April 9, 2025 • 38 mins
Cybersecurity doesn't have to be overwhelming or unaffordable for small and mid-sized businesses. Corey White, CEO at Cyvatar, explains how their platform provides right-sized, comprehensive security that serves as a business driver rather than just a cost center.
• Most companies don't need to hire a full security team – outsourcing cybersecurity makes sense just like outsourcing HR or payroll
• Even with the best security training, 3% of employees will still click on malicious links, so protection must go beyond awareness
• 98% of cyber attacks are preventable with the right controls in place
• Hackers typically choose targets of opportunity rather than specifically targeting your company
• Many businesses discover their cyber insurance won't pay out because they weren't actually implementing claimed security measures
• "Right-sized cybersecurity" tailors protection to specific business needs and risk profiles
• AI plays a critical role in both attacks and defense, requiring human expertise to guide implementation
• Quantum computing will revolutionize cybersecurity in the coming years
Check out Cyvatar's free assessment tool and basic security tools at cyvatar.ai, and connect with Corey White on LinkedIn to learn more about affordable, comprehensive security solutions.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Corey White, ceo at Cybertar.
Welcome to Cybernomics.
Thanks for carving out sometime in your day.
Your busy, busy schedule.
Speaker 2 (00:10):
Yeah, Josh, thank you for having me.
This is exciting.
I look forward to this.
Let's dive in.
Speaker 1 (00:16):
Look, I'll admit I don't know a whole lot about
your space and the space thatCybertar lives in, and the way
that you summed it up to me andthe way that my little monkey
brain is trying to rub two braincells together to make sense of
it is that you're a platformthat helps companies manage all
(00:36):
of their, or most of their, orthe majority of their,
cybersecurity tools activities,and all that stuff targeted
mainly to those companies thatare small, medium, large.
I guess that's the whole gamut,right?
Everybody needs this, butespecially those small to medium
companies that may not have afull on security team and they
(01:00):
may need some help managing allof the different parts and the
various legs of the spider.
So those are my words, Corey.
In your words, what is Civitar?
Speaker 2 (01:12):
Yeah, let me give some analogies and then I'll
bring it home to answer.
What is Civitar?
So, when you think of amid-sized business, or many of
the small businesses out there,like, none of them go and say,
day one, I'm going to hire a VPof HR, do payroll and HR and
benefits myself, right, becausethat's not their expertise.
(01:34):
Right, they're not experts inthat.
So you have, you know, yourTrinance, your Rippling, your
Gusto, all these companies, allthese PEOs out there, that you
just simply outsource it.
And that's exactly what I didfor this business.
I am not an expert in dentalcare or either healthcare, you
know, god forbid, right, I'mtired for all that.
I just need to know myemployees have all that covered
(01:56):
period.
So let's equate that tocybersecurity, right?
So here's the challengeCompanies, in order to grow,
they got to be able to fill outthird party questionnaires, they
got to be compliant, they gotto have cyber insurance.
And oh yeah, by the way, theycannot get hacked with a
ransomware attack or businessemail compromise attack or
(02:16):
anything that cripples theirbusiness.
So why would you say, ok, well,hey, we're a midsize business
Even if you got, you know, 100employees, 200 employees, I'm
going to go hire a CISO and asecurity team.
I'm going to go do a bunch ofproduct evaluations and test all
of it out first, and then I'mgoing to go and implement it and
I'm going to manage andmaintain that.
That would take you anywhere,depending on the size of your
(02:38):
organization nine to 12 topotentially even 18 months,
depending on how long yourevaluation is.
Or you can come to Savitar andwe're going to bring in the best
of breed products.
We're going to install it,we're going to configure it,
we're going to assess your gaps,we're going to remediate your
gaps on a continuous basis.
We're going to get you cyberinsurance.
We're going to get youcompliant and have your third
(02:59):
party risk management.
And yes, we just added managedIT, but it managed secure IT,
because a lot of the companieshave IT vendors doing their
cybersecurity.
Well, we're a cybersecuritycompany that's going to do your
IT.
Okay, so everything IT relatedthat is implemented needs to be
done securely, otherwise youwill get hacked.
So we come in with that angle.
(03:21):
So that's what Savitar is.
Speaker 1 (03:24):
So I wasn't way off.
You summed it up way betterthan I ever could.
But I'm curious, Corey, how didyou get into this business?
Speaker 2 (03:33):
I get that question a lot and it makes me laugh
because I've been doing it for30 years.
The business did not exist in1995 when I started.
Okay, like, I got out of schooland the internet came out, so
you know Pascal and COBOLprogram, and that wasn't a thing
.
So I had to learn how tocontinuously learn.
So every single day, week, I amlearning something new to stay
(03:57):
on top of this.
So when I dove in my first gig,literally in 1995, I was
working for Microsoft supportingWindows 95.
The day it came out it was thefirst operating system with an
IP stack, and so with theinternet, internet Explorer,
exchange 1.0, all this was whatI was supporting.
So I had to learn all thatstuff brand new.
(04:19):
But nothing I learned incollege was really applicable.
So I had to go get Microsoftcertified, cisco certified, a
bunch of sand certifications, etcetera.
And so as a result of that I'vejust been continually learning
and right after I left MicrosoftI got into consulting and
consulting.
You're the expert.
Whether the product just cameout or goes wherever it is,
(04:40):
you're the expert.
Like when I built the externalnetwork for Intuit, you know
TurboTax, so we can do taxreturns for the first time in
1997, down in San Diego, my bosscame to me.
You know, literally this is howhorrible for a podcast, but
it's a true story.
So we're in the bathroom, youknow, at the urinals, and he was
(05:00):
like Corey, do you know loadbalancers?
And I was like Corey, do youknow load balancers?
And I'm like, looking straightahead, because you can't look
side to side Looking straightahead and I'm like, yeah, I can
figure it out.
I've never done one before, butyou know well, they just came
out a couple of weeks ago.
We got this gig in San Diego,want to go do it?
And I'm like sure.
So I got the manual from Ciscoand I'm reading up on load
balancers, trying to figure itout, and I implemented it.
(05:24):
Anybody that did a tax returnin 1997 through Intuit TurboTax
went through my load balancersin the perimeter network that I
built.
So it's just a process ofcontinuing learning.
And so when I built perimeternetworks, I got into perimeter
cybersecurity assessments andpen tests and the remediation of
it.
So I literally have been inthis world for 30 years.
Speaker 1 (05:43):
Well, it's a good thing he didn't ask you to shake
on it.
Speaker 2 (05:45):
Yeah, exactly.
Yeah, I've been an elbow bumpor something.
Yeah, yeah, yeah, yeah, just towash your hands, got it?
Speaker 1 (05:53):
All right, it sounds like you have to be a generalist
to oversee something likeCivitar, and it seems like
you've seen it.
All right, Do you have to be ageneralist to do this job?
Speaker 2 (06:04):
I think 100%.
You've got to be a Swiss Armyknife, because when I talk to
people in my public talks Iusually ask the question how
fast does technology move andevolve and change?
And for giggles, what do youthink?
How fast do you think it moves,josh?
Speaker 1 (06:23):
Faster than you can blink.
Faster than you can blink.
Speaker 2 (06:25):
Faster than you can blink and so literally, I
started really asking thatquestion about 10 years ago, so
roughly, you know, 2016-ish.
I would ask people in a publictalk in a crowd like hey, what
is it?
They will come back and say atthe time, 12 to 18 months.
Things are evolving and themetric I use now is how often
(06:46):
does a new AI model come out?
Okay, and it's getting faster,it's getting faster.
Speaker 1 (06:51):
I think it's weekly.
At this point it sounds like.
Speaker 2 (06:53):
Exactly so.
The things that we were able tocouldn't do in an AI model like
a month ago.
Now it can do and it's betterat it, and that's going to keep
on getting shorter and shorterand shorter.
And so when you look at wherewe are from a cybersecurity
perspective the end customerthat is trying to secure their
(07:14):
organization they're in mostcases using some legacy approach
.
But what are the hackers aredoing?
The hackers and especiallywhat's going on with our economy
right now people losing jobs.
The hackers and especiallywhat's going on with our economy
right now people losing jobs.
If I were a malicious person, Iknow I could probably make more
money faster by hacking intocompanies with ransomware,
business email compromise,because there's ransomware as a
(07:35):
service.
Business email compromise as aservice.
There's fraud, gpt.
So all these things haveautomated cybersecurity.
You don't have to be atechnical cybersecurity expert
at all.
You just got to say I want totarget this company and put it
in.
It will build up your phishingpage or phishing campaigns.
Everything is automated.
So that's what we're fightingagainst.
(07:57):
So if you're a small ormid-sized company and you're
fighting against an automatedAI-based attack, then you're not
going to be able to survive,because many of them don't even
have the tools in place.
We solve that for our customers.
We have to stay cutting edgeand solve that for our customers
.
Speaker 1 (08:13):
Well, somebody has to .
If not you, then someone willinevitably take that place.
But it sounds like you areuniquely qualified.
Not just Civitar, but you,corey.
With your wealth of experience,you are uniquely qualified to
tackle this problem.
Now, one of the challenges oftackling these problems in
(08:34):
cybersecurity, especially formedium-sized businesses small
businesses even more so.
They may not know what theydon't know right.
So there's a lot of educationthat might not might.
That inevitably has to happen.
So what are two or threemisconceptions that you
encounter on a regular basis?
Speaker 2 (08:54):
What I end up getting is a few things.
Number one a lot of companiesand CISOs of companies that are
like, well, we have antivirus,is that it Well?
And I explained to them andthey'll throw out like a Norton
or, you know, mcafee or whatever.
The problem is is that thosesolutions?
You know they were good forwhat they were back in the day,
(09:17):
but they're usingsignature-based technology and
it's almost starting to leverage, you know, ai-based.
But again, we all know if acompany has been in business for
a very long time, it's reallyhard for them to use the latest
and greatest technology.
But the hackers are.
They're using the latest andgreatest technology.
So there's a big gap.
So, to stop cyber attacks, whatwe have built across our
(09:40):
customers is an AI-powered toolset.
And then you have ourAI-enabled team that is securing
your environment.
And so the misconceptions andquestions that we get is
companies come into us like,well, we have antivirus.
Well, let's just say you havethe best antivirus out there.
There's some great vendors andwe leverage them.
(10:02):
But let's say, you have that,but what if it's not installed
correctly and not configured onevery single endpoint?
And the analogy I give I lovecar analogies because you know,
most people have a car, unlessyou're like New York or
something.
But you know, when you thinkabout a car, you get out of your
car, you park it in a parkinglot, you close the door and you
lock it and you let your windowsup.
(10:22):
And you lock it and you letyour windows up.
But if you say, okay, we haveantivirus, even if it's the best
antivirus, that's theequivalent of saying I closed my
door but my window is stilldown, okay, and then you may
still have your wallet in thefront seat.
And then when you go back toyour car and your car is stolen
and your wallet's gone, right,and your whole thing is gone,
(10:43):
then you're like someone hackedinto me, someone stole my car.
You're like, well, you leftyour wallet on your front seat
and your window down.
Well, if you don't havemulti-factor authentication,
you're not patching your systems.
And let's just say, and you didantivirus, right, but you
didn't do the other things.
Then that's the equivalent.
So, yeah, you will still getcompromised.
And what I don't think mostpeople understand is that
(11:06):
there's not this one product orone thing you can do and then
you're secure.
That's not it.
And that goes back to the car,just because you roll up your
windows doesn't mean your dooris locked.
Your door could be wide open,but your window's out, hey,
you're good.
And so I think most peoplearen't thinking about
cybersecurity as holistic as itneeds to be.
Speaker 1 (11:28):
When you're implementing AI.
Okay, first of all, is AIwreaking havoc on your roadmap?
Speaker 2 (11:34):
It's coming out so fast?
Speaker 1 (11:36):
I mean, how do you keep up?
Speaker 2 (11:39):
Yeah.
So you've got to use the righttechnology for some formals.
So I went and did an audit lastyear of all the technology.
Just check in base, make sureEvery technology we're using for
our customer base is using AIat some level.
Okay, built into the product,okay.
Then the second thing I did is,you know, worked with my team
(12:02):
to better understand how arethey using AI, how are we
automating ourselves?
And, for me personally, ai ismy co-pilot, it is my co-founder
.
Speaker 1 (12:12):
So it starts with you it does.
Is what you're saying, yeah.
Speaker 2 (12:15):
It absolutely has to start with me, because I can't
have my teams, you know, saying,hey, make sure you use AI, and
I'm still old school, not usingAI.
Like everything that I'mdeveloping and strategizing
around is using AI.
And I was talking to a goodfriend of mine just last week
and you know literally two of myfriends.
We were having this debate andboth were in the marketing space
(12:36):
and so we were talking and wewere just debating around what's
different with AI and evenmarketing, but the same thing
applies to cybersecurity.
The gap that we're running intonow is that you have new people
coming into business whether itbe marketing, cybersecurity,
whatever and they're using AI.
With me being in cybersecurityand technology for 30 years, I
(12:59):
know what questions to ask.
I know where I need to take itokay, when I'm using AI, but if
you don't have the foundationalcomponents, then you're going to
ping AI and it's going to giveyou an answer back and it will
sound freaking amazing, but itain't the right answer, because
you cannot continue promptingand fine-tuning it, because you
don't know the right answer.
You can't trust AI to give youthe right answer.
(13:22):
Okay, and you got to have theexperience to know where you
need to take this.
Speaker 1 (13:26):
Yeah, that's, that is my experience with AI as well.
You try to go to it in a, in afield or in a domain that you
have no idea what you're doing.
You don't know anything aboutit and you're like you know what
I'm going to get by by justusing whatever the AI spits out.
And then you lay it out infront of somebody who's got all
the experience and they look atthis and they're like did you?
It's a classic scenario of theprofessor.
(13:48):
You know, a kid writes a paper.
The professor can tell rightaway you didn't write that paper
, that that paper, that paperactually doesn't really make
much sense.
And if you really readShakespeare, you'd be able to
look at this sonnet or this poemor this play this way, and I
can tell that it just doesn'thave the human touch.
So you're totally right when itcomes to AI, you can't just
(14:08):
slap it on a product and ship itout to market.
You have to really understandwhat's going on and the AI is
your co-pilot.
You use that word, which is thekey word here is that it is
your co-pilot.
Okay, so that's the first.
That is the first misconception.
It's that people think thatthey can just use antivirus or
they can use one or two productsand that gives you holistic
(14:33):
security, which is really a goodpoint.
So I'm going to stick on thatjust a little bit more and maybe
we can unpack that.
I've always heard and maybe youcan decipher this for me a
little bit I've always heardthat if you've got multi-factor
authentication, you implementzero trust and I think there's
like 18 controls that you canslap into your network.
(14:57):
You're 90% covered.
I know this is sort of thephilosophy behind the um.
Is it the CIS top 20?
Speaker 2 (15:06):
Yeah, yeah, okay.
Speaker 1 (15:09):
So is that a myth or is that real, that if you were
to get those 18 controls, putthem in place, then you're about
90% covered?
Is that just a total myth?
Speaker 2 (15:21):
It's not a myth.
No, absolutely not.
I'll even go a little bitfurther than that.
So when you take the CIS-18,they actually have three
implementation groups.
So implementation group one andit's called IG-1, right, is a
little bit basic, but it's notas stringent as two or three.
You do three, you're ironclad,you're solid, right.
(15:45):
But here's another nuance,another spin on what you said.
So Gardner came out with a stat, probably about three years ago
, and it says 98% of all cyberattacks are preventable.
All right, so you know that'shigher than your 90% number.
And so, with my background,like I said, 24 years of
(16:07):
incident response, I've seenevery type of attack out there
and what I'll say is incidentsfall into two different
categories.
Okay, number one, I'll call itthe drive-by hacker.
Okay, and what that means isthey.
You know, think of this analogyin another.
You know this is a house.
Now, analogy If I'm drivingdown the street, josh, and I see
(16:28):
huh, josh has a nice car in thegarage, you know garage door is
up.
You know side gate is open,garage door is up, side gate is
open, but as I go down thatwhole street, everybody else,
garage door is down, side gateclosed, locked up.
Speaker 1 (16:43):
At that point you were morally obligated to steal
my car.
Speaker 2 (16:45):
Yeah, exactly, steal your car to break into your
house, whatever it is right, andso that's the drive-by hack.
Now let me explain it incybersecurity terms.
So if I'm scanning the internetand you are scanned literally
thousands of times a day, everysingle second, someone is
scanning your external presenceor probably sending you a
(17:06):
phishing email.
It is continually happening.
So if you don't have propercontrols and you aren't patching
your systems, you don't havemulti-factor, you don't have
endpoint protection, your gate'sopen, your guard's closed up.
And to just give you a statwhich is just, everybody needs
to just marinate on here for asecond.
(17:27):
Everybody's heard of securityawareness training, right, and
people say, god, I have securityawareness training.
If people would just stopclicking, we would be okay.
A couple of things to that.
The internet is all links, like.
Your email address is a link.
A calendar invite that we useto set up our initial meeting is
a link that you can embedmalware in.
(17:49):
Okay.
So even if you have the bestbreed of security awareness
training out there, you couldpossibly have.
The best you're ever going toget is you can get your click
rate on malicious attacks downto 3%.
So now you got to make theassumption that at least 3% if
you're really good are going toclick.
(18:10):
Average companies, usually, ifthey have nothing in place, is
around 30, okay, so you got todesign your security program.
What happens after the click?
All right, because the click isgoing to happen.
Okay, the gate is going to beleft open eventually.
All right, so now let's go tothe other type of attack.
Okay, my point is, you know,attack scenario one that all can
(18:32):
be prevented and stopped, andwe do that across all of our
customers.
You know we've never had asuccessful breach and always
knock on wood when I say we'venever had a successful breach
five years in business.
You know, hundreds of customers.
Okay, so we know, just in thelast six months I look at our
stats we blocked 195 ransomwareattacks and 165 of them were
(18:56):
from someone clicking onsomething.
So the click is going to happen.
But, we blocked it every singletime.
Okay, so it can be stopped.
Okay, now let's go to scenarionumber two, which I call a
nation state threat actor attack.
What that means is you know itgoes old school.
By any means necessary, they'regoing to hack into you.
(19:18):
Okay, that means they have agroup of people after a specific
target to get into your company.
They specifically have targetedyour company, but that's only
about 2% of the hacks out therewhere you get a targeted threat
actor group coming after yourcompany.
Speaker 1 (19:37):
Most of it are hacks of opportunity.
Corey, let me ask you thisbecause I know that your
customers, your prospects, thegeneral public, anyone in
business.
Speaker 2 (19:52):
They're going to ask this question why would anybody
want to hack me?
Here's what the real answer tothat is they don't want to hack
you.
They're hacking you becauseyour gate is wide open.
It is a hack of opportunity.
Speaker 1 (20:02):
It's an opportunity thing, okay.
Speaker 2 (20:03):
Yeah, okay, like literally, we've got a ton of
manufacturing companies.
Those are the ones that gethacked all the time.
But again, if you're just tosay literally, you know I was
talking to one a few weeks agobillion dollar manufacturing
company, okay, and so what wedesigned for them is right size,
(20:24):
cybersecurity.
They have no compliance needs,they have no PII, nothing, okay,
nothing saying that you need tobe compliant with anything,
nothing.
So what we did is so we saidthe most likely way you're going
to get hacked is business emailcompromise okay, or some type
of financial fraud where youknow it's similar to BDC, but
(20:47):
you know, some kind of financialfraud because they're a billion
dollar company, so they'rehandling millions and millions
of dollars of transactions on aregular basis.
So, and then the last one isransomware.
So if you have access to thatmuch money, or even if you're
smaller you're smaller you stillhave access to money.
So I had a manufacturingcustomer come to us.
(21:08):
They lost $150,000, you know,because business email
compromised, they gotcompromised.
Their user that did, all theirfinances got compromised, and so
the person you know did notknow, but the hacker got into
their email and they sent emailsand said send money to this
bank account, so all theircustomers were paying to the
(21:29):
wrong bank account.
Speaker 1 (21:31):
That is a big problem that needs to be solved,
because 150 grand may not be alot to a big company like
Walmart, but for us little guys,150 grand could be the
difference between your doorsstaying open and being closed.
That's like being in New YorkCity and losing your job.
(21:52):
Right, you can be two paychecksaway from you know, asking for
change on the subway.
So that is not a small problemand I think that that needs to
be highlighted.
That a lot of people they mayask nobody wants to hack me, or
why me or the percentage chanceof my company being hacked is so
low.
But the thing is, the impact ofgetting hacked is so high.
Speaker 2 (22:17):
Yes, and let me give you a couple layers to that
particular same hack.
So that same hack.
This company had cyberinsurance.
So they're like okay, let'sreach out to our insurance
company and let's get this moneyback.
Well, when you fill out yourinsurance questionnaire, if
you're not a Sabotage customerpretty much everybody else
(22:39):
you're saying we havemulti-factor in place, we're
doing continuous patching andremediation, we have antivirus,
next-gen antivirus, edr on everysingle endpoint.
So you're checking those boxessaying you're doing that and
several other things that youhave in place.
(22:59):
So when you get breached,they're going to come in and do
forensics and figure out how didthis happen?
And if it happened because youdidn't have antivirus or you
weren't monitoring that system,didn't have multi-factor, didn't
apply a patch, then guess what?
You're not going to get paid.
So, literally, companies arepaying for years having cyber
insurance and then when thebreach does happen, then they
(23:20):
don't get paid back from it.
Yes, they lost $150,000, butlet's just say, if you're paying
$8,000, $10,000 a year for yourcyber insurance policy, then
when the breach actually happens, then you don't get paid out
either.
Well, what CyberTar has done is,while we're experts at bringing
all this together, we have theinsurance ecosystem partners.
(23:40):
We have the preventativecontrols in place.
You don't even have to fill outthe questionnaire.
If you're a Sabotar customer,okay, we have solved that for
you.
And so, even if the breach didhappen, then we can sit and show
we were automatically applyingpatches every single month, or
week, I'm sorry, or day,depending on the need there.
Right.
Then, on top of that, we arecontinuously blocking malware,
(24:02):
because your endpoint protectionis designed to protect, and
then we monitor a lockdownendpoint and you have
multi-factor.
You are covered.
Okay, they still get in, whichis possible with these
sophisticated threat actors.
The analogy I give when youthink about a sophisticated
threat actor you can have yourhouse locked down or your car
locked down as hard as you want,but if someone gets a big rock
(24:23):
and breaks the window andreaches in, okay, when I say by
any means necessary, that's whathappens.
Speaker 1 (24:31):
Now, just to wrap up, I think that there's something
here that we take for grantedespecially in the security
community, when we're trying todrive home the importance of
security for the general publicand for the large enterprise,
small, medium businesses, foreveryone which is that security
(24:55):
is you can spend all of yourtime, all of your money, you can
spend your resources.
I know CEOs, presidents, cfos,executives they're up all night
at times worrying about how do Imake more revenue, how do I hit
those numbers, how do we closethe quarter strong, how do we do
this in a way that you know?
(25:15):
How are we responsible to ouremployees, to our partners?
They're doing all this stuff tomake sure that their company is
growing and moving forward, butwhen it comes to security, a
lot of times they just kind ofgo, they put it on the back
burner or they don't prioritizesecurity as much as they
possibly could or should.
(25:37):
It seems to me and you can tellme, am I nuts here that if I'm
spinning my wheels and I'mtrying to take care of my
business, my baby, and I'm doingall these things to make sure
that my company grows, why would?
It's like having that Ferrarithat you worked so hard for and
you know it's.
You've.
You've got the best wheels,you've got the Brembo brakes.
(25:59):
You wash it, you make sure thatnobody touches it, that birds
are nowhere in a.
You've got a bug zapper thatzaps the birds when they're 10
within 10 feet of the car sonobody's pooping on it.
You do everything to make surethat that car is perfect and you
worked so hard blood, sweat andtears and then you drive it
(26:22):
into the bronx and you leaveyour wallet on the seat and the
doors unlocked and the windowsrolled down.
Or you or you drive it into thegarage and, uh, you forget to
put the garage door up and youdon't lock.
You don't have any security onit.
That is a crazy thought to meand I hope that this doesn't
disparage I hope I'm to small,medium business owners, business
(26:44):
owners across the gamut in sucha way that they can really
grasp and understand the gravityof the situation they're in.
Speaker 2 (27:04):
Yeah, I think, fantastic question.
Here's the deal.
Cybersecurity is a businessdriver.
It needs to be Okay.
The example I gave of themanufacturing company that has
no PII, no driver forcybersecurity.
So we didn't come in and sayyou need to meet every single
requirement of the CISA team,okay, no, absolutely not.
(27:28):
It's called right sizecybersecurity.
Okay, and so we built the rightsolution for their size
cybersecurity.
Okay, and so you, we built theright solution for their size
and their need.
You know, because there are alot of things that we're not
recommending they do.
It could be further along in theroadmap, but you got to secure
what your highest risk is, basedupon the overall threats to
your business.
(27:48):
So that's one piece of it.
The other piece to it is andthis is why we've designed
Savitar the way we did whatdrives companies to buy
cybersecurity.
If I'm a small, medium-sizedbusiness and again, I'm keeping
the lights on and I'm growing,but I'm keeping the lights on Am
I going to stop because I'venever had a breach before and
I'm not going to worry about it?
Am I going to stop and say I'mgoing to go spend a million
(28:10):
dollars or even $10,000 oncybersecurity?
No, you're not.
But for you to grow yourbusiness.
If you've got to be able toanswer a third-party risk
questionnaire to partner withsome large global company that
sent you that questionnaire,you've got to meet those
requirements.
Yes, that's where Cybertar cancome in and help you.
If you need to get cyberinsurance and name that large
(28:33):
company on that policy, yes,that's where Sabotar can help
you.
And then ultimately, of course,you want to be compliant and
secure at the same time and nothave additional costs, high
costs, associated with it.
That's where Sabotar comes in.
We're not trying to charge agazillion dollars for
cybersecurity.
We don't.
We have made it affordable andwe've solved the whole ecosystem
(28:57):
issue with insurance andcompliance and third party risk
management.
We've solved all that for youso that you can affordably meet
your goals all in a simplesubscription and then make a
subscription monthly.
Ok, so instead of paying alarge sum all at once, you can
pay monthly.
So it's a small chunk comingout that meets your business and
cybersecurity goals.
Speaker 1 (29:19):
I like you, corey.
You're speaking the language ofthe business.
That's what I really like aboutyour style and the way that you
approach this.
You put the business first.
You put that in terms of hey,if you don't do this, you can be
losing out on business.
You can be losing out onbusiness, you can be losing out
on partnerships because you'renot compliant, you're not risk
conscious and you're not costconscious.
(29:42):
So this seems to me to be acost conscious solution and one
that puts the business first,and I really think that this is
where a lot more ofcybersecurity should go.
I'm a part of this community andI hear the business side of it
(30:03):
a lot right, and I'm more on thebusiness side now than on the
technical side, and, to behonest with you, I don't have a
lot of technical chops.
I don't have an engineeringbone in my body, so I tend to
take the side of the business alot more, and I don't have an
engineering bone in my body, soI tend to take the side of the
business a lot more.
And that question is soimportant why should I care?
Why does this matter?
And a lot of times when I askthat question of someone in the
(30:24):
security community.
I get a lot of technical jargonand it's all about you know,
hackers and all that which istrue, as you've we've been
talking about for the last halfhour or so.
But really what it comes downto is how do you articulate
security in such a way that thebusiness understands that
without it, it's not just a costcenter, but without it revenue
(30:48):
would go down.
And in the world that we'reliving in, people are spooked.
They don't want to do businesswith someone who does not have
proper cybersecurityimplementations.
They don't want to do businesswith someone who has the door
open because now can just walkinto your house.
But you're inviting yourfriends and your neighbors over
(31:16):
and you're inviting their kidsover for a sleepover.
Nobody's going to want to comeover to your house if you've got
no security, knowing that inthe middle of the night, a
little Johnny's going to get avisit from the tooth fairy, and
a very unwanted visit that'sgoing to result in some missing
teeth that he didn't intend togo missing.
So look, we can extend thisanalogy as far as the moon, but
(31:41):
we're running low on time, soI'm going to ask one last
question what do you want yourlegacy to be Not just Civitar,
but you, corey.
What do you want your legacy tobe?
Speaker 2 (32:00):
Once you've been in business for 30 years and run
teams, you get beyond.
Oh, I just want to make a lotof money, you know, and get a
yacht and go on an island orsomething.
A few things about me that givethis perspective.
I'm a bit of a biohacker.
I plan on living at least 150years, maybe more.
So when you think you know,only I don't know a third of the
way in, you know, at this point, you know I got lots of room to
(32:23):
grow and expand, but the goalis this Because I existed, this
world got better.
Okay, because if you spend yourtime chasing money or chasing
success or chasing some kind ofstardom, that's, that's not deep
enough, like the world has tobe better.
(32:45):
Because I exist and I've beenblessed to have just a ton of
experience and technicalknowledge.
And one thing I'll share withyou, josh that I'm loving what
is happening.
Over the last, let's just say,15 years, my little side hobby
has been, you know, just quantumphysics and just understanding
how the universe works and howscience works, and that moving
(33:08):
my mindset from the Newtonianmindset of how things work and
moving into a quantum mindset,and so how this ties into
cybersecurity and computers,fascinates me.
So check this out reallyquickly.
Quantum computers.
So when you think about whatquantum computers which will be
(33:28):
here in the next five years orso, is already partially here,
when you think about what'shappening with it in a quantum
computer, how it's differentfrom a legacy computer, is on a
legacy computer, like we're onright now, it's looking at zeros
or ones, okay, and that's it.
Okay, it's either a zero or aone.
But in a quantum world it's azero or a one, a one and a zero
(33:51):
one.
It's all of that.
At the same time, everythingexists in a possibility, in
what's called superposition.
Now, here's the analogy thatreally blows my mind, which I
love.
So us, as human beings, we livein a quantum world and we're
just not realizing it.
Okay, you know, it's in quantum.
Entanglement is what Einsteincalled.
(34:14):
You know there's somethingspooky going on here.
Spooky action at a distance.
Yes, exactly, he couldn'tfigure it out.
Like, why is this happening?
So it's just like you know now.
You know, Josh, you and I we'vemet, and we've done this
together with quantum entangled,no-transcript computers where
(34:56):
we as human beings have beenliving but not really realizing
it.
Now all that has converged intoone.
Okay, we have no other choiceother than to embrace the
quantum world.
Okay, so that's what's exciting.
Speaker 1 (35:11):
Quantum GPT.
It just makes me so excited tothink about, when that happens,
what it's going to be like.
We're going to be cyborgs onsteroids.
Speaker 2 (35:21):
Exactly.
Speaker 1 (35:21):
Yeah Well, corey, thanks, and you know we should
follow up.
We should do an entire episode.
If you'd like to come back, theinvitation is yours and we can
dig into the quantum stuff.
Because, you're right, quantumcomputing is right around the
corner.
I don't think that thecybersecurity community
completely understands it and,like you, I have taken an
(35:43):
interest in the quantum worldand there's a significant amount
of overlap and thecybersecurity in the technical
world is going to become evermore philosophical.
It's already a nebulous concept, but there's more to come.
Corey White, thank you so muchfor stopping by Cybernomics.
If people want to learn moreabout you and want to learn more
(36:06):
about Civitar, how can theyfollow you?
Speaker 2 (36:09):
Yes, please connect with me on LinkedIn.
That's where I am most active,so hit me up on LinkedIn.
Obviously, it's Corey White,easy to find me.
I look just like this in myprofile.
You see me public speaking onmy picture and then, on top of
that, go to Savitarai C-Y-V, asin Victor A-T-A-R, dot A-I.
(36:30):
We have an offering for everysingle person out there that has
a business called Freemium,because we do not believe in
charging you to do a CISassessment.
That's free.
On our website, josh, a gapanalysis is there.
You know, using CISquestionnaire, it takes about 10
minutes to go through, so itshouldn't pay anybody to do the
(36:51):
gap analysis.
Just, you know, that's free.
Speaker 1 (36:53):
Wow, really.
Yeah, I know of companies thatI hope they're not listening to
this.
Actually, I hope they arebecause you're challenging them
to bring their A game.
I know companies that this istheir bread and butter and
you're kind of eating theirlunch.
Sorry, go ahead.
Speaker 2 (37:07):
Well, here's the premise behind it If you know
you don't have anything in place, companies know they're not
patching or don't havemulti-factor.
Why do I have to?
Why do you have to pay moneyfor me to tell you hey, josh,
you don't have multi-factor inplace.
You know that already.
Go and fill out thequestionnaire, figure out where
your gaps are and then we matchthem to solutions to solve those
gaps based upon the CIS-18, youknow, in our platform.
(37:30):
On top of that you get yourfree MasterCard risk recon scans
to see what your externalexposure looks like, and then on
top of that, we do externalscans once a month for you for
free and give you freecybersecurity policies.
So all that basics.
That's taken care of in ourfreemium.
Then, when you're actuallyready to secure your
organization, you can clicksubscribe right in our platform.
(37:51):
It takes you to our e-commercepage and then we guide you or
jump on the phone with us andwe'll do a consultation and help
build a security program foryou that meets your needs and
right sizes your cybersecurity.
Speaker 1 (38:02):
Well, you heard it here on Cybernomics, check out
Civitar, and if you want tosearch me I don't know if you
want to look for me for whateverreason check me out on LinkedIn
.
Josh Bruning, uh,b-r-u-y-n-i-n-g.
If you want to learn more aboutbruning media and what we do,
go to bruningcom,b-r-u-y-n-i-n-gcom and check out
(38:23):
cybernomics.
You can catch full interviews,just like this one, every
wednesday morning at 7 am.
Thanks for listening.
Bye, all right.
Bye, all right.
Corey White, ceo at Cybertar.
Welcome to Cybernomics.
Thanks for carving out sometime in your day.
Your busy, busy schedule.
Speaker 2 (00:10):
Yeah, Josh, thank you for having me.
This is exciting.
I look forward to this.
Let's dive in.
Speaker 1 (00:16):
Look, I'll admit I don't know a whole lot about
your space and the space thatCybertar lives in, and the way
that you summed it up to me andthe way that my little monkey
brain is trying to rub two braincells together to make sense of
it is that you're a platformthat helps companies manage all
(00:36):
of their, or most of their, orthe majority of their,
cybersecurity tools activities,and all that stuff targeted
mainly to those companies thatare small, medium, large.
I guess that's the whole gamut,right?
Everybody needs this, butespecially those small to medium
companies that may not have afull on security team and they
(01:00):
may need some help managing allof the different parts and the
various legs of the spider.
So those are my words, Corey.
In your words, what is Civitar?
Speaker 2 (01:12):
Yeah, let me give some analogies and then I'll
bring it home to answer.
What is Civitar?
So, when you think of amid-sized business, or many of
the small businesses out there,like, none of them go and say,
day one, I'm going to hire a VPof HR, do payroll and HR and
benefits myself, right, becausethat's not their expertise.
(01:34):
Right, they're not experts inthat.
So you have, you know, yourTrinance, your Rippling, your
Gusto, all these companies, allthese PEOs out there, that you
just simply outsource it.
And that's exactly what I didfor this business.
I am not an expert in dentalcare or either healthcare, you
know, god forbid, right, I'mtired for all that.
I just need to know myemployees have all that covered
(01:56):
period.
So let's equate that tocybersecurity, right?
So here's the challengeCompanies, in order to grow,
they got to be able to fill outthird party questionnaires, they
got to be compliant, they gotto have cyber insurance.
And oh yeah, by the way, theycannot get hacked with a
ransomware attack or businessemail compromise attack or
(02:16):
anything that cripples theirbusiness.
So why would you say, ok, well,hey, we're a midsize business
Even if you got, you know, 100employees, 200 employees, I'm
going to go hire a CISO and asecurity team.
I'm going to go do a bunch ofproduct evaluations and test all
of it out first, and then I'mgoing to go and implement it and
I'm going to manage andmaintain that.
That would take you anywhere,depending on the size of your
(02:38):
organization nine to 12 topotentially even 18 months,
depending on how long yourevaluation is.
Or you can come to Savitar andwe're going to bring in the best
of breed products.
We're going to install it,we're going to configure it,
we're going to assess your gaps,we're going to remediate your
gaps on a continuous basis.
We're going to get you cyberinsurance.
We're going to get youcompliant and have your third
(02:59):
party risk management.
And yes, we just added managedIT, but it managed secure IT,
because a lot of the companieshave IT vendors doing their
cybersecurity.
Well, we're a cybersecuritycompany that's going to do your
IT.
Okay, so everything IT relatedthat is implemented needs to be
done securely, otherwise youwill get hacked.
So we come in with that angle.
(03:21):
So that's what Savitar is.
Speaker 1 (03:24):
So I wasn't way off.
You summed it up way betterthan I ever could.
But I'm curious, Corey, how didyou get into this business?
Speaker 2 (03:33):
I get that question a lot and it makes me laugh
because I've been doing it for30 years.
The business did not exist in1995 when I started.
Okay, like, I got out of schooland the internet came out, so
you know Pascal and COBOLprogram, and that wasn't a thing
.
So I had to learn how tocontinuously learn.
So every single day, week, I amlearning something new to stay
(03:57):
on top of this.
So when I dove in my first gig,literally in 1995, I was
working for Microsoft supportingWindows 95.
The day it came out it was thefirst operating system with an
IP stack, and so with theinternet, internet Explorer,
exchange 1.0, all this was whatI was supporting.
So I had to learn all thatstuff brand new.
(04:19):
But nothing I learned incollege was really applicable.
So I had to go get Microsoftcertified, cisco certified, a
bunch of sand certifications, etcetera.
And so as a result of that I'vejust been continually learning
and right after I left MicrosoftI got into consulting and
consulting.
You're the expert.
Whether the product just cameout or goes wherever it is,
(04:40):
you're the expert.
Like when I built the externalnetwork for Intuit, you know
TurboTax, so we can do taxreturns for the first time in
1997, down in San Diego, my bosscame to me.
You know, literally this is howhorrible for a podcast, but
it's a true story.
So we're in the bathroom, youknow, at the urinals, and he was
(05:00):
like Corey, do you know loadbalancers?
And I was like Corey, do youknow load balancers?
And I'm like, looking straightahead, because you can't look
side to side Looking straightahead and I'm like, yeah, I can
figure it out.
I've never done one before, butyou know well, they just came
out a couple of weeks ago.
We got this gig in San Diego,want to go do it?
And I'm like sure.
So I got the manual from Ciscoand I'm reading up on load
balancers, trying to figure itout, and I implemented it.
(05:24):
Anybody that did a tax returnin 1997 through Intuit TurboTax
went through my load balancersin the perimeter network that I
built.
So it's just a process ofcontinuing learning.
And so when I built perimeternetworks, I got into perimeter
cybersecurity assessments andpen tests and the remediation of
it.
So I literally have been inthis world for 30 years.
Speaker 1 (05:43):
Well, it's a good thing he didn't ask you to shake
on it.
Speaker 2 (05:45):
Yeah, exactly.
Yeah, I've been an elbow bumpor something.
Yeah, yeah, yeah, yeah, just towash your hands, got it?
Speaker 1 (05:53):
All right, it sounds like you have to be a generalist
to oversee something likeCivitar, and it seems like
you've seen it.
All right, Do you have to be ageneralist to do this job?
Speaker 2 (06:04):
I think 100%.
You've got to be a Swiss Armyknife, because when I talk to
people in my public talks Iusually ask the question how
fast does technology move andevolve and change?
And for giggles, what do youthink?
How fast do you think it moves,josh?
Speaker 1 (06:23):
Faster than you can blink.
Faster than you can blink.
Speaker 2 (06:25):
Faster than you can blink and so literally, I
started really asking thatquestion about 10 years ago, so
roughly, you know, 2016-ish.
I would ask people in a publictalk in a crowd like hey, what
is it?
They will come back and say atthe time, 12 to 18 months.
Things are evolving and themetric I use now is how often
(06:46):
does a new AI model come out?
Okay, and it's getting faster,it's getting faster.
Speaker 1 (06:51):
I think it's weekly.
At this point it sounds like.
Speaker 2 (06:53):
Exactly so.
The things that we were able tocouldn't do in an AI model like
a month ago.
Now it can do and it's betterat it, and that's going to keep
on getting shorter and shorterand shorter.
And so when you look at wherewe are from a cybersecurity
perspective the end customerthat is trying to secure their
(07:14):
organization they're in mostcases using some legacy approach
.
But what are the hackers aredoing?
The hackers and especiallywhat's going on with our economy
right now people losing jobs.
The hackers and especiallywhat's going on with our economy
right now people losing jobs.
If I were a malicious person, Iknow I could probably make more
money faster by hacking intocompanies with ransomware,
business email compromise,because there's ransomware as a
(07:35):
service.
Business email compromise as aservice.
There's fraud, gpt.
So all these things haveautomated cybersecurity.
You don't have to be atechnical cybersecurity expert
at all.
You just got to say I want totarget this company and put it
in.
It will build up your phishingpage or phishing campaigns.
Everything is automated.
So that's what we're fightingagainst.
(07:57):
So if you're a small ormid-sized company and you're
fighting against an automatedAI-based attack, then you're not
going to be able to survive,because many of them don't even
have the tools in place.
We solve that for our customers.
We have to stay cutting edgeand solve that for our customers
.
Speaker 1 (08:13):
Well, somebody has to .
If not you, then someone willinevitably take that place.
But it sounds like you areuniquely qualified.
Not just Civitar, but you,corey.
With your wealth of experience,you are uniquely qualified to
tackle this problem.
Now, one of the challenges oftackling these problems in
(08:34):
cybersecurity, especially formedium-sized businesses small
businesses even more so.
They may not know what theydon't know right.
So there's a lot of educationthat might not might.
That inevitably has to happen.
So what are two or threemisconceptions that you
encounter on a regular basis?
Speaker 2 (08:54):
What I end up getting is a few things.
Number one a lot of companiesand CISOs of companies that are
like, well, we have antivirus,is that it Well?
And I explained to them andthey'll throw out like a Norton
or, you know, mcafee or whatever.
The problem is is that thosesolutions?
You know they were good forwhat they were back in the day,
(09:17):
but they're usingsignature-based technology and
it's almost starting to leverage, you know, ai-based.
But again, we all know if acompany has been in business for
a very long time, it's reallyhard for them to use the latest
and greatest technology.
But the hackers are.
They're using the latest andgreatest technology.
So there's a big gap.
So, to stop cyber attacks, whatwe have built across our
(09:40):
customers is an AI-powered toolset.
And then you have ourAI-enabled team that is securing
your environment.
And so the misconceptions andquestions that we get is
companies come into us like,well, we have antivirus.
Well, let's just say you havethe best antivirus out there.
There's some great vendors andwe leverage them.
(10:02):
But let's say, you have that,but what if it's not installed
correctly and not configured onevery single endpoint?
And the analogy I give I lovecar analogies because you know,
most people have a car, unlessyou're like New York or
something.
But you know, when you thinkabout a car, you get out of your
car, you park it in a parkinglot, you close the door and you
lock it and you let your windowsup.
(10:22):
And you lock it and you letyour windows up.
But if you say, okay, we haveantivirus, even if it's the best
antivirus, that's theequivalent of saying I closed my
door but my window is stilldown, okay, and then you may
still have your wallet in thefront seat.
And then when you go back toyour car and your car is stolen
and your wallet's gone, right,and your whole thing is gone,
(10:43):
then you're like someone hackedinto me, someone stole my car.
You're like, well, you leftyour wallet on your front seat
and your window down.
Well, if you don't havemulti-factor authentication,
you're not patching your systems.
And let's just say, and you didantivirus, right, but you
didn't do the other things.
Then that's the equivalent.
So, yeah, you will still getcompromised.
And what I don't think mostpeople understand is that
(11:06):
there's not this one product orone thing you can do and then
you're secure.
That's not it.
And that goes back to the car,just because you roll up your
windows doesn't mean your dooris locked.
Your door could be wide open,but your window's out, hey,
you're good.
And so I think most peoplearen't thinking about
cybersecurity as holistic as itneeds to be.
Speaker 1 (11:28):
When you're implementing AI.
Okay, first of all, is AIwreaking havoc on your roadmap?
Speaker 2 (11:34):
It's coming out so fast?
Speaker 1 (11:36):
I mean, how do you keep up?
Speaker 2 (11:39):
Yeah.
So you've got to use the righttechnology for some formals.
So I went and did an audit lastyear of all the technology.
Just check in base, make sureEvery technology we're using for
our customer base is using AIat some level.
Okay, built into the product,okay.
Then the second thing I did is,you know, worked with my team
(12:02):
to better understand how arethey using AI, how are we
automating ourselves?
And, for me personally, ai ismy co-pilot, it is my co-founder
.
Speaker 1 (12:12):
So it starts with you it does.
Is what you're saying, yeah.
Speaker 2 (12:15):
It absolutely has to start with me, because I can't
have my teams, you know, saying,hey, make sure you use AI, and
I'm still old school, not usingAI.
Like everything that I'mdeveloping and strategizing
around is using AI.
And I was talking to a goodfriend of mine just last week
and you know literally two of myfriends.
We were having this debate andboth were in the marketing space
(12:36):
and so we were talking and wewere just debating around what's
different with AI and evenmarketing, but the same thing
applies to cybersecurity.
The gap that we're running intonow is that you have new people
coming into business whether itbe marketing, cybersecurity,
whatever and they're using AI.
With me being in cybersecurityand technology for 30 years, I
(12:59):
know what questions to ask.
I know where I need to take itokay, when I'm using AI, but if
you don't have the foundationalcomponents, then you're going to
ping AI and it's going to giveyou an answer back and it will
sound freaking amazing, but itain't the right answer, because
you cannot continue promptingand fine-tuning it, because you
don't know the right answer.
You can't trust AI to give youthe right answer.
(13:22):
Okay, and you got to have theexperience to know where you
need to take this.
Speaker 1 (13:26):
Yeah, that's, that is my experience with AI as well.
You try to go to it in a, in afield or in a domain that you
have no idea what you're doing.
You don't know anything aboutit and you're like you know what
I'm going to get by by justusing whatever the AI spits out.
And then you lay it out infront of somebody who's got all
the experience and they look atthis and they're like did you?
It's a classic scenario of theprofessor.
(13:48):
You know, a kid writes a paper.
The professor can tell rightaway you didn't write that paper
, that that paper, that paperactually doesn't really make
much sense.
And if you really readShakespeare, you'd be able to
look at this sonnet or this poemor this play this way, and I
can tell that it just doesn'thave the human touch.
So you're totally right when itcomes to AI, you can't just
(14:08):
slap it on a product and ship itout to market.
You have to really understandwhat's going on and the AI is
your co-pilot.
You use that word, which is thekey word here is that it is
your co-pilot.
Okay, so that's the first.
That is the first misconception.
It's that people think thatthey can just use antivirus or
they can use one or two productsand that gives you holistic
(14:33):
security, which is really a goodpoint.
So I'm going to stick on thatjust a little bit more and maybe
we can unpack that.
I've always heard and maybe youcan decipher this for me a
little bit I've always heardthat if you've got multi-factor
authentication, you implementzero trust and I think there's
like 18 controls that you canslap into your network.
(14:57):
You're 90% covered.
I know this is sort of thephilosophy behind the um.
Is it the CIS top 20?
Speaker 2 (15:06):
Yeah, yeah, okay.
Speaker 1 (15:09):
So is that a myth or is that real, that if you were
to get those 18 controls, putthem in place, then you're about
90% covered?
Is that just a total myth?
Speaker 2 (15:21):
It's not a myth.
No, absolutely not.
I'll even go a little bitfurther than that.
So when you take the CIS-18,they actually have three
implementation groups.
So implementation group one andit's called IG-1, right, is a
little bit basic, but it's notas stringent as two or three.
You do three, you're ironclad,you're solid, right.
(15:45):
But here's another nuance,another spin on what you said.
So Gardner came out with a stat, probably about three years ago
, and it says 98% of all cyberattacks are preventable.
All right, so you know that'shigher than your 90% number.
And so, with my background,like I said, 24 years of
(16:07):
incident response, I've seenevery type of attack out there
and what I'll say is incidentsfall into two different
categories.
Okay, number one, I'll call itthe drive-by hacker.
Okay, and what that means isthey.
You know, think of this analogyin another.
You know this is a house.
Now, analogy If I'm drivingdown the street, josh, and I see
(16:28):
huh, josh has a nice car in thegarage, you know garage door is
up.
You know side gate is open,garage door is up, side gate is
open, but as I go down thatwhole street, everybody else,
garage door is down, side gateclosed, locked up.
Speaker 1 (16:43):
At that point you were morally obligated to steal
my car.
Speaker 2 (16:45):
Yeah, exactly, steal your car to break into your
house, whatever it is right, andso that's the drive-by hack.
Now let me explain it incybersecurity terms.
So if I'm scanning the internetand you are scanned literally
thousands of times a day, everysingle second, someone is
scanning your external presenceor probably sending you a
(17:06):
phishing email.
It is continually happening.
So if you don't have propercontrols and you aren't patching
your systems, you don't havemulti-factor, you don't have
endpoint protection, your gate'sopen, your guard's closed up.
And to just give you a statwhich is just, everybody needs
to just marinate on here for asecond.
(17:27):
Everybody's heard of securityawareness training, right, and
people say, god, I have securityawareness training.
If people would just stopclicking, we would be okay.
A couple of things to that.
The internet is all links, like.
Your email address is a link.
A calendar invite that we useto set up our initial meeting is
a link that you can embedmalware in.
(17:49):
Okay.
So even if you have the bestbreed of security awareness
training out there, you couldpossibly have.
The best you're ever going toget is you can get your click
rate on malicious attacks downto 3%.
So now you got to make theassumption that at least 3% if
you're really good are going toclick.
(18:10):
Average companies, usually, ifthey have nothing in place, is
around 30, okay, so you got todesign your security program.
What happens after the click?
All right, because the click isgoing to happen.
Okay, the gate is going to beleft open eventually.
All right, so now let's go tothe other type of attack.
Okay, my point is, you know,attack scenario one that all can
(18:32):
be prevented and stopped, andwe do that across all of our
customers.
You know we've never had asuccessful breach and always
knock on wood when I say we'venever had a successful breach
five years in business.
You know, hundreds of customers.
Okay, so we know, just in thelast six months I look at our
stats we blocked 195 ransomwareattacks and 165 of them were
(18:56):
from someone clicking onsomething.
So the click is going to happen.
But, we blocked it every singletime.
Okay, so it can be stopped.
Okay, now let's go to scenarionumber two, which I call a
nation state threat actor attack.
What that means is you know itgoes old school.
By any means necessary, they'regoing to hack into you.
(19:18):
Okay, that means they have agroup of people after a specific
target to get into your company.
They specifically have targetedyour company, but that's only
about 2% of the hacks out therewhere you get a targeted threat
actor group coming after yourcompany.
Speaker 1 (19:37):
Most of it are hacks of opportunity.
Corey, let me ask you thisbecause I know that your
customers, your prospects, thegeneral public, anyone in
business.
Speaker 2 (19:52):
They're going to ask this question why would anybody
want to hack me?
Here's what the real answer tothat is they don't want to hack
you.
They're hacking you becauseyour gate is wide open.
It is a hack of opportunity.
Speaker 1 (20:02):
It's an opportunity thing, okay.
Speaker 2 (20:03):
Yeah, okay, like literally, we've got a ton of
manufacturing companies.
Those are the ones that gethacked all the time.
But again, if you're just tosay literally, you know I was
talking to one a few weeks agobillion dollar manufacturing
company, okay, and so what wedesigned for them is right size,
(20:24):
cybersecurity.
They have no compliance needs,they have no PII, nothing, okay,
nothing saying that you need tobe compliant with anything,
nothing.
So what we did is so we saidthe most likely way you're going
to get hacked is business emailcompromise okay, or some type
of financial fraud where youknow it's similar to BDC, but
(20:47):
you know, some kind of financialfraud because they're a billion
dollar company, so they'rehandling millions and millions
of dollars of transactions on aregular basis.
So, and then the last one isransomware.
So if you have access to thatmuch money, or even if you're
smaller you're smaller you stillhave access to money.
So I had a manufacturingcustomer come to us.
(21:08):
They lost $150,000, you know,because business email
compromised, they gotcompromised.
Their user that did, all theirfinances got compromised, and so
the person you know did notknow, but the hacker got into
their email and they sent emailsand said send money to this
bank account, so all theircustomers were paying to the
(21:29):
wrong bank account.
Speaker 1 (21:31):
That is a big problem that needs to be solved,
because 150 grand may not be alot to a big company like
Walmart, but for us little guys,150 grand could be the
difference between your doorsstaying open and being closed.
That's like being in New YorkCity and losing your job.
(21:52):
Right, you can be two paychecksaway from you know, asking for
change on the subway.
So that is not a small problemand I think that that needs to
be highlighted.
That a lot of people they mayask nobody wants to hack me, or
why me or the percentage chanceof my company being hacked is so
low.
But the thing is, the impact ofgetting hacked is so high.
Speaker 2 (22:17):
Yes, and let me give you a couple layers to that
particular same hack.
So that same hack.
This company had cyberinsurance.
So they're like okay, let'sreach out to our insurance
company and let's get this moneyback.
Well, when you fill out yourinsurance questionnaire, if
you're not a Sabotage customerpretty much everybody else
(22:39):
you're saying we havemulti-factor in place, we're
doing continuous patching andremediation, we have antivirus,
next-gen antivirus, edr on everysingle endpoint.
So you're checking those boxessaying you're doing that and
several other things that youhave in place.
(22:59):
So when you get breached,they're going to come in and do
forensics and figure out how didthis happen?
And if it happened because youdidn't have antivirus or you
weren't monitoring that system,didn't have multi-factor, didn't
apply a patch, then guess what?
You're not going to get paid.
So, literally, companies arepaying for years having cyber
insurance and then when thebreach does happen, then they
(23:20):
don't get paid back from it.
Yes, they lost $150,000, butlet's just say, if you're paying
$8,000, $10,000 a year for yourcyber insurance policy, then
when the breach actually happens, then you don't get paid out
either.
Well, what CyberTar has done is,while we're experts at bringing
all this together, we have theinsurance ecosystem partners.
(23:40):
We have the preventativecontrols in place.
You don't even have to fill outthe questionnaire.
If you're a Sabotar customer,okay, we have solved that for
you.
And so, even if the breach didhappen, then we can sit and show
we were automatically applyingpatches every single month, or
week, I'm sorry, or day,depending on the need there.
Right.
Then, on top of that, we arecontinuously blocking malware,
(24:02):
because your endpoint protectionis designed to protect, and
then we monitor a lockdownendpoint and you have
multi-factor.
You are covered.
Okay, they still get in, whichis possible with these
sophisticated threat actors.
The analogy I give when youthink about a sophisticated
threat actor you can have yourhouse locked down or your car
locked down as hard as you want,but if someone gets a big rock
(24:23):
and breaks the window andreaches in, okay, when I say by
any means necessary, that's whathappens.
Speaker 1 (24:31):
Now, just to wrap up, I think that there's something
here that we take for grantedespecially in the security
community, when we're trying todrive home the importance of
security for the general publicand for the large enterprise,
small, medium businesses, foreveryone which is that security
(24:55):
is you can spend all of yourtime, all of your money, you can
spend your resources.
I know CEOs, presidents, cfos,executives they're up all night
at times worrying about how do Imake more revenue, how do I hit
those numbers, how do we closethe quarter strong, how do we do
this in a way that you know?
(25:15):
How are we responsible to ouremployees, to our partners?
They're doing all this stuff tomake sure that their company is
growing and moving forward, butwhen it comes to security, a
lot of times they just kind ofgo, they put it on the back
burner or they don't prioritizesecurity as much as they
possibly could or should.
(25:37):
It seems to me and you can tellme, am I nuts here that if I'm
spinning my wheels and I'mtrying to take care of my
business, my baby, and I'm doingall these things to make sure
that my company grows, why would?
It's like having that Ferrarithat you worked so hard for and
you know it's.
You've.
You've got the best wheels,you've got the Brembo brakes.
(25:59):
You wash it, you make sure thatnobody touches it, that birds
are nowhere in a.
You've got a bug zapper thatzaps the birds when they're 10
within 10 feet of the car sonobody's pooping on it.
You do everything to make surethat that car is perfect and you
worked so hard blood, sweat andtears and then you drive it
(26:22):
into the bronx and you leaveyour wallet on the seat and the
doors unlocked and the windowsrolled down.
Or you or you drive it into thegarage and, uh, you forget to
put the garage door up and youdon't lock.
You don't have any security onit.
That is a crazy thought to meand I hope that this doesn't
disparage I hope I'm to small,medium business owners, business
(26:44):
owners across the gamut in sucha way that they can really
grasp and understand the gravityof the situation they're in.
Speaker 2 (27:04):
Yeah, I think, fantastic question.
Here's the deal.
Cybersecurity is a businessdriver.
It needs to be Okay.
The example I gave of themanufacturing company that has
no PII, no driver forcybersecurity.
So we didn't come in and sayyou need to meet every single
requirement of the CISA team,okay, no, absolutely not.
(27:28):
It's called right sizecybersecurity.
Okay, and so we built the rightsolution for their size
cybersecurity.
Okay, and so you, we built theright solution for their size
and their need.
You know, because there are alot of things that we're not
recommending they do.
It could be further along in theroadmap, but you got to secure
what your highest risk is, basedupon the overall threats to
your business.
(27:48):
So that's one piece of it.
The other piece to it is andthis is why we've designed
Savitar the way we did whatdrives companies to buy
cybersecurity.
If I'm a small, medium-sizedbusiness and again, I'm keeping
the lights on and I'm growing,but I'm keeping the lights on Am
I going to stop because I'venever had a breach before and
I'm not going to worry about it?
Am I going to stop and say I'mgoing to go spend a million
(28:10):
dollars or even $10,000 oncybersecurity?
No, you're not.
But for you to grow yourbusiness.
If you've got to be able toanswer a third-party risk
questionnaire to partner withsome large global company that
sent you that questionnaire,you've got to meet those
requirements.
Yes, that's where Cybertar cancome in and help you.
If you need to get cyberinsurance and name that large
(28:33):
company on that policy, yes,that's where Sabotar can help
you.
And then ultimately, of course,you want to be compliant and
secure at the same time and nothave additional costs, high
costs, associated with it.
That's where Sabotar comes in.
We're not trying to charge agazillion dollars for
cybersecurity.
We don't.
We have made it affordable andwe've solved the whole ecosystem
(28:57):
issue with insurance andcompliance and third party risk
management.
We've solved all that for youso that you can affordably meet
your goals all in a simplesubscription and then make a
subscription monthly.
Ok, so instead of paying alarge sum all at once, you can
pay monthly.
So it's a small chunk comingout that meets your business and
cybersecurity goals.
Speaker 1 (29:19):
I like you, corey.
You're speaking the language ofthe business.
That's what I really like aboutyour style and the way that you
approach this.
You put the business first.
You put that in terms of hey,if you don't do this, you can be
losing out on business.
You can be losing out onbusiness, you can be losing out
on partnerships because you'renot compliant, you're not risk
conscious and you're not costconscious.
(29:42):
So this seems to me to be acost conscious solution and one
that puts the business first,and I really think that this is
where a lot more ofcybersecurity should go.
I'm a part of this community andI hear the business side of it
(30:03):
a lot right, and I'm more on thebusiness side now than on the
technical side, and, to behonest with you, I don't have a
lot of technical chops.
I don't have an engineeringbone in my body, so I tend to
take the side of the business alot more, and I don't have an
engineering bone in my body, soI tend to take the side of the
business a lot more.
And that question is soimportant why should I care?
Why does this matter?
And a lot of times when I askthat question of someone in the
(30:24):
security community.
I get a lot of technical jargonand it's all about you know,
hackers and all that which istrue, as you've we've been
talking about for the last halfhour or so.
But really what it comes downto is how do you articulate
security in such a way that thebusiness understands that
without it, it's not just a costcenter, but without it revenue
(30:48):
would go down.
And in the world that we'reliving in, people are spooked.
They don't want to do businesswith someone who does not have
proper cybersecurityimplementations.
They don't want to do businesswith someone who has the door
open because now can just walkinto your house.
But you're inviting yourfriends and your neighbors over
(31:16):
and you're inviting their kidsover for a sleepover.
Nobody's going to want to comeover to your house if you've got
no security, knowing that inthe middle of the night, a
little Johnny's going to get avisit from the tooth fairy, and
a very unwanted visit that'sgoing to result in some missing
teeth that he didn't intend togo missing.
So look, we can extend thisanalogy as far as the moon, but
(31:41):
we're running low on time, soI'm going to ask one last
question what do you want yourlegacy to be Not just Civitar,
but you, corey.
What do you want your legacy tobe?
Speaker 2 (32:00):
Once you've been in business for 30 years and run
teams, you get beyond.
Oh, I just want to make a lotof money, you know, and get a
yacht and go on an island orsomething.
A few things about me that givethis perspective.
I'm a bit of a biohacker.
I plan on living at least 150years, maybe more.
So when you think you know,only I don't know a third of the
way in, you know, at this point, you know I got lots of room to
(32:23):
grow and expand, but the goalis this Because I existed, this
world got better.
Okay, because if you spend yourtime chasing money or chasing
success or chasing some kind ofstardom, that's, that's not deep
enough, like the world has tobe better.
(32:45):
Because I exist and I've beenblessed to have just a ton of
experience and technicalknowledge.
And one thing I'll share withyou, josh that I'm loving what
is happening.
Over the last, let's just say,15 years, my little side hobby
has been, you know, just quantumphysics and just understanding
how the universe works and howscience works, and that moving
(33:08):
my mindset from the Newtonianmindset of how things work and
moving into a quantum mindset,and so how this ties into
cybersecurity and computers,fascinates me.
So check this out reallyquickly.
Quantum computers.
So when you think about whatquantum computers which will be
(33:28):
here in the next five years orso, is already partially here,
when you think about what'shappening with it in a quantum
computer, how it's differentfrom a legacy computer, is on a
legacy computer, like we're onright now, it's looking at zeros
or ones, okay, and that's it.
Okay, it's either a zero or aone.
But in a quantum world it's azero or a one, a one and a zero
(33:51):
one.
It's all of that.
At the same time, everythingexists in a possibility, in
what's called superposition.
Now, here's the analogy thatreally blows my mind, which I
love.
So us, as human beings, we livein a quantum world and we're
just not realizing it.
Okay, you know, it's in quantum.
Entanglement is what Einsteincalled.
(34:14):
You know there's somethingspooky going on here.
Spooky action at a distance.
Yes, exactly, he couldn'tfigure it out.
Like, why is this happening?
So it's just like you know now.
You know, Josh, you and I we'vemet, and we've done this
together with quantum entangled,no-transcript computers where
(34:56):
we as human beings have beenliving but not really realizing
it.
Now all that has converged intoone.
Okay, we have no other choiceother than to embrace the
quantum world.
Okay, so that's what's exciting.
Speaker 1 (35:11):
Quantum GPT.
It just makes me so excited tothink about, when that happens,
what it's going to be like.
We're going to be cyborgs onsteroids.
Speaker 2 (35:21):
Exactly.
Speaker 1 (35:21):
Yeah Well, corey, thanks, and you know we should
follow up.
We should do an entire episode.
If you'd like to come back, theinvitation is yours and we can
dig into the quantum stuff.
Because, you're right, quantumcomputing is right around the
corner.
I don't think that thecybersecurity community
completely understands it and,like you, I have taken an
(35:43):
interest in the quantum worldand there's a significant amount
of overlap and thecybersecurity in the technical
world is going to become evermore philosophical.
It's already a nebulous concept, but there's more to come.
Corey White, thank you so muchfor stopping by Cybernomics.
If people want to learn moreabout you and want to learn more
(36:06):
about Civitar, how can theyfollow you?
Speaker 2 (36:09):
Yes, please connect with me on LinkedIn.
That's where I am most active,so hit me up on LinkedIn.
Obviously, it's Corey White,easy to find me.
I look just like this in myprofile.
You see me public speaking onmy picture and then, on top of
that, go to Savitarai C-Y-V, asin Victor A-T-A-R, dot A-I.
(36:30):
We have an offering for everysingle person out there that has
a business called Freemium,because we do not believe in
charging you to do a CISassessment.
That's free.
On our website, josh, a gapanalysis is there.
You know, using CISquestionnaire, it takes about 10
minutes to go through, so itshouldn't pay anybody to do the
(36:51):
gap analysis.
Just, you know, that's free.
Speaker 1 (36:53):
Wow, really.
Yeah, I know of companies thatI hope they're not listening to
this.
Actually, I hope they arebecause you're challenging them
to bring their A game.
I know companies that this istheir bread and butter and
you're kind of eating theirlunch.
Sorry, go ahead.
Speaker 2 (37:07):
Well, here's the premise behind it If you know
you don't have anything in place, companies know they're not
patching or don't havemulti-factor.
Why do I have to?
Why do you have to pay moneyfor me to tell you hey, josh,
you don't have multi-factor inplace.
You know that already.
Go and fill out thequestionnaire, figure out where
your gaps are and then we matchthem to solutions to solve those
gaps based upon the CIS-18, youknow, in our platform.
(37:30):
On top of that you get yourfree MasterCard risk recon scans
to see what your externalexposure looks like, and then on
top of that, we do externalscans once a month for you for
free and give you freecybersecurity policies.
So all that basics.
That's taken care of in ourfreemium.
Then, when you're actuallyready to secure your
organization, you can clicksubscribe right in our platform.
(37:51):
It takes you to our e-commercepage and then we guide you or
jump on the phone with us andwe'll do a consultation and help
build a security program foryou that meets your needs and
right sizes your cybersecurity.
Speaker 1 (38:02):
Well, you heard it here on Cybernomics, check out
Civitar, and if you want tosearch me I don't know if you
want to look for me for whateverreason check me out on LinkedIn
.
Josh Bruning, uh,b-r-u-y-n-i-n-g.
If you want to learn more aboutbruning media and what we do,
go to bruningcom,b-r-u-y-n-i-n-gcom and check out
(38:23):
cybernomics.
You can catch full interviews,just like this one, every
wednesday morning at 7 am.
Thanks for listening.
Bye, all right.
Bye, all right.
Popular Podcasts
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com