler to digest. And then some of it’s more like, you know, toppings on a taco, you know. Salsa.

Speaker 0 | 33:39.238

Right.

Speaker 1 | 33:40.219

Shredded cheese.

Speaker 0 | 33:42.801

Yeah, I want my queso, yes. So, interestingly enough, one of the acronyms that you threw out there made me think of something else that that a lot of people are pushing. And I wonder what your thoughts are about that. And that’s the 24-7 coverage.

Speaker 1 | 34:01.689

So we don’t have 24-7 coverage. We did for a while.

Speaker 0 | 34:05.791

Don’t.

Speaker 1 | 34:06.991

Yeah, we did for a while on our EDR product. And to be honest, what we found is, when we changed EDR products this past year, we took the opportunity to kind of reallocate those funds. And we went with one of the big players. And we just basically implemented a really tight policy. I mean, it’s all kind of sliders. We didn’t have to like write any code or anything, but essentially we have our EDR set to anything it doesn’t like, shut it down. Anything it definitely doesn’t like, shut it down. Basically, you know, when in doubt, shut it down. Because it’s more feasible for my, you know, six person team to get a phone call, you know, once in a blue moon from a user that, hey, you know, I can’t do anything, I think, you know, what’s wrong with my laptop, and then to hop on the cloud portal and see that our EDR shut them down, than it is to pay for a 24-7 monitoring and have a more permissive policy and rely on that vendor or managed security service provider to take action on our behalf. So we have two of our solutions are in that kind of same boat, autonomous mode, super tight policy, whatever you don’t like, shut it down and we’ll deal with fallout, kind of our approach.

Speaker 0 | 35:27.566

Have you seen anything with the artificial intelligence hitting yet? I mean, and any direction, let’s, let’s talk about that for just a minute. And, you know, there’s lots of topics around that.

Speaker 1 | 35:41.289

Yeah. So our network monitoring solution was kind of born from AI. It’s Darktrace. It’s a, you know, fairly common solution now, but so that thing’s whole approach to life is, you know, it’s like a little old lady on the street who knows every neighbor and every car they drive and what their schedule is. So as soon as Bob’s driving a different car and gets home late, that’s just set to our Twitter. And that is exactly what Darktrace does. It sucks in all this data and it pushes it up to the AI engine. And the AI engine just compares what’s happening right now to what that MAC address has been doing for the last year of its life. And when there’s something different, it shuts it down. It doesn’t really… It’s not smart, you know, it’s not smart like a person would be smart and be like, oh, well, that’s actually okay and that’s fine, that’s all that we needed to do. But it is definitely an AI-driven service product, even though we as a company script we don’t, you know, don’t have any real investment in AI at this moment. We certainly don’t have any expertise in AI at this moment, but I can recognize, you know, a quality pumpkin pie when I see one, and I don’t have to know how to make it to enjoy it. And that’s kind of what we’re doing with our network monitoring tool.

Speaker 0 | 36:55.194

What about on the flip side of that, though? Have you seen any AI or heard of any times that AI was leveraged as the attack mode? Because in all honesty, I have yet to really hear of a big breach that they’re touting being driven by some of the AI tools.

Speaker 1 | 37:16.528

Yeah, I have not. So I think maybe that’s one of those places where you really need that bespoke human component to be a quality hacker. I think, you know, AI in general, I mean, we’re looking at it pretty seriously from a productivity tool, not cybersecurity related, but how can it augment our regular employees’ lives to make them faster, easier, better, you know. And there’s a couple of different solutions there that we’re exploring, all of them, you know, Microsoft, Zoom, you know, we’re not doing anything terribly different from the rest of the market space. But yeah, I don’t. I can’t speak to why, you know, convergence of the kind of simplification or commoditization, you know, malicious actor tool and AI haven’t become a bigger thing. But as you kind of mentioned, a lot of these providers have a big enough install base that, you know, they’re sharing that telemetry from all of their customers. And I imagine it’s not insignificant to, you know, try to slip one past the goalie there when you have that many, you know, that big of a sample size. You know, you come up with something new and inventive and then all, you know, those tools kind of see it once and then they share that knowledge with the other, you know, million endpoints running their product and it becomes obsolete. I don’t know.

Speaker 0 | 38:35.289

Yeah. Well, and so I have seen a little bit in this arena, kind of from the same side that you have, though, of the providers who are leveraging AI to make their product more full featured. And, you know, trying to, and I’m thinking of somebody in particular, but I’m not giving them the airtime yet. They’re doing just like you were talking about of, you know, that the behavior analysis and the traffic analysis and the endpoint information and the log aggregation and just aggregating all of that data together to be faster on the shutdowns and those things. Instead of waiting for the human to say, okay, I agree, this is bad, and push the button, it’s going ahead and pushing that button. And I think it’s doing it more of a surgical strike than, you know, I like to think of it with the cell phone. So you can either do the nuclear option and just brick the phone. Or if you’re doing things properly, you’ve got that surgical strike and you can remove all of the corporate data while leaving the user data alone. So the new AI tools are doing the surgical strike of not just shutting down that whole laptop and segmenting them out of the network, but now they’re, like, saying, okay, he’s now suddenly talking and he’s sending non-DNS requests on that DNS port. Let’s shut down that DNS port from that machine, and doing much more segmented approaches to things or laser approaches to things versus the big options. But I also know, and I’ve read somewhere about… ChatGPT, Gemini, and what’s the other one?

Speaker 1 | 40:29.847

OpenAI?

Speaker 0 | 40:31.447

Yeah. Well, ChatGPT. Oh, Copilot. Yeah, which is OpenAI. Two of those are the same. But there are hacker tools that they’re building their own large language models to have their own AI tool for the attacks. So as they get that initial foothold… then they’re spreading faster or attacking faster. So their speed from infiltration to execution or their cyber kill chain, I think, is one of the ways that we talk about it. It’s getting smaller and faster. And so we have to have the AI, or either that or all of the vendors are upselling it that way.

Speaker 1 | 41:16.578

You’re going to have to.

Speaker 0 | 41:19.060

Humans are too slow. Back to the 24-7 conversation. You know what? Let’s take a slight twist. Tell me some of the fun things in your career. What’s one of those stories? What’s one of those times that you just go, oh, God, double facepalm? When you think about that, either that trouble ticket, that time that executive walked into your office, or Nancy from accounting came yelling at you for something. What’s one of those tickets?

Speaker 1 | 41:48.040

Well, I, and this is kind of cyber security related. I’ve been through a cyber security incident. It was, you know, not quite 10 years ago. So not early in the cyber security world, but early enough. And I just remember hopping on, forget what I was doing, but I needed to hop on on a Sunday night to do something pretty pedestrian. And all the files on the desktop for the server I jumped on, like, looked the same. And it’s just that, you know, it’s like that kind of thing when you, you’ve ever been robbed, where you walk into your house, you’re like, well, that’s not where I am, that or that either, or that looks really odd. It just takes a moment to kind of, you know, for the reality of thinking that, you know, this is not going to be a fun night. And, um, so yeah, I remember looking at that, you know, the server desktop and being, that’s really odd, all the icons are the same. And, you know, the thought I had was, you know, I, this is probably what a lot of other type of security instance looks like. And then lo and behold, there we are. Um, so, you know, I, and it was, you know, we survived, the backups held, you know, and I’d rather be lucky than good any day. I will say that. But it was a great experience in that I came out of there really in touch with how close I came and that organization came to, you know, you know, having to pay the ransom or, you know, it really could have been the end of that setup. Because, you know, at the end of the day, if you can’t access, you know, your data, you know, you’re kind of done. And so, you know, and backups are really great. But, you know, everyone’s had a situation in their career where a backup either didn’t restore properly or restored, but something was a little bit amiss. So we haven’t really touched on it, but I really lump backup and recovery as a cybersecurity layer. And I don’t think of it as infrastructure. I think of it as a cybersecurity solution. And I put it in my cybersecurity budget accordingly.
It doesn’t go in the same budget as like server refreshes or that kind of thing. It goes in cybersecurity because that’s almost certainly where it’s going to get utilized. I mean, you know, we couldn’t get hit by a tornado or a train or a plane, but we’re probably going to get hit by cybersecurity. That’s probably where we’re going to be.

Speaker 0 | 44:01.420

Yeah, and it is. It’s critical. And then, so what are your thoughts about on-prem, off-prem, immutable? Talk a little about this.

Speaker 1 | 44:13.511

So I am, I’ve been a Veeam customer forever, you know, just probably like 85% of the market space, but really became concerned just with the architecture of my implementation of Veeam, which was, I was running Veeam backup recovery on one of my virtual machines. And I just, it became clear, just, you know, talking with, you know, any conferences and kind of staying up on the setup that, that architecture was vulnerable. So there were a couple options. I could either harden that Veeam architecture, which is absolutely a viable way to go, just so that you’re not reliant on your vCenter, vSphere kind of setup to execute on your backup recovery, because that’s… not a great game plan in the event of a cybersecurity incident because, you know, most factors kind of understand that. So once they’re in your environment, kind of their game plan is, well, we’re going to detonate this malware that’s going to compromise your vCenter environment, either all the way down to the host or maybe just the vCenter server at the same time that we encrypt your data. So it kind of, that setup, you know, encouraged me to reevaluate our backup architecture and kind of understand, all right, where, you know, what kind of situation are we going to be in if we really need to kind of start from scratch. And again, this is something that we did further on in our maturity as, you know, putting our cyber security game plan together, because it was not an inexpensive investment. But we have backup hardware that’s, you know, with a vendor that we can call and get essentially new esd host or luminary is the site host that we can run, and our backup and recovery solution is no longer associated or tied to or dependent upon our ESXi or VMware vCenter environment. It is completely separate. That was a long answer to your question of, yes, I have backups on-prem, on hard-to-devices, in the cloud, and a third copy elsewhere, two of which are immutable. Wow.

Speaker 0 | 46:26.350

Multi-copy, immutable.

Speaker 1 | 46:29.830

Self-suspenders and a pair of shorts with a lot of coverage is kind of how they’re going to approach the fact of coverage.

Speaker 0 | 46:38.553

All right. So I was trying to find one of those tickets that you got any other stories? You got something personal? What lit up in your eyes right then when I asked you that question? What’s the story? They’re trading behind that smile. Well,

Speaker 1 | 46:57.400

I have to filter all the ones that are not appropriate for podcast, which is a subset. I think, you know, one of the pieces of information that I’ve found helpful is looking for solutions that provide like 80% of the value with only like 20% of the complexity. Because I think there are, you know, just like when you’re shopping for a car. you know there can be a car that you know has a bunch of bells and whistles and yes they are nice but really if you’re just looking for basic transportation you know there’s there’s a model out there that can perform that function perfectly well and it will be a little less expensive and a lot easier to maintain and for crews of my size the ease of maintenance is so important because on any given day um you know we’re stepping into you know helping someone with a printer, fixing a Wi-Fi access point, and then we’ve got to step into one of our cybersecurity solutions. And it really needs to be intuitive because we just don’t have the luxury of sending someone to a training seminar for that last a week long to become an expert in that product. We just don’t have that headcount. So don’t be afraid to say to a vendor, hey, I like this architecture, I think it’s a fine approach, but you’re not the right vendor for us. We’re just looking for someone who can provide a comparable product that is far less complex. That’s a legitimate response.

Speaker 0 | 48:31.966

Yeah, especially for the mid-market because there’s a lot of times that they try to use that same approach of trying to sell to the elephant and trying to sell to the rabbit. Yeah. And it just doesn’t work. I was trying to think of something that I was going to ask you to give me an example of some of the technology that you grew up with that you don’t think that somebody born after 2000 would recognize. What’s up in there?

Speaker 1 | 49:06.826

So certainly, you know, I feel like the fax machine fits into that category. You know, I was talking to somebody the other day about Excel and they were about my age. And down. we were talking about the slash key and Lotus 1-2-3 and like every command was you know a slash key and then it was just there just was no it was all keyboard and the other person in the room was probably in their 20s or something they were just we might as well like speak they were like what are they talking but yeah back in the back in the day you know you had Lotus 1-2-3 and Harvard Graphics and some type of you know email package that was not standard I mean every email package was like that you know, blue mail or whatever. It was just, you know, yeah, totally different.

Speaker 0 | 49:51.269

Yeah, I’m thinking back to Pine when we had to log into the Linux server, instantiate Pine so that we could then bring up the text-based emails and read through those. Um, so, so I went to one of the, uh, AIs and I asked them for some examples of these and, and I actually tried to flip the script a little bit and say, okay, give me, give me 10 technologies that somebody born before 1980 wouldn’t recognize. And the answer, um, I’m, I’m a text-based AI and can’t assist with that. What? And the other, all of the examples it gave are things that I think every one of us that was born in 1970 through 1985 would recognize. Smart watches, wireless charging, cryptocurrency, virtual reality, augmented reality, smart speakers, streaming services, social media platforms like TikTok, cloud gaming, e-scooters. Because, you know. we can’t handle those. We can’t handle a scooter that moves for us.

Speaker 1 | 51:05.625

I think, um, I think the, the test case for that is like a US robotics modem. You know, if you showed somebody a US robotics modem and they have, you know, use one of those in their professional life, that kind of tells you where they fall in the age, in the age spectrum. Yeah.

Speaker 0 | 51:23.450

Well, you got any thoughts or anything else you want to share? Any, uh, anything that you want to self promote?

Speaker 1 | 51:29.912

No, no. But I think I mentioned the three-pronged approach, but I’ve only said two of them. But again, a three-pronged approach I take to cybersecurity is it’s definitely a journey. It’s not a destination. You’re never going to get there. So you’ve got to kind of frame it that way. It can be a little bit demoralizing to feel like, oh, my God, we’ve done so much, but now there’s an X, Y, and Z threat that we haven’t addressed. And that’s okay. You do the best that you can. And kind of along those lines, you know, again, something is better than nothing. So, you know, if you’re just don’t feel like you have the bandwidth or the capacity to take on any of the major solutions we mentioned, you know, you can Google and, you know, just take some actions on your domain controllers, you know, make them a little more hard. And that’s better than doing nothing. And I think, you know, people will find that once they kind of get into that state, it’s not quite as daunting as it seems. And then a lot of the solutions that come out have autonomous mode. And I am, you know, someone who wasn’t, you know, was cautious about that. But now that I’ve utilized it on a couple of different platforms, I’m a big fan. I feel like it has utility and, you know, has a place, particularly in the mid-market, to mitigate the need for 24-7 coverage, which is a big challenge for companies who are outside.

Speaker 0 | 52:53.110

Yeah, and I think things have gotten a lot better because I remember when I first started thinking about, oh, like intrusion prevention, IPSs instead of IDSs, and being so afraid to turn that on. Because it was going to be, it was like one of the first products that was trying to use that autonomous mode and say, ooh, bad pattern, we’re going to block this. And the ability to shut down a potential business activity was so scary back then. But now, you know, like, just like MFA, people have gotten used to it and have been introduced to it in so many different places that, that they’re that autonomous mode and our ability to correctly identify things that should be shut down. Just like they, they recognize that, that the scams happening on our credit cards when those purchases being made are outside our norm, that they’re calling you going, hey, are you really trying to buy tennis shoes after you just filled up the gas tank?

Speaker 1 | 54:09.589

Yep.

Speaker 0 | 54:10.230

So, yeah. So that’s the three-pronged approach. It’s a journey, not the destination. Something’s better than nothing. And turn it on. Yep.

Speaker 1 | 54:22.178

No test bike production.

Speaker 0 | 54:24.940

All right, sir. Thanks, Tom. Thanks for spending your time with us. We really appreciate it. Dissecting popular IT nerds and the audience appreciates your time and your dedication. And hopefully somebody learned something today. I know it’s been an enjoyable conversation. So thank you for your time.

Speaker 1 | 54:43.310

It was a pleasure to be here. Thanks so much.

Speaker 0 | 54:45.331

Thank you.

311- Securing the Mid-Market: Tom Shock’s Step by Step Approach to Cybersecurity

Speaker 0 | 00:01.108

All right. Well, welcome back to another episode of Dissecting Popular IT Nerds. Your host, Mike Kelly. And today we’ve got Tom Shock, who is the Director of IT over at Shepard Electric Supply in Annapolis, Maryland. So, Tom, why don’t you go ahead and introduce yourself? Tell us a little about your history and why you consider yourself a nerd or a geek.

Speaker 1 | 00:23.694

Sure thing. So, I am the Director of IT at a mid-market wholesaler of electrical supplies. Shepard Electric has seven locations in the Maryland, Virginia, Washington, D.C. region. We have about 350 employees and we have about $500 million per year in revenue. So, you know, my expertise is really in the overlap between cybersecurity and mid-market. You know, I’ve been in the mid-market space for… better part of 20 years at three different companies, all distributors of some sort. So the experience of addressing cybersecurity at those companies has just given me some insight into what that’s like because it is different. There are challenges for mid-market companies when they try to address cybersecurity, but then there are also some things that make it a little easier. And those are the kind of the things I’d like to highlight as we talk through our session today.

Speaker 0 | 01:35.602

Yeah. You know, with my experience, I didn’t have experience at multiple organizations, but I was at a mid market and I helped them grow through quite a bit. They were emerging or getting to that emerging side of enterprise. And, you know, we were up to like 40 locations, eight different lines of business and everything else. And I, I’m going to make the assumption that the challenges that you’re talking about is the fact that they’re not one of the big guys and they don’t have the big budget to be able to just go buy all the shinies. But the advantage that the mid-market has compared to some of those big guys is their agility and their ability to quickly address multiple things and or to have immediate access to those different things. Everything’s not so segmented into different silos that you have to go make sure that this, this head of the silo and that head of the silo and that head of the silo all agree so that you can implement MFA across the organization. You could just say, you know what, we’ve got to do this because we’re doing cyber insurance and too bad.

Speaker 1 | 02:49.094

Yep. Yep. Yeah. I think certainly, and when I speak of big market, I’m talking about companies where, you know, certainly less than a thousand employees, typically a couple hundred, sometimes even less than that. And it’s really that size that creates the challenge that you were alluding to, in that you don’t have a security team. You probably don’t have a chief information security officer. You may not even have a member of your team that is dedicated to cybersecurity. So what you end up with is, as we have at Shepard, a group of generalists who… need to provide application support and infrastructure support and cyber security, you know, all at the same time, sometimes in the same hour, um, you know, kind of just changing hat as needed. Um, the flip side is what makes it a little easier, what works in our favor, is that, um, a company of that size, you know, I know all of our users, many of them by sight. So when you think about securing something, you know, kind of like, uh, you know, we’re, and in the mid market we’re trying to keep a, you know, a small house kind of secure and safe compared to like a large resort. You know how much easier that is, because I recognize all the people walking in the door. You know, I don’t need to rely on a key card system or, you know, anything, a code system. You know, it’s like I can have each person’s face, you know my name, and it’s similar on the IT front. Um, and that’s what I think makes the mid-market unique, because the solutions that we are looking for or can deploy really and often we can leverage that familiarity and that side benefit. The fact of the matter is most mid-market companies aren’t going to scale up to 5,000 users, 1 billion in sales. They’ve been in the mid-market for sometimes 30, 40 years and that’s a great size, usually family-owned, and that’s probably where they’re going to stay. So they just need to find a way to secure that footprint. And, you know, and I think that’s where I had some experience and can offer some thought.

Speaker 0 | 05:08.568

And so, you know, for sure, that’s one of those areas that people, that group definitely needs that help and that guidance. Where do you think is the best place to start with? Because typically, you know, we’ve got, you sent me some ideas before the podcast on topics, and you’ve hit on all of the primary ones to go with, but which one’s the first one to go with? Where do we, where do we start this journey, and why there first? Yeah, so that’s an excellent question, and, um, you

Speaker 1 | 05:47.146

know, cyber security is right now, it’s incredibly wide and incredibly deep, and if you’re starting from scratch it is absolutely overwhelming. Um, it’s really difficult now because it’s sometimes hard to even categorize a solution provider. Are you a car, a boat, or a plane? Because, you know, so many of the solution providers are kind of like, well, we actually can do all three of those. And that’s just very confusing when you’re stopping, you know. But I would say the first place that I have always started has been with an endpoint detection or response solution. And there’s probably three of them, four of them out there that are, you know, top tier. And those are… There really isn’t a difference between buying one of those for a five-person shop or a 5,000, you know, endpoint shop. You know, they’re all kind of built to do the same thing and for the most part don’t require a lot of specialization. So you can off the shelf implement, you know, just to throw out names, CrowdStrike, SentinelOne, Windows Defender. I think Sophos has an EDR solution. Um, and you know, Carbon Black was certainly one of the pioneers in that area. Um, um, I think still, you know, provides that solution as well, but that’s, I think always a good place to start because it, you know, as it’s kind of like, you know, absent that you’re just, you’ve got a big gap in your, in your security posture. So, um,

Speaker 0 | 07:18.477

So what about the innate one or, you know, you mentioned Windows Defender, but then there’s Windows Endpoint Protection. And so what about the NA versus, especially if you’re a five-person shop, versus the 500 or the 5,000 user shop?

Speaker 1 | 07:36.864

Yeah, and I take responsibility for finding this naming with Microsoft products, but I feel like they care a little bit about it because they can’t be named. They do. And they rename everything. So when I think, you know, Microsoft, I’m talking about their EDR product. So if they’re currently called… endpoint detection, then let’s go with that. Yeah, I don’t think the built-in firewall, while I’m sure it has utility, I don’t think it has the breadth and capability set that a top-tier EDR solution provides. All those, the ones that I mentioned are cloud-based in that you can access the telemetry from the machine on a cloud portal, and really, all they need is some form of internet connectivity, which is kind of ubiquitous now. That’s a gift.

Speaker 0 | 08:32.938

Yeah, yeah. There’s not too many places, especially in the mid-market, that need air-gapped computers.

Speaker 1 | 08:38.860

Nope, nope. If anything,

Speaker 0 | 08:41.461

they have to have that internet connectivity to be able to get their email.

Speaker 1 | 08:45.402

Yeah, yeah. I think, you know, and that mid-market is also far more likely to have some type of legacy, you know, maybe homegrown components that they need to, that they can’t decommission or turn off. And that’s going to introduce more complexity to their cybersecurity posture than, you know, kind of a bigger company that can, you know, again, do like air gap, this, that, and the other. And so I think understanding that and recognizing, hey, there are some things that, yeah, you can’t change it. If you’re running a home built product that, you know, Lord knows what its operating system is and it’s no longer, you know, been decommissioned by the, you know, vendor for a long time, providing security updates, then that may be a fact of your life. And you just need to kind of build your security posture with that, you know, understanding in place. It doesn’t mean you can’t become more secure. You might not ever pass a, you know, one of the NIST frameworks.

Speaker 0 | 09:43.612

Yeah.

Speaker 1 | 09:44.953

But that’s probably okay. Cause you’re also not going to be required to do that by any kind of, you know, outside entity.

Speaker 0 | 09:52.155

Yeah. You know, one of my friends had, and I know that it’s a real popular saying anymore, um, if it’s free, then you’re the product.

Speaker 1 | 10:05.047

Yeah, right, right.

Speaker 0 | 10:06.849

So the AVGs and those kinds of endpoint detection. And every time I’m trying to help somebody out and I find AVG or the free version of Symantec or, you know, all of those, I just cringe and just go, oh, man, I don’t know if I can trust this machine going forward.

Speaker 1 | 10:29.627

Yeah. It is a challenge. And, you know, but EDR really isn’t terribly expensive. It’s usually pretty simple to deploy. You know, people who are supporting an environment, you know, it’s going to be in their wheelhouse. You know, it’s going to be something they’re accustomed to doing. And it doesn’t really, you know, all of them are, all the ones I mentioned are fine products and that they’re not going to, generally speaking, blow anything up. You know, obviously, it always makes sense to do the wise thing and start with a, one or a small sample of machines and kind of ease into it just to make sure you don’t have anything in your environment that looks very unusual to that solution and therefore it wants to, you know, quarantine it or shut it down. But, um, once you get over that hurdle, I found that our EDR solution is very quiet. Um, you know, we’ve got a couple hundred users and, um, most of them stick to their knitting. They don’t do anything wild. They’re coming in to kind of do their operations-oriented jobs. It’s kind of the same thing every day for them. And we just generate very few alerts. And I just think compared to a large enterprise where you just have a much wider spectrum of users, I just think the volume makes it such that it’s pretty manageable.

Speaker 0 | 11:50.311

And then the engine. The cloud-based ones, the other benefit that you really get from those is the fact that not only is it looking at your environment, but it’s checking back in with the mothership, so to speak, and getting those updates of any of the new threats. And so it gets new definitions all the time. So even though, you know, it’s not just the base of my five computers, it’s the base of all of the consumers of that same product. So, yeah. You know, it’s getting vision and all of that. So they finally started, those providers started leveraging their whole network ecosystem. All right, we got EDR covered. What’s next?

Speaker 1 | 12:31.318

So I think the next easiest thing is email security. I mean, the vast majority of people listening on the podcast probably are, you know, either Google or M365. I just don’t think too many people run Exchange on-prem anymore.

Speaker 0 | 12:44.646

You’d be surprised.

Speaker 1 | 12:46.346

Well, I… But I do think an email security solution is just the next easiest and most bang for the buck, because that’s another really frequent entry point for bad things. And if you’ve got an email security provider that’s going to screen out the malicious messages or the messages from known good users that happen to be hacked and have a bad file attached to them, it’s just, again, it’s layer number two.

Speaker 0 | 13:17.828

Two. You’ve got the EDR kind of playing goalie. Now you’ve got email, you know, out in front, it’s close to fence, and it’s just, it just is the definition of a layer to personal security. Yeah. And then, you know, the, uh, the other critical one that has to come in here, and it’s, it’s one of the ones that some organizations are making their living off of this and others are just trying to do the best they can with, um, what’s being provided, but that now comes to education. We teach because both of these products are focused on the end user. And so we’ve got to start educating or we’ve got to make sure that they’re, you know, we’re all hearing about cybersecurity. But, you know, what is it? What do I got to do with that? You know, hey, I just got that email from the CEO. He needs five Google certificates real quick. Gift certificates, and they fall for it.

Speaker 1 | 14:11.143

Yeah. Well, I think and that’s, you know, I agree with you 100% that security awareness training, you know, really important. I think you’ll find that a lot of the email providers, that is one of the situations where it’s a plane and a car. They do both. You know, it’s just a really easy place for them to tack on, you know, that service. And there are some other standalones, you know, before it’s probably the most common matter of security or training. But going back to that small footprint, you know, on the mid market, the benefit of, you know, that’s just not having a lot of people is everybody in my company knows our CEO. And first of all, they know he’s not, he’s highly unlikely to send an email asking them to, you know what I mean? They just know him personally. And so those types of… you know, there’s an, there’s, it’s like, there’s a sweet spot for that kind of social engineered attack. And the mid market, a lot of times is like too tight knit, you know what I mean? It’s like, I just saw him in the bathroom, you know, and he’s not going to send me an email to me to go buy, buy him a gift card. So it helps, you know, it’s one of those places where it helps to be small. Yeah,

Speaker 0 | 15:20.846

It does. And, and, but it’s also one of those areas where you got to, just as you’re starting to grow and you get to the point of, you don’t recognize every face in the hall. You really need to start making sure that you’re setting up those checks and balances of, hey, you know, an employee just sent that they want to change where their paycheck is being deposited. Call them. Stop by. Talk to them. Don’t just send them an email and validate it. And don’t just take a text message for gospel on it. You know, go talk to them and make sure that they actually ask for their paycheck to get rerouted, especially if it’s one of the executives who has a larger paycheck.

Speaker 1 | 16:03.415

Yeah, I think what’s changed is the kind of automation isn’t the right word, but the simplification of malicious tools makes it really possible to target a company of any size in the U.S. I think, you know, if you flashback 10 years ago, you know, cybersecurity wasn’t as easy to perpetrate as it is now. And so, you know, if you were going to spend all that time and effort, you wanted to kind of, you know, be elephant hunting. And now I think the tools are made incredibly proliferated. And I mean, really, you know, there’s just so much ease of access to become a cybersecurity perpetrator that really any company, any US based company, regardless of its size, is now an equivalent target. Because if you, you know, hit 10 companies and, you know, get 10 grand each from them, that’s, you know, as good as elephant hunting and finding, you know

Speaker 0 | 16:58.232

100,000 pounds. Yeah. Well, and one of the other things that I’ve really come to, to use that technical term, grok, um, is that, you know, the cost or the value of the U.S. dollar in other countries makes this so profitable for certain countries to really just go after it. You know, a 500 win to us is like, God, I can’t even bother calling somebody about it because they’re not going to care about five hundred dollars. But for some countries, that’s an annual salary. So if they can get a couple of those done in a month, then yay. Um, but if they can get a couple of those done in an hour and continue to go after it, then it becomes really, really profitable for them. So, you know, yeah, it’s not, oh, I have to have, I gotta get the elephant that’s going to get me $5 million. If I can just get, you know, those rabbits, then I’m fat and happy.

Speaker 1 | 18:02.381

Yeah. And that’s just, you know, we could complain all day, but that’s, you know, the way the world is right now, you know, the U.S. just has a huge number of companies. I mean, think about, you know, everything from little long care providers to home improvement. I mean, just the list is almost endless. And to your point, um, many of those, $500 is an unpleasant experience, but it’s not going to be a showstopper. But if their email is inaccessible or their data is inaccessible or their network is down, that is a showstopper. Yeah.

Speaker 0 | 18:43.880

Well, and that’s the difference between the business email compromise, then social engineering, and ransomware. Ransomware, ransomware, they’re hunting the elephants, or at least that’s the mindset, more of, okay, we’re going to get the whole organization, not just like one individual and get them to, uh, mess up. Yeah.

Speaker 1 | 19:08.590

Yeah, it’s tough. I mean, you know, I’ve been doing, sitting in an IT director chair, 2011, 2011, so I guess, I’m sure you don’t do math in my head, but 10, 12, you... And it’s certainly become, if I spent 5% of my time in 2011 worried about cybersecurity, I spend 35% of my time worried about cybersecurity now. It is a significant portion of my day. And, you know, I don’t envision that changing. You know, perhaps at some point Shepherd will grow large enough where every company will have someone who just focuses on security. But for the foreseeable future, it gets as much of my time as our key applications for our structure. Um, you know, it’s certainly probably more than how much time I spend on budget and strategic planning.

Speaker 0 | 20:05.994

So with your experience at multiple organizations, what has been your experience with the, um, other executives and their general stance on cybersecurity? Cause I, you know, the organization that I was at the longest, um, I just, it was, it was kind of that necessary evil, like insurance, but they were more willing to go after insurance than they were to invest in cyber security, because it was still this ethereal thing out there where, um, either I was doing a good enough job that it wasn’t a threat to them or they just, they just weren’t really afraid of that. It’s one of those things that you almost have to have that car wreck before you’re worried about the car insurance to really bring that home. How have you broached those conversations? Because I know that was always one of the challenges for me. And I’ve talked to a few people on our chairs and asked them how they approached it. And what’s your approach?

Speaker 1 | 21:15.579

So it was certainly a more challenging conversation 10 years ago and even five years ago. But I think the… frequency of occurrence has made it a much easier sell. So in our market space, you know, again, we’re a wholesale buyer of electrical components, just in the region, some of our competitors have had windows of time where they’ve been offline, and we’ll get, you know, an influx of calls, because, you know, someone goes down and we come to find it was cybersecurity related. So, you know, one of those probably would have been sufficient, the fact that that’s happened, probably three times over the last five years, the different entities in our area has made it such that, you know, if I go to our owner and say, hey, I really think we need to do X, you know, I have his full and complete attention because, you know, it was a hundred and thirty something year old family, you know, run business and reputation is really material to him, you know, probably more so than the monetary concerns, the thought that he wouldn’t be able to serve his customers because we were down because we’re recovering from some type of security incident. So that makes the discussion now, it’s not so much of a sell, but it’s more of a, okay, we’re not going to become the NSA. We don’t have that kind of expertise or budget. So what do we do and how do we do it in a way that doesn’t slow our speed of business or our customer service or degrade our user experience, because that’s certainly not the objective. You know, you don’t make money by having a great cybersecurity posture. That’s not the way, you know, you’re able to get paid. So we just need to be cognizant of that. And that’s more where the conversation lives now than convincing them of an actual need to do something.

Speaker 0 | 23:07.045

Yeah. Okay. EDR, email security, making sure the executives are aware, getting the end users trained and conscious at the very least of things. Next?

Speaker 1 | 23:21.334

So I would, you know, for me, the next one is patch management. So you’ve got devices, servers, and, you know, desktops, laptops. Keeping them patched, I think, is fairly affordable. And I think, you know, a lot of times people are like, oh, I can do that myself. But it’s more than just the operating system. You know, what you’ll find is a lot of times there are vulnerabilities in applications that you just wouldn’t think would be that big of a target. Adobe, no offense to Adobe, right, they’re an elephant. Yeah. So the patch management solutions, and there are a number of them out there, they just provide you with that, you know, kind of list of, hey, here are all the remediations that are needed on the machines, and many of them, you know, you can kind of configure them to, you know, kind of knock that out on your behalf. And it takes a little getting used to. Our users didn’t love it. You know, we got complaints that this thing wants to restart like every day now. And, you know, my response is, you know, again, them... Sorry, that’s the world that we live in, but most of those patches are security-driven. And when you have 20 applications on your scene, plus the OS, plus M365, plus the firmware, yeah, there’s going to be a lot of restarts in your life. That’s the way it goes.

Speaker 0 | 24:33.944

Yeah. And you probably need to be doing them a little faster. And if you haven’t set up autosave, hey, that’s what. Yeah. Most everything has a version of autosave now so that you can get right back to where you were.

Speaker 1 | 24:49.942

It’s true. It’s true.

Speaker 0 | 24:52.689

What other thoughts you got for us? What other?

Speaker 1 | 24:55.595

So I think, you know, once you kind of have those, those four in place, you know, you’ve got EDR, you know, you’ve got email security, got the awareness training, and you’re doing some, you know, you’re patching your endpoints. Now it kind of becomes, all right, you know your environment better than anybody else. So the exercise that I do with my team once a year is, you know, we have a kind of a purpose built meeting for this is, hey, put on your hacker hat. If you were going to hack Shepherd, what would you do? How would you, you know, break into the company? You know, there are some people or someone might... team members are better at others and kind of like flipping the script and coming up with, you know, ideas. But once, you know, as like, you know, people start throwing out thoughts, it kind of, you know, you get some tracks in there. And I generated, you know, a punch list that took me 18 months to clean up from their, you know, their input. And that includes everything from just physical security to, for instance, you know, historically, we didn’t have any type of barrier on our server room door, you know, I mean, it was just a small company that grew to be a slightly larger company. And, you know, but that’s the deposit. Yeah. You know, and after a while, people were like, well, hey, wouldn’t it make sense, you know, even if it just seems like a cursory barrier, just to, you know, put something in, you’re probably right. So those types of things can come out of that exercise and, and some more complex thoughts, you know, it also helps you to kind of build your, hey, you know, what, what are our most critical assets? I mean, you kind of know that intuitively, but it just helps to kind of talk about that. It leads into that conversation. So, you know, I, what my kind of three pronged approach to, you know, cybersecurity is something’s better than nothing. 
You know, it’s just, it can be a little bit overwhelming, but you know, that’s, that’s always a good place to start. But then the kind of the part of where you really plan to be unsuccessful, expect that at some point in the next so many months or years, you’re going to have a cybersecurity incident, despite your best effort. So I believe it makes sense to make investments in that future failure in the form of some type of incident response plan. So it can seem like, well, gosh, that sounds expensive. And it’s not inexpensive, but for a couple of thousand dollars, you could have an incident response retainer with a company who could help you because… It really is. I mean, again, I’ve been in this industry a long time, but I am not a cybersecurity expert. You know, if something is present in my network, it’s encrypting files. I am not going to be the person to figure out what that is, how to remediate it. What steps do I need to take? Where did it most likely originate? You know, all of those types of activities are really, you know, that is a specialist. You want to know who that specialist is. You want to know what their number is. You want to have that relationship in place so that when it happens, your response is measured in hours and not days.

Speaker 0 | 28:03.652

Yeah, because days means days of time that the organization is probably not working or at the very least, they’re not at 100%. So what about these other, well, not other, I mean, you’ve already talked about some of the… as a service, but now you blend in the cloud. Now we’ve taken away that, um, hard exterior shell that we all used to love and hide behind our firewalls, and now we’ve got roaming workers, we’ve got roaming hardware, we’ve got cloud services, not just as a service, but, you know, we’ve got virtual machines and in cloud networks where, um, we’re... Most people are probably open, aren’t using private networks anymore. So MPLS and the like and those dedicated expensive networks are gone. And now we’re trying to all leverage direct Internet access and internal VPNs to connect, interconnect all of our sites. What levels of security? What are you doing in those realms, or what advice do you have for somebody who’s walking into this position, you know, has just gotten their director hat and is trying to take and evaluate, okay, where am I?

Speaker 1 | 29:28.253

Yeah. So, you know, Shepherd’s a great example. When I first arrived five years ago in 2019, they were very traditional, you know, everybody in an office working. Maybe there were five laptops in the entire organization. And then COVID comes around and, you know, that changes everything. And we are now a fully hybrid organization. 170 of our users, pretty much anyone who could possibly work remotely, has that capability and almost all of them take advantage of it at least one day a week. So to your point, yeah, that’s a totally different architecture. But it’s not terribly difficult to set up. I mean, really any firewall product that you have, whether it’s a physical firewall or a virtual firewall, is going to have a secure socket, you know, where VPN, SSL VPN client, you can install on that remote endpoint. And that’s going to create, you know, secure tunnel between that endpoint and your network. And again, all of the kind of major players in that space, adding MFA to that is quite doable, not expensive, not complex. Our users are totally accustomed to it. They do MFA to get to their bank or their 401k or, you know, really anything now. So that was not a hard sell. So that’s where we, that’s the space we currently live in. We have on all of our remote endpoints, SSL VPN client from our firewall vendor with MFA using an app on their smartphone. That being said, I am, we are exploring the secure access service edge with so many different acronyms now, CASB, SASE, but essentially it is firewall on the cloud that you access, that you go to, and then that lets you go on to wherever else you’re going to go, whether it be software as a service, you know, like Salesforce, or back to your network for your own on-prem ERP.

Speaker 0 | 31:24.073

You know, I’m thankful, and I think I’m beginning to really start to see that consolidation, because you mentioned something about it in the beginning of the conversation, that cyber security wide and deep, but I think we’re finally starting to see it kind of start to constrict again down to a limited number of critical products, like the five that you’ve mentioned. But now we bring in SASE, we bring in CASB. We start bringing in the zero trust and just having that correct posture and that thought of the protection of every individual endpoint. And I’m not even saying it the right way. I can’t even think of a better way of saying it. But we’re seeing that consolidation versus all of the different ways. I remember SASE when it was four individual things versus.

Speaker 1 | 32:24.706

The combined, um, solution that it’s becoming. It’s almost becoming like that, XDR is one of the other things that they love to throw out there too. Yeah. And that, I do, I agree with you that there is started to become some consolidation, and also some of it, I think, is, you know, because you need, you know, every IT leader is spending more time in the cybersecurity space, they’re becoming more familiar with kind of categorizing different vendors. Because as a vendor, you may want to be a car, boat, and a plane, but if really your bread and butter, what kind of brought you to the dance, is being a boat, everyone’s pretty much going to kind of look to you for that activity. And then it just helps as you’re evaluating the market space to kind of filter out all the acronyms, EDR, XDR, MDR, and how does all that mean? It’s like, oh, well, really, there isn’t that much. They are different. But, you know, the core value proposition is a little bit simpler to digest. And then some of it’s more like, you know, toppings on a taco, you know. Salsa.

Speaker 0 | 33:39.238

Right.

Speaker 1 | 33:40.219

Shredded cheese.

Speaker 0 | 33:42.801

Yeah, I want my queso, yes. So, interestingly enough, one of the acronyms that you threw out there made me think of something else that that a lot of people are pushing. And I wonder what your thoughts are about that. And that’s the 24-7 coverage.

Speaker 1 | 34:01.689

So we don’t have 24-7 coverage. We did for a while.

Speaker 0 | 34:05.791

Don’t.

Speaker 1 | 34:06.991

Yeah, we did for a while on our EDR product. And to be honest, what we found is, when we changed EDR products this past year, we took the opportunity to kind of reallocate those funds. And we went with one of the big players. And we just basically implemented a really tight policy. I mean, it’s all kind of sliders. We didn’t have to like write any code or anything, but essentially we have our EDR set to anything it doesn’t like, shut it down. Anything it definitely doesn’t like, shut it down. Basically, you know, when in doubt, shut it down. Because it’s more feasible for my, you know, six person team to get a phone call, you know, once in a blue moon from a user that, hey, you know, I can’t do anything, I think, you know, what’s wrong with my laptop, and then to hop on the cloud portal and see that our EDR shut them down, than it is to pay for a 24-7 monitoring and have a more permissive policy and rely on that vendor or managed security service provider to take action on our behalf. So we have two of our solutions are in that kind of same boat, autonomous mode, super tight policy, whatever you don’t like, shut it down and we’ll deal with fallout, kind of our approach.

Speaker 0 | 35:27.566

Have you seen anything with the artificial intelligence hitting yet? I mean, and any direction, let’s, let’s talk about that for just a minute. And, you know, there’s lots of topics around that.

Speaker 1 | 35:41.289

Yeah. So our network monitoring solution was kind of born from AI. It’s Darktrace. It’s a, you know, fairly common solution now, but so that thing’s whole approach to life is, you know, it’s like a little old lady on the street who knows every neighbor and every car they drive and what their schedule is. So as soon as Bob’s driving a different car and gets home late, that’s just set to our Twitter. And that is exactly what Darktrace does. It sucks in all this data and it pushes it up to the AI engine. And the AI engine just compares what’s happening right now to what that MAC address has been doing for the last year of its life. And when there’s something different, it shuts it down. It doesn’t really… It’s not smart, you know, it’s not smart like a person would be smart and be like, oh, well, that’s actually okay and that’s fine, that’s all that we needed to do. But it is definitely an AI-driven service product, even though we as a company script, we don’t, you know, don’t have any real investment in AI at this moment. We certainly don’t have any expertise in AI at this moment. But I can recognize, you know, a quality pumpkin pie when I see one, and I don’t have to know how to make it to enjoy it. And that’s kind of what we’re doing with our network monitoring tool.

Speaker 0 | 36:55.194

What about on the flip side of that, though? Have you seen any AI or heard of any times that AI was leveraged as the attack mode? Because in all honesty, I have yet to really hear of a big breach that they’re touting being driven by some of the AI tools.

Speaker 1 | 37:16.528

Yeah, I have not. So I think maybe that’s one of those places where you really need that bespoke human component to be a quality hacker. I think, you know, AI in general, I mean, we’re looking at it pretty seriously from a productivity tool, not cybersecurity related, but how can it augment our regular employees’ lives to make them faster, easier, better, you know. And there’s a couple of different solutions there that we’re exploring, all of them, you know, Microsoft, Zoom, you know, we’re not doing anything terribly different from the rest of the market space. But yeah, I don’t. I can’t speak to why, you know, convergence of the kind of simplification or commoditization, you know, malicious actor tool and AI haven’t become a bigger thing. But as you kind of mentioned, a lot of these providers have a big enough install base that, you know, they’re sharing that telemetry from all of their customers. And I imagine it’s not insignificant to, you know, try to slip one past the goalie there when you have that many, you know, that big of a sample size. You know, you come up with something new and inventive and then all, you know, those tools kind of see it once and then they share that knowledge with the other, you know, million endpoints running their product and it becomes obsolete. I don’t know.

Speaker 0 | 38:35.289

Yeah. Well, and so I have seen a little bit in this arena, kind of from the same side that you have, though, of the providers who are leveraging AI to make their product more full featured. And, you know, trying to, and I’m thinking of somebody in particular, but I’m not giving them the airtime yet. They’re doing just like you were talking about of, you know, that the behavior analysis and the traffic analysis and the endpoint information and the log aggregation and just aggregating all of that data together to be faster on the shutdowns and those things. Instead of waiting for the human to say, okay, I agree, this is bad, and push the button, it’s going ahead and pushing that button. And I think it’s doing it more of a surgical strike than, you know, I like to think of it with the cell phone. So you can either do the nuclear option and just brick the phone. Or if you’re doing things properly, you’ve got that surgical strike and you can remove all of the corporate data while leaving the user data alone. So the new AI tools are doing the surgical strike of not just shutting down that whole laptop and, and segmenting them out of the network, but now they’re, like, saying, okay, he’s now suddenly talking and he’s sending non-DNS requests on that DNS port. Let’s shut down that DNS port from that machine and doing much more segmented approaches to things or laser approaches to things versus the big options. But I also know, and I’ve read somewhere about… ChatGPT, Gemini, and what’s the other one?

Speaker 1 | 40:29.847

OpenAI?

Speaker 0 | 40:31.447

Yeah. Well, ChatGPT. Oh, Copilot. Yeah, which is OpenAI. Two of those are the same. But there are hacker tools that they’re building their own large language models to have their own AI tool for the attacks. So as they get that initial foothold… then they’re spreading faster or attacking faster. So their speed from infiltration to execution or their cyber kill chain, I think, is one of the ways that we talk about it. It’s getting smaller and faster. And so we have to have the AI, or either that or all of the vendors are upselling it that way.

Speaker 1 | 41:16.578

You’re going to have to.

Speaker 0 | 41:19.060

Humans are too slow. Back to the 24-7 conversation. You know what? Let’s take a slight twist. Tell me some of the fun things in your career. What’s one of those stories? What’s one of those times that you just go, oh, God, double facepalm? When you think about that, either that trouble ticket, that time that executive walked into your office, or Nancy from accounting came yelling at you for something. What’s one of those tickets?

Speaker 1 | 41:48.040

Well, I, and this is kind of cyber security related. I’ve been through a cyber security incident. It was, you know, not quite 10 years ago. So not early in the cyber security world, but early enough. And I just remember hopping on, forget what I was doing, but I needed to hop on on a Sunday night to do something pretty pedestrian. And all the files on the desktop for the server I jumped on, like, looked the same. And it’s just that, you know, it’s like that kind of thing when you, you’ve ever been robbed, where you walk into your house, you’re like, well, that’s not where I am... that, or that either, or that looks really odd. It just takes a moment to kind of, you know, for the reality of thinking that, you know, this is not going to be a fun night. And, um, so yeah, I remember looking at that, you know, the server desktop and being, that’s really odd, all the icons are the same. And, you know, the thought I had was, you know, I, this is probably what a lot of other type of security instance looks like. And then lo and behold, there we are. Um, so, you know, I... And it was, you know, we survived, the backups held, you know, and I’d rather be lucky than good any day. I will say that. But it was a great experience in that I came out of there really in touch with how close I came and that organization came to, you know, you know, having to pay the ransom or, you know, it really could have been the end of that setup. Because, you know, at the end of the day, if you can’t access, you know, your data, you know, you’re kind of done. And so, you know, and backups are really great. But, you know, everyone’s had a situation in their career where a backup either didn’t restore properly or restored, but something was a little bit amiss. So we haven’t really touched on it, but I really lump backup and recovery as a cybersecurity layer. And I don’t think of it as infrastructure. I think of it as a cybersecurity solution. And I put it in my cybersecurity budget accordingly. 
It doesn’t go in the same budget as like server refreshes or that kind of thing. It goes in cybersecurity because that’s almost certainly where it’s going to get utilized. I mean, you know, we couldn’t get hit by a tornado or a train or a plane, but we’re probably going to get hit by cybersecurity. That’s probably where we’re going to be.

Speaker 0 | 44:01.420

Yeah, and it is. It’s critical. And then, so what are your thoughts about on-prem, off-prem, immutable? Talk a little about this.

Speaker 1 | 44:13.511

So I am, I’ve been a Veeam customer forever, you know, just probably like 85% of the market space, but really became concerned just with the architecture of my implementation of Veeam, which was, I was running Veeam backup recovery on one of my virtual machines. And I just, it became clear, just, you know, talking with, you know, any conferences and, and kind of staying up on the setup that, that architecture was vulnerable. So there were a couple options. I could either harden that Veeam architecture, which is absolutely a viable way to go, just so that you’re not reliant on your vCenter, vSphere kind of setup to execute on your backup recovery, because that’s… not a great game plan in the event of a cybersecurity incident because, you know, most factors kind of understand that. So once they’re in your environment, kind of their game plan is, well, we’re going to detonate this malware that’s going to compromise your vCenter environment, either all the way down to the host or maybe just the vCenter server at the same time that we encrypt your data. So it kind of, that setup, you know, encouraged me to reevaluate our backup architecture and kind of understand, all right, where, you know, what kind of situation are we going to be in if we really need to kind of start from scratch. And again, this is something that we did further on in our maturity as, you know, putting our cyber security game plan together, because it was not an inexpensive investment. But we have backup hardware that’s, you know, with a vendor that we can call and get essentially new ESD host or luminary is the site host that we can run, and our backup and recovery solution is no longer associated or tied to or dependent upon our ESXi or VMware vCenter environment. It is completely separate. That was a long answer to your question of, yes, I have backups on-prem, on hard-to-devices, in the cloud, and a third copy elsewhere, two of which are immutable. Wow.

Speaker 0 | 46:26.350

Multi-copy, immutable.

Speaker 1 | 46:29.830

Self-suspenders and a pair of shorts with a lot of coverage is kind of how they’re going to approach the fact of coverage.

Speaker 0 | 46:38.553

All right. So I was trying to find one of those tickets that you got any other stories? You got something personal? What lit up in your eyes right then when I asked you that question? What’s the story? They’re trading behind that smile. Well,

Speaker 1 | 46:57.400

I have to filter all the ones that are not appropriate for podcast, which is a subset. I think, you know, one of the pieces of information that I’ve found helpful is looking for solutions that provide like 80% of the value with only like 20% of the complexity. Because I think there are, you know, just like when you’re shopping for a car, you know, there can be a car that, you know, has a bunch of bells and whistles, and yes, they are nice, but really, if you’re just looking for basic transportation, you know, there’s a model out there that can perform that function perfectly well, and it will be a little less expensive and a lot easier to maintain. And for crews of my size, the ease of maintenance is so important, because on any given day, um, you know, we’re stepping into, you know, helping someone with a printer, fixing a Wi-Fi access point, and then we’ve got to step into one of our cybersecurity solutions. And it really needs to be intuitive because we just don’t have the luxury of sending someone to a training seminar for that last a week long to become an expert in that product. We just don’t have that headcount. So don’t be afraid to say to a vendor, hey, I like this architecture, I think it’s a fine approach, but you’re not the right vendor for us. We’re just looking for someone who can provide a comparable product that is far less complex. That’s a legitimate response.

Speaker 0 | 48:31.966

Yeah, especially for the mid-market because there’s a lot of times that they try to use that same approach of trying to sell to the elephant and trying to sell to the rabbit. Yeah. And it just doesn’t work. I was trying to think of something that I was going to ask you to give me an example of some of the technology that you grew up with that you don’t think that somebody born after 2000 would recognize. What’s up in there?

Speaker 1 | 49:06.826

So certainly, you know, I feel like the fax machine fits into that category. You know, I was talking to somebody the other day about Excel and they were about my age. And down. We were talking about the slash key and Lotus 1-2-3, and like every command was, you know, a slash key, and then it was just, there just was no, it was all keyboard. And the other person in the room was probably in their 20s or something. They were just, we might as well like speak, they were like, what are they talking. But yeah, back in the, back in the day, you know, you had Lotus 1-2-3 and Harvard Graphics and some type of, you know, email package that was not standard. I mean, every email package was like that, you know, blue mail or whatever. It was just, you know, yeah, totally different.

Speaker 0 | 49:51.269

Yeah, I’m thinking back to Pine when we had to log into the Linux server, instantiate Pine so that we could then bring up the text-based emails and read through those. Um, so, so I went to one of the, uh, AIs and I asked them for some examples of these and, and I actually tried to flip the script a little bit and say, okay, give me, give me 10 technologies that somebody born before 1980 wouldn’t recognize. And the answer, um, I’m, I’m a text-based AI and can’t assist with that. What? And the other, all of the examples it gave are things that I think every one of us that was born in 1970 through 1985 would recognize. Smart watches, wireless charging, cryptocurrency, virtual reality, augmented reality, smart speakers, streaming services, social media platforms like TikTok, cloud gaming, e-scooters. Because, you know, we can’t handle those. We can’t handle a scooter that moves for us.

Speaker 1 | 51:05.625

I think, um, I think the, the test case for that is like a US Robotics modem. You know, if you showed somebody a US Robotics modem and they have, you know, used one of those in their professional life, that kind of tells you where they fall in the age, in the age spectrum. Yeah.

Speaker 0 | 51:23.450

Well, you got any thoughts or anything else you want to share? Any, uh, anything that you want to self promote?

Speaker 1 | 51:29.912

No, no. But I think I mentioned the three-pronged approach, but I’ve only said two of them. But again, a three-pronged approach I take to cybersecurity is it’s definitely a journey. It’s not a destination. You’re never going to get there. So you’ve got to kind of frame it that way. It can be a little bit demoralizing to feel like, oh, my God, we’ve done so much, but now there’s an X, Y, and Z threat that we haven’t addressed. And that’s okay. You do the best that you can. And kind of along those lines, you know, again, something is better than nothing. So, you know, if you just don’t feel like you have the bandwidth or the capacity to take on any of the major solutions we mentioned, you know, you can Google and, you know, just take some actions on your domain controllers, you know, make them a little more hard. And that’s better than doing nothing. And I think, you know, people will find that once they kind of get into that state, it’s not quite as daunting as it seems. And then a lot of the solutions that come out have autonomous mode. And I am, you know, someone who wasn’t, you know, was cautious about that. But now that I’ve utilized it on a couple of different platforms, I’m a big fan. I feel like it has utility and, you know, has a place, particularly in the mid-market, to mitigate the need for 24-7 coverage, which is a big challenge for companies who are outside.

Speaker 0 | 52:53.110

Yeah, and I think things have gotten a lot better because I remember when I first started thinking about, oh, like intrusion prevention, IPSs instead of IDSs, and being so afraid to turn that on. Because it was going to be, it was like one of the first products that was trying to use that autonomous mode and say, ooh, bad pattern, we’re going to block this. And the ability to shut down a potential business activity was so scary back then. But now, you know, like, just like MFA, people have gotten used to it and have been introduced to it in so many different places that, that they’re that autonomous mode and our ability to correctly identify things that should be shut down. Just like they, they recognize that, that the scams happening on our credit cards when those purchases being made are outside our norm that they’re calling you going, hey, are you really trying to buy tennis shoes after you just filled up the gas tank?

Speaker 1 | 54:09.589

Yep.

Speaker 0 | 54:10.230

So, yeah. So that’s the three-pronged approach. It’s a journey, not the destination. Something’s better than nothing. And turn it on. Yep.

Speaker 1 | 54:22.178

No test like production.

Speaker 0 | 54:24.940

All right, sir. Thanks, Tom. Thanks for spending your time with us. We really appreciate it. Dissecting popular IT nerds and the audience appreciates your time and your dedication. And hopefully somebody learned something today. I know it’s been an enjoyable conversation. So thank you for your time.

Speaker 1 | 54:43.310

It was a pleasure to be here. Thanks so much.

Speaker 0 | 54:45.331

Thank you.


HOSTED BY PHIL HOWARD
