
April 22, 2025 44 mins


Join Joe as he reconnects with Matthew Alderman, Chief Product Officer at CyberSaint, in this insightful episode of the podcast! With over 250 episodes under his belt, Joe dives deep with Matthew, a cybersecurity veteran, podcast host, and advisor, to explore:
CyberSaint’s Game-Changing Approach: How CyberSaint uses historical loss data to revolutionize cyber risk quantification, helping CISOs justify budgets with real financial metrics.

Career Insights: Matthew shares his journey, from running startups to advising new ventures, and how he balances multiple roles (CPO, podcast host, advisor, and family man).

Leadership & Communication: Why CISOs need to speak the language of business to earn a seat at the boardroom table.

Practical Tips: Advice on avoiding burnout, building a mentorship network, and leveraging your personal brand in cybersecurity.

Free Cyber Risk Analysis: Visit CyberSaint.io to benchmark your organization’s cyber risk against industry peers.
Connect with Matthew: Find him on LinkedIn (Matthew Alderman) or X (@Maldermania).
Listen to Matthew’s Podcast: Check out Business Security Weekly at securityweekly.com/BSW.

Chapters

00:00 Reconnecting and Reflecting on Podcasting Journey
02:19 Balancing Multiple Roles and Responsibilities
05:44 The Importance of Personal Well-being
07:53 Career Goals and Retirement Aspirations
10:31 Integrating Consulting and Podcasting
11:55 The Value of Mentorship in Professional Growth
15:02 Building Trust and Reputation in Networking
16:39 Leveraging Podcasting for Career Opportunities
18:20 Innovations in Cyber Risk Management
23:07 Integrating Risk and Control Data
25:30 The Importance of Risk Quantification
28:33 Communicating Cyber Risk to the Board
30:41 CISO's Role in Business Strategy
33:03 Free Cyber Risk Analysis Offering
36:20 Customizing Risk Models
39:58 Real-Time Risk Monitoring
42:24 Targeting Public Companies for Cyber Risk Solutions
45:14 Closing Thoughts and Future Directions

Subscribe for more cybersecurity insights, leadership tips, and industry trends! Drop your thoughts in the comments below—how do you approach cyber risk in your organization?


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
How's it going, Matt? It's been a while since you've been on the podcast. I think you might have been one of the first 20 guests that I've had on. Maybe I'm being a little bit generous with that number, maybe the first 10.

Speaker 2 (00:15):
Oh, maybe, I don't know.

Speaker 1 (00:18):
Yeah, now I'm all the way at over 250 episodes out there.

Speaker 2 (00:21):
Wow, I'm cranking out the content, but I really appreciate you wanting to even come back on. Oh, of course, pleasure. Like I do a podcast, so I might as well be on the other side every once in a while.

Speaker 1 (00:35):
Yeah, it's interesting when you're on the other side. I'm not quite used to it yet. I don't go on very many other podcasts, but the ones that I do, it's just, it's different.

Speaker 2 (00:44):
Yeah, it's funny because a lot of people ask me, like, what podcasts do you listen to? I don't, I don't listen to podcasts. And it's funny because, being a podcast host, you would think that I'd listen to more podcasts. I don't have time, so I do mine, but I don't really listen to others.

Speaker 1 (01:02):
Yeah, that is. Yeah, that's very accurate, you know, and I never understood it until I started doing it. And now it's like, yeah, I don't really listen to podcasts like that. Maybe I'll put on Joe Rogan, right, if I'm doing the dishes or something like that, you know, to keep me a little bit busy,

(01:26):
but like listening to other cybersecurity podcasts or just any other podcasts, overall it's a little bit difficult because, you know, for us, we're not only doing a podcast, we're doing several other things. You know, which has its own challenges. How do you? You know, how do you manage everything that you do? Right. Let's maybe cue in the audience to the different roles and different hats that you're wearing on a daily basis.

Speaker 2 (01:49):
Yeah, I wear about three on a daily basis. I have my day job, chief product officer at CyberSaint, building out a risk quantification, what we call cyber risk management, platform. So that's my day job. That's where most of my time is spent. On average, it was funny, I was telling somebody last night, I average like seven meetings a day, half an hour to hour long meetings.

(02:10):
But I'm doing right about seven meetings a day. So I'm doing 35 meetings a week for my day job. My podcast role hat. So Mondays is my podcast and my recording day, so I have to make sure everything's ready for Monday. I block out an hour and a half every Monday for the podcast, so

(02:32):
the podcast is an hour long. I block out 15 minutes before, 15 minutes after. That way we have buffer time, we get the guests in. So an hour and a half every Monday is dedicated to podcasts, and I block out my Friday afternoons, right after this time frame. Actually, I block out Friday afternoons to make sure all my podcast prep is done. So my prep takes about an hour to an hour and a half a week.

(02:57):
I have to do my prep call with my interview host. I have to prepare all my articles for our leadership communication segment. I do that in about an hour, hour and a half every week. Everything's ready to go record. My third hat is kind of my advisory side. Right, I still have the advisory practice, I still advise startups, I still do some angel investment in the

(03:18):
startups, and so those kind of come and go. They ebb and flow depending on which clients I have at any given time, what they need. So I've been helping a startup that's doing some really interesting stuff around incident response, investigation work, leveraging AI. So I've been helping them kind of like get their message together, help them understand how to communicate what they're

(03:38):
doing out to the different buyer personas. So that's kind of my third hat on a regular basis, and that's before I'm a husband, a father, yeah, you know.

Speaker 1 (03:47):
Yeah, light stuff, right, I mean, you're not, not too, not too busy of a week, right? No, not at all. I'm real quick to say yes to new opportunities and taking on

(04:07):
more and then managing it. I don't want to say it's challenging, but I think the burnout rate will increase as I don't do my own personal things. Right, like if I don't go for a walk, if I don't go work out, if I don't, you know, do my float session.

(04:27):
Right, like, it's like I'm, I'm slowly burning out, right, um, and so it's. It's a, it's a fine balance I'm finding over the, over the past couple of years. Right, like any. Any regular listener has heard me talk about burnout every single fall, and it's. I just get to the point where I'm like, hey guys, I'm literally not recording the next two months.

(04:48):
I have episodes, they're going out, I'm not doing anything.

Speaker 2 (04:50):
Yeah, well, that's, that's like the husband, father side of it, right? So every Monday night and Thursday night on a regular basis, we try to play pickleball, my wife and I, right? So we have a group of us here, uh, live, that we try to play every Monday and Thursday. So that kind of gets us out of the house, gets us going. Every once in a while the wife will grab me and go, come on,

(05:12):
we're going for a walk. I got to get up because, as I said, I sit on seven meetings a day. I'm constantly at this desk. Actually, that's the home machine right there, or the work machine, so I'm sitting at that desk a lot during the day. So getting up, moving around, getting some exercise so you don't get burned out are definitely important things to

(05:32):
have to do.

Speaker 1 (05:33):
Yeah, yeah, that's very true, it's. You know, I recently, and when I say recently, I mean 30 minutes ago, right, I heard this video of kind of reengaging your brain or changing your why along the way. Right, why you do all of this, right, and I think that that is something that, for myself, has fallen off a bit, right, my why

(05:55):
when I started was, let's get a career going that is successful enough to support a family, right. Let's have a house, right, like all those sorts of things, as I'm sure a lot of people, you know, go through that and probably are going through that. Right, I mean, that's an admirable goal and whatnot, right. And I've found that I accomplished that, but then I

(06:15):
never reset, refocused, and so now I'm taking on more things than I probably should, because in my mind, in the back of my head, I'm still trying to achieve that goal that was already achieved. Does that make sense? Did you ever go through something like that?

Speaker 2 (06:31):
Oh, it completely makes sense. Yeah, I mean, my career path has been interesting. Anybody who's followed me knows that every two to three years I do something different, but I've always had this kind of goal in mind. Right, my kids are primarily grown. My youngest is 21. He graduates with his bachelor's from Texas Tech in

(06:53):
May. He's got one more year. He's got his master's. He's the last one. Right, I'm at a different stage in life. I'm in what I assume to be my retirement house that we built down here in Texas. I'm in a golf course community, and I tell people my vision of retirement is I golf in the morning and I do advisory work in the afternoon. I'm not ready to quite do that yet, but that's my goal, and so

(07:18):
the reason I have the advisory practice, the reason I do the podcast, is those are things I love to do and I can do them in retirement. I don't have to work full time if I don't want to. I still do because there's some things I want to finish, but in a few years I love just doing the podcast.

(07:38):
When I ran Security Weekly, Paul and I were doing four podcasts a week each, right, that's all we did, and selling sponsorships and running the company and stuff. But we were doing four podcasts a week, and so one podcast a week's easy. After you've done four a week, like, it's not that hard, like, once you have your system down.

(07:59):
Like I said, takes me an hour prep and recording. I spend two hours a week. Okay, if I can augment that with some other consulting advisory work, that's a happy little retirement. And in Texas, if you don't golf in the morning it's too darn hot in the afternoon to do anything else, so why not sit in the air conditioning?

Speaker 1 (08:21):
Right, it's, you know. You describing that, you know, makes me think about what I'm working on right now, right. So, you know, I've had this consulting business, I mean, I stray away from calling it a business, right, I've had customers here and there. It's not regular or anything like that, right, and it's purely on the side, on the side, and I always wanted something

(08:43):
where I could go into, you know, a domain, a discipline, get the expertise, you know, from the nine to five, from my own research and whatnot, and turn that around into a consulting business to have something, something extra, right, thinking about it from that perspective of even, you know, retirement, I don't.

(09:05):
I don't see myself, you know, retiring into the sunset, not, not doing anything, you know, like what. Like what you just described is exactly how I kind of envisioned my own retirement, right, and I'm, I'm much farther off, you know, from then. Then you from it, right, but that's how I view it too, and so

(09:47):
now I'm starting to kind of restructure or rework my consulting with my podcast, with blog posts, everything else. You're doing too many dispersed things. Right, you need to tie it all in and have a platform. Right, because right now you got three, four, five different platforms. Right, let's tie it all in. You're doing good work and it all feeds each other. But it's a different way of thinking. You know, and that's probably the thing that I love about cybersecurity the most overall, is that, as an individual, I get

(10:09):
to learn this stuff, and the stuff that I learn is intangible. Right, it's not like a company could be like, oh, that's my IP, you know, you can't use that knowledge anywhere else. It's like, well, no, once I know how to secure the cloud, I know how to secure the cloud. I know how to secure the cloud, like, that's anyone's cloud. Right, I can take that and I can build something else off of it. Right, like that.

Speaker 2 (10:30):
That really excites me, that gets me going, you know. Yeah, or to help others, actually help them with their startup, right. Right, because you've, you've built different products. You've seen different things. How do you use that knowledge to help others as they build? Like I said, this company I'm working with, the guys are young,

(10:53):
they're young, they're babies. They're barely older than my daughter. They might not even be older than my daughter, right, but what they're doing is really cool, but they haven't been there before. How can I bring my leadership and some of the things I've learned and help them build a better product, or how to market that product?

(11:13):
And so those skill sets have a tremendous amount of value to others who are trying to build their own company from scratch.

Speaker 1 (11:26):
What am I not thinking about? Because you don't know what you don't know until someone tells you or you live through it, right, and in the beginning you really want to kind of limit those giant issues that occur, because it takes up so much time and effort and money and whatnot.

Speaker 2 (11:38):
Yeah, I mean, Jason Albuquerque, my co-host, talks about it a lot. You need to have that network of mentors. It's not just one mentor, it could be multiple mentors, because each mentor has a different skill set that you might need to tap into at any given time. Marketing versus the finance side versus technology, or whatever it may be, and it's

(12:00):
important for us, and we are a tight-knit community, to continue to build out that network and your network of mentors. Who do you go to when you run into a problem and you need help? Right, like? I know who my mentorship group is. Like, if I run into something, I know who I'm going to pick up and call, and they're going to be there and they're going to be like, hey, here's what I know, here's what I did, you know. Hopefully that helps you, and that's why I always try to do

(12:23):
the same thing in return. Right, is, when people come to me, I always try to help them. I just had a buddy looking for a new role. He finally wants to get back into the workforce. I took his resume. I sent it to all the recruiters I know. I hope it helps, right, that's what I want to do. I want to help and give back and use my network to help connect other people.

Speaker 1 (12:45):
Yeah, I think that's actually a really powerful thing right there that not a lot of people really understand, right, and, you know, right from the very beginning I wanted my name to have some, some power behind it, right? So when I do make that recommendation, you know, there's no questions beyond what I say, right, like, there's no

(13:07):
questions from that person, you know, to me. Oh well, can they do this? Are they a good fit? How do they work with all that stuff? It's like my initial statement covers it all, right, the initial statement being, you know, my name, I'm referring this person to your role. I know you, I know this person, it'll work out well, right, and so I'm very selective, even, I wouldn't say very selective, but

(13:32):
when I refer someone, it's because I know that they can do it, right, I know that they're a good fit for it. You know, and I really try to protect, you know, not necessarily like my brand, you know, Security Unfiltered, or anything like that. I just try to protect my own personal, you know, brand, right, like when Joe says, you know, it's this, it truly is this.

(13:54):
Like, I don't have to worry about it, you know, great, that's something I take a lot of pride in, you know.

Speaker 2 (13:59):
Yeah, and you should.

Speaker 1 (14:01):
Being able to do that, have people trust me like that.

Speaker 2 (14:04):
Yeah, and it takes time to build those relationships, to build that trust, to put you in that position, right, but that's what we should all be doing to better our networks.

Speaker 1 (14:13):
Yeah, and it pays dividends down the line too. When you need something now, you have that established network, you have that established brand and whatnot.

Speaker 2 (14:25):
And we all need it at some point. Joe, trust me, we all do. We all go through the ebbs and the flows, and sometimes we need help in return.

Speaker 1 (14:34):
Yeah, you know, it's fascinating, right, when I was starting this podcast, I mean, literally, I expected five people to tune in. Maybe, you know, five on a good day, right. But, you know, fast forward a couple of years, four years, which is kind of crazy for me to say, because for a while there it was like every year I was reassessing if I was going to

(14:55):
keep doing it, right, right, you know, now, like, I've gotten, you know, job opportunities off of it. I've gotten consulting opportunities from it. When I, you know, interview at a company, right, the first thing that I'm typically told is, oh, you have a podcast, so that,

(15:16):
like, separates you completely from everyone else, right, like, not only do you have a podcast, you're developing connections as you're doing it. You know, like now, like I said, right, I have over 250 episodes going in, that's, most of those episodes are different people. Like, I mean, you've been on twice, right, I mean it's not, it's not like I'm bringing the same people on all the time. And so now, you know, when I go to companies and they're saying

(15:38):
we need an email security solution, I mean this literally happened, right, pretty recently, was one of the directors was saying we need an email security solution. This thing isn't working out. Who has any recommendations? No one else on the call except for me had a recommendation, and it's not because I necessarily, like, worked with them directly,

(15:58):
it's because I know the product, because I talked to the people that built it. You know, it's a, it's an interesting door, you know, that I never would have expected.

Speaker 2 (16:07):
Yep. Great connections, great knowledge too. I mean, how many vendors have I interviewed in my career? A lot.

Speaker 1 (16:14):
Yeah, yeah, that's a good point. That's probably like thousands at this point, right? Yeah, well, Matt, you know, tell me about CyberSaint, tell me about what your primary focus is right now, because I was looking at it and it looks interesting. I think you guys are approaching risk management

(16:35):
overall from a different angle came here.

Speaker 2 (16:47):
So the CyberSaint team has been a sponsor on my podcast in the past. So I knew the team. I knew the founder, Padraic O'Reilly, and I kind of always tracked them because they did some really interesting things around automating crosswalks. Then they built some automation capabilities to auto score controls. So I was always intrigued. Some people know that my first startup was in the GRC space. ControlPath was one of the early governance, risk management,

(17:10):
compliance products out there in the industry. I spent two and a half years at Archer trying to fix it. So I have a lot of experience in this space. And one of the challenges that the legacy GRC platforms have is they don't have a really good way of handling cyber risk. All the major platforms, OpenPages, Archer, even

(17:34):
ServiceNow, they really focused around operational risk, but that doesn't necessarily translate to cyber risk, and so the joke has always been in the industry: big G, little r, big C. Heavy on governance, heavy on compliance, but really light on risk.

(17:54):
And Richard Seiersen is a really, really good friend of mine. He wrote the book How to Measure Anything in Cybersecurity Risk with Doug Hubbard, and one day Richard came to me and said we should do a startup together. I said, Richard, the only startup you and I are going to do is if we can solve the risk management problem once and for all, which has to be some sort of quantified risk capability.

(18:15):
Richard went off and did some other stuff. He's now at Qualys as their chief trust risk officer or something like that. But that stuck with me a little bit in the back of my mind. When I left Cyber Risk Alliance after the Security Weekly acquisition and being on the media side for a couple years, I got the itch

(18:37):
to build something again. So my first kind of foray was to go to Living Security, which was building a human risk management platform. Take the human user side with risk management. Really interesting. Except for here was the problem. Risk was just a number between zero and a thousand. What does that mean? Right, like, if you think about all these risk algorithms that

(19:01):
are out there, there's some number between zero and 10, zero and a hundred, zero and a thousand. Some of them are unbounded. It's meaningless. It's a meaningless metric, and this has been the problem in cyber for a long time, is we look at things qualitatively and we

(19:22):
multiply random numbers together to come up with a number. That really doesn't mean anything. And what do I mean by that? As a CISO, I have to work with my executive team to go justify budgets. If I walk into the CFO, the CEO or the board and say we're 79

(19:43):
out of 100, and I need $2 million, what does that mean? 79 to what? What's the $2 million going to do? Move you to an 85? What does that mean? What does 85 out of 100 mean? It's a meaningless metric. However, if you can go to the board and say, I need $2 million

(20:05):
because I can reduce $10 million in risk, and I can back that up through actual risk quantification, now I'm in a much better position to get the $2 million, because I can write down $10 million in risk. So what prompted me to come to CyberSaint was Patty, the founder. Padraic O'Reilly showed me what he was doing with actual

(20:29):
historical loss data. So there is a database of actual cyber loss events that has been around for almost 20 years now. If we know anything about insurance and actuarial tables, we also know that that data exists for life insurance and all these other things. And what he figured out, Joe, was how to take the cyber loss

(20:52):
database, statistically analyze it and be able to drive risk quantification off of it. And when I saw it I was like, dude, this is a game changer, because we've been talking about, we don't have this data to actually do this, but he found it and he's doing it. Now, Patty is an ex-economist.

(21:13):
He's a quant on the economic side, right, so he's a math guy. But he figured out how to apply those same principles that finance and insurance use into the cyber space. And I'm like, dude, I'm in. I know exactly what we need to build, because it's the gap that the old GRCs have: how do you tie risk and compliance together

(21:36):
? And whenever you see a change in your controls, how does it impact your risk? So what I've been building in the last year and a half is, basically, we call it a cyber risk management platform. It's tying risk data with control data. So out of the historical loss database, we have 18 risk

(21:58):
vectors that we can identify actual historical loss against for every industry. I can use it as a starting point to drive the potential inherent risk of an organization, based off of its peers' already sustained losses, and use that as a way to

(22:23):
prioritize which controls, based off those risks, should I concentrate on to drive down the most risk? And that's kind of what we've built, is this very connected risk compliance product, and so why is that important? There's a lot of CRQ vendors, cyber risk quantification vendors, and they're really good at quantifying risk, but they have no idea about controls or compliance or how that ties into

(22:43):
risk. They're simply doing risk quantification for the purpose of driving insurance premium policies. Okay, so I do the risk quant once, I do it once, once I'm done, because once I have my policy, I don't need you anymore. Then you have the continuous control automation vendors that are doing continuous control automation, I won't name names,

(23:06):
but they're doing it at scale. Great, but they know nothing about risk. Their risk purview is a list of vulnerabilities. Folks, that is not risk. So what we do is we bring those two together in a very unique way, and so what it allows our clients to do is not only quantify risks.

(23:26):
We can actually use those risk quantification capabilities to actually justify whether I should or shouldn't remediate certain risks, because not only can I quantify the reduction in risk, I can compare that to the cost of the project, and I can tell you whether there's a return on security investment or not. That's what I believe CISOs need to have a risk budget

(23:51):
conversation with their board and their executive staff. That changes the game, because now they can justify spend based on actual reduction in risk dollars. That's what we're building.

Speaker 1 (24:04):
Wow, that is a completely different way of doing all of risk. I mean, the biggest thing for me being in the role that I'm in

(24:30):
, right, is basically making the argument for they want that they're going to be using, you know, and putting those numbers together. Are it's so difficult? And, like you said, right, it's on a scale of a thousand. What? What in the world does 700 mean? To me it sounds like a C, right, like, I mean, when I hear 700 out of a thousand, sounds like I'm passing, I mean I don't know

(24:53):
, I don't know, I don't know how else to relate that. You know, and that's everything that we've been taught, you know, through all of our education. Right, is, okay, that sounds like 70%, you know, and it has no context.

Speaker 2 (25:04):
No, it has not Right.

Speaker 1 (25:17):
It has no industry context, and even when I try to tie it back and say, hey, look, our competitor over here, they got breached this way and it cost them X amount of dollars, it's still loosely tied back somewhat, right, like, I mean, you kind of need that authoritative source like CyberSaint to go in and actually say, no, like, this is the real data. You know, these are the numbers, so that's, that's very fascinating.

Speaker 2 (25:36):
Yeah, and it's so interesting, because what really kind of highlighted this for me is when I was at Living Security, one of our clients, a large client, they were trying to figure out how to put our risk score on a slide with the other risk scores, and it was four different scores of four different ranges, and I went, how can anybody understand this? Like, literally, how can anybody understand why this tool's

(25:59):
producing a 700, this one's producing a seven, this one's producing 70. Like, it just didn't make sense to me. Right, it was like, because it's all. It's all. It's all, it's all garbage, it's made up, craziness. The only thing that really boards, CEOs and CFOs understand

(26:22):
is money. They're all money people. Cyber risks in something that they fully understand. I'm never, ever, as a CISO, going to get a full seat at that table, because if I bring vulnerability counts or incident counts or other things to the board, they're going to give you five minutes, you're out, and they're going to have the real

(26:45):
big boy conversation with everybody else. Then that's just reality. And I mean, Jason, Ben and I talk about this on the podcast all the time, Joe, is, that's why we do a leadership and communication segment on the podcast. We're trying to help educate the next set of CISOs to learn how to be more business-focused executives, because cyber is a

(27:07):
business risk that has to be managed, and it has to be managed like any other business risk. It's all about money, guys, and so that's why I went to CyberSaint, because I saw such a unique opportunity to do something different that I thought would actually move the needle in the risk conversation.

Speaker 1 (27:24):
Yeah, you said something that is kind of like a, it's a mentality switch. Right, because typically, typically, when you think about the experience that a CISO has, right, they probably have experience as, you know, a technical engineer. Right, like, they understand technology, they're the top security person at the organization.

(27:45):
They are the go-to person for it. Right, they're a leader in the community. They have their different avenues and outlets, like maybe they go on podcasts and whatnot. Right, and coming from that background, you're not really geared towards talking to the board in a way that the board understands. You're geared in talking to other technical people in a way

(28:07):
that they understand. Right, and that, I've only had one CISO that really kind of drew that home to an extent. Right, I mean, like, I feel like engineers can be a little hardheaded at times. Right, because we're so in the weeds, we're so technical, it's hard to break through. But to have that understanding of, hey, the board is looking

(28:28):
for this, this is how they view it. They view it as a business. It's a section of our business that they just seem to only throw money into and nothing comes out of it, and they're required to do it. And so me going to the board and saying I need another 2 million. They're going to say, well, why do we have to burn another 2 million on you guys?

(28:49):
You guys have been fine ever since. We haven't been breached yet. Why do we need to give you more money?

Speaker 2 (28:55):
Right, and why not take that $2 million and go
invest it in some new AIcapabilities in this product
line to grow my revenue?
See, that's the battle thatCISOs are going up against.
They have to justify thosedollars and the justification is
do I spend $2 million onsecurity or do I spend $2
million on AI?
Those conversations happen allthe time.
We've had multiple segments onthe podcast that highlight this.

(29:18):
I had Sumedh Takkar, the CEO ofQualys, come on because his
board asked him how much are wespending on cyber?
Why don't we just buy a biggercyber insurance policy to cover
those losses?
He's a security vendor gettingasked these questions from his
board.
Very interesting interview foranybody who wants to listen to
it.
I brought Jess Byrne and JeffPollard on from Forrester in

(29:39):
their Future of the CISO report. Huge kind of eye-opening based
on the different role, the different CISO types.
What kind of skillset do you need?
And I just put a clip on LinkedIn the other day. If you,
as a CISO, want a board seat and you haven't run a P&L, you're
not going to get a board seat, because board seats are reserved

(30:03):
for people who understand how to run businesses right and they
made that very clear.
Jeff Pollard does a really good talk on this point, but CISOs
who want to be board members also have to learn how to run a
business.
They need to be a founder, they need to run a company, because
then they'll have the rest of the skill set the boards are

(30:25):
looking for, which is the financial understanding.

Speaker 1 (30:28):
That's interesting that you frame it like that.
I never, I never thought about it like that.
You know that really, the board is expecting you to run your
business line like it's a separate business, you know
under the same entity, and whatnot.
And all of those people on the board, they're all doing that.

(30:49):
You know you think about the product marketing, the sales,
all of those people.
They're all treating it like a business, and security is the
only one that's coming into the conversation.
That's telling people that they're wrong.
Right, making things more difficult.
They're asking for more money without really having the
evidence and the proof.

(31:09):
So I mean that product at CyberSaint, that's going to be
invaluable to really any company in any industry.

Speaker 2 (31:16):
Then yes, and because we have a lot of the base data,
it helps you quickly benchmark yourself against your peers.
We actually give that away for free.
By the way, it's funny, we have this thing called the free
cyber risk analysis.
You can go to the CyberSaint.io website, sign up. Four clicks.
You put in your primary industry, your secondary industry
if you want to, it's optional, your revenue size and your

(31:38):
employee size.
We'll tell you the top five risks that your industry has
faced and we'll tell you which controls are mapped to those
risks.
We give that away for free so you can see it yourself.
It's eye-opening sometimes to see what your peers have been
susceptible to, how much actual loss they've incurred just on

(32:02):
the top five, that's five out of the 18, and which controls they
should focus on.
We do that as a way to help educate people on what we're
doing and how we're doing it, but it's a great starting point
for anybody who wants to try to move away from a qualitative
kind of risk-based approach to a quantitative, risk-based
approach.

Speaker 1 (32:23):
Yeah, I mean, that's also a fantastic hook to just
comment on the product, right?
Because as security people, we're very curious.
You give us a little crumb, all right.
Now we want to see the whole slice of bread, right, we want
to see the whole thing, and so for me, that would be an

(32:44):
immediate okay.
Well, what else is there?
You showed me five.
What are the?

Speaker 2 (32:50):
other 13 that.

Speaker 1 (32:51):
I'm missing.
Yeah, it's interesting.
Now I kind of want to go do it right now after this podcast.
That's what I'm doing.

Speaker 2 (33:01):
All right, go ahead, it's free. Sign up.
Now watch out, my marketing team might come after you after
the fact.

Speaker 1 (33:07):
But right before, I'm used to, I'm used to marketing.
At this point, you know it's, um, yeah, that that is fascinating,
and I wonder why no one else really even thought about doing
it like this, because a lot of people don't realize that the
data exists.

Speaker 2 (33:26):
If you look at the data source we're using, if you
look at it in the raw, it's hard to figure out how to use it.
You can't.

(33:51):
It's hard to figure out how to use it and this is where Patty's
brain really came into the mix, which is basically producing two
values: loss event frequency and loss magnitude, or threat event
frequency and single loss expectancy in the NIST 800-30 model.
Right, it's very simple.
Once I have those two numbers, I can either do a straight line
ALE like 800-30, which is threat event frequency times single

(34:15):
loss expectancy, or I can take loss event frequency, loss
magnitude, drop it into FAIR, run the 10,000 Monte Carlo
simulations and produce the risk curves.
It's not rocket science, but the hard part was the data
source, the statistical analysis that then drives those quants,
and so it's a foundation to the platform.

(34:37):
We use it to help kickstart a lot of our clients.
But then what I built into the platform was all the
customization that clients can do themselves.
Right, if you have different loss magnitudes, put them in the
system.
You can build your own risk models.
You can create your own heat maps.
You want a six by six?

(34:57):
Create a six by six.
You want a four by four, create a four by four.
I don't care.
But what we do is we balance the old qualitative heat map with a
risk quant on the other side of it.
They're right side by side in the platform.
It just opens your eyes to all right, I have all these risks
that I think are high, but when you see the bubble, the size of
the risk in quantified dollars, you instantly know where to

(35:20):
focus.
It's so evident.
And so all that customization's in the platform.
And then, with our latest release towards the end of last
year, our version four release, I opened up beyond cyber risks,
because we had a lot of clients that were like we love what you
do for cyber risk.
Can you add an enterprise or other types of risk in the
platform?
Absolutely, so we have clients can customize their own risk

(35:43):
types and categories.
They can track other types of risk outside of cyber risk in
the platform.
And now what we're looking for is are there similar data
sources that we can use to quantify some of those risks?

Speaker 1 (35:55):
Wow, have you ever done a case study of how
accurate the numbers are to actual breaches?
If you go back in time and let's say you run Equifax's
number, I wonder how accurate it would be compared to the

(36:15):
numbers of that breach.

Speaker 2 (36:16):
Yeah, so remember, annualized loss expectancy is
likelihood times impact.
So we have the raw impacts, but we also know the likelihood of
that attack, right?
So everything in the platform is annualized loss expectancy.
Okay, so we know the impact, but in order to keep it
consistent, we used ALE as the metric in the platform.

(36:40):
So we have that data.
I have customers that have run through it and use it to
prioritize the remediation, right so?
I had a home builder here in the Dallas area use it to look
at their posture compared to their peers.
The CEO set their target.
They use that to drive down their risk.
They're going through remediation right now.

(37:01):
We have a large public company out of the Seattle area that the
first they got breached, first purchase they made was us to
understand their current risk posture and they've used it to
prioritize all their downstream projects.
Now they're enabling automation to automate all those control
scores in real time to just continue to drive that real-time

(37:22):
kind of risk quant data in the platform.
Like great use cases.

Speaker 1 (37:26):
It's probably like a great single pane of glass, not
just for the CISO to look at, but maybe even other executives
in the C-suite, right? Other board members that say, hey, I want
to look at this 8 am every day.
I just want to check it.
Right, I want to see it.

Speaker 2 (37:41):
See where I am.
Let me look at my inherent risk.
Let me look at my residual risk.
Let me see how I'm trending.
Where are my top risks?
Are they trending up and down?
So lots of trending graphs in the platform kind of show you
trend over time.
Is ransomware ticking up or is it ticking down?
Right, the beauty of the historical loss database is we
get monthly updates right.
So every month we're updating that data.

(38:02):
So if you synchronize your risks with our industry data set,
you're getting real-time updates to those trends as
they're coming into the platform and so we can show those risk
trends over time, which kind of helps you.
Like is the inherent risk for ransomware going up or going
down based off the latest breaches?
And we use a, by default we use a 10 year look back period, but

(38:26):
you can shorten that down to three years so you can use just
the last three years of historical loss to kind of fine
tune how you want to track those.
Lots of fun customization in the platform to support various
use cases.
But the data is awesome and that's what hooked me when I saw
it.

Speaker 1 (38:41):
Yeah, yeah, that's.
I mean, that's what caught my attention right there.
You know, when you talked about the data and how you found it,
how it wasn't really even being used earlier.
You know which kind of blows my mind, because I've been at
companies where they're actively.
They have some solution that's comparing them against their

(39:03):
competitors right, and they get some arbitrary score that
doesn't even make sense to me, right, and they're pitching it
to the board and they're wondering why they never get
approved for a solution for the next budget or whatever it might
be right.
Do you find that now?
I know that this would be valuable in the federal sector,

(39:24):
the government side of things.
Do you find that a lot of government agencies are coming
to you right now and finding the value?
Not yet, they're so compliance focused from a CMMC perspective.

Speaker 2 (39:37):
Right now, it's just they're not there.

Speaker 1 (39:41):
That's a maturity thing, right.

Speaker 2 (39:43):
I mean, the industries that see the value in
this obviously are the financials and the insurers, who
have been doing this for a long time.
Healthcare, a lot of public companies, and it's not
necessarily the Fortune 500.
I think our sweet spot is the 3,000 public companies that are
not the Fortune 500.
And the reason is they don't have highly mature security or

(40:04):
risk management programs but yet need to understand materiality
and potential impact of cyber risks in the SEC reporting
requirements.
That's where I think our sweet spot is and we're starting to
see some of that.
But I mean, look, we've got Fortune 500 clients using our
platform.
But I think we also have a really, really good use case for
much right and that is extremely.

Speaker 1 (40:25):
It's extremely valuable right, because you're,
you're, you're really capturing this data in a way that hasn't

(40:46):
been conceptualized before.
You know, like I keep on going back to that point.
But this is really, it's fascinating to me because, even
like I'm in the space, I'm the one that's preparing the report
that the CISO is going to give, and I'm looking at these numbers
and I'm saying they're not gonna.
No one in that room is going to understand this.
No one in that room, right?

(41:07):
If I have to explain to the CISO, right, and break it down, no
one over there is going to understand it.
You know, and so that that's where that revolutionary piece
is coming from, that I keep on going back to it inadvertently.
Yeah, that's the good and the bad, right?

Speaker 2 (41:22):
Yeah, it forces people to think differently.
The problem is, people are so used to doing the old way and
that they can't wrap their heads around some of that too.
So I mean, we take the good with the bad. Yeah, well, that's
kind of the.

Speaker 1 (41:35):
That's probably like the government, the government
side, the government impression, you know where.
You know you always hear about how, like DARPA and the NSA and
CIA, all these intelligence agencies, they're, they're, you
know, decades ahead of what's publicly available and things
like that, and that's that very true.
I've talked to some of those people and you know I brought up

(41:58):
something like, you know, some, some like homomorphic encryption
to a friend of mine who's in the Navy on the cyber
intelligence side of it.
He's like, yeah, we've been doing that for about seven years
now, so go ahead and catch up, right.
And that mentality is completely different.
When we're talking about the other side of the house, right,

(42:19):
the not-so-innovation, keep-the-lights-on house, right,
where they're not interested in doing new things until it's an
old thing for everyone else, right, it's a totally different
mindset, kind of frustrating, yeah.

Speaker 2 (42:35):
Again, we get the good with the bad mindset. Kind
of frustrating.

Speaker 1 (42:40):
Yeah, again, we get the good with the bad.
Yeah. Well, Matt, before we end things here, how about you tell
my audience where they could find you if they wanted to
connect with you and where they could find CyberSaint if they
wanted to definitely go take advantage of that free offering.

Speaker 2 (42:51):
Well, anybody can find me on LinkedIn, Matthew
Alderman.
I'm one of the early guys, so I don't have a bunch of crazy
numbers behind my name.
On X, I'm @Maldermania.
CyberSaint.io is the website for the company and the podcast is
Business Security Weekly.
Go to securityweekly.com/BSW and you'll find all
my 380 plus episodes.

Speaker 1 (43:12):
Nice, awesome. Well, thanks, Matt, I really
appreciate you coming back on.
It was a fantastic conversation.

Speaker 2 (43:18):
Yeah, thanks for having me too.

Speaker 1 (43:20):
Absolutely. Well,
thanks everyone.
I hope you enjoyed this episode.